On 21 January 2019, France’s data protection regulator, CNIL, fined Google €50m ($80 million AUD) for breaches of the European Union’s General Data Protection Regulation (GDPR).
Complaints were made against Google by two associations in May 2018, claiming that Google did not have sufficient legal justification to process personal data from users, specifically in features such as ad personalisation. CNIL commenced an investigation in September 2018 to determine whether Google had complied with the Data Protection Act and the GDPR.
Google was in breach. The CNIL found two main infringements:
Transparency
CNIL found that Google did not provide sufficient information to users regarding how their data was to be processed, how long it was to be retained, or how it would be used in features such as ad personalisation. Information provided by Google regarding data usage was scattered and required multiple successive clicks to access, in some instances 5 to 6 clicks.
Furthermore, information provided by Google was not clear or comprehensive, and was found to be generic. It contravened transparency obligations under Articles 12 and 13 of the GDPR. Moreover, the information was not clear regarding the intent for processing users’ data.
Legal Basis to Obtain Data
Google was found not to have collected sufficient consent from its users prior to collecting and processing data, particularly for advert personalisation. Firstly, users were not sufficiently informed regarding the range of the services, websites and other features involved in processing users’ data. The services utilising this data included Google search, YouTube, Google Maps and several others.
Secondly, when users created an account they were able to click a “More Options” button which would allow them to specify preferences, including altering how personalised ads are shown. The box permitting ad personalisation was already pre-ticked. This created an ambiguity: had the user actually consented, or just proceeded to use the site without turning their mind to the question of consent at all?
Furthermore, in order to complete signing up with an account, users must tick a box specifying that they have agreed to Google’s Terms of Service and to the processing of their information as described in sign-up and in Google’s Privacy Policy.
This consent afforded Google the ability to utilise users’ data for an array of subsequent features. The CNIL held that this did not specify what features the consent was obtained for and, as such, did not meet the threshold of providing a legal basis for processing personal data as per Article 6 of the GDPR.
If you have a query relating to any of the information in this article, or you would like to speak with somebody in Holman Webb's Business, Corporate and Commercial team with respect to a GDPR-related matter of your own, please don't hesitate to get in touch with Tal Williams today.