Laura Sulymosi
In the spirit of Data Privacy Day, which was recognized throughout the world, we wanted to share a special mid-week post with you from our GDPR expert Privacy Consultant and Legal Counsel, Laura Sulymosi.
You Should Become Pals With Privacy
Once upon a time, there was a very influential household conglomerate called Google, with extensive and extremely complex data processing activities. Google encompassed such characters as Android, YouTube, AdSense, Ads, Google Play, Google Search, Google Photos, Gmail, Google Maps, Google Analytics, Google Docs, Google Hangouts, and Google+, to name a few. These heroic entities play leading roles in many tales in many lands, both near and far away. Making their story ever more intriguing was the never-ending assortment of understudies that would appear on stage using the information from their characters, based on personal data collected and stored away. While the plot of Google’s story always begins with the goal of making our lives better and easier, villains certainly exist, and their goal might be to use personal data for their own betterment, without letting people know about it and without appropriate consent.
In the right hands personal data accumulated by services like the Google suite can be used for good and truly make our lives better and easier, and our communication effortless.
In the wrong hands? That's a whole other story, and unfortunately it is not a happy one. And that's why data protection regulations like the GDPR, and regulators like the CNIL, exist.
Recently Google was issued a 50 million Euro fine by the French data protection authority CNIL (Commission nationale de l'informatique et des libertés) for not complying with GDPR.
There is no question that Google has invested significant resources in privacy management. That said, it is not hard to imagine how complicated compliance with the strictest data regulation in the world, the GDPR (the General Data Protection Regulation of the European Union), would be for a provider whose service models were designed around the extensive processing, combination, and sharing of personal data.
The CNIL fine decision is notable since it highlights how a very sophisticated brand employing a large number of privacy professionals was found to be in breach of the most basic concepts of the GDPR: transparency, legal basis, and retention. If Google is found to be in breach of the GDPR, it is quite likely that a large number of smaller businesses might be found in breach as well.
It Didn’t Come Without Warning
Google had some history with the European data protection authorities and courts before the introduction of the GDPR in 2016.
- In the Vidal-Hall v. Google Inc. case, a group of individuals successfully argued before the English Court of Appeal that profiles of their browsing habits constituted personal data and that Google’s use of these profiles to target ads to their devices was objectionable. (Vidal-Hall v. Google Inc. [2015] EWCA Civ 311, 27 March 2015.)
- In 2014, the CNIL “warned” Google that its then-current privacy policy did not meet the requirements laid down in the respective national data protection laws at that time.
- In 2012, after several months of investigation led by the CNIL into Google’s then newly introduced privacy policy, the CNIL recommended that Google:
  - Provide clearer and more complete information on its data processing practices to users, including comprehensive information about the collected data and the purposes of each of its personal data processing operations.
  - Offer users more control over the combination of their personal data across its numerous services.
  - Clarify the legal basis for combining data for each of the stated purposes.
  - Provide retention periods.
  - Modify its tools to avoid an excessive collection and combination of personal data.
Almost 7 years later, in the current CNIL fine decision, Google was called out on very similar shortcomings.
The CNIL’s Fine against Google in January 2019
On May 25, 2018 (the very date of the GDPR’s implementation), and a few days later, a group of approximately 10,000 individuals submitted complaints against Google claiming that Google did not have a legal basis to collect, use, share, etc. their personal data, particularly for the purpose of personalizing ads. As a result of these complaints, the CNIL launched an investigation that focused on the personal data collected by Google based on the browsing habits of users and the documents they access when creating a Google account, particularly during the configuration of an Android-based smartphone.
There were several principles and requirements of GDPR that were examined:
Lack of Transparency. The CNIL criticized Google for a lack of transparency saying that essential information, such as the (i) purposes of processing, (ii) the storage periods or (iii) the type of personal data used for ads personalization are scattered across several documents while users need to click on various buttons and links to get to this basic information. This is certainly not an accessible and user-friendly way of providing information.
Lack of Clarity and Comprehensiveness of Google’s Privacy Policy. The CNIL noted that the purposes of processing and the types of personal data processed are described in too generic and vague a manner. The CNIL also criticized that the lawful basis of processing is not clearly identified.
No Valid Legal Basis for Ads Personalization Processing. The CNIL found that although Google intended to rely on consent as the legal basis for its processing of personal data for ad personalization purposes, its consent process failed to meet the requirements defined by the GDPR. Consent that is not informed, specific, and unambiguous, and that is not expressed by a statement or clear affirmative action, is not valid consent after all.
- No Informed Consent. The CNIL found that the consent supposedly provided by users to Google to process their personal data is not sufficiently informed, due to the lack of transparency, clarity, and comprehensiveness of the information provided on Google’s data processing activities. The CNIL notes that the information provided by Google does not enable users to appreciate the extent of the personal data processed, the processing operations, and the extent of the Google services involved in the collection and use of personal data (Google Search, YouTube, Google Home, Google Maps, Google Play, Google Photos, Google Analytics, and Google Translation).
- No Unambiguous Consent and Lack of Clear Affirmative Action. Google requires a user to modify certain options associated with a Google account upon creation to make the services more privacy-friendly, and the ad personalization option is pre-ticked, meaning that by default the user allows ad personalization. Thus, there is a lack of clear affirmative action (i.e., ticking an unticked box), which makes the consent ambiguous and therefore not valid.
- No Specific Consent. The CNIL states that instead of requesting users to give their consent to all operations all at once, consent should be given specifically for each processing operation.
Lack of Defined Retention Period or Criteria. In the CNIL’s view, Google does not provide any precise retention period or criteria, which is one of the mandatory items to be listed in any privacy policy.
How and Why to Become Pals with Privacy
In order to avoid following in Google’s privacy footsteps, companies must revise their privacy policies to become compliant with GDPR and ensure that their privacy policies, procedures, and practices are in line with what is stated in their public privacy policies through a GDPR gap assessment.
GDPR compliance can be achieved without limiting your company’s ability to innovate and improve its services; instead, it can strengthen your users’ trust and their control over the processing of their personal data.
This CNIL fine must serve as a cautionary tale for all North American companies that process the personal data of European Union residents. The breaches highlighted by this recent decision are the most basic and common breaches that any company can make, big or small, and this particular outcome is just scratching the surface. The more complex rules of the GDPR around security, privacy by design and by default, data protection impact assessments, and third-party management were not even challenged by this decision. Those are areas that might bring to light further shortcomings at most companies.
If you would like to ensure you are complying properly with the GDPR and don't want to become part of a scary story, do not hesitate to reach out to us today!