As we mentioned last December in our analysis of recent data breaches, the enforcement of GDPR is gearing up quickly. This past week, the French CNIL set a new record for the highest fine when it fined Google €50 million.
The sanction resulted from a complaint brought forward by Max Schrems, who rose to fame in 2014 when he filed a complaint that ultimately brought down the Safe Harbor deal between the US and EU. He has since founded the NGO None Of Your Business which advocates privacy rights, and which filed the complaint with the CNIL.
The fact that the French supervisory authority handled the complaint is interesting, as Google has its European HQ in Ireland, and thus one would expect the Irish regulator to be responsible for dealing with complaints. However, the CNIL found that the Irish establishment “did not have a decision-making power on the processing operations” related to its Android operating system, and thus could not be considered Google’s “main establishment” in the EU; therefore, the one-stop-shop mechanism did not apply. This is potentially an even more important finding than the size of the fine, as one of the promises of the GDPR has always been that organisations have to deal with only one ‘lead supervisor’.
A second learning from this case is what criteria consent must meet for it to be valid; in particular, what ‘unambiguous’, ‘informed’ and ‘specific’ mean in practice. For example, the CNIL points out that “relevant information is accessible after several steps only, implying sometimes up to 5 or 6 actions.” Through this layered structure, it is almost impossible for people to be truly informed about how their data is being used by Google when accepting the Terms and Conditions. The information presented should be clear and concise.
Furthermore, the CNIL points out that consent is bundled for several services Google provides, e.g. Google Search, YouTube, Maps and Google Play. Because it is impossible for a user to distinguish between these services, the CNIL ruled that the consent is not unambiguous – it is unclear for which service and purpose the user has given consent to process their personal data.
Until now, a lot has been unclear regarding what valid consent means. Judgements such as this one will help to clarify the steps you need to take to obtain consent. A clear learning from this case is that you shouldn’t mix different purposes in a single consent form. Further, when obtaining consent, the information presented should be easily navigable, and not spread across different documents. It should be intuitive for users, for example via clear and easily accessible policies.
A last warning is that the one-stop-shop principle should not be taken for granted. The supervisory authorities will assess on a case-by-case basis whether it applies, or take action themselves. In this case the CNIL deemed that there was no cross-border element involved that justified activating the mechanism.
ESOMAR continues to have a close watch on these cases, and we will publish regular updates on how the interpretation of the Regulation evolves. Through our ESOMAR Plus programme we can help you prepare your consent forms so you can avoid getting caught in these breath-taking fines. Just drop us an email or file a request for proposal. You can learn more at our website at: https://www.esomar.org/esomar-plus