2019 is slated to be the “Year of Privacy” and the European GDPR regulators have wasted no time taking enforcement action under the GDPR with record fines.
Google has been handed a €50 million (approximately NZ$83 million) financial penalty by France’s National Data Protection Commission (CNIL), in the country’s first GDPR enforcement action.
This update provides an overview of the Google decision and highlights some important lessons for New Zealand and practical steps to prepare for further changes ahead.
Summary of Google case
France’s CNIL identified two key breaches of the GDPR by Google:
(a) lack of transparency; and
(b) lack of legal basis to process user data for ad personalisation.
While Google had procured consents from users for ad personalisation, CNIL determined that such consents were insufficiently specific and inadequately informed.
Specifically, Google’s personal data consent processes were found to be invalid because users were not given sufficient information to be able to give informed consent. CNIL considered that:
(a) information was being collated in a way that didn’t allow users to be aware of the extent of data being deployed for ad personalisation purposes;
(b) information essential to user consent was “disseminated across several documents” and accessible only after, in some cases, “five or six actions”; and
(c) this lack of clarity meant that it was difficult for users to be able to exercise their right to “opt-out” of their data being processed for the purpose of personalised ads.
The CNIL highlighted that:
“in the section ‘ads personalisation’, it is not possible to be aware of the plurality of services, websites and applications involved in processing operations [Google Search, YouTube, Google Home, Google Maps, Playstore, Google pictures] and therefore the amount of data processed and combined.”
The fine follows an eight-month investigation by CNIL, instigated in June last year following two complaints made by the associations None Of Your Business (noyb) and La Quadrature du Net (LQDN), the latter mandated by 10,000 people to present the case. Both complaints related to Google’s lack of clarity around consumer data utilisation for advertising purposes. noyb has filed similar complaints against Amazon, Apple, Spotify and YouTube.
Under the GDPR, large companies can face fines of up to €20 million or 4% of their global turnover (whichever is higher). In 2017, the annual global revenue for Alphabet, Google's parent company, was $110.8 billion. Accordingly, the maximum fine that could have been levied by CNIL would have been $4.4 billion.
Google has responded to the fine by emphasising that it had "worked hard" to create a transparent and straightforward GDPR consent process for its ads personalisation settings, and was "concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond".
For these reasons, Google has chosen to appeal. This will be heard by the Conseil d'Etat, which may decide to refer some of the questions to the Court of Justice of the European Union.
Lessons for New Zealand businesses
The Google decision is a timely reminder for New Zealand businesses to prioritise data governance in 2019. Relevant steps may include:
(a) GDPR compliance – reassess whether the GDPR applies to your business and, if it does, whether you comply – see our previous update.
(b) Marketing consents – ensure that your Privacy Policy and marketing consent processes are sufficiently comprehensive and accessible to provide the basis for individuals’ informed consent. New Zealand businesses can no longer afford to assume that having generic consent policies in place for data use is adequate.
The Google decision, coupled with other recent GDPR enforcement activity, signals that European regulators are focusing their energies (at least initially) on companies that make use of their customers’ personal data to develop targeted advertising. The United Kingdom’s privacy regulator, the Information Commissioner’s Office (ICO), brought a GDPR-related enforcement action last year against AggregateIQ, which the ICO alleged had processed personal data to develop targeted, pro-Brexit political ads. The ICO also fined Facebook £500,000 for ‘serious breaches of data protection law’ last year, under old (pre-GDPR) legislation.
(c) Privacy Review – consider a Privacy Review to ensure that you comprehensively understand where and how your data is collected, used, stored and disclosed. If you don’t know where your data resides, you cannot ensure that you are taking adequate steps to protect it and comply with your legal obligations. A Privacy Review will assist with a range of data governance objectives, including:
(i) data flows – identifying or confirming your data flows, including where data is collected, stored, disclosed and used;
(ii) digital strategy – supporting digital and data use strategies, with robust supplier and customer contracts and updates to privacy policies – particularly if you are using or considering the use of new technologies to harness the value of personal data;
(iii) best-practice consents – reviewing your privacy policies and customer consents to ensure that they are up to date with best practice, including in the wake of the Google decision; and
(iv) legal compliance – assisting with compliance with the full scope of data protection obligations – including, if applicable, the GDPR and other international obligations – and “front-footing” the changes ahead for New Zealand’s Privacy Act 1993.
Please contact your usual Bell Gully advisor if you would like any advice or assistance in relation to a Privacy Review or any other matter addressed in this update.