France’s CNIL Gives Record GDPR Fine of $57 Million to Google
France’s data protection authority, the Commission Nationale de l’Informatique et des Libertés (CNIL), issued a record GDPR fine of 50 million euros (about $57 million) today (January 21, 2019). The penalty was levied for violations of (1) the obligations of transparency and information, and (2) the obligation to have a legal basis for the processing of personal data for ads personalization.
The CNIL Investigation
CNIL received two complaints in May 2018 contending that Google did not have a legal basis to process personal data for, in particular, the personalization of ads. The complaints were filed within three days of GDPR going into effect – on Friday, May 25th and Monday, May 28th.
CNIL circulated the complaints to the other Data Protection Authorities (DPAs) in the European Union to determine whether it had the authority to proceed or whether the one-stop-shop mechanism applied. In consultation with the other DPAs, CNIL determined that one-stop-shop did not apply.
In September 2018, CNIL carried out online inspections of the process of creating a Google account while configuring a mobile device running Android, including the “browsing pattern of a user and the documents he or she can … access”.
GDPR Violations concerning Transparency / Information
1. Essential information is spread across several documents, each requiring additional clicks. A user needs up to 5 or 6 actions to find the purposes of the data processing, the retention period and the categories of personal data used for ads personalization.
2. Some information “is not always clear nor comprehensive”.
– Users are not able to grasp the extent of the processing. The volume and variety of data processed are vast because of the number of services offered.
– Purpose of processing description is too generic and vague.
– List of categories of data processed for each purpose is too generic and vague.
– It is unclear to users that the legal basis for ads personalization processing is consent rather than legitimate interest.
– Retention period is not provided for some data.
GDPR Violations concerning Consent
1. Consent was not sufficiently informed because of the dilution of the extent of processing for ads personalization across several documents. CNIL said: “[I]t is not possible to be aware of the plurality of services, websites and applications involved in these processing operations” from the Ads Personalization section.
2. The consent was neither “specific” nor “unambiguous”.
– User has to click on the “More options” button to access configuration.
– Ads personalization was pre-ticked in the additional options.
– The consent given at the end for the processing as a whole was not specific because it was not given separately for each purpose.
Factors for the GDPR Fine
This is the first time that CNIL has used the higher fining limits provided for by GDPR. For the most serious violations, GDPR authorizes the DPAs to fine up to the higher of 20 million euros or 4% of a company’s total worldwide annual turnover for the preceding financial year.
CNIL discussed part of its reasoning in setting the 50 million euro fine. In short, CNIL said that the severity of the infringements justified the amount. Some of the factors it indicated were considered:
– The infringements deprive users of essential guarantees regarding processing that can reveal important parts of their private life.
– The breaches were continuous, not one-off, time-limited infringements.
– The dominance of the Android operating system on the French market: thousands of people in France create a Google account on their smartphone every day.
Why Didn’t the One Stop Shop Mechanism Apply?
“[W]hen the CNIL initiated proceedings, the Irish [DPA] did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.”
What Does This Mean?
Over the past few months there has been online commentary about the absence of major GDPR fines from the DPAs, and speculation that the hype over the new privacy law was unwarranted. This fine should put those doubts to rest.
Although the fine is nowhere near the maximum of roughly $4.3 billion that could have been issued based on Google’s 2017 global annual revenue of $109 billion, it is more than enough to establish that the DPAs mean business, and that companies need to take a second look at their GDPR compliance efforts to make sure that they are sufficiently transparent and meet the requirements for establishing consent as a lawful basis for processing personal data.
Contact Clarip for CCPA and GDPR Software
The Clarip privacy management software is ready to help improve your organization’s privacy practices. Contact us (we return messages within 24 hours) or call 1-888-252-5653 to schedule a demo with a member of the Clarip team.
If your immediate need is California Consumer Privacy Act compliance, take a look at our CCPA software. From consent management to powerful DSAR Software, Clarip offers enterprise privacy management at an affordable price.