50 MILLION – FIRST FINE FOR GOOGLE FOR A BREACH OF GDPR IN FRANCE. WHAT SHOULD THE BALTIC COMPANIES KNOW?
On the day of the Super Blood Moon, the French data regulatory authority (CNIL) imposed a financial penalty of EUR 50 million against Google France and made the full text of the punitive decision public for two years. This is the first major fine related to the GDPR imposed in the European Union.
The CNIL fined Google after eight months of investigations that were started based on complaints received from Max Schrems’ advocacy group None of Your business (NOYB) and another association. They argued that:
(i) Users of Android OS devices are under the impression that they won’t be able to use them without creating a Google account – the devices aggressively suggest that the users create one; and
(ii) no clear or complete information about the processing of personal data is available when signing-in to a Google Account or using it; as well as
(iii) Google had not obtained their consent to place personalised ads in its services or explained why no consent was necessary for other promotional products.
These recent events in France closely reflect the reality in the Baltics – the European Union data protection authorities regularly discuss issues related to the application of the GDPR and CNIL is one of the leading institutions in Europe. Below you will find five things any company in the Baltics that processes personal data and has already tried to implement the GDPR should know. If you are only considering implementing the GDPR, this is a good time to start working on it.
1/ Opt-out is dead
Google processes our data to create personalised ads based on our consent. However, such consent is given in the form of an opt-out. A default setting automatically giving such consent is hidden on a page, which a user can only access after reading the Terms of Service, i.e. on the second layer. The CNIL agreed with the long-standing case-law of the European Data Protection Board which does not recognise such pre-set consents.
If your company still collects such consent, it would be best to create a detailed menu offering an option to consent to each data processing purpose separately or to their groups (especially with respect to cookies, see dvi.gov.lv). For user convenience, an option “agree to all” may be provided at the end of such a list. Such option allows the user to choose ads she wants to see. The marketing departments, on the other hand, must become more creative and treat personal data as products that should be exchanged or kindly asked for.
2/ The consent text must be crystal clear
The CNIL also fined Google for not explicitly indicating the legal basis for each purpose of data processing (one of the six types defined in Article 6 of the GDPR). The CNIL considered this to be a particularly serious violation because the users didn’t understand that they had agreed to the collection of large amounts of their private information and to supplementing it with conclusions about people living in their region or other conclusions drawn from the analysis of this information. Namely, in the field of advertising, Google handles personal data for two main purposes – to offer personalised ads and ads that can be seen on the side of a particular website.
A personalised ad is a pop-up window on a YouTube video or an offer for me to study personal data protection in the AdWords section of my Gmail. Google’s prior consent was worded as follows: “We request your consent to the processing of your data for specific purposes and you have the right to withdraw it at any time. For example, we ask that you consent to the provision of personalised services such as advertising.” Google believes that by clicking “accept” I have agreed to personalised ads and have allowed Google to analyse my Gmail Inbox and search history so that Google can learn about my interest in data protection.
On the other hand, Google explains that the IKEA ad on the side of Delfi page you are browsing is need (legally – its Google’s legitimate interest) to provide advertising services and profile you on the basis of your home address (IP address, language settings) and income range (the type and model of your device, the Jysk site you’ve previously visited). It explains this type of advertising right after explaining the previously-mentioned consent, as well as mentions its minimal marketing interest in exploring user habits and allowing them to use YouTube, Gmail and other services for free.
If this clarified which ads require consent and which only help Google get to know users and sell non-personalised ads, then there’s a great chance you could help Google in the court against CNIL (yes, they appealed). The CNIL argued that the above wording doesn’t allow users to understand the difference between consent personalised advertising and its other forms. By the way, the CNIL also pointed out that consent must be obtained when creating a Google Account and not when starting to use a new service such as a new Android tablet. That way the GDPR requirement to give consent at the time of data collection or before would be fulfilled.
The CNIL stressed that Google processes large amounts of personal data through 20 different services that study our behaviour under a magnifying glass. Therefore, it needs to put much more effort into providing information to users. This would allow each of us to genuinely assess, control or change the information about us that Google has observed.
