Last week, the French data privacy authority fined Google €50 million (about $57 million) for what it called “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.” The Commission Nationale de l’Informatique et des Libertés (CNIL) said that it began its investigation of Google on June 1, 2018 after receiving complaints from two different digital rights advocacy groups on May 25 and May 28, 2018, right when the GDPR was entering into force. In response, the CNIL set out to review the documents available to a user when creating a Google account during Android configuration. Upon that review, the CNIL found two alleged violations of the GDPR: (1) a lack of transparency and specificity about essential information such as the purpose of the data processing and the categories and data retention periods of personal data used for personalizing advertisements; and (2) lack of valid consent for ads personalization.

The first alleged violation feeds the second alleged violation here, as the CNIL said users’ consent to ads personalization could not be sufficiently informed when the information presented to them was dispersed over several documents requiring “sometimes up to 5 or 6 actions.” Thus, it isn’t that Google does not provide enough information, but that it does not present the information in one place for the approximately 20 services that are being offered. And the CNIL stated that the purposes of processing are too vague, meaning a user cannot tell if Google is relying on his or her consent or Google’s own legitimate interests as the legitimate basis of processing. Last, the CNIL found certain of Google’s ads personalization options were pre-checked, although GDPR views unambiguous consent as coming only from an affirmative action such as checking a non-pre-checked box, and that Google’s non-pre-checked boxes for accepting its Privacy Policy and Terms of Service were all-or-nothing consents for all processing activities, whereas GDPR requires specific consent for each purpose.

Our take:

Although Google has stated it intends to appeal this fine from the CNIL, the initial imposition of the fine, in reaction to consumer complaints and after an investigation lasting more than six months, demonstrates that regulators are viewing compliance with the GDPR in very strict terms, particularly with respect to disclosure and consent. In part, this raises the question of whether companies with large and spread-out data ecosystems can rely on privacy policies to adequately inform users of what is happening with their personal data, particularly if they are not written in plain, accessible language in a transparent manner. Instead, we may see a shift to more granular consent processes, with data collectors renewing their requests for consent with each new processing activity. While this undoubtedly may lead to diminished user experience, the GDPR set out to fundamentally alter the landscape of personal data collection and protection, and so far European regulators seem keen to achieve that goal.

In terms of the CNIL serving as the regulatory authority in this context, the CNIL found that because Google’s decision-making over data processing did not take place in Ireland, where Google maintains only its European finance and human resources operations, the CNIL was free to pursue the consumer complaints against Google’s US headquarters, and without pre-empting the Irish Data Protection Commission. For US-based data collectors and processors that also operate in Europe, this action sends the message that a main establishment in Europe needs to have decision-making authority for data processing operations in Europe to enjoy GDPR’s “one-stop-shop” enforcement protections.