Locations
Ever since the 25th May last year, the privacy community has been on tenterhooks, waiting to see whether European DPAs would take advantage of the significant fining powers afforded to them under the GDPR. That question has been answered today, with news that the CNIL, the French data protection authority, has imposed a whopping fine of EUR50M on Google.
The fine concerns a complaint made to the CNIL by the not-for-profit association NOYB (“None of Your Business”) founded by Max Schrems - the lawyer and privacy activist noted for his complaints which eventually led to the collapse of the EU-US Safe Harbor regime. The complaint was reportedly the first GDPR complaint ever made (in parallel with other complaints made by NOYB against Facebook, Instagram and WhatsApp on the same day), being filed on 25th May 2018 - the very day that the GDPR became applicable. The complaint concerned the validity of consents obtained by Google for its data processing, alleging that Google “forced” the consent of its users.
The CNIL has seen fit to agree with the complaint, and today reported that it has levelled a fine of EUR50M on Google. Details of the fine, and the CNIL’s reasoning, are available here. While you can read details of the complaint for yourself, a few key points are particularly worthy of note:
- European DPAs were given some whopping great big new fining powers under GDPR - up to 4% of annual worldwide turnover, or EUR20M, whichever the larger (and the CNIL clearly took the words “whichever the larger” to heart, choosing to impose EUR50M on Google). Today’s news is a clear statement of intent that they will use them - in other words, they’ll walk the walk, not just talk the talk.
- There’s been a lot of misunderstanding about the functioning of the lead supervisory authority. In the wake of the GDPR, many companies have talked about “selecting” their lead authority, or assumed that because they have an EU HQ in one Member State it must follow that the DPA in that Member State will always be their lead supervisory authority, whatever the issue. Today’s message is don't get complacent about who your lead authority is! Google had its EU headquarters in Ireland, but the CNIL still led this investigation and enforcement (not the Irish DPC).
- Personalised ads are firmly in the DPA's crosshairs at the moment - in recent months, the CNIL has issued decisions against mobile ad tech vendors Vectaury, Fidzup, Teemo and Singlespot, in each case emphasising the need for clearer transparency and consent. And now we have this. A big focus of the CNIL’s decision was on the need for unambiguous consent for ad personalisation. It’s time to get serious about unambiguous consent for targeted ads - reliance on navigational or implied consent mechanisms will seemingly no longer cut it with EU DPAs.
- The complaints criticised Google for requiring users to “agree” to its privacy policy in order to use its services. While asking users to “agree” to a privacy policy is still common practice for many companies, privacy notices are too long and too complex to be something that users can realistically understand and “agree” to. Under GDPR consent needs to be freely given and specific, and must not be bundled - the user must be able to freely consent to specific activities on a case-by-case basis, e.g. consent to receive e-mails, or consent to use of their photograph within a promotional brochure etc. Privacy notices are still needed for transparency of course - but they should serve as just that: informational notices, not catch-all consent-gathering documents.
- Will this decision lead to an appeal? It would be naive not to expect one. The size of the fine, and the significance to online advertising revenues (and for certain business models), means an appeal is all but inevitable.
- Longer term, query what impact this will have on the future of tech, data collection and ad personalisation - is this the beginning of the revolution, or will fines simply be seen as a cost of doing business...?