CNIL reminds Google of obtaining a “GDPR” level of consent – with a €50 million fine!

Earlier this month, the Commission Nationale de l’Information et des Libertés (CNIL), the French data protection authority, issued a fine of €50 million against Google for its failure to obtain valid consent as a legal basis for processing user data.

The fine is highly significant as it is the largest fine issued this far in Europe in respect of a breach of data protection rules. This fine will give some companies a wake-up call – GDPR rules have bite - and a sore one at that! 

What happened and what did the CNIL find?

Two privacy groups issued complaints against Google in 2018 alleging that Google did not have a legal basis for processing the data of its users. This is because it did not seek a “GDPR” level of consent when asking users to consent to being targeted with personalised advertisements.

The CNIL made its decision against Google on the basis of Google’s lack of transparency, provision of inadequate information to users and failure to obtain valid consent in relation to personalised advertisements. Transparency is fundamental to data protection.

What does this mean? We look at the two main areas of decision making below – transparency and consent.

Lack of transparency

The CNIL found Google lacking in transparency in relation to the user data it collected, stating that users were not sufficiently informed about Google’s activities.

In particular, essential information such as data retention periods and the purposes of processing, was spread across multiple pages and documents, making it difficult for users to locate important information and understand Google’s processing of their personal data.

This highlights the importance of the transparency principle and making sure Privacy Notices are clear, simple and easy to understand. If you are making users go between multiple documents and have not clearly explained why you are collecting the data, what you are going to do with it and why, it is likely that you are not complying with GDPR! Why? Because the user cannot make an informed decision as to whether they are going to give their consent or not if they do not have all the relevant information upon which to make such a decision.

Lack of valid consent

The CNIL found that the consent obtained by Google was insufficient and did not meet the standard required under the GDPR. This is because the consent gathered was ambiguous and not specific to the purposes for which Google were using the data collected.

The consent gathered was ambiguous because, when creating an account, the box asking the user to indicate whether they wished to receive personalised adverts was already “pre-ticked.” This consent was therefore not a “clear affirmative action” of the data subject’s wishes (to receive such personalised advertisements) and therefore fell short of the GDPR standard of consent.

The consent obtained by Google was not specific because the user’s consent was sought only once for all processing purposes (i.e. they could not consent to some processing purposes but not others – there was no element of choice for the user). Under the GDPR, consent must be provided for each distinct purpose for which data is processed (i.e. the consent must be granular) and by bundling all the consents together, Google did not adhere to the GDPR in this regard.

Due to these failings on the part of Google when obtaining the consent, such consent was held to be invalid and, as a result, Google did not have a lawful basis for processing personal data.

What can your organisation learn from the Google decision?

Perhaps this decision is an example of “how not to go about obtaining consent”. The ruling against Google is very significant for organisations that rely upon consent as a legal basis. And with such a large fine being levied against Google, the CNIL has shown that it is not holding back using its new enforcement powers granted by the GDPR.

It is likely that the CNIL decision will inform and influence the levels of fines issued by other Data Protection Authorities in the future (and indeed Google may yet face further fines from other Data Protection Authorities), therefore if your organisation relies on consent for some of your data processing activities, you need to take note of the following:

  • Your organisation’s Privacy Notice must be comprehensive and easy to understand (i.e. have your Privacy Notice in one document with all the relevant information in a clear and simple manner).
  • You must not rely upon pre-ticked boxes for the purposes of obtaining consent (this is not valid consent as it is based on inaction and not an affirmative action by the data subject – pre-ticked boxes are no longer permitted under GDPR!)
  • If you are obtaining consent for multiple purposes, the individual’s consent must be obtained in relation to each specific purpose (i.e. the consent sought should be granular and give data subjects a genuine choice over what you are doing).
What happens next?

In response to the fine, Google stated:

"People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps."

Therefore, we await to see whether Google will appeal against the CNIL’s decision and/or the fine imposed. Irrespective, with over 400 GDPR fines having been issued thus far in Germany alone, we should not be complacent and should expect GDPR fines in the UK soon.

This article was co-written by Charlotte Fleming.

Latest updates from @MacRoberts

  • Huge congratulations to Rebecca Cox in our Corporate Finance team who has been shortlisted for the Rising Star of t… 1 hour ago
  • MacRoberts is delighted to be shortlisted at this year’s Scottish Legal Awards! We're up for Firm of the Year & t… 20 hours ago
  • Have you and your partner been considering moving in together? Are you aware of the legal implications that this ma… 29/07/2021
  • Following a consultation in 2019, the UK Government has outlined its intention to introduce a mandatory duty on emp… 29/07/2021
  • Our award-winning Family Law team can help you and your partner through difficult situations by providing support w… 27/07/2021
  • To celebrate the Olympic Games in Tokyo, we're delighted to launch our latest sporting challenge in support of our… 23/07/2021
  • MacRoberts is recruiting! We are currently looking for a Real Estate Planning Solicitor to join the MacRoberts tea… 23/07/2021
  • The countdown is on! With just 100 days to go, we’re looking forward to #COP26 in Glasgow! ♻️ As a firm accredite… 22/07/2021
  • Has lockdown led you to consider a move to the countryside? From discussing a possible purchase to obtaining the… 22/07/2021
  • Have you seen our latest vacancies? 💼 We currently have opportunities in various departments across the firm. Fin… 21/07/2021
  • Acas has published new guidance for employers with helpful information on #flexibleworking & #hybridworking. With t… 20/07/2021
  • Busting the myth that a career in law is only for the privileged few: @marikaflawyer is speaking at this morning’s… 19/07/2021
  • MacRoberts is recruiting! We are currently looking for a Support Services Assistant to join our team in Edinburgh.… 16/07/2021
  • MacRoberts is pleased to have been part of the team advising @HV_Systems in its £5m capital boost from Beehive Equi… 15/07/2021
  • MacRoberts is recruiting! We are currently looking for a NQ Solicitor to join our Conveyancing & Private Client te… 14/07/2021