On January 22, France’s National Data Protection Commission (“CNIL”) imposed its very first penalty for a GDPR violation. The $57 million penalty levied against GOOGLE represents the largest penalty on any company since the GDPR became effective in 2018.
The Investigation
CNIL began investigating GOOGLE in 2018 after receiving complaints from the associations None of Your Business and La Quadrature du Net about GOOGLE’s handling of personal data, especially with respect to ads. CNIL found two types of GDPR breaches after conducting online inspections in September 2018:
Google Violated GDPR’s Transparency and Clarity Obligations
The GDPR provides that a data controller (defined in the GDPR as “natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”) must present information about how it processes personal data in a concise, transparent, intelligible and easily accessible form, using clear and plain language. GOOGLE failed to do either of these things.
CNIL found that certain information the GDPR required GOOGLE to provide was not easily accessible. Specifically, CNIL stated that essential information covered by the GDPR, such as data processing purposes, data storage periods, and information about which categories of personal data GOOGLE stored, could only be found by accessing an unreasonable number of separate documents. Essentially, users needed to go through up to five or six steps to access this information. CNIL further found that even after users found the information, it was presented vaguely and generically, another problem under the GDPR.
Google Violated GDPR’s Consent Requirements
The GDPR stipulates that user consent shall be a freely given, specific, informed and unambiguous indication of the data subject’s wishes.
CNIL held that the information about user data processing for ad personalization was diluted across several documents and did not adequately inform users, rendering consents insufficient. Additionally, consents were not “specific”, i.e. given distinctly for each purpose. Instead, users either had to give their consent in full, for all the purposes of the processing operations carried out by GOOGLE (ads personalization, speech recognition, etc.), or not at all.
Moreover, the option of whether to consent to personalized ads is pre-ticked when a user creates an account. CNIL stated that, under the GDPR, consent is “unambiguous” only with a clear affirmative action from the user – by ticking a box, for instance. Requiring a user to un-tick a pre-selected option is insufficient to indicate consent.
The Penalty
CNIL did not disclose how it arrived at $57 million for the penalty. However, CNIL suggested that both the amount and subsequent publicity of the fine were justified by the severity of GOOGLE’s violations. As described, GOOGLE breached essential GDPR obligations regarding transparency, clarity, and effective user consent. CNIL deemed these breaches especially problematic because they were continuous and broadly impactful, considering the prevalence of the Android OS in France, and because GOOGLE had special obligations under the GDPR since its economic model is partly based on personalized ads.