4/ The supervisors care about your plans to implement the GDPR
An interesting fact is that Google promised to fully implement the GDPR by 21 January 2019 by handing USA Google LLC’s functions over to its Irish entity, thus making it the data controller of Google data and making sure Google is subject to the jurisdiction of the Irish authority (more on this later). The CNIL awaited the date by which Google had promised to implement its plan and imposed a penalty of EUR 50 million finding that nothing had changed on that date and that the privacy information was still fragmented.
Such approach confirms that the CNIL was ready to cooperate in order to properly incorporate the GDPR in Google products. However, I sensed a certain level of disappointment when reading the part of the decision talking about Google’s promises, which may have motivated the CNIL to apply the publication of its decision as an additional penalty.
Therefore the good news for those who are still in the process of implementing the GDPR is: all the plans that you have documented so far will be good arguments for the data protection authority and may help prevent or mitigate the potential penalty. The bad news is that everyone should keep their promises and such excuses as budget cuts or changes in staffing will not justify the fact that these plans have not been implemented.
5/ Partial implementation of the GDPR may protect you against maximum penalties
Although the CNIL recognised that the Android operating system and other Google products are developed by USA Google LLC, it calculated the penalty based on the turnover of Alphabet, Google’s parent company (see the next section for more details).
It seems that the CNIL reduced the initial 4% fine to EUR 50 million, or less than 4% of Alphabet’s (Google LLC’s owner) turnover worldwide. Although this reduction was based on proportionality only, in my opinion, the reduction could be justified by the fact that Google had provided some information to users and tried to bypass rather than completely ignore the requirements of the GDPR.
6/ The supervisors will verify where the group decides about processing data
The CNIL decision contains two issues of particular interest to lawyers. The first is which European data protection authority should Google be subject to. Every EU Member State has a data protection authoriy, so, in theory, each of them can penalise a company that serves individuals on the national market.
For example, the Data State Inspectorate in Latvia may control the work of sudzibas.lv even if its servers are located in Lithuania and Belarus because its target audience is the residents of Latvia. Therefore, the GDPR explains how an institution that receives complaints should understand in which Member State the group decides the purposes and methods of personal data processing and where its target audience is located.
Google defended itself by saying that the centre of its European companies is in the Republic of Ireland. It sells all the services that are provided in Europe and Africa, therefore the CNIL must hand the case over to the Irish authority. Even if there is a dispute over this aspect, it should be resolved by the European Data Protection Board.
The CNIL basically laughed at this reasoning and told Google that neither its terms of service, nor any other of its public information mentions the Irish company as its data controller. Moreover, the information available about its operations has shown that the Irish company is acting as a Google service provider and administrative financial centre rather than creating products or making decisions with respect to personal data.
It also noted that the Irish data protection supervisor had already disassociated itself from being the lead supervisor of Google (most likely in response to Google’s request to recognise itself as one), and that, in practice, Google’s activities in each Member State should be monitored locally.
When structuring the data processing, Baltic companies must have it clear which company decides to create a new product functionality how documents shall be circulated within the group of companies. If there is no single seat or headquarters for the unified services in the Baltics, I suggest centralising decision-making by product categories or across the group of companies in order to operate in accordance with one data protection supervisor’s understanding of the GDPR and the requirements of one legal system.
7/ The association’s right to complain could be interpreted widely
Article 80 of the GDPR requires the supervisors to accept complaints from associations that are active in the field of data protection and even grants them the right to receive compensation for a data breach. In this case, the CNIL acted in response to a complaint by 9'974 members of associations - NOYB and Le Quadrature du Net.
Google argued (fully in line with the existing Latvian case law with respect to any applications from associations) that these associations did not have a mandate in their bylaws to lodge complaints. Such mandate couldn’t be deduced from their purpose. CNIL pointed to the respective article of the GDPR and explained that the purpose of these associations is to defend the public interest in the field of IT and that they had been truly active in protecting personal data. Consequently, no additional formalities were required and the mandate of the associations was sufficient.
As I have already mentioned, the procedural laws in Latvia strictly follow the formal approach and require that the statutes of an association specifically provide for representation of the rights of its members. It is most likely up to the European Court of Justice to decide if this approach will change with respect to the GDPR.