The €50 million fine levied last week by the French National Commission on Informatics and Liberty (CNIL) against Google for violations of the GDPR has struck the tech industry with a resounding thunderclap, sending shockwaves that are being felt in boardrooms across the globe. As the first significant penalty imposed against a major multinational technology company under the EU’s new GDPR regime, the hefty fine is widely viewed as a shot across the bow in the coming struggle between privacy regulators and big data aggregators about the scope of conduct that will be permitted under the new rules. While surely intended as an instructive example to set the tone of regulators’ expectations, the contours of the CNIL decision and Google’s swift pledge to appeal the ruling likely means this event will generate as many new questions as it answers.
Long before the GDPR came into force last May, tech companies have been pouring tremendous resources into bringing their operations into compliance with the new requirements, and those efforts continue today. But the degree to which those requirements would be enforced and the severity of the actual penalties that would be imposed have remained hypothetical—until now.
In announcing the penalty, the CNIL identified two areas where Google allegedly violated GDPR requirements. In the first, the CNIL cited a “violation of the obligations of transparency and information” because the information provided by Google is not easily accessible. Google’s data processing purposes, storage periods, and the categories of personal data can only be reached after clicking several buttons, totaling as many as five or six actions before reaching the relevant information. Furthermore, the operations are “particularly massive and intrusive” in light of the constellation of different services offered and the volume of data processed and combined.
In the second, the CNIL identified a “violation of the obligation to have a legal basis for ads personalization processing.” While Google does obtain users’ consent to process personal data for targeted advertisement, the CNIL alleges that the consent is “not validly obtained” because the user is not sufficiently informed and the consent is neither specific nor unambiguous. By spreading the necessary information across several documents, users struggle to understand the scope of the information processing. While options for targeted ads can be customized through a series of check-boxes, the default state is for those boxes to be ticked “yes,” while the GDPR conversely requires an affirmative act—for instance, ticking a box that has by default been set to “no.”
Although this action is rightly interpreted as a warning intended to provide clarity and induce companies to take heed and make changes, it also raises a number of new questions. And some of the largest tech industry players may find that there is no easy way to revise their products and services framework and literature to bring their operations in line with regulators’ expectations.
Google is by no means a small company and, while €50 million will not have a material impact on the financial condition of a company the size of Google, fines of this magnitude could threaten the survival of many smaller companies who handle personal data.
In addition to the threat of much higher fines, the ruling also threatens the company’s bottom line by potentially disrupting the tremendous targeted ad revenues that make up a large portion of that $110 billion in revenue. For instance, even by just making one single alteration referenced in the CNIL’s decision—changing the default personal data sharing option to “no”—the number of users who opt to make their personal data available for processing could suffer a precipitous fall. This trend might be exacerbated once newly revised privacy disclosures lead to customers having a more complete understanding of all that is being done with their data. Armed with this knowledge, customers are more likely to opt “no” in far greater numbers.
Furthermore, the ruling raises important questions about what general conclusions the tech industry can draw about adequate privacy disclosures based on the deficiencies identified by the CNIL. Are boxes ticked by default to “yes” to be prohibited in all cases, or just in this particular case? If five or six actions to access relevant privacy information is opaque, will two or three be considered transparent, or must it be one… or zero?
One might also wonder: how it is possible for a company to offer dozens of interconnected services that share and co-mingle customers’ personal data across platforms, while at the same time making it easy to understand all of the purposes, uses, and retention periods for that data? Is it even possible, or is that a contradiction in terms? This conundrum could present a Gordian knot that Google and others in the tech industry may find impossible to untangle without cutting some of their current product and service offerings. The answers to these questions and many others will come into greater focus as the appeal plays out and future enforcement actions come down the pipeline. But for now, one thing is crystal clear: this ruling presents an ill omen for business models that rely on customers to swiftly click “accept” and share their personal data.
While the drumbeat of GDPR compliance may have become all too familiar to privacy practitioners during the past few years, the CNIL’s decision on Google underlines the reality that we are likely only just witnessing the opening act of an epic drama whose scenes will take center stage for a global audience of politicians, regulators, and tech titans for many years to come.
Disclaimer: The purpose of this post is to provide general education on Information Governance topics. The statements are informational only and do not constitute legal advice. If you have specific questions regarding the application of the law to your business activities, you should seek the advice of your legal counsel.