The French Data Protection Authority, or CNIL, fined Google LLC EUR 50 million for failing to adequately obtain user consent before gathering data for targeted advertising, as required by the EU’s GDPR. The case was brought before CNIL by privacy activist noyb, a nongovernmental organization seeking to enforce existing EU data protection legislation, and the French NGO La Quadrature du Net. The initial complaints, filed right after the GDPR went into effect, target Google, Instagram, WhatsApp Messenger and Facebook, Inc.
The four complaints are very similar and allege that “forced consent” and “bundled consent” methods were used to bully users into signing their rights away in order to use Google’s and Facebook’s services: “The ‘core’ element of consent is probably the fact that it must be freely given, as clarified in Article 4(11) of the GDPR and further specified in Article 7(4) of the GDPR,” write the authors of the complaint against Android, Google’s iOS software. “Thus, this complaint focuses primarily on the act of consent, which, in the present case, we do not see as ‘free.’”
The complaints touch on several topics, including:
The controllers’ duty to be able to demonstrate that data subjects have consented to their data being processed.
The imbalance of power between a giant tech company and a data subject.
The need for separating the services contract from the data processing consent form.
The detrimental effects that may occur when data subjects withhold consent.
A sign of things to come
The GDPR and the Working Party Guidelines (published prior to the GDPR) provide laws that govern and define “freely given consent.” Articles 6(1) and 7(1) of the GDPR deal with the controller’s obligation to demonstrate consent, stating that “[t]he burden of proof to demonstrate that the processing operation is lawful and that valid consent was obtained is … placed on the controller, not the Supervisory Authority or the data subject.” In its consent policy, Google bundles all of its products together and requests one-time consent from the data subject to collect, process and share personal data obtained from those products. But according to the GDPR, the company must show that consent was given for each product or be in violation.
“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law,” said Max Schrems, chairman of noyb. “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit.”
The fine is not a significant one for Google, but it is the largest fine levied so far under the GDPR and is a sign of things to come. As regulators grow more familiar with the regulation and how it operates, they will feel more comfortable reaching settlements and applying penalties.
Google was governed by CNIL, but responsibility for overseeing Google’s compliance with GDPR regulations has recently shifted to the Irish Data Protection Commission. CNIL levied the fine this time, but in any following actions, the Data Protection Commission will be the governing authority. The complaints against the other three services (Facebook, Instagram and WhatsApp) are all governed by separate data protection authorities, and rulings regarding the cases can be expected in the near term.
The larger questions remain: Now that CNIL has found Google’s “bundled consent” approach to be in violation of GDPR, what changes will Google make, and how will users be able to take advantage of a presumably more transparent and consumer-friendly method for obtaining consent?
In related news …
In another issue regarding Google and CNIL, the discussion over how to implement the “right to be forgotten” took a new turn after Maciej Szpunar, advocate general for the court, made his recommendations. At issue is whether or not Google must erase the data of a person who invokes the right to be forgotten from every Google platform or only the one native to the user.
Szpunar said that implementing the right to be forgotten globally could entice other countries to use that technology to threaten free expression or challenge data rights in third countries. The attorney general also argued in the nonbinding opinion that if the EU orders removal of content from websites accessed outside the region, there is a danger that other jurisdictions would use their laws to block information from being accessible within the EU.
But he also recommended that Google continue to remove results from non-EU versions of the site, provided the search was conducted from within the EU country of the EU resident who made the request. Although not the global solution some were looking for, having Google remove links to EU resident data from all of its platforms, so long as the search began in the EU, is still a very wide net to cast. Opinions filed by the advocate general are generally followed by the courts, suggesting that Google will win its legal battle with CNIL.
This issue stems from a separate case, Google v. Spain, in which the European Court of Justice ruled that European citizens have a right to request that commercial search firms that gather personal information for profit, such as Google, remove links to private information when asked, provided the information is no longer relevant.
In a sign of things to come, European data protection authorities are beginning to rule on cases brought under the GDPR following its implementation in May 2018, and they are willing to issue fines even against tech giants like Google.
The practice of “bundled consent,” in which companies bundle several products together and request one-time consent from data subjects to collect, process and share personal data, is a violation under the GDPR and will result in fines. Companies must obtain consent for each product they offer.