Google Fined €50 Million for GDPR Violations: What Does This Mean and What to Expect Next?

Type: Blog
Topic: Compliance

What Happened?
France’s Supervisory Authority (CNIL) has fined Google $56.8 millions Euros for what the data protection watchdog believes is a violation by the multinational tech company on EU’s General Data Protection Regulation (GDPR).

How did it start?
After receiving complaints based on ‘forced consent’ by Google from La quadrature du Net, a French digital rights advocacy group, and None of Your Business, a nonprofit organization led by Max Schrems (known for previous campaigns against Facebook for privacy violation), the CNIL started its investigation.

For what reasons?
On the basis of its investigation, the CNIL established two types of breaches of the GDPR by Google that occur when new Android users set up a new phone and follow Android’s onboarding process.

They claim that Google is making its data collection policies too difficult to access and that the company failed to obtain specific user consent.

The CNIL notes two specific reasons, later covered in this document:

• A violation of the obligations of transparency and information.
• A violation of the obligation to have a legal basis for ads personalization.

Policy Implications:
This decision by the CNIL shows insight into how it was permitted to issue the fine despite Google’s European HQ being located in Dublin.

The GDPR establishes a “one-stop shop” mechanism, providing that, as a main rule, organizations carrying out cross-border personal data processing activities will only have to deal with one lead supervisory authority (the DPA of that Member State) in the future. Cross-border processing can be further understood through Article 4(23) of the GDPR.

The benefit of the one-stop shop mechanism is that controllers and processors will be able to collaborate with one DPA so that other “concerned DPAs” can also be involved when the processing in question affects individuals in their State.

Cross-border processing applies to Google and so Google’s challenge is to find its lead supervisory authority. Article 56(1) establishes that the Supervisory Authority for the main establishmentof the controller (controller = organization, just to keep it simple) will serve as the Lead Supervisory Authority.

The main establishment is further defined in Article 4(16) as:

“the place of central administration in the Union, unless the decisions on the purposes and means of the processing of personal data are taken in another establishment of the controller in the Union and the latter establishment has the power to have such decisions implemented, in which case the establishment having taken such decisions is to be considered to be the main establishment;”

The word “unless” is key in identifying the Lead SA for Google, or the lack of. Google’s headquarters is in Ireland, so naturally one would think it constitutes as the “place of central administration in the Union.” Wrong. The CNIL concluded that the EU Google HQ does not have the final say when it comes to data processing during the creation of new users on the Android OS (Who does? Most likely Google’s HQ in California but decidedly not in Ireland). This means that the Google Ireland HQ cannot be considered as a main establishment within the meaning of Article 4(16).

So, the issue remains in the hands of the French authority. Interesting. The CNIL is effectively considered the competent Supervisory Authority to flex its newfound power given under the GDPR.

Parting Thoughts:

• The CNIL noted that the violations are “continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.”
  • As of now, the CNIL is the supervisory authority responsible for the matter; other SA’s across EU will not be able to issue fines for the same infractions. However, I would not be surprised if SA’s across EU are examining Google’s operations under a now heavily magnified GDPR lens.
• As this is the largest fine issued under the GDPR, all Member States of the EU would be wise to pay close attention and be eager to exercise their powers. Google (and manyother companies) would be even wiser to take a closer look than before on how the GDPR impacts their data processing and act quickly.
  • NYOB has already taken aim at top tech firms including Apple and Amazon under the GDPR. Now that the CNIL has acted on Google, expect more regarding other tech firms.
• Most certainly Google will appeal the fine which will provide more insight onto the situation and how clever Google’s lawyer can get in excusing Google’s actions.
• The $58.6 million fine is likely not a concern to Google. The real concern to Google is the changes it will be forced to make.

For those still reading on, here is a breakdown of the reasons the CNIL lists in its sanction of Google.

• A violation of the obligations of transparency and information
  • The main infraction here relates to the availability of what is considered essential information.
    • Data processing purposes
    • The data storage periods
• Categories of personal data used for ads personalization
  • These essential information “are excessively disseminated across several documents, with buttons and link on which it is required to click to access complementary information.” Furthermore, “the relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.”
  • This impacts users as they are not able to fully understand the extent of the processing operations carried out by Google, an understanding mandated by the GDPR (Article 5(1)(a)).
• A violation of the obligation to have a legal basis for ads personalization.
  • Google states that it obtains the user’s consent to process data for ads personalization purposes.
  • The CNIL notes that “the consent is not validly obtained for two reasons”:
    • User’s consent is not sufficiently informed. The information regarding this is spread across several documents, making the user unaware of the full extent of the processing.
    • Collected consent is neither specific nor unambiguous. This violation can be seen in Recital 32.
      • Specific – Recital 32 of the GDPR states that “when the processing has multiple purposes, consent should be given for all of them.” The CNIL notes that “before creating an account, the user is asked to tick the boxes « I agree to Google’s Terms of Service» and « I agree to the processing of my information as described above and further explained in the Privacy Policy» in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by Google.”
      • Ambiguous – Under the GPDR, consent is unambiguous only with a clear affirmative action from the user. Pre-checked boxes will not suffice. When creating an account, the user can configure the display of personalized ads. However, when clicking “More options” to access the configuration, the display of the ads personalization is pre-ticked. Recital 32 states that “silence, pre-ticked boxes or inactivity should not therefore constitute consent.”

Matt Dumiak is Director of Privacy Services, Customer Engagement Compliance at CompliancePoint focused on U.S. and international direct marketing compliance regulations. He works with clients in a variety of industries and is dedicated to providing reliable and practical consulting services. Matt has earned a Certified Information Privacy Professional (CIPP/US) certification from the International Association of Privacy Professionals (IAPP), a Customer Engagement Compliance Professional (CECP) certification from the Professional Association for Customer Engagement (PACE), and has a B.S. in Economics from Georgia College.  www.compliancepoint.com