Google Fined $57 Million under GDPR

The French national data protection supervisory authority, CNIL, handed down its first large financial penalty Monday under GDPR, the new EU General Data Protection Regulation.  CNIL fined Google 50 million euros (about $57 million) for “lack of transparency, inadequate information and lack of valid consent regarding ads personalization,” warning that Google’s ongoing practices could lead to further sanctions unless corrected.   

CNIL, the Commission Nationale de l'Informatique et des Libertés, is an influential European privacy regulator, historically one of the most active in publishing official guidance and undertaking enforcement actions.  The decision by CNIL’s “restricted committee,” which reviews recommended sanctions by individual CNIL members, is published (in French) as Délibération n°SAN-2019-001 du 21 janvier 2019.  CNIL provides an English summary here.

Privacy Policy Criticism 

GDPR, which was enforced starting May 25, 2018, set a higher standard for transparency and consent compared to prior data protection law.  Like thousands of other technology companies, social media operators, retailers, and service providers, Google rewrote its online and mobile privacy policies for European users to comply with the new privacy regime last year.  Google’s task was more difficult than most, however, because of the sheer number and variety of services it offers that utilize personal data, sometimes in ways that are not obvious to users.   

GDPR Article 7 makes it clear that the obligation rests on the controller to demonstrate that the data subject has consented to the processing of personal data.  The request for consent has to be presented in a manner “clearly distinguishable” from other matters and “in an intelligible and easily accessible form, using clear and plain language”; otherwise, the consent is not binding.   Articles 12-14 set out the information that must be provided in the interest of transparency, and how it must be communicated, “in a concise, transparent, intelligible and easily accessible form.”  Recital 32 says that consent should be given by “a clear affirmative act establishing a freely given, specific, informed and unambiguous” indication of the individual data subject’s agreement.  

CNIL concluded that Google’s privacy policy did not meet these standards in several respects.  The purposes for collecting data are not always evident, and the data retention periods are not stated for various categories of personal data used for personalization of ads.  CNIL noted that the policy covers 20 or more different services or operations (Search, Gmail, YouTube, Maps, Play, News, Contacts, Drive, Calendar, Google+, Translate, Photos, Shopping, etc.), described too “vaguely and generically” for the user to understand the purposes and uses of personal data and retention periods for each.  Even where this information could eventually be found on Google websites, it could not be considered “easily accessible,” as it was dispersed over multiple documents that could be reached only with “five or six actions” and required the user to correlate information from several sources.  CNIL also objected that the policy was unclear as to the legal basis for processing each category of personal data, “consent” or “legitimate interests,” and in the case of the latter, which legitimate interests it was claiming. 

Ad Personalization 

Google’s ad personalization is presented as a control feature for users, and it is based on consent, but CNIL determined that the consent is not validly obtained under GDPR standards. 

When users get an Android phone, they normally must set up a Google account if they do not already have one.  Other consumers often sign up for a Google account in any event to use with online services such as Google Docs, Gmail, or Google Drive.  When creating or modifying their Google accounts, users can click on a “More options” button to configure the display of personalized ads, but the display is pre-checked.  CNIL does not consider any pre-checked boxes or default selections to be consistent with the GDPR principle of requiring a “clear affirmative action” to express consent.   

Also, in finalizing the account creation or modification, the user must click on “I agree to Google’s Terms of Service” and “I agree to the processing of my information as described above and further explained in the Privacy Policy.”  This effectively gives blanket consent for all of Google’s many processing operations with personal data (ads personalization, speech recognition, geolocation, etc.), but CNIL says this is inconsistent with the GDPR principle that consent is valid only if it is “specific” and “unambiguous” and therefore must be given “distinctly for each purpose.”  CNIL also does not consider that consent well informed, since the various operations are not fully and clearly described and often require clicking through multiple links to obtain even a cursory description. 

Tech Industry in the Crosshairs 

Google responded publicly to the decision by saying that users “expect high standards of transparency and control from us … We’re deeply committed to meeting those expectations and the consent requirements of the G.D.P.R.   We’re studying the decision to determine our next steps.”   

As a practical matter, Google ultimately has to satisfy privacy regulators (and consumers) in the large European market, and what Google works out as sufficient transparency in Europe will probably end up describing its services and options for users globally.   

The pressures resulting from GDPR on the one hand, and state laws such as the California Online Privacy Protection Act on the other, may help explain why Apple CEO Tim Cook proposed last week, in time for his first appearance at the World Economic Forum in Davos, Switzerland, “meaningful, comprehensive federal privacy legislation” in the US.  Cook also proposed developing universal privacy tools such as a mandatory, FTC-supervised data-broker clearinghouse.  There is a sense in his proposals that legislative convergence and technological solutions might offer hope for more individual self-determination over privacy – and perhaps more certainty and less risk for companies handling personal data.      

A European Privacy Law with Teeth 

European data protection laws have been around since the 1970s, and the EU Data Protection Directive that preceded GDPR had similarly broad scope.  But GDPR sets a higher bar for compliance, requires the Member States to give the supervisory authorities more powers, and establishes much higher penalties for violations.  Previously, for example, the maximum fine CNIL could have imposed would have been 150,000 euros (300,000 for a repeat offense).   

Many complaints and investigations were launched in the first months of GDPR enforcement last year, some resulting in reprimands or informal agreements to rectify procedures.  Several of the national authorities conducted extensive surveys and inspections (even the relatively small Swedish authority audited 350 companies and public authorities in the course of a few months, issuing dozens of reprimands).  However, only a few proceedings have produced monetary penalties so far -- a small fine for overly intrusive security video surveillance in Austria, a 20,000 euro fine imposed by the German state of Baden-Württemberg in September for a security breach in a German social media network, and a 400,000 euro fine last month against a Portuguese hospital where staff members improperly accessed patient records. 

But on May 25 and May 28, 2018, as soon as GDPR enforcement came into effect, two advocacy groups filed GDPR complaints against Google, Facebook, Instagram, and WhatsApp.  The groups are None of Your Business and La Quadrature du Net.  NOYB was founded by Max Schrems, the Austrian lawyer who brought the complaint that resulted in the 2015 invalidation of the former EU-US Safe Harbor Framework by the European Court of Justice.  According to its website, NOYB has about 3,000 contributors.  LQDN is a French digital rights advocacy organization with five staff members, supported by the Electronic Frontier Foundation and other international organizations.  Following the CNIL decision against Google this week, LQDN adopted the slogan, “50 million for a start,” as the organization points out that the company must implement substantial changes to avoid further penalties.

This is a real threat, because under GDPR Article 83 penalties for serious or recurring violations can be set as high as 4% of a company’s worldwide group revenues for the preceding financial year.  Google’s 2017 worldwide revenues are reported as nearly $110 billion, so a maximum penalty would be calculated in billions, not millions, of dollars.

These and other advocacy groups also have pending GDPR complaints against Amazon, Apple, Netflix, and Spotify, as well as another complaint against Google for its “deceptive practices” in location tracking.  While GDPR also includes a private right of action to seek injunctive relief and compensation in court (Articles 79-82), so far the activity is all in administrative proceedings before the data protection supervisory authorities under Article 77.  This is much cheaper and easier to pursue than a court action, especially in Europe.  In both administrative and judicial proceedings, GDPR Article 80 expressly provides that individuals have the right to be represented by a nonprofit body that is active in the field of data protection and also permits Member States to choose to allow such groups to bring complaints on their own, without representing named individuals.  Germany, for example, allows this; the UK does not.   

There is definitely forum shopping in the effort to shape policy and practice in data protection.  NOYB and La Quadrature filed their complaints with CNIL in France and with the data protection supervisory authorities in Hamburg, Austria, and Belgium, all notably proactive authorities.  But Google’s European headquarters is in Ireland, which has traditionally been a relatively business-friendly environment for data protection regulation and “home turf” for Google, and Google tried to get the Irish Data Protection Commission to take jurisdiction over the NOYB and La Quadrature complaints, arguing that the Irish authority should be the lead agency for all decisions concerning Android users.  The first part of the CNIL decision takes up this jurisdictional question, observing that decisions about Google privacy policy are probably made in California, not Ireland.  CNIL kept the case.  It also shows an appetite for handling other high-profile investigations of global companies, some of them already in the pipeline.    

One result of GDPR is that, even without US-style class actions across Europe, since May 2018 the combination of substantial penalty provisions and representative complaint procedures means that companies handling personal data are under much greater scrutiny and act at much greater risk.  The larger players are the more obvious targets for complaints by advocacy groups and investigations by the authorities, but the decisions in those cases set standards for policies and practices by all. 

Impact 

CNIL recognized that this is the first time it has imposed the new pecuniary penalties under GDPR.  The agency decided that the severity and publicity of the sanctions were justified because the infringements touched on “the essential principles of the GDPR:  transparency, information and consent.”  CNIL observed, moreover, that the violations are continuous, as “thousands of French people create, every day” a Google account on their smartphone, and part of the company’s economic model is based on ads personalization.  Thus, Google has to get this right.  The company may appeal, of course, but it is more likely to go back to the drawing board with its privacy disclosures and enter into renewed discussions with CNIL.

While these issues are more problematic for Google than for most service providers, because of the sheer number of services and features that it offers online and in connection with the Android mobile operating system, similar criticisms could probably be levelled against many privacy policies and ad personalization techniques.  If European authorities insist on more clear and precise descriptions of purposes, legal bases, and retention periods, there may be some rethinking and redrafting in our collective future.   

Here are some preliminary take-aways from the Google decision: 

  • While a “layered approach” to privacy policies is often encouraged (a short description up front with a link to a more detailed explanation), an adequate and comprehensible description of each service or operation using personal data should be posted in one place that a user can easily find. 

  • Clearly state the legal basis (e.g., consent or a defined legitimate interest) for each category of personal data collected.  This matters under GDPR, because consent can be withdrawn, and legitimate interests must be balanced against privacy interests.  The legal basis often determines which data subject rights can be exercised, and how the controller’s processing can be assessed and challenged.  This is why CNIL, and presumably other authorities, will not tolerate vagueness on this point, and it should matter for the controller to determine how to handle the data over time. 

  • Request consent separately for each service or operation using personal data.  A blanket consent at the end of a privacy policy covering multiple services may not be valid.

  • State the retention period for each category of personal data, where feasible, or the criteria used to determine that period (see GDPR Art. 13(2)(a), 14(2)(a)).  This can be a difficult exercise, but CNIL insists it must be done. 

  • Don’t use pre-checked boxes or default configurations if you want to rely on consent as the lawful basis for collecting and using personal data.  This has been the advice for some time from CNIL, the UK Information Commissioner’s Office, and other data protection supervisory authorities, as it is inconsistent with “a clear affirmative act” to demonstrate consent.    

  • The Google decision does not necessarily herald a wave of multi-million dollar fines for ordinary businesses, but it would be unwise not to review GDPR privacy policies and practices to take into account the message that CNIL clearly meant to deliver.

Update 

Google announced today (January 24) that it will appeal the CNIL decision, saying that its consent process for personalized ads is “as transparent and straightforward as possible” and expressing concern about “the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond.”