North American companies with operations that come under the European Union’s tough privacy law have been warned by a new ruling from France’s data protection regulator: Make sure your privacy policies are clear or be heavily fined.
The regulator, which goes under the initials CNIL, fined Google LLC the equivalent of US $57 million under the General Data Protection Regulation (GDPR) for lack of transparency, inadequate information and lack of valid consent regarding ads personalization.
“The amount decided, and the publicity of the fine, are justified by the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent,” the CNIL said in an English translation of its news release.
Google’s way of making users go through several menus or documents to find explanations of how it collects and uses user data “deprive[s] the users of essential guarantees regarding processing operations that can reveal important parts of their private life since they are based on a huge amount of data, a wide variety of services and almost unlimited possible combinations,” said the regulator.
As a result, the “specific” and “unambiguous” user consent required by the GDPR is not obtained.
According to news reports Google issued a statement saying, “People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”
The CNIL investigation was launched after complaints were filed in May by two privacy groups, None Of Your Business (“NOYB”) and La Quadrature du Net.
The CNIL found two violations of the GDPR:
–Information provided by Google is not easily accessible for users.
“Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information. The relevant information is accessible after several steps only, implying sometimes up to five or six actions. For instance, this is the case when a user wants to have complete information on his or her data collected for the personalization purposes or for the geo-tracking service.
“Moreover, the restricted committee observes that some information is not always clear nor comprehensive.
“Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about 20), the amount and the nature of the data processed and combined. The restricted committee [the committee of the CNIL that did the investigation] observes in particular that the purposes of processing are described in too generic and vague a manner, and so are the categories of data processed for these various purposes. Similarly, the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company. Finally, the restricted committee notices that the information about the retention period is not provided for some data.”
–User consent is not validly obtained.
“The information on processing operations for the ads personalization is diluted in several documents and does not enable the user to be aware of their extent. For example, in the section ‘Ads Personalization’, it is not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, Youtube, Google home, Google maps, Play store, Google pictures…) and therefore of the amount of data processed and combined.
“Then, the restricted committee observes that the collected consent is neither “specific” nor “unambiguous”.
“When an account is created, the user can admittedly modify some options associated to the account by clicking on the button ‘More options’, accessible above the button ‘Create Account’. It is notably possible to configure the display of personalized ads.
“That does not mean that the GDPR is respected. Indeed, the user not only has to click on the button ‘More options’ to access the configuration, but the display of the ads personalization is moreover pre-ticked. However, as provided by the GDPR, consent is ‘unambiguous’ only with a clear affirmative action from the user (by ticking a non-pre-ticked box for instance). Finally, before creating an account, the user is asked to tick the boxes ‘I agree to Google’s Terms of Service’ and ‘I agree to the processing of my information as described above and further explained in the Privacy Policy’ in order to create the account. Therefore, the user gives his or her consent in full, for all the processing operations purposes carried out by GOOGLE based on this consent (ads personalization, speech recognition, etc.). However, the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”
The Hacker News noted it’s not the first time Google has been fined over a privacy violation. Back in July, the company was levied with a record $5 billion fine by the EU in an Android antitrust case, which Google is currently appealing.