Earlier this month, the Commission Nationale de l’Information et des Libertés (CNIL), the French data protection authority, issued a fine of €50 million against Google for its failure to obtain valid consent as a legal basis for processing user data.

The fine is highly significant as it is the largest fine issued this far in Europe in respect of a breach of data protection rules. This fine will give some companies a wake-up call – GDPR rules have bite - and a sore one at that! 

What happened and what did the CNIL find?

Two privacy groups issued complaints against Google in 2018 alleging that Google did not have a legal basis for processing the data of its users. This is because it did not seek a “GDPR” level of consent when asking users to consent to being targeted with personalised advertisements.

The CNIL made its decision against Google on the basis of Google’s lack of transparency, provision of inadequate information to users and failure to obtain valid consent in relation to personalised advertisements. Transparency is fundamental to data protection.

What does this mean? We look at the two main areas of decision making below – transparency and consent.

Lack of transparency

The CNIL found Google lacking in transparency in relation to the user data it collected, stating that users were not sufficiently informed about Google’s activities.

In particular, essential information such as data retention periods and the purposes of processing, was spread across multiple pages and documents, making it difficult for users to locate important information and understand Google’s processing of their personal data.

This highlights the importance of the transparency principle and making sure Privacy Notices are clear, simple and easy to understand. If you are making users go between multiple documents and have not clearly explained why you are collecting the data, what you are going to do with it and why, it is likely that you are not complying with GDPR! Why? Because the user cannot make an informed decision as to whether they are going to give their consent or not if they do not have all the relevant information upon which to make such a decision.

Lack of valid consent

The CNIL found that the consent obtained by Google was insufficient and did not meet the standard required under the GDPR. This is because the consent gathered was ambiguous and not specific to the purposes for which Google were using the data collected.

The consent gathered was ambiguous because, when creating an account, the box asking the user to indicate whether they wished to receive personalised adverts was already “pre-ticked.” This consent was therefore not a “clear affirmative action” of the data subject’s wishes (to receive such personalised advertisements) and therefore fell short of the GDPR standard of consent.

The consent obtained by Google was not specific because the user’s consent was sought only once for all processing purposes (i.e. they could not consent to some processing purposes but not others – there was no element of choice for the user). Under the GDPR, consent must be provided for each distinct purpose for which data is processed (i.e. the consent must be granular) and by bundling all the consents together, Google did not adhere to the GDPR in this regard.

Due to these failings on the part of Google when obtaining the consent, such consent was held to be invalid and, as a result, Google did not have a lawful basis for processing personal data.

What can your organisation learn from the Google decision?

Perhaps this decision is an example of “how not to go about obtaining consent”. The ruling against Google is very significant for organisations that rely upon consent as a legal basis. And with such a large fine being levied against Google, the CNIL has shown that it is not holding back using its new enforcement powers granted by the GDPR.

It is likely that the CNIL decision will inform and influence the levels of fines issued by other Data Protection Authorities in the future (and indeed Google may yet face further fines from other Data Protection Authorities), therefore if your organisation relies on consent for some of your data processing activities, you need to take note of the following:

  • Your organisation’s Privacy Notice must be comprehensive and easy to understand (i.e. have your Privacy Notice in one document with all the relevant information in a clear and simple manner).
  • You must not rely upon pre-ticked boxes for the purposes of obtaining consent (this is not valid consent as it is based on inaction and not an affirmative action by the data subject – pre-ticked boxes are no longer permitted under GDPR!)
  • If you are obtaining consent for multiple purposes, the individual’s consent must be obtained in relation to each specific purpose (i.e. the consent sought should be granular and give data subjects a genuine choice over what you are doing).
What happens next?

In response to the fine, Google stated:

"People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps."

Therefore, we await to see whether Google will appeal against the CNIL’s decision and/or the fine imposed. Irrespective, with over 400 GDPR fines having been issued thus far in Germany alone, we should not be complacent and should expect GDPR fines in the UK soon.