A huge fine of €50 million (£44 million) has been issued to Google by CNIL, the French equivalent of the Information Commissioner's Office (ICO) in Europe’s first major fine under GDPR.
It relates to Google not giving users clear and accessible information about how their personal data was used in their personalised ad service and not having valid consent from users to this service.
CNIL started investigating Google’s consent process and transparency in relation to personalised ads following complaints made by privacy groups on 25 May 2018 (the day GDPR came into force) and 28 May. The main concerns CNIL had with Google related to the fact that information about how personal data was used to personalise ads was not clear and easily accessible and that the consent taken was not valid.
The transparency and accessibility concerns arose because the information about how personal data was used for ad personalisation, given to users when they set up a Google account on an Android device, was hard to find: it was spread across a number of documents, which required users to follow several steps. CNIL also found that the information provided was not always clear and comprehensive.
GDPR requires that all businesses who are controllers of personal data provide information about how they are using personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. CNIL thought that splitting this information made it difficult for users to understand how their personal information was being used and manage their preferences.
CNIL’s concerns about the Google consent also arose from the fact that the information was spread across different documents, which meant that people did not understand the scope of what they were agreeing to. In addition, the consent taken was consent to the use of personal data as set out in the Google privacy policy as a whole, which covered more services than ad personalisation; it was therefore not specific enough. Finally, a pre-ticked box was used, which meant that there was no clear affirmative action from the user demonstrating their consent.
GDPR requires that if consent is being taken it must be via a clear affirmative act (which means no pre-ticked boxes). It must also be freely given, specific, informed and unambiguous. In a nutshell people must understand what they are consenting to and have a genuine choice about whether to give the consent. Consent under GDPR needs careful thought as it is not always straightforward. The ICO consent guidance should always be consulted before drafting consents as there are details in addition to the above which need to be met.
Another interesting aspect of the matter, particularly for those with group companies, relates to why CNIL took the lead on the complaint. Under GDPR there is meant to be a “one stop shop” so that only one regulator takes action and this is meant to be the regulator in the country where the main establishment of the company being investigated is based. Google’s head office in the EU is in Ireland but as it didn’t have real decision making power, CNIL felt that the Irish regulator did not automatically have jurisdiction and that it would be appropriate for it to take the lead as the complaint on 25 May came from France.
The amount of the fine may seem surprising, particularly as many expected the first big fine to come from a data breach. The fine is certainly much larger than those we have seen in the UK to date. Prior to GDPR, the maximum fine that could be levied in the UK was £500,000; under GDPR the maximum fine is up to 4% of global annual turnover. Whilst this fine is large, it is less than 1% of Google’s global annual turnover. CNIL also felt it was justified because Google had not met some of the core protections relating to personal data under GDPR, the infringement affected a large number of people, and it was not a one-off, time-limited infringement. It will be interesting to see if the ICO in the UK follows suit.
This fine should be seen as a warning for businesses to take the requirements of GDPR seriously and all organisations should ensure that they consider the following:
- You need to ensure you are clear with people about how you collect, store and use their personal data. This is usually done by having a clearly worded privacy notice which is easily accessible and not split across a number of documents.
- You should review your consents to ensure that they are GDPR compliant. Consent must be freely given, specific, informed and unambiguous.
- Do not use pre-ticked boxes for consent. For consent to be valid, the person must provide clear affirmative action by actively opting in.
Winter 2019