On January 21, 2019, the French data protection supervisory authority ("CNIL")
fined Google €50 million (approximately $57 million) for violating the European General Data Protection Regulation ("GDPR"). The fine penalizes Google for failing to comply with the GDPR’s transparency and notice requirements, and for failing to properly obtain consent from users for ads personalization. This is the largest GDPR fine imposed to date and the first action against a major global tech player. The CNIL’s decision sends an important message to companies that tough enforcement actions are not just a theoretical threat. Companies should look closer at data protection compliance and particularly work on their notices and consent forms.
Google Case Specifics
In May 2018, the CNIL received group complaints regarding Google’s processing of personal data from two associations: None of Your Business ("NOYB"), a group led by notorious Austrian data protection activist Max Schrems, and La Quadrature du Net ("LQDN"), a French advocacy group. Their complaints maintained that Google’s data privacy policy, which it provided to users of Google’s Android operating system on a mobile phone during account creation, did not sufficiently inform the users about Google’s processing activities. Additionally the complaints maintained that Google used personal data for analytics and targeted advertising purposes without users’ informed and free consent as required by the GDPR.
The CNIL agreed with the allegations, concluding (1) that Google’s disclosures were not sufficiently transparent, and (2) that Google did not obtain sufficient consent from users for the processing of personal data for ads personalization purposes. According to the CNIL, there were two categories of issues relating to
transparency of Google’s disclosures and its
consent practices:
Transparency
- Data subjects were forced to search for privacy-related information across multiple documents that were unintelligible to consumers, rather than being offered a comprehensive, concise and easily understandable overview of Google's data processing activities;
- Google required users to follow five links through several documents in order to find information regarding Google’s processing of geolocation data and Google’s processing of data for ads personalization; and
- Google’s policy wording in some cases was ambiguous, preventing data subjects from gaining a clear picture of Google’s activities and their own data protection rights. For example, users were not given clear information regarding the sources Google used to personalize the ads, such as their Google Accounts, YouTube, and third-party websites, and therefore could not effectively oversee the impact of the processing activities on their privacy.
Consent
- Google’s approach to obtaining consent for personalized advertising violated the GDPR, reasoning that Google did not provide users with all of the necessary information to give informed, unambiguous and specific consent, and made it unnecessarily difficult for users to change their consent preferences;
- Google designed its consent as an opt-out solution, even though GDPR requires a clear, affirmative, opt-in action by data subjects, such as checking an un-checked box;
- Consent was not sufficiently specific because Google asked users to consent to all of Google’s processing activities. The CNIL ruling clarified that consent must be distinctly given for each purpose or processing activity.
The €50 million fine is meant to reflect the seriousness of the breach and Google’s dominant position in the market, as well as the CNIL’s view that the breach was not a one-time violation—even after having gained knowledge of the complaints, Google did not change its practices and continued to be in breach of the GDPR.
GDPR enforcement activity focused on personalized advertising
The Google decision shows that the CNIL is getting more serious on GDPR violations, following formal decisions the CNIL issued with respect to the practices of online and mobile adtech companies
Fidzup,
Singlespot, and
Vectaury in late 2018 (links in French). In those cases, although the CNIL declined to assess monetary fines—because each company agreed to revise its consent procedures—the CNIL faulted the companies’ consent mechanisms when the data subjects’ consent to personalized advertising was not informed (
i.e., information provided was not easily accessible or unintelligible), not specific (
i.e., did not name each data controller that would obtain the data subjects’ personal information), and/or not based on an affirmative action (
i.e., an unchecked, rather than pre-checked box).
What does the CNIL’s decision mean for companies that use Google personalized advertising services?
The CNIL’s decision is silent as to advertisers and publishers that incorporate Google advertising tools into their apps or websites. However, its determination that Google has not acquired valid consent for the processing of personal data for the purposes of personalized advertising could potentially also affect companies that use Google’s personalized advertising tools. In June 2018, the European Court of Justice
determined that the administrator of a Facebook "fan page" can be considered a "joint controller" of personal data processed on that page. European supervisory authorities similarly could consider Google and its advertiser-customers to be "joint controllers," who would then be jointly liable for each other’s breaches of the GDPR. Accordingly, an advertiser-customer’s continued use of Google's advertising tools could itself be grounds for a GDPR violation
by the customer.
Further, a company’s use of Google’s personalized advertising tools on its website could lead to additional disclosure obligations. As a good practice, where companies choose to continue to use Google’s personalized advertising tools vis-à-vis data subjects in the EU, they should consider updating their privacy policies to provide additional disclosures both about Google's data processing activities and about their own basis for processing the personal data at issue.
Key Takeaways from the Decision
The CNIL’s decision and the severity of the fine should be considered a clear warning to all companies that process data within or from the EU. This fine could be the beginning of a new, more aggressive regulatory environment—at least in France.
Because GDPR applies not only apply to processing personal data within the EU, but can also potentially apply to the processing of personal data from the EU in other parts of the world, companies doing business in or with the EU should consider the following:
- review the applicability of GDPR to their data processing activities;
- review and amend consumer-facing data privacy policies to be comprehensive, intelligible, concise, and transparent;
- review any consent mechanisms that are leveraged to justify data processing activities, including advertising, and any tools or processes that allow data subjects to modify their consent or change their data-related preferences to ensure that consent is fully informed, specific, and affirmatively given; and
- keep close watch on GDPR enforcement activity relating to personalized advertising practices, and be prepared to adjust disclosures or third-party partnerships as new standards of practice and guidance emerge.