In the spirit of Data Privacy Day, which is recognized throughout the world, we wanted to share a special mid-week post with you from our GDPR expert, Privacy Consultant and Legal Counsel Laura Sulymosi.
Once upon a time, there was a very influential household conglomerate called Google, with extensive and extremely complex data processing activities. Google encompassed such characters as Android, YouTube, AdSense, Ads, Google Play, Google Search, Google Photos, Gmail, Google Maps, Google Analytics, Google Docs, Google Hangouts, and Google+, to name a few. These heroic entities play leading roles in many tales in many lands, both near and far away. Making their story ever more intriguing was the never-ending assortment of understudies that would appear on stage, drawing on the personal data their characters had collected and stored away. While the plot of Google's story always begins with the goal of making our lives better and easier, villains certainly exist, and their goal might be to use personal data for their own betterment without letting people know about it, and without appropriate consent.
In the right hands personal data accumulated by services like the Google suite can be used for good and truly make our lives better and easier, and our communication effortless.
In the wrong hands? That's a whole other story, and unfortunately it is not a happy one. And that's why data protection regulations like the GDPR, and regulators like the CNIL, exist.
Recently, Google was issued a €50 million fine by the French data protection authority, the CNIL (Commission nationale de l'informatique et des libertés), for not complying with the GDPR.
There is no question that Google has invested significant resources in privacy management. That said, it is not hard to imagine how complicated compliance with the strictest data protection regulation in the world (the GDPR, the General Data Protection Regulation of the European Union) would be for a provider whose service models were designed around the extensive processing, combination, and sharing of personal data.
The CNIL decision is notable because it highlights how a very sophisticated brand employing a large number of privacy professionals was found to be in breach of the most basic concepts of the GDPR: transparency, legal basis, and retention. If Google can be found in breach of the GDPR on these points, it is quite likely that a large number of smaller businesses would be found in breach as well.
Google had some history with the European data protection authorities and courts before the GDPR was adopted in 2016.
Almost seven years after those earlier proceedings, in the current CNIL decision, Google was called out for very similar shortcomings.
On May 25, 2018 (the very date the GDPR became applicable), and again a few days later, a group of approximately 10,000 individuals submitted complaints against Google, claiming that Google had no legal basis to collect, use, share, and otherwise process their personal data, particularly for the purpose of personalizing ads. As a result of these complaints, the CNIL launched an investigation that focused on the personal data Google collects based on users' browsing habits, and on the documents users are shown when creating a Google account, particularly while configuring an Android-based smartphone. The CNIL's findings fell into four groups.
Lack of Transparency. The CNIL criticized Google for a lack of transparency, noting that essential information, such as (i) the purposes of processing, (ii) the storage periods, and (iii) the types of personal data used for ads personalization, is scattered across several documents, so that users need to click through various buttons and links to reach this basic information. This is certainly not an accessible and user-friendly way of providing information.
Lack of Clarity and Comprehensiveness of Google's Privacy Policy. The CNIL noted that the purposes of processing and the types of personal data processed are described in terms that are too generic and vague. The CNIL also criticized that the lawful basis for each processing operation is not clearly identified.
No Valid Legal Basis for Ads Personalization Processing. The CNIL found that although Google intended to rely on consent as the legal basis for processing personal data for ad personalization purposes, its consent process failed to meet the requirements of the GDPR. Under the GDPR, consent must be informed, specific, and unambiguous, and must be expressed by a statement or a clear affirmative action; consent that does not meet those conditions is not valid consent at all.
Lack of Defined Retention Period or Criteria. In the CNIL's view, Google does not provide any precise retention period, or the criteria used to determine it, which is one of the mandatory items that must appear in any privacy policy.
To avoid following in Google's privacy footsteps, companies must revise their privacy policies to become GDPR-compliant and, through a GDPR gap assessment, ensure that their actual privacy procedures and practices match what is stated in their public privacy policies.
GDPR compliance can be achieved without limiting your company's ability to innovate and improve its services; done well, it strengthens your users' trust and their control over the processing of their personal data.
This CNIL fine must serve as a cautionary tale for all North American companies that process the personal data of European Union residents. The breaches highlighted by this decision are the most basic and common breaches any company can make, big or small, and this particular outcome only scratches the surface. The more complex GDPR rules around security, privacy by design and by default, data protection impact assessments, and third-party management were not even at issue in this decision. Those are areas that might bring to light further shortcomings at most companies.
If you would like to ensure you are complying properly with the GDPR and don't want to become part of a scary story, do not hesitate to reach out to us today!