Yesterday, the French data protection authority (CNIL) issued the first major penalty under the GDPR: 50 million euros for lack of transparency and failing to obtain valid consent. This post will provide a summary and initial analysis based on the currently available information. More will undoubtedly follow as the dust settles.
On the day the GDPR came into force (25 May 2018) and three days later (28 May), CNIL received collective complaints from the association None Of Your Business ("NOYB") and La Quadrature du Net ("LQDN"), claiming that Google did not have a valid legal basis to process the personal data of the users of its services, in particular for the purpose of ad personalization.
According to CNIL it immediately started investigating the complaints and consulted with the other EU data protection authorities about which of them would have jurisdiction in accordance with the ‘one-stop-shop-mechanism’ provided in the GDPR. Interestingly, it was concluded that Google did not have a main establishment within the EU, because its Irish establishment did not have decision-making power about the processing operations at hand. This meant that CNIL deemed itself, as well as all of the other DPAs, competent to take a decision on the matter.
CNIL decided (in French) that Google had violated the GDPR by (i) not providing sufficient transparency and information as required under articles 5, 12 and 13, and (ii) processing personal data without a valid legal basis as required under article 6, all in the context of creating a Google account when setting up an Android phone. According to CNIL, the information provided by Google was not sufficiently clear and was too difficult to access. Moreover, CNIL held that Google had not obtained valid consent for the personalization of ads because that consent was insufficiently specific and unambiguous. In particular, users were not sufficiently informed about the extent to which personal data was combined and profiles were formed and used across the different services offered by Google (Search, Home, Maps, YouTube, Play Store, etc.).
The violations were deemed severe enough to justify a fine of 50 million euros, which, while calculated with reference to the potential maximum of 4% of Google's worldwide turnover of about 96 billion euros, remains far below that ceiling. In its justification of the penalty amount, CNIL considered in particular that Google had violated essential principles of the GDPR while processing vast amounts of personal data under a business model which is partly (or largely) based on ad personalization across its wide variety of services (approximately twenty).
CNIL’s penalty to Google for violating the GDPR is the first major enforcement action under the GDPR and clearly sends a signal to the market that compliance must be taken very seriously. It also shows that tech giants may be held to a particularly high standard, as great responsibility follows inseparably from the great power which their massive data troves and processing capabilities present.
This landmark decision also indicates that it may be worth investing substantial effort and resources towards properly integrating privacy and GDPR compliance into user interface design, so that the appropriate information is provided to users at the appropriate moment, without too much effort from the user being required.
It remains to be seen whether Google will appeal the decision and the precise extent to which its considerations about transparency and consent will shape GDPR doctrine. We will keep you informed of relevant developments.