GDPR enforcement is ramping up. The French data protection authority, Commission nationale de l’informatique et des libertés (‘CNIL’), has just fined Google €50 million, the world’s largest data protection fine. It is one of only a handful of fines issued since the GDPR came into force on 28 May 2018, and the biggest by far. The General Data Privacy Regulation (‘GDPR’) is a data protection law that replaces and extends Directive 95/46/EC (‘Data Protection Directive’) from 1995. It imposes baseline requirements for data protection across the EU, allowing Member States to legislate with respect to their own jurisdiction in many areas.
CNIL found that Google had committed two breaches of the GDPR. The first was that Google had violated the obligation of transparency and information. Essential information, such as data processing purposes, was difficult to find, sometimes requiring up to 5 or 6 actions to reach.
Secondly, Google also violated the obligation to have a legal basis for ad personalisation processing. The GDPR requires specific and unambiguous consent to use data for ad personalisation, including an affirmative action from the user. The information Google provided about personalised ads was found not to clearly convey the number of services processing personal data, including Google Maps, YouTube and Gmail. Further, to configure the display of personalised ads, Google users had to click “more options” and, when they did, all checkboxes were pre-ticked. Pre-ticked checkboxes are widely accepted not to meet the GDPR’s threshold for valid consent.
In short, it was CNIL’s argument that, while Google may, in respect of some actions, have been construed as technically complying with the requirements of the GDPR, it was not meaningfully engaging with the spirit of the regulation.
This case study highlights two interesting questions regarding jurisdictional governance of data and privacy: first, whether the GDPR applies at all to a non-EU company such as Google; and second, which supervisory authority is competent to enforce it against that company.
The answer to the first question can be found in Article 3 of the GDPR, guidelines about which were released on the 16th of November 2018. The GDPR applies to processing of personal data not only by EU controllers, but also by the EU establishments of non-EU controllers. This means that Google, a US company, is subject to the GDPR.
The answer to the second question is more complex. The GDPR provides for a so-called ‘one stop shop’ mechanism, under which the GDPR is enforced only by the supervisory authority of the data controller’s main establishment, with a view to simplifying compliance that was previously fragmented across the 28 Member States of the EU. However, because Google was a non-EU controller, and processing took place across multiple Member States, CNIL considered itself jurisdictionally competent to rule on all complaints made against Google and to impose the €50 million data fine. While various commentators have questioned the legality of this regulatory reach, it does not seem to have attracted broad controversy.
The GDPR applies to all data processors, including individual content creators and small businesses who may not have adequate consent mechanisms for data capture on their platforms. For instance, many publishers only allow users to give consent to data collection, providing no option to deny consent except by exiting the webpage. There are concerns that the precedent set by the CNIL ruling will hamstring these original content creators and publishers. It is on this basis that Google has announced it plans to appeal the data fine.
One counterpoint to note is that few data processors would have a network of services as complex as Google’s and therefore few would be held to such a high standard. This should come as a relief to many smaller web publishers.
Notwithstanding the above, the message of the ruling is clear. Data processors must embrace the spirit of the GDPR; a consent process designed to look GDPR-compliant is not enough on its own, as Google’s case shows.
Richard Reeves, managing director of the Association of Online Publishers, says “this is about the fact they have so many spider webs out there, that they are leveraging the opportunity that provides.” That is, Google’s prefilled consent form and scarce information were not sufficient for the uniquely high level of data processing that Google conducts.
The GDPR should be seen as one of a range of changes, including changes to copyright law, that the EU is making to overhaul data laws for modern realities.
The size of Google’s data fine comes as a shock to many, though in fact it pales in comparison to the upper limit of what the GDPR empowers regulators to impose, up to 4% of annual worldwide turnover, which would mean a data fine of €4 billion. Google violated its obligations to inform data subjects about how their data was being used and to seek valid consent from them. Though few other companies will conduct data processing operations as complex as Google’s, and therefore will not be held to as high a standard, the ruling should nonetheless be seen as an indication that the EU is serious about GDPR enforcement. Data processors should also be aware of the broad jurisdictional scope of the GDPR, which could leave them open to enforcement action from any EU supervisory authority.
DigiDay UK, “The industry can’t say it hasn’t been warned: Media execs react to Google’s GDPR fine”, 23 January 2019.
The information above is general in nature. If you want to learn more about how the GDPR might affect your business, please contact us below.