French DPA concludes its first investigation, fining Google LLC €50 million in the process
On 21 January 2019, the French Data Protection Authority, the Commission nationale de l'informatique et des libertés (the “CNIL”), imposed a financial penalty of €50 million on Google LLC (“Google”) for a number of breaches of the General Data Protection Regulation (the “GDPR”). The CNIL found Google guilty of two breaches of the GDPR. Firstly, Google violated the principle of “lawfulness, fairness and transparency” and secondly, Google violated the requirement to have a “lawful basis for processing” when sending personalised ads.
Breach 1: Lack of Transparency
The CNIL found that Google’s fair processing information was lacking in both detail and clarity. The CNIL identified that essential information, such as the data processing purposes, the data storage periods and the categories of personal data used for the personalisation of ads, is excessively disseminated across several documents, meaning it is only possible to view relevant information after 5 or 6 click-through actions. Such a process is at odds with the “transparency” principle of article 5.1(a) of the GDPR and has the effect of preventing service users from fully understanding the extent of the processing operations carried out by Google.
Breach 2: Lack of valid consent
Under article 7 of the GDPR, consent is valid only where it is unambiguous and involves a clear affirmative action, i.e. an opt-in. In addition, distinct consent options must be given where there are a number of processing operations undertaken. The CNIL found that Google failed to adhere to these requirements for valid consent in two ways. Firstly, as information on the ads personalisation process is spread across several documents, it does not enable the user to fully understand the extent of such processing and, as such, users are not sufficiently informed of the processing operations undertaken. Secondly, users were not able to provide specific or unambiguous consent because users are asked to tick a box providing a general consent to Google’s terms of service and processing of their user information. Given users are not able to opt in or out of one or more processing operations but instead are required to provide a blanket consent to Google’s processing operations, the CNIL found this is not GDPR-compliant consent.
It is particularly interesting that the investigation came in response to two group complaints, one of which was received on 25 May 2018 (i.e. GDPR day). In the lead-up to the GDPR, the difficulties the digital advertising sector would face were much publicised and debated; this investigation demonstrates an immediate challenge to the compliance of one of the largest players in the sector and highlights the ongoing difficulties of achieving compliance. The CNIL noted the level of penalty was such because the breaches of the GDPR set out above were continuous and still observed at the date of the publication of its findings. Importantly, this investigation shows that the relevant data protection authorities are prepared to use their new GDPR powers, which is especially challenging for the digital advertising sector given others might suffer the same fate, were they to be investigated.
This article was written by Rachel Bell. If you would like to contact Rachel please call +44 (0)20 7427 6573 or email Rachel.Bell@crsblaw.com.