Quite possibly the most famous GDPR case to date is the one involving Google, in which two privacy rights groups, the association None Of Your Business (NOYB) and La Quadrature du Net (LQDN), filed complaints against Google in May of 2018.
The first complaint was filed on the very first day of GDPR enforcement, accusing Google of not having a valid legal basis to process users’ data for ad personalization. Google’s European headquarters are located in Ireland, but authorities decided that the case would be handled by the CNIL, the French data regulator, since the Irish watchdog did not have “decision-making power” over Google’s Android operating system and services.
Eventually, on the 21st of January, Google was fined €50 million by the French data protection watchdog. CNIL found that, under the GDPR, Google had breached personal data protection rules by demonstrating a lack of transparency, providing inadequate information, and failing to obtain valid consent for ad personalization.
Once the investigation was finalized, CNIL concluded that Google had failed to make essential information about its operations easily accessible to all users. This information should have covered topics of great importance, including the categories of processed data and how long the information would be stored. Google users were only able to see the categories of data that were used to personalize ads after taking several steps. In addition, the information wasn’t categorized, but rather scattered all over the place, making the entire process lack transparency and accessibility.
Even once users were able to access the information, it lacked transparency and clarity, since it was usually presented in terms that were too generic and rough. Therefore, it was concluded that users weren’t able to fully grasp the extent of the processing operations carried out by Google.
Lack of valid consent
Even with the privacy information divided and organized into several documents, a layman would not be able to comprehend the background of the personal data collection system. In addition, in order to change some of the account settings, a user had to click on the “More Options” button, which showed the display of personalized ads pre-checked by default. In conclusion, Google failed to obtain the freely given, specific, informed and unambiguous consent required under the GDPR.
The case against Google made the following arguments:
- Google failed to provide easy access to essential information (the category of the data, how long the collected data would be stored, the purpose of collecting personal data, etc.);
- They divided information into several documents and made them pretty much inaccessible;
- They pre-checked certain preferences in their users’ account settings;
- They provided non-transparent, almost incomprehensible information;
- They tricked users into giving consent for personal data to be utilized by the company in any way it sees fit.
Was the fine fair… or too low?
Some might argue that a fine of 50 million euros is too mild, considering that we’re talking about a global force like Google. The speculation that Google “lucked out” revolves around one of the GDPR’s stipulations, which states that a penalty can rise up to 4% of the global turnover.
Ron Moscona, a partner at international law firm Dorsey & Whitney, told the Independent that this case could be interpreted as a warning to other digital giants, given that penalties can be even stricter.
More information on this case can be found on the official website of the French National Data Protection Commission (CNIL).