The French Supervisory Authority, Commission nationale de l’informatique et des libertés (CNIL) has issued Google LLC with a €50m (£44m) fine following an investigation into their advertisement personalisation purposes. This marks the first occasion Google has been fined under the EU General Data Protection Regulation (GDPR) since it was enforced in May 2018 and is considered by many to be the largest fine in data protection history.
Two of the major factors in CNIL’s decision were Google’s failure to provide a sufficient degree of transparency to data subjects about their ad personalisation process and failure to obtain a lawful basis for processing (valid consent in this case). Organisations looking to avoid similar fines should ensure that their data processing activities are clearly explained to their data subjects as well as having the appropriate lawful basis for processing.
“A violation of the obligations of transparency and information”
The CNIL notes that data subjects cannot easily access “essential information” regarding Google’s processing activities of their personal data. Several key pieces of information for data subjects, such as purpose of processing and categories of personal data which are processed are spread across several documents and privacy notices. Additionally, these documents were found to be buried beneath several layers, requiring several clicks or taps to access them.
Furthermore, once they have accessed the relevant privacy notices, data subjects are overloaded with complex information which is neither “clear nor comprehensive.” This has led the CNIL to conclude that “Users are not able to fully understand the extent of the processing operations carried out by Google.”
“A violation of the obligation to have a legal basis for ads personalization(sic) processing”
The CNIL also found that Google did not obtain valid consent from data subjects for their ad personalisation service. This was for two main reasons:
Firstly, and similarly to the lack of transparency finding, it is difficult for data subjects to understand the plurality of services which take advantage of ad personalisation. Visits to websites and the use of applications take advantage of a single submission of consent to provide personalised advertisements. For example, Google search, YouTube, Google Play Store and Google Maps all rely on this sole consent. Users who register an account with Google are prompted to agree to all processing operations that they undertake. This directly contravenes the Regulation which only recognises consent if it is specific for each purpose that personal data is used for.
Secondly, there are several barriers for data subjects to overcome in order to modify their privacy settings, including several pre-ticked boxes which are specifically outlawed under the GDPR. The CNIL notes that in order to remove consent from personalised ads, the user must first navigate to the “more options” menu, and then untick the box relating to ad personalisation. In their opinion, this did not meet the requirement for consent to be clear and unambiguous.
What can your organisation do to avoid similar fines?
There are several key lessons for organisations to learn from this early landmark case in order to avoid similar fines levied against them:
Firstly, in order to fulfil the obligation of transparency, your organisation should ensure all front-facing notices which detail your data processing activities (such as your privacy notice) are presented to the data subject in a single, all-encompassing document. This should be drafted in plain and easy to understand language, covering all the requirements of Article 13 and 14 of the regulation. Avoid overly technical terms and legal jargon – put yourself in the shoes of the data subject and imagine what they would like to know when it comes to how their personal data is going to be used.
Secondly, ensure all processing activities are undertaken using one of the six lawful bases of processing found in Article 6. If you intend to rely on legitimate interest, also consider conducting a legitimate interest assessment (LIA) to determine whether this is the appropriate legal basis. Each processing activity you undertake should also be logged in a master Record of Processing (ROP) file which will also ensure you meet your Article 30 requirements.
If you wish to read the CNIL’s full report into their fine levied against Google, you can do so here.
For more information visit the Trilateral Data Governance page and contact our team.