By Adrian Faelli (Lawyer) and Koula Politis (Senior Associate).
On 21 January 2019, the French independent data protection agency, CNIL, fined US-based Google €50m (AUD $79.8m) for failing to provide users with transparent information concerning its data processing purposes, storage periods and ad personalisation.
This marks the largest fine imposed under the EU’s General Data Protection Regulation (“GDPR”) since its implementation less than a year ago. It also represents a timely reminder that EU national regulators have the power to issue extensive fines to foreign, non-compliant businesses (up to 4% of their worldwide annual revenue) and are beginning to exercise these powers after concluding lengthy and rigorous investigations. In Google’s case, CNIL’s investigation commenced after receiving complaints on 25 May 2018, the day the GDPR came into effect.
The French regulator concluded that Google had violated two main themes of the GDPR:
- the principle that processing of personal data must be lawful, fair and transparent; and
- where a company relies on obtaining consent to collect and process personal data, processing of that personal data will only be lawful if the individual’s consent is freely given, specific, informed and contains a statement or a clear affirmative action that indicates agreement to the type of processing.
First, they found that Google failed to ensure information concerning data processing purposes, data transmission and storage, and categories of personal data collected was readily accessible to users. CNIL focused on the fact Google made it difficult to access this essential information (only accessible after 5 or 6 clicks in some instances) and when accessible, the information was fragmented, unclear and was not comprehensive. Users were forced to make multiple clicks and consult several documents in order to access and identify the relevant information.
Further, Google’s description of the “purposes” for processing was “too generic and vague” as were the categories of data processed for those purposes. For example, at least twenty services offered by Google are likely to be involved in the processing of personal data, which may include web browsing history, history of use of applications, data stored locally on the equipment (such as address books) and geolocation of the device. CNIL found Google’s lack of accessible information left users unclear about the legal basis for personalisation of ads or the legitimate interests of the company and that they failed to provide adequate information around data retention periods.
Secondly, CNIL found Google did not have a legal basis for ad personalisation as it failed to validly obtain user’s consent. Users could not provide informed consent as the information provided failed to disclose the full extent of the personal data Google collected and processed. Users were told that Google can show them ads based on their activity in Google services such as YouTube and on Google’s “websites and partner applications”. However, it was not possible for a user to read what those websites and partner applications were in order to properly understand the number of services and the nature and volume of data that is collected. Consent was deemed ambiguous, as boxes related to ad personalisation were pre-ticked when creating an account. CNIL found that a user could complete creating an account by clicking “I accept” without being taken to the options page to uncheck the default settings and could therefore not have made a positive statement that they agreed to the types of processing. CNIL deemed this type of consent was not valid and ineffective and instead confirmed that consent requires a “clear, affirmative action from the user”.
What are the implications for Australian businesses?
CNIL’s reasons for penalising Google are an important reminder for Australian businesses caught by the GDPR to ensure that:
- information concerning how and why a user’s personal data is collected and used by the business is easily accessible and transparent on their online platforms; and
- they ensure specific, informed and affirmative consent is obtained from users for each of the purposes for collecting and processing personal data.
Ultimately, the penalty suggests the interpretation and limits of the GDPR are still being tested. Watch this space!
If you need advice about the GDPR’s application to your business and compliance, please don’t hesitate to contact us.