The first significant fine, equivalent to £44m, has been levied on Google by the French data regulator, the CNIL, for lack of transparency, inadequate information and lack of valid consent regarding the personalisation of advertisements.
The fine was levied by the CNIL after an investigation into complaints received in May 2018 from the associations None Of Your Business (NOYB) – the European centre for digital rights championed by privacy activist Max Schrems on behalf of 10 individuals – and La Quadrature du Net, which was mandated by 10,000 people to refer the matter to the CNIL.
Although Google’s European headquarters are in Ireland, the CNIL said the one-stop-shop mechanism was not applicable because Google does not have one main establishment in the EU and the Irish data protection authority “did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by Google in relation to the creation of an account during the configuration of a mobile phone”.
In the two complaints, the associations reproach Google for not having a valid legal basis to process the personal data of the users of its services, particularly for advertisement personalisation purposes.
The CNIL found that users were “not sufficiently informed” about how Google collected data to personalise advertising, that Google had not obtained clear consent to process data because “essential information” was “disseminated across several documents”, that the relevant information was accessible only after several steps, and that, as a result, “users are not able to fully understand the extent of the processing operations carried out by Google”.
The CNIL found that the option to personalise ads was “pre-ticked” when creating an account, which was then used as the basis for all the processing operations carried out by Google. But the CNIL said this did not respect the EU’s General Data Protection Regulation (GDPR), which says the consent is “specific” only if it is given distinctly for each purpose.
This fine is the first imposed by the CNIL under the GDPR, and the regulator warns that, because the infringement is continuing and also involves the Android mobile operating system, further sanctions are on the agenda. “It is not a one-off, time-limited infringement,” the regulator said.
In a statement, Google said: “People expect high standards of transparency and control from us. We are deeply committed to meeting those expectations and the consent requirements of the GDPR.” The company also said it was “studying the decision” to determine its next steps.
Max Schrems, chairman of NOYB, said: “We are very pleased that, for the first time, a European data protection authority is using the possibilities of GDPR to punish clear violations of the law.
“Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough.
“We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible.”
As the highest fine imposed by the CNIL to date, this punishment sends a serious warning to Google that the CNIL will not hesitate to use its powers where it deems the case at hand serious, according to Sonia Cissé, managing associate at law firm Linklaters.
“More than just a significant amount of money, this sanction is particularly detrimental to Google as it directly challenges its business model and will, in all likelihood, require it to deeply modify its provision of services,” she said.
And the CNIL decision goes way beyond Google, said Cissé. “Indeed, companies like Facebook, Amazon, but also any companies with a similar business model based on the processing of personal data for targeted advertising, could be sanctioned with high fines in the near future.
“With this decision, the CNIL is sending a strong message to companies with business models which are not complying with the requirements of the GDPR,” she said, adding that if other regulators come to the conclusion that Google is breaching the GDPR, then significant administrative fines could also be imposed elsewhere.
The CNIL fine has met a mixed reaction, with some welcoming the decision and