Written by Helen Bourne and Madeleine Shanks.
On Monday 21 January 2019, the French regulator, the National Data Protection Commission (CNIL), imposed a fine of €50m against Google LLC, in accordance with the General Data Protection Regulation (GDPR). The decision sets a higher bar for compliance, which others ought to observe, and provides some guidance as to what can be expected from future enforcement actions.
The fine follows an investigation carried out by the CNIL in accordance with Article 58 of the GDPR, as a result of group complaints by non-profit organisations None of Your Business (NOYB) and La Quadrature du Net (LQDN) in May 2018.
In response to the fine, Max Schrems, chairman of NOYB, commented: “Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
The CNIL imposed the fine for “lack of transparency, inadequate information and lack of valid consent regarding ad personalisation”.
The complaints alleged that Google did not clearly state which processing operations relate to each legal basis relied on under Articles 6 and 9 of the GDPR, and simply listed four bases for lawful processing.
The CNIL observed that the information provided was not easily accessible for users and not always clear or comprehensive. The structure of the information chosen by Google did not comply with GDPR, and essential information required to sufficiently inform data subjects of storage purposes, periods or categories of personal data used for advert personalisation was spread across various documents, with a number of clicks required to access the full information.
The CNIL observed that, due to the number of processing operations carried out by Google (about 20), the descriptions of the purposes of processing were too generic and vague. The CNIL concluded that it was not clear to the user that Google was relying on data subjects’ consent, and not the legitimate interest of the company, to process data for advert personalisation.
The CNIL concluded that data subjects’ consent was not sufficiently informed due to the use of multiple documents, and that the section on ‘Ads Personalisation’ did not clearly depict which services and websites would be involved.
It is clear from the CNIL’s decision that claiming to be compliant is not enough, and that companies need to consider how clear, unambiguous and easily accessible their information about data protection is. The CNIL has viewed Google’s data protection from the perspective of the data subject, and this is the perspective from which potential risks should be considered.