Only now I realize there should have been a pool around GDPR enforcement. We could have placed bets on the first company fined, the first country to fine, over/under on the fine amount, month and year of action. But, it’s too late, all bets are closed, we have our first action.
Today the French National Data Protection Commission’s (CNIL) announced that they fined Google €50 million for violations of GDPR. The announcement is well worth a read fully, but here are some of the highlights.
Under GDPR the countries where the company is headquartered has preference in handling issues. In this case, Google is headquartered here in Ireland. However, as I read the CNIL press release, it seems that, in discussion with other European Data Protection Authorities (DPA), the decision was made that there was no primary jurisdiction.
In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow to consider that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.
As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPA. The CNIL implemented the new European Framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.
The CNIL determined that it was difficult for consumers to access information about what data Google collects and how they use it. The information may be available on the Google website, but involves clicking through multiple documents and lots of cross referencing. And, as the committee notes, sometimes what is there isn’t clear or comprehensive. The crux is that it’s difficult for users to understand what data Google is collecting, how they’re collecting it and what they’re doing with it.
Google says they get the consumer’s consent to process data, but the committee determined that consent is not validly obtained for two reasons. First, the information on processing is spread across multiple documents and does not truly give the user information about the extent of data collected. Secondly, even though it is possible to configure the display of personal ads, the configuration is only accessed through a “more options” button. Users who do click on the more options button are presented with pre-ticked boxes. However, pre-ticked boxes are not unambiguous consent, GDPR requires some action by the user.
Hints of things to come
Reading between the lines in the CNIL press release the fines seem to to be specific to creation of Google accounts associated with Android phones. While it’s not stated directly, Android is mentioned both in the jurisdictional section and in the conclusion: “… taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone …”
The CNIL also drops a broad hint that these issues are still happening and this is not a one-off infringement. It’s possible that these fined are also not a one-off.
I’ve always said the first targets of GDPR were Google and Facebook. I’m unsurprised that Google received not only the first fine, but more than the statutory €20 million. They did not receive anything close to the 4% of global revenue as allowed – that would be closer to €4 billion if my back of the envelope math is correct. However, I do think this is a warning to all of us. Make it clear what you’re doing with data and how you’re collecting it.
Google has made trillions of dollars by collecting data and selling it to the highest bidder. Throughout their existence they’ve been apologetic about it. This isn’t new. I was in the courtroom back in 2013 when they argued users should have no expectation of privacy when using Google services. Even during that case, the privacy policies were a twisty maze of documents that made it difficult to understand what they were collecting.
Facebook is likely next. They are collecting so much information from users including listening into conversations and selling advertising based on keywords. We just recently experienced this. We were sitting at a bar watching the bartender making a drink and discussing the ingredients with him, and in the next 2 days started getting Facebook ads for chocolate martini ingredients. I didn’t, and wouldn’t, give active consent for Facebook to access my phone’s microphone, but that doesn’t mean there’s not a checkbox somewhere that included the consent.
This is the first. it won’t be the last. It may not even be the last fine leveed on Google for this by France.