€50m fine for Google: Transparency and valid consent both lacking

February 15, 2019

On 21 January 2019, an eye-watering €50m penalty was imposed on Google under the GDPR. Side-stepping the €20m maximum, the French data protection regulator, the CNIL, issued a turnover-related fine, highlighting that the maximum possible fine under the GDPR is €20m or 4% of global annual turnover, whichever is the greater.

The regulator’s action followed complaints which were made within days of the GDPR coming into effect in May 2018. The complaints were from the associations None Of Your Business (“NOYB”) and La Quadrature du Net (“LQDN”), mandated by 10,000 people to refer the matter to the CNIL.

The case concerns personalised ads on smartphone devices using the Android operating system with a Google account. The regulator found two types of breaches of the GDPR: first, a lack of transparency, and second, a lack of valid consent regarding the targeted ads.

Transparency

The requirement for transparency goes to the heart of the GDPR and applies to all processing.

CNIL looked at the information and process a user goes through when setting up the account with Google. They found that the information provided by Google to the user is not easily accessible. Essential information, such as the purposes of the processing, data storage periods and the categories of personal data used for the ads personalization, are disseminated across several documents. Specifically, information is not clear enough for a user to understand that the legal basis of processing for the ads personalization is consent, and not the legitimate interest of Google.

Meanwhile, the processing operations are “massive and intrusive” because of the number of services offered (e.g. Google search, YouTube, Google home, Google maps, Playstore, Google pictures…), and the volume and the nature of the data processed and combined.

Lack of a legal basis

The GDPR requires a legal basis for processing. “Consent” is one of the possible legal bases and the GDPR significantly raised the bar for obtaining a valid consent.

The CNIL decided that the user’s consent is not validly obtained for two reasons. First, the consent is not sufficiently informed - a lack of transparency is fatal to obtaining a valid consent. Second, the collected consent is neither “specific” nor “unambiguous”. The user gives his or her consent for all processing operations together, whereas under the GDPR consent is “specific” only if it is given distinctly for each purpose, i.e. a separate consent for each separate processing operation.

Google has said it will appeal the decision.

The case highlights the imperative of, as well as the difficulties in, obtaining a valid consent, especially in the complex and mystifying world of targeted advertising, where presenting transparent, intelligible information to a user in order to inform consent is challenging. Where the use of data is based on consent, it is necessary to continuously review and improve the content and presentation of privacy information to ensure that it meets the transparency requirement.


For more information

Nigel Miller
Partner
Direct dial: +44 (0)20 7614 2504
nmiller@foxwilliams.com