Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de l’Informatique et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right when the GDPR was entering into force. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and data retention periods of personal data used for personalizing advertisements; and (2) lack of valid consent for ads personalization.
Although Google has stated it intends to appeal this fine from the CNIL, the initial imposition of the fine, in reaction to consumer complaints and after a more than six-month-long investigation, demonstrates that regulators are viewing compliance with the GDPR in very strict terms, particularly with respect to disclosure and consent. In part, this raises the question of whether companies with large and spread-out data ecosystems can rely on privacy policies to adequately inform users of what is happening with their personal data, particularly if those policies are not written in plain, accessible language in a transparent manner. Instead, we may see a shift to more granular consent processes, with data collectors renewing their requests for consent with each new processing activity. While this undoubtedly may lead to diminished user experience, the GDPR set out to fundamentally alter the landscape of personal data collection and protection, and so far European regulators seem keen to achieve that goal.
In terms of the CNIL serving as the regulatory authority in this context, the CNIL found that because Google’s decision-making over data processing did not take place in Ireland, where Google maintains only its European finance and human resources operations, the CNIL was free to pursue the consumer complaints against Google’s US headquarters, and without pre-empting the Irish Data Protection Commission. For US-based data collectors and processors that also operate in Europe, this action sends the message that a main establishment in Europe needs to have decision-making authority for data processing operations in Europe to enjoy GDPR’s “one-stop-shop” enforcement protections.