Executive Summaries Jan 30, 2019

Google and CNIL: a Case of Inappropriately Obtained Consent

On January 21, 2019, the CNIL imposed the largest financial penalty to date on Google for breaches of the GDPR, amounting to 50 million euros.

In its deliberation decision No. SAN 2019 001, the French Data Protection Supervising Authority ("CNIL"), meeting in a restricted committee, ruled that Google LLC ("Google") had failed to comply with its obligations pertaining to transparency and information imposed by General Data Protection Regulation (EU) 2016/679 ("GDPR"), and that the consent on which Google relies for processing personalised advertising was not legitimately obtained.

Without elaborating further on Google's shortcomings, here are some things you should take away from this decision if, for example, you run a company selling to Europeans online (although CNIL does not want to give you too much opportunity to improve things before they sanction you).

The Principal Place of Business

The principal place of business of a data controller (the company which processes personal data) is not determined by its size (number of employees, monetary value of their economic activities, etc.), but by whether it is the place in which decisions are taken regarding the purposes and means of processing personal data, and whether it has the power to enforce these decisions.

In the present case, in the absence of a principal place of business within the European Union, any supervisory authority was competent to bring the action against Google.

The Separation of Consent

This decision reminds us of the importance of separating each request for consent, without pre-ticking any boxes in order to obtain bulk consent.

When a company processes complex, technical or unexpected data, it must define, separately and clearly, the main consequences of processing this data to those concerned. The latter (your user, for example) must be informed of how this may affect him, and when seeking consent to use his personal data, you should ensure that he explicitly consents to it (by clicking a button, for example); you may not proceed with processing his data without this consent, even if this person ultimately accepts your privacy policy in order to obtain your services. If several tasks for processing personal data require your user's consent, each request for consent included within your privacy policy must first be configured in such a way that processing is initially refused. You may only process the data once your user has changed the setting to allow data collection.

Freely Given Consent

In order for consent to be freely given, it is important to ensure that the different services you use to process your users' data are available to view by hyperlink (for example). The users in question must be in a position to understand the nature and the volume of the data you collect about them.

Lots of Privacy Documents and Lots of Clicks: Bad Idea

The use of several electronic documents requiring several "clicks" should be avoided. In the case against Google, users were required to browse through more than one document and to perform up to six actions in order to find some of the relevant information.

The recommended practice is to write privacy policies in layers. However, we believe that particular attention should be paid to the number of layers and clicks required to access the information. The use of explicit titles in such policies will be useful, since the number of clicks and the ease of locating the necessary information will now become criteria to consider when determining whether or not consent was validly obtained.

Defining the Purposes of Data Processing

When defining the purposes of processing personal data, it is essential to be specific and to highlight the extent of the processing and the degree of intrusion into the data subject's private life. Google has been criticised for defining its purposes too broadly. Here, it should be remembered that giving too many details may confuse the person in question and may also fail to comply with the obligation for transparency. As such, defining these purposes will require precision. Have you specifically stated each purpose of the personal data processing tasks you are carrying out, at the time of collection?

Substantial Damage

CNIL specifies that a lack of transparency regarding the personalisation of advertising (remarketing), as well as a lack of valid consent to this processing by users, constitute substantial breaches of users' privacy and are at variance with the legitimate aspirations of individuals wishing to retain control of their data. If you do business online and are collecting personal data about people within Europe, you should take a look at your privacy policy to ensure it surpasses Google's.

It is advisable to follow developments on this decision, which Google has appealed to the French Council of State.

Nicolas St-Sauveur is part of BCF's Web team that offers our clients relevant legal services and advice about their presence on the Internet. This constantly evolving environment requires the expertise of a multidisciplinary team like BCF.
