Google and CNIL: a Case of Inappropriately Obtained Consent
On January 21, 2019, the CNIL imposed the largest financial penalty to date on Google for breaches of the GDPR, amounting to 50 million euros.
By Nicolas St-Sauveur, Lawyer
In its deliberation decision No. SAN 2019 001, the French Data Protection Supervising Authority ("CNIL"), meeting in a restricted committee, ruled that Google LLC ("Google") had failed to comply with its obligations pertaining to transparency and information imposed by General Data Protection Regulation (EU) 2016/679 ("GDPR"), and that the consent on which Google relies for processing personalised advertising was not legitimately obtained.
Without elaborating further on Google's shortcomings, here are some things you should take away from this decision if, for example, you run a company selling to Europeans online (although CNIL does not want to give you too much opportunity to improve things before they sanction you).
The Principal Place of Business
The principal place of business of a data controller (the company which processes personal data) is not determined by its size (number of employees, monetary value of their economic activities, etc.), but by whether it is the place in which decisions are taken regarding the purposes and means of processing personal data, and whether it has the power to enforce these decisions.
In the present case, in the absence of a principal place of business within the European Union, any supervisory authority was competent to bring the action against Google.
The Separation of Consent
This decision reminds us of the importance of separating each request for consent, without pre ticking any boxes in order to obtain bulk consent.
Freely Given Consent
In order for consent to be freely given, it is important to ensure that the different services you use to process your users' data are available to view by hyperlink (for example). The users in question must be in a position to understand the nature and the volume of the data you collect about them.
Lots of Privacy Documents and Lots of Clicks: Bad Idea
The use of several electronic documents requiring several "clicks" should be avoided. In the case against Google, users were required to browse through more than one document and to perform up to six actions in order to find some of the relevant information.
The recommended practice is to write the privacy policies by layer. However, we believe that particular attention should be paid to the number of layers and clicks required to access the information. The use of explicit titles in such policies will be useful, since the number of clicks and the ease of locating the necessary information will now become criteria to consider when determining the validity or otherwise of obtaining consent.
Defining the Purposes of Data Processing
When defining the purposes of processing personal data, it is essential to be specific and to highlight the extent of the processing and the degree of intrusion into the data subject's private life. Google has been criticised for defining its purposes too broadly. Here, it should be remembered that giving too many details may confuse the person in question and may also fail to comply with the obligation for transparency. As such, defining these purposes will require precision. Have you specifically stated each purpose of the personal data processing tasks you are carrying out, at the time of collection?
It is advisable to follow developments on this decision, about which Google has appealed to the French Council of State.
Nicolas St-Sauveur is part of BCF's Web team that offers our clients relevant legal services and advice about their presence on the Internet. This constantly evolving environment requires the expertise of a multidisciplinary team like BCF.