Google fined millions for alleged GDPR violations
Google is on the receiving end of the first major enforcement action of the General Data Protection Regulation (GDPR), to the tune of €50 million for lack of transparency and information and a failure to obtain valid consent for targeted advertising. Brought by the Commission nationale de l’informatique et des libertés (CNIL), France’s data privacy and protection agency, the action was a response to early complaints filed by None Of Your Business and La Quadrature du Net.
The enforcement action alleges that Google violated certain provisions of the GDPR and, as a result, was fined €50 million (approximately $57 million). CNIL alleges that Google is not sufficiently transparent, in that it does not provide adequate disclosures or information regarding data collection or storage, and that Google does not validly obtain consent for targeted advertising (also referred to as ad personalization).
Google has said that it will appeal.
GDPR obligation of transparency
CNIL alleges that Google violated its obligation of transparency because information regarding data collection and processing is provided on several different webpages instead of in one easy-to-read policy. If the user wants a full understanding of the information that Google collects or stores, he or she must select and review a number of different webpages. Further, CNIL alleges that data processing and collection for targeted advertising is either not disclosed to the user, or is unclear or too vague for the user to understand. Taking these together, CNIL concluded that Google violated the GDPR by failing to be transparent in its data collection and processing practices.
GDPR user consent for targeted advertising
Second, CNIL alleges that although Google obtains user consent for targeted advertising purposes, it does not obtain valid consent. The user is not fully informed as to what specific information is collected and is not told that the consent is applied to multiple platforms owned by Google. Importantly, the checkbox seeking user consent to targeted advertising is pre-checked. The GDPR requires affirmative consent for targeted advertising, and data protection authorities have warned that a pre-checked box does not signify valid affirmative consent.
Finally, before an account is created, the user must check two boxes stating, “I agree to Google’s Terms of Service,” and “I agree to the processing of my information as described above and further explained in the privacy policy.” The result of these checkboxes is that the user gives a “broad” consent to Google’s data processing operations, and not an individual consent for each data processing operation as required under the GDPR. Looking at these factors, CNIL found that consent violated the GDPR because it is not sufficiently informed, “specific,” or “unambiguous.”
Google has asserted that its consent process is “transparent and straightforward” and that it is concerned about the public policy implications of the enforcement action, stating that it is “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”
Practical implementation of the GDPR’s requirements
This enforcement action and appeal may provide some much-needed clarity around the practical implementation of the GDPR’s requirements. It may be too soon to talk about lessons learned, but the CNIL’s allegations help to provide some guidance on consumer disclosures, transparency, and informed consent. At the very least, this enforcement action presents an opportunity for companies subject to the regulation to review privacy policies and consents.
Also notable here is the question of jurisdiction. GDPR complaints, once received, are generally sent to local data protection agencies. Although Google’s European headquarters are in Ireland, CNIL found that the Irish headquarters “did not have decision-making power on the processing operations.” Instead, decision-making power for Google’s processing system was most likely at its Mountain View office. Accordingly, CNIL retained investigatory and enforcement power over the complaint and brought the enforcement action.
McDonald Hopkins can therefore caution companies operating in Europe against relying on any GDPR complaints being investigated by the enforcement agency in the country in which their European headquarters is located. As in the Google investigation, unless the European headquarters has decision-making power, the company may be subject to investigation by any agency that has received a complaint.
We will continue to monitor Google’s appeal, and other notable enforcement actions brought under the GDPR, and advise on best practices in light of GDPR enforcement.