First major GDPR fine

Only now do I realize there should have been a pool around GDPR enforcement. We could have placed bets on the first company fined, the first country to fine, the over/under on the fine amount, and the month and year of action. But it’s too late, all bets are closed, we have our first action.

Today the French National Data Protection Commission (CNIL) announced that it fined Google €50 million for violations of GDPR. The announcement is well worth reading in full, but here are some of the highlights.

Jurisdiction

Under GDPR the country where a company is headquartered has precedence in handling issues. In this case, Google is headquartered here in Ireland. However, as I read the CNIL press release, it seems that, in discussion with other European Data Protection Authorities (DPAs), the decision was made that there was no primary jurisdiction.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow to consider that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.

As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPA. The CNIL implemented the new European Framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

Transparency

The CNIL determined that it was difficult for consumers to access information about what data Google collects and how they use it. The information may be available on the Google website, but involves clicking through multiple documents and lots of cross referencing. And, as the committee notes, sometimes what is there isn’t clear or comprehensive. The crux is that it’s difficult for users to understand what data Google is collecting, how they’re collecting it and what they’re doing with it.

Consent acquisition

Google says they get the consumer’s consent to process data, but the committee determined that consent is not validly obtained, for two reasons. First, the information on processing is spread across multiple documents and does not truly give the user information about the extent of data collected. Secondly, even though it is possible to configure the display of personal ads, the configuration is only accessed through a “more options” button. Users who do click on the more options button are presented with pre-ticked boxes. However, pre-ticked boxes are not unambiguous consent; GDPR requires some affirmative action by the user.

CNIL does acknowledge that users are asked to tick multiple boxes, « I agree to Google’s Terms of Service » and « I agree to the processing of my information as described above and further explained in the Privacy Policy », during account creation. This is not, however, sufficient to comply with GDPR, as consent is required for each distinct purpose.

Hints of things to come

Reading between the lines in the CNIL press release, the fines seem to be specific to the creation of Google accounts associated with Android phones. While it’s not stated directly, Android is mentioned both in the jurisdictional section and in the conclusion: “… taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone …”

The CNIL also drops a broad hint that these issues are still happening and that this is not a one-off infringement. It’s possible that these fines are also not a one-off.

Now what?

I’ve always said the first targets of GDPR were Google and Facebook. I’m unsurprised that Google received not only the first fine, but more than the statutory €20 million. They did not receive anything close to the 4% of global revenue as allowed – that would be closer to €4 billion if my back of the envelope math is correct. However, I do think this is a warning to all of us. Make it clear what you’re doing with data and how you’re collecting it.

Google has made trillions of dollars by collecting data and selling it to the highest bidder. Throughout their existence they’ve been apologetic about it. This isn’t new. I was in the courtroom back in 2013 when they argued users should have no expectation of privacy when using Google services. Even during that case, the privacy policies were a twisty maze of documents that made it difficult to understand what they were collecting.

Facebook is likely next. They are collecting so much information from users, including listening in on conversations and selling advertising based on keywords. We just recently experienced this. We were sitting at a bar watching the bartender make a drink and discussing the ingredients with him, and within the next 2 days started getting Facebook ads for chocolate martini ingredients. I didn’t, and wouldn’t, give active consent for Facebook to access my phone’s microphone, but that doesn’t mean there’s not a checkbox somewhere that included the consent.

This is the first. It won’t be the last. It may not even be the last fine levied on Google for this by France.
