€50 Million fine for Google (GDPR)

The French data protection supervisory authority CNIL has imposed a €50,000,000 fine, the highest to date under the GDPR. The fine follows complaints by the NGO noyb.eu (short for “none of your business”) and the LQDN group (short for “La Quadrature du Net”). noyb.eu had filed complaints against Google, Instagram, WhatsApp and Facebook in four countries as soon as the GDPR became applicable in May 2018 (more on this in our earlier article on SDPL).

The CNIL is now the first authority to conclude its proceedings, and it has done so with a record fine. Online inspections, in particular an analysis of a user’s browsing path, were used to examine which documents a user is presented with when setting up a Google account while configuring an Android mobile device. The authority identified two types of data protection violation:

  1. Violation of transparency and information obligations (Art. 5 and Art. 12 GDPR)
  2. Breach of the obligation to have a legal basis for personalised advertising (Art. 6 GDPR)

With regard to transparency and information, the CNIL criticised that the information was not easily accessible. For example, the basic information on the purposes, retention periods and categories of personal data processed was scattered across several documents, and in some cases five or six actions were needed to reach the relevant information. In addition, the information was partly unclear or incomplete: information on the retention period of certain data was missing, and it was not sufficiently clear to the user that the legal basis for personalised advertising was their consent (Art. 6 para. 1 lit. a GDPR) rather than the legitimate interest of the company (Art. 6 para. 1 lit. f GDPR).

With regard to consent to personalised advertising, the CNIL criticised that insufficient information was provided on which individual services the consent covered (specifically: Google Search, YouTube, Google Home, Google Maps, Play Store, Google pictures and others) and that the consent had not been obtained unambiguously or in a specific manner. The CNIL reiterates and confirms the well-known GDPR requirement that data protection opt-in boxes may not be “pre-checked”, and states that consent is only valid if it is given specifically for each purpose (rather than through the usual blanket “I agree to the data protection declaration” question).

Google has announced that it will appeal the fine.

Companies can draw the following lessons from the fine imposed on Google:

  • A company should centralise its data protection information in a few documents, i.e. preferably work with only one or very few privacy policies (ideally using the so-called “Layered Approach”, which has been approved by several data protection authorities; if you are interested in the Layered Approach, please leave a comment and we will publish an article on it).
  • Consent must be obtained through a positive action, not through pre-checked checkboxes, and it should be specific, i.e. given or denied for each purpose individually.
  • It should be checked whether processing really needs to be based on consent, or whether one of the other legal bases would be more reliable and easier to handle (e.g. GDPR Art. 6 para. 1 lit. b – performance of a contract, lit. c – legal obligation, or lit. f – legitimate interest).

The decision of the CNIL can be found here. The CNIL has also issued a press release on the matter.