When the General Data Protection Regulation went into effect last May, the big question was whether European regulators would take advantage of the greater powers to impose heavy penalties on violators. A heavy fine would send a strong message to both the offending company as well as other companies that privacy and data collection can’t happen without clear, unambiguous consent from the users.
France’s National Data Protection Commission (CNIL) fined Google €50 million ($57 million) under GDPR for making it too difficult for users to understand and manage preferences on how their personal information is used. The original complaints were filed back in May by privacy advocacy groups None of Your Business (led by Austrian privacy lawyer Max Schrems) and La Quadrature du Net.
“The amount decided and the publicity of the fine are justified by the severity of the infringements observed regarding the essential principles of GDPR: transparency, information and consent,” CNIL said in the English version of its decision. A penalty notice in French outlined the details of the investigation and the fine.
“It is important that the authorities make it clear that simply claiming to be [GDPR] compliant is not enough,” said Nyob chairman Max Schrems.
The complaints alleged that Google were railroading users into consenting into data processing without fully understanding what that meant. Google secured “forced consent” from Android users by implying that services would not be available unless the terms and conditions are accepted. CNIL concluded that Google did not transparently communicate the scope of data processing used for targeted advertisements, and left consumers uninformed about how their information would be used. Google didn’t concisely explain that personalized ads run across multiple services, including YouTube, Google Maps, and search.
“Users are not able to fully understand the extent of the processing operations carried out by Google,” CNIL said.
Clarity and Consent
The fact that users have to perform five or six actions just to find relevant privacy controls and information about what Google intended to with the data was a problem. “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” CNIL says.
During account creation on an Android phone the setting for allowing ad personalization is pre-checked by default. This violated GDPR as it defines unambiguous consent as the user purposefully selecting—opt-in—to such settings.
“This type of procedure leads the user to give global consent... but the consent is not ‘specific’ as the GDPR requires,” CNIL said.
The existing documentation was also “too generic and vague” and didn’t convey to users the “particularly massive and intrusive” systems in place for personalizing ads. It wasn’t clear how long data will be stored, for example.
CNIL said it considered the fact that Google was still in violation of the law when setting the fine, as well as the fact that Google’s Android had a dominant market position.
“Moreover, the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement,” CNIL said.
“Each day thousands of French users create a Google account on their smartphones. As a result the company has a special responsibility when it comes to respecting their obligations in this domain.”
GDPR gives data protection authorities the authority to impose fines of up to €20 million ($23 million) or 4 percent of an organization's annual global revenue—whichever is greater. Google’s parent company Alphabet reported annual global revenue of $110.8 billion in 2017, which means regulators could have gone as high as $4.4 billion in fines. Regulators can also decide to revoke the company’s ability to process individuals' personal data.
CNIL’s decision is the largest fine against Google to date—although it is worth noting there have been only a handful of enforcement actions since the law went into effect eight months ago. The previous largest fine was for €400,000 fine ($454,426) against a Portuguese hospital. It is too soon to know if other regulators will follow CNIL’s lead, or if this fine was just a one-off event.
Google told the Washington Post it is “deeply committed to meeting those expectations and the consent requirements of the GDPR.” It has not said whether it plans to appeal the fine.
"We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law," said Schrems, Nyob chairman. "Following the introduction of GDPR, we have found that large corporations such as Google simply 'interpret the law differently' and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.”
More Enforcement on Way
The actual amounts tell only part of the privacy regulation story. The true sign of GDPR's power will be whether the rules can change data privacy and collection practices. Companies with business models that involve data collection and ad personalization are watching carefully how European regulators enforce the new rules.
Even though the regulation ostensibly applies only to European companies, companies based outside of the EU still need to comply with GDPR if they want to have European users. And users in countries that don't have strong privacy laws—such as the United States—benefit from the fact that companies have to change their processes for EU residents.
CNIL's action is just one of many. There are other complaints against Google pending in other countries. European Union citizens (or groups representing them) can file complaints with their country’s data regulators, and each country investigates and sets fines independently. Consumer groups filed complaints in seven countries back in November over how Google obtains permission from Android users on collecting location data.
Google isn't the only one in the crosshairs, either. Nyob has already filed related complaints against Instagram, WhatsApp, and Facebook. Last week, it filed new complaints in Austria against eight companies, including Apple, Amazon, Netflix, Spotify, and YouTube for not being able to tell users what data was collected and how it was used. Under the law, users have the right to obtain data collected on them from websites, what it was used for, and who it was shared with. In many cases, users only got the raw data, but did not know who saw the information, Schrems said.
Schrems will be carefully scrutinizing how companies handle user privacy. “In 1995 the EU already passed data protection laws, but they were simply ignored by the big players. We now have to make sure this does not happen again with GDPR – so far many only seem to be superficially compliant,” Schrems said on Nyob's site.