At the start of this week, CNIL (the French equivalent of the UK’s Information Commissioner’s Office) fined Google LLC €50million (around £43million). The decision followed complaints coordinated by privacy organisations None of your business (Noyb) and La Quadrature du Net. The complaints alleged that Google was processing personal data without a valid legal basis. Google’s processing of personal data for ad personalisation was a particular focus.

The complaints were made shortly after the GDPR’s implementation in May 2018. The French authority conducted online inspections in September 2018 to check Google’s compliance with the new law. Those inspections focused on the documents a user can access when creating a Google account during the configuration of a mobile device running the Android operating system.

CNIL concluded that Google had committed two breaches:

First Breach

The data protection information provided by Google was not easily accessible for users. It was noted that key information, such as the data processing purposes, data retention periods and categories of personal data used for ad personalisation were spread across a number of interconnected documents rather than being provided in one place. In some instances, the information was only accessible after taking 5 to 6 additional steps (such as clicking a link).

It was also noted that the purposes for processing personal data provided by Google in its documentation were too generic and vague. As were the listed categories of data. The CNIL also determined that the information provided was not clear enough for a user to understand the legal basis upon which Google would process their personal data for ad personalisation.

Second Breach

Google had sought to rely on consent as the legal basis for processing users’ personal data for ad personalisation. The CNIL held that such consent was not validly obtained. Two reasons were given for this:

1. The consent was not sufficiently ‘informed’.
2. The consent was not ‘specific’ or ‘unambiguous’.

Article 4 of the GDPR defines consent as a “…freely given, specific, informed and unambiguous indication of the subject’s wishes…”.

The French authority found that Google’s information on ad personalisation was spread across numerous documents (see the first breach, above) and did not address the overlap in data processing across Google’s various services (e.g. Google Search, Google Maps, Playstore, YouTube, etc.). As such, when the user gave their consent to Google’s processing activities, they had not been provided with enough information, in an accessible manner, for that consent to be ‘informed’.

At the account creation stage, a user can turn off ad personalisation by clicking through a number of options. The GDPR provides that ‘unambiguous’ consent can only be achieved where the user makes a clear affirmative action. Google had pre-ticked the box for enabling ad personalisation. This meant that if the user left that box pre-ticked, this could not be treated as ‘unambiguous’ consent to enabling ad personalisation because the user simply could have missed it. This was particularly a concern as the option was not prominently displayed.

The consent was not ‘specific’ because the user was asked to tick boxes saying “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy”. By ticking these boxes, the user gave their consent to all the processing operations carried out by Google (ad personalisation, speech recognition, etc.). This was not ‘specific’ consent under the GDPR because the consent was given generally, for multiple purposes, rather than separately for each processing activity.

Amount Of The Fine

Google’s annual revenue in 2017 was nearly 110 billion US dollars (that’s $110,000,000,000) meaning the €50million fine equated to roughly 0.05% of Google’s annual revenue. That’s a far cry from the maximum fine available under the GDPR, which on this occasion would have been 4% of Google’s global turnover (circa €3.9billion).

The CNIL justified the (relatively) low amount of the fine saying it had limited the scope of its examination to “the data processing covered by the privacy policy presented to a user when creating their account on their Android mobile phone” (translation from French provided by La Quadrature du Net).

What Next

La Quadrature du Net are hoping that the French authority will continue to investigate similar complaints made against Google’s YouTube, Gmail and Google Search platforms, notwithstanding Google’s relocation to Ireland.

La Quadrature du Net has also issued collective complaints against Apple, Facebook, Amazon and Microsoft which are being handled by the Irish and Luxembourg data protection regulators.

In the meantime, it will be interesting to watch the growth of not-for-profit privacy organisations such as Noyb (founded by Max Schrems, famous for campaigns against Facebook for privacy violation, including its violations of European privacy laws and alleged transfer of personal data to the US National Security Agency (NSA) as part of the NSA’s PRISM program) and La Quadrature du Net, as they continue to empower consumers to hold multinational businesses accountable under data protection law.

If you would like to discuss any issues relating to data protection please email me.