On January 21st, 2019, CNIL's Restricted Committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for "lack of transparency, inadequate information and lack of valid consent regarding the ads personalization".
CNIL's position regarding Google's processing of personal data is bound to have a tremendous impact on the myriad of companies using data-based Google services to drive their business and their ongoing compliance, which is in turn likely to affect Google's future revenue. Regarding this decision, we summarized below some key elements:
Alexander Popescu, CIPP/E
Group complaints on behalf of over 10,000 individuals claimed GOOGLE did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalization purposes. In less then 4 months, in accordance with the Decision 2018-199C of the President of the Commission dated 20 September 2018, an online investigation was carried out by CNIL on 21 September to verify the compliance of any processing relating to the use of the operating system Android for mobile devices, including the creation of a Google account, with the French Data Protection Act and GDPR.
At the end of the investigation, on 22 October 2018, CNIL has notified Google a detailed report regarding shortcomings relating to sections 6, 12 and 13 of the GDPR, and issued a decision approximately 3 months later.
Considering the complexity of the investigation and the size of a company like Google, this timeline announces a very swift and stream-lined enforcement process by CNIL, which may accelerate in the future. Under current French law (Decree n° 2005-1309 du 20 octobre 2005 ), a data controller has one month to respond to the observations contained in CNIL's report.
It should be a priority to an organization subject to GDPR to establish and maintain in a process and policy to be used in case of such an enforcement action.
Despite Google's assertion that CNIL has confused the Android operating system and the Google account, which are different services which implement different processing activities, CNIL noted that:
1. when setting up a Android device, the ability to create a Google account or connect to an existing account naturally appears at the beginning of the setting process, without specific action of the user;
2. The user is prompted to create or sign in to a Google Account when she clicks on the links to learn more or to skip the step of setting up the device.
As such, because the user path of setting up an Android device creates a "continuum of use" between the processing activities linked to the operating system and the processing operations related to the Google account, CNIL decided that the online investigation performed should include both services.
III. CNIL finds that the general structure of how the information is presented by Google to users does not enable it to comply with GDPR.
IV. CNIL believes that Google processes data in a massive and intrusive way, without allowing the users to sufficiently understand the consequences of Google processing of their data.
CNIL further notes that, in addition to the large data being processed by Google, the collection geolocation data and content considered in isolation are likely to reveal with a high degree of precision many of the most intimate aspects of people's lives, including their lifestyle, their tastes, their contacts, their opinions or their trips. The result of the combination of these data between them greatly reinforces the massive and intrusive nature of the processing in question.
CNIL states that Google's description of the purposes of processing does not allow users to measure the extent of the processing and the degree of intrusion into their private lives that they are likely to take away. It considers, in particular, that such information is not provided in a clear manner, nor at the first layer of information provided to users through, in this case, the document entitled "Confidentiality rules and conditions of use" nor in the other levels of information proposed by the company.
V. CNIL indicated Google claimed user consent as the only legal basis for processing data in connection with ad personalization services. The consent obtained by Google for its ad personalization services is not valid because it is not sufficiently informed, non-specific and ambiguous.
CNIL retained that Google's policies do not allow the users to understand which processing activities are based on the user's consent and which processing activities have a legitimate interest as a legal basis. In particular, when requesting consent, Google discloses to the users that "(...) However, the company adds further to base itself on the legitimate interest, in particular to carry out actions of marketing in order to make known our services with the users and especially to resort to the publicity in order to make a large number of our services freely available for users". This type of formulation is unclear and ambiguous to CNIL.
VI. Retention policies have to at least specify the criteria used to determine the duration and the purposes for which the personal data is retained. CNIL argues that Google's retention policy did not.
With respect to retention period information, the Restricted Committee noted that the "How are Google's collected information" page is maintained has four categories:
- Information retained until you delete it
- Information with a timeout
- Information retained until your Google Account is deleted
- Information kept for long periods of time for specific reasons.
CNIL took issue with the latter stating that very general explanations of the purpose of this retention are provided and no precise duration or the criteria used to determine that duration are indicated.
VII. Information tools made available to users concomitantly and after the creation of their account do not make it possible by themselves to reach the requirements of transparency and transparency of information.
The Restricted Committee considered that if any data other than those strictly necessary to create the account are collected throughout the life of the account, such as browsing history or purchases, the time of its creation marks the entry of the user in the ecosystem of Google services. This step marks the beginning of a multitude of processing operations: collection, combination, analysis, etc. Therefore, since the process of creating the account is essential in the understanding of processing and their impact the information provided for in Article 13 of the Regulation at that time must, by itself, be sufficient in the light of the requirements of that provision.
Notably, the Committee notes that Privacy Dashboard tools can only be used after the account creation step, which is nevertheless essential for informing users as well as it has been said. In addition, although their existence and interest are brought to the attention of users, they imply an active step by the users to access them. For these reasons, these tools do not allow, in CNIL's opinion, to provide sufficient information to comply with Articles 12 and 13 of the GDPR.
VIII. Google's methods to gather consent for ad personalization services does not result in valid consent.
In addition, having pre-ticked boxes for displaying personalized ads hiding behind a "more options" button in addition to an unclear statement did not help Google's case. For more details on gathering valid consent, which is entirely possible without a significant decrease in UX, please read my previous post on the subject of consent.
While we expect this type of enforcement actions to multiply in the near future before compliance becomes the norm, it is not clear if CNIL has considered the entirety of Google's operations (including US operations) or just the data subjects in France (approximately 27 million users). In either case, it is an alarm signal for most companies using Google services to combine data for ad purposes, which should be encouraged to:
- obtain legal advice regarding their data processing operations and vendor agreements regarding personal data.
- design and implement a data privacy compliance program.
- include adequate protections in their agreements and internal policies.
- purchase adequate insurance policies.
This Blog/ Website is made available by Intel Lex for educational purposes only as well as to give you general information and a general understanding of the law, not to provide specific legal advice. By using this blog you understand that there is no attorney-client relationship between you and Intel lex. The Blog/Web Site should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.