Analysis. The French data protection authority, CNIL, finds that Google, with its dominant market position and its data-based economic model, deprives users of essential privacy rights, and has therefore issued its biggest fine ever: 50 million euros. The Swedish data protection authority is also investigating Google for alleged abuse of location data and web history.
Lack of transparency. Inadequate information. Lack of valid consent. These are the violations committed by Google according to the French data protection authority, CNIL, which on 21 January 2019 issued its first fine under the General Data Protection Regulation (GDPR). Google LLC was fined 50 million euros.
Just a few hours after the GDPR came into force, CNIL received group complaints from two associations. One is None Of Your Business (NOYB), coordinated by Max Schrems, the Austrian activist who took on Facebook over the lawfulness of the data transfer mechanism under the former directive, a battle that put the Safe Harbor agreement in the grave. The second is La Quadrature du Net (“LQDN”). LQDN was mandated by 10,000 people to refer the matter to the CNIL rather than to the data protection regulator in Ireland, the jurisdiction of Google’s European headquarters.
Based, among other things, on an inspection carried out in September 2018, the CNIL found two types of violation:
- Violation of the obligations of transparency and information; some of the information provided is neither clear nor comprehensive.
- Violation of the obligation to have a legal basis for ads personalization.
On the first, the CNIL adds to the ongoing discussion among practitioners about how to meet the requirement that information be clear and comprehensive. It finds that this requirement is not met, because the relevant information is only reachable after several steps, sometimes as many as 5 or 6 actions. Combined with vague and generic descriptions of the purposes, the number of services offered, and the nature of the data processed, this leaves users unable to fully understand the extent of the processing operations carried out by Google.
On the second, Google’s main argument in response to complaints about its processing of user data has always been that it processes data for ads personalization on the basis of the user’s consent. The CNIL, however, ruled that this consent is not valid, for two key reasons:
- The users are not sufficiently informed
- The consent is neither “specific” nor “unambiguous”
GDPR article 7 (among other provisions) requires these conditions to be met for consent to be valid. On the second point, the ruling settles an issue that has been debated among practitioners: under the GDPR, consent is “specific” only if it is given distinctly for each purpose.
Not a Word on Privacy By Default
Under GDPR article 25, data protection by design and by default is a core principle. It ensures that, by default, personal data are not made accessible without the individual’s intervention. In other words, users should have to opt in to tracking, not, as is the case with Google, opt out of it. Strangely enough, the CNIL ruling does not touch upon this.
Swedish Authority Investigating Google
The Swedish authorities are also on to Google. In early January, the Swedish DPA announced an investigation into complaints concerning Google’s collection of people’s location data and web browsing histories. The complaints were filed in November 2018 by the Swedish Consumer Association, which initiated them in the wake of a report from the Norwegian Consumer Council on Google’s use of dark patterns.
The Lack of Ethics in The Business Model
The CNIL points out in its ruling that the huge amount of data, the wide variety of services and the almost unlimited number of possible combinations can reveal important parts of a user’s private life, and that this is not in accordance with the principles of the GDPR. Even though the GDPR focuses strictly on the individual’s right to the protection of personal data, the CNIL takes into account what could be considered competition concerns, as it also addresses the important position Android holds in the French market. Finally, the CNIL points out that the company’s economic model is partly based on ads personalization, which places an even greater responsibility on Google to comply with the obligations attached to ads personalization.
These considerations are extremely important, as the so-called free model practised by Google, Facebook and many others may conflict with the GDPR in general and certainly with the core of data ethics. ‘Free’ only means that you do not pay with traditional money or currencies; you pay with your personal data instead. That payment, however, is made blindfolded, as nobody knows what a birthday, a message, a political opinion or a sexual orientation is worth. Users therefore have no idea how much they pay for a Google service. The data payment model is in itself contrary to the GDPR, a view very much in line with the complaint filed in Ireland in September 2018 by Brave, the US privacy-enhancing browser. The complaint argues that Google and the ad tech industry commit “wide-scale and systematic breaches of the data protection regime” through the way they place personalized online ads.
Google to Appeal
Google, however, has decided to appeal the CNIL ruling to the Conseil d’État (the Council of State), the highest administrative court in France. Besides complaining that its hard work to comply with the GDPR consent requirements goes unrecognized, and arguing that its consent process is as transparent and straightforward as possible, Google in an email statement also raises a broader policy concern about the impact of the ruling on publishers, original content creators and tech companies in Europe and beyond. Nevertheless, the CNIL ruling has, for the time being, launched a new era of enforcement of data protection rights within the European Union.
CNIL Ruling a Precedent on the One-Stop-Shop Mechanism
The CNIL ruling on Google does not only address privacy violations; it also sheds light on the “one-stop-shop” mechanism, because the CNIL first had to establish whether it was competent to deal with the complaints against Google. The GDPR one-stop-shop mechanism is, in essence, a mechanism ensuring that an organization established in the EU deals with a single regulator, namely the authority of the country where its “main establishment” is located. That authority then serves as “lead authority” and coordinates cooperation with the other data protection authorities in matters involving cross-border processing.
As Google’s European headquarters is in Ireland, the question was whether the Irish DPA was the lead authority. The decisive point was that the Irish establishment, at the time the CNIL initiated the proceedings, had no decision-making power over the processing operations carried out in the context of the Android operating system and the services Google provides when a user creates an account.
Consequently, Google did not have a main establishment in the sense of the GDPR, the one-stop-shop mechanism did not apply, and the CNIL, like any other DPA, was competent to act.
This article was also published in the International Journal for the Data Protection Officer, Privacy Officer, and Privacy Counsel January 2019.