On 21 January 2019, the CNIL, the French Data Protection Authority, imposed a record fine of €50,000,000 on Google. What can we learn from this decision?
The CNIL criticizes Google for two main shortcomings:
- Lack of transparency and information
The general architecture of the information provided to a user creating a Google Account prevents the user from being fully, clearly and easily informed about the nature of the data that Google processes or will process about them.
The stated processing purposes are too generic and too vague. Where the processing relies on consent, the information given leaves the data subject confused as to which legal basis actually applies. In addition, the data subject is not told for how long his or her data are retained.
- Lack of legal basis for data processing
Google invokes consent (Article 6(1)(a) of Regulation (EU) 2016/679) as the legal basis for the processing necessary to personalise advertisements. However, the CNIL considers that this consent is not valid, for two reasons:
– Consent is not sufficiently informed because the information given to the person concerned is diluted in several documents.
– The consent obtained is neither “specific” nor “unambiguous”. The option for ad personalisation is pre-checked, so the user performs no positive act that would make his consent unambiguous. Moreover, before the account is created, the user is asked to tick the boxes “I accept Google’s terms of use” and “I agree that my information may be used as described above and detailed in the privacy policy”. Such a process leads the user to give consent in one go for all the purposes that Google pursues on the basis of that agreement (personalisation of advertising, voice recognition, etc.). Yet consent is “specific”, as the GDPR requires, only if it is given distinctly for each purpose.
What should you remember from this decision for your own GDPR compliance?
First of all, communicate with complete transparency about the processing of personal data that you carry out. Be concise, precise and as complete as possible. Do not hide behind legal boilerplate to create a mere appearance of compliance. The information to be provided to data subjects is set out in Articles 12, 13 and 14 of Regulation (EU) 2016/679.
Then keep in mind that consent is not the default legal basis for every processing of personal data. Article 6 of Regulation (EU) 2016/679 lists six legal bases for processing personal data, and consent is only one of them. Because the data subject may withdraw consent at any time, and because the conditions for its validity are extremely strict, consent should (i) be used as the legal basis only where no other legal basis is available, and (ii) where it is the only possible legal basis, be obtained validly and its proof preserved (Articles 7 and 8 of Regulation (EU) 2016/679).
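The two engineering consequences of the decision, unbundled per-purpose opt-in with no pre-checked default and a retained proof of each consent, can be enforced in the consent-capture code itself. The following is an added example and not code from the original article or from Google: a small consent ledger that rejects pre-checked defaults and bundled "agree to everything" submissions, records one timestamped, policy-versioned entry per purpose as proof, and supports withdrawal. The purpose names, policy version and user identifiers are assumptions made for the example.

```python
"""Added example (not from the original page): a minimal GDPR consent ledger.

Enforces three properties drawn from the CNIL decision:
  1. consent is a positive act (no pre-checked defaults),
  2. consent is specific (one choice per purpose, no bundled "agree all"),
  3. proof of consent is preserved (timestamp, purpose, policy version).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Hypothetical processing purposes for the example (assumption).
PURPOSES = {"ads_personalisation", "voice_recognition", "location_history"}


class ConsentError(ValueError):
    """Raised when a submission cannot count as valid consent."""


@dataclass
class ConsentRecord:
    """One proof-of-consent entry for a single (user, purpose) pair."""
    user_id: str
    purpose: str
    granted: bool
    policy_version: str        # which privacy policy text the user saw
    recorded_at: datetime
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def record_consent(self, user_id: str, choices: Dict[str, bool],
                       policy_version: str, default_checked: bool = False) -> None:
        """Store the user's per-purpose choices as separate proof records.

        `choices` maps each purpose the user was asked about to the box
        state they submitted; absent purposes are simply not consented.
        """
        # A pre-ticked box is not a positive act: refuse to treat it as consent.
        if default_checked:
            raise ConsentError("checkbox defaults must be unchecked")
        # Only known, individual purposes may be consented to; a catch-all
        # key such as "agree_all" is bundled consent and is rejected.
        unknown = set(choices) - PURPOSES
        if unknown:
            raise ConsentError(f"consent must be given per purpose, got {sorted(unknown)}")
        now = datetime.now(timezone.utc)
        for purpose, granted in choices.items():
            self._records.append(ConsentRecord(user_id, purpose, bool(granted),
                                               policy_version, now))

    def _latest(self, user_id: str, purpose: str) -> Optional[ConsentRecord]:
        matches = [r for r in self._records
                   if r.user_id == user_id and r.purpose == purpose]
        return matches[-1] if matches else None

    def has_consent(self, user_id: str, purpose: str) -> bool:
        """True only if the most recent record grants consent and it is unwithdrawn."""
        rec = self._latest(user_id, purpose)
        return rec is not None and rec.granted and rec.withdrawn_at is None

    def withdraw(self, user_id: str, purpose: str) -> bool:
        """Withdrawal is always possible; returns False if nothing to withdraw."""
        rec = self._latest(user_id, purpose)
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = datetime.now(timezone.utc)
        return True

    def proof(self, user_id: str, purpose: str) -> Optional[ConsentRecord]:
        """The record a controller would produce to demonstrate consent."""
        return self._latest(user_id, purpose)


if __name__ == "__main__":
    ledger = ConsentLedger()
    # Constructed submission: the user ticked ads but left voice recognition unticked.
    ledger.record_consent("user-42", {"ads_personalisation": True,
                                      "voice_recognition": False}, "policy-2019-01")
    print(ledger.has_consent("user-42", "ads_personalisation"))   # True
    print(ledger.has_consent("user-42", "location_history"))      # False, never asked
    print(ledger.proof("user-42", "ads_personalisation"))
```

The ledger deliberately treats "not asked" and "declined" the same way (no consent), and keeps the declined and withdrawn records rather than deleting them, since the history is what lets the controller show what the user saw and chose, and when.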