Welcome back to our two-part series examining CNIL vs. Google: 10 lessons from the largest data protection fine ever issued.  In this post we continue our analysis of CNIL vs. Google by taking a closer look at the additional lessons we can learn from this important decision. 

6. …tell data subjects exactly what you’re doing with their data

CNIL found that it was hard for users to understand what Google was doing with their data. They commented: “Users are not able to fullly understand the extent of the processing operations… the purposes of processing are described in too generic and vague a manner and so are the categories of data processed for these various purposes.”

The lesson here is: tell data subjects clearly what data you are collecting and what you are using it for. Do not try to obfuscate it.

7. Identify your lawful basis (or bases) for processing and communicate it clearly…

The GDPR requires controllers and processors to identify one of six lawful bases for all their processing activities. The lawful basis or bases must then be communicated to the data subject.

CNIL found that it was not clear to users that Google was relying on consent as its lawful basis for processing. They observed: “the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalisation is consent, and not the legitimate interest of the company”.

8. …and be careful when relying on consent – it’s got to be GDPR-standard consent! 

Under the GDPR, if an organization wishes to rely on consent as a lawful basis for processing, then they require a “clear affirmative act” from the data subject, establishing “freely given, specifically, informed and unambiguous” agreement.

CNIL decided that Google had not obtained consent from users for two reasons: first, they felt that user consent was not informed, because the necessary information was diluted across many documents and was insufficiently comprehensive; and second, in CNIL’s view, the consent obtained from users was neither “unambiguous” nor “specific”.

CNIL said that consent was not “specific” because Google asked the user to give their consent in full for all the processing activities Google undertakes; but under the GDPR, consent is specific only if it is given distinctly for each purpose.

They said that consent was not “unambiguous” because there was no affirmative action from the user to consent to advert “personalisation.” Although users did have the ability to indicate their preferences, they had to navigate away from the main page to do so, and the box consenting to advert “personalisation” was pre-ticked.

The lesson here is: consent is one of the most nuanced of the lawful bases to rely on, because it has to be GDPR-standard consent which is a high standard to meet. Do not rely on consent where it is inappropriate, because if it is not GDPR-standard consent, it is not valid.

9. Regulators will take a number of factors into account when determining the size of a fine

CNIL decided to fine Google for breaching the transparency principle and breaching the requirement to identify and communicate a lawful basis for processing; but they indicated that several other factors had determined the size of the fine:

  • The processing in question concerned vast amounts of data that was potentially very private (i.e. the users’ browsing history).
  • The breaches were still ongoing at the time CNIL issued the fine: they were not one-off or time-limited.
  • Thousands of French people create a Google account every day: the ubiquity of the Android operating system means that the breaches affect huge numbers of data subjects.
  • The delivery of personalized advertisements is a fundamental part of Google’s economic model – it is not ancillary. CNIL felt that Google therefore had a responsibility to ensure that it complied with GDPR in respect of that aspect of its services.
  1. This isn’t over – Google plans to defend itself

Google has confirmed that it plans to challenge CNIL’s decision before France’s highest administrative court. Google said, “We’ve worked hard to create a GDPR consent process for personalized ads that is as transparent and straightforward as possible, based on regulatory guidance and user experience testing… We’re also concerned about the impact of this ruling on publishers, original content creators, and tech companies in Europe and beyond. For all these reasons, we’ve now decided to appeal.” The outcome of the case will be watched closely by many, particularly those in the tech sector.

The lessons are clear – make sure your privacy notice is clear and accessible; do not rely on consent as your basis for processing, unless you are genuinely seeking the user’s consent; and if you are in the targeted advertising space or your business is making use of adtech services, then you need to treat GDPR compliance as a major priority. Meanwhile, the privacy community will be watching Google’s appeal with great interest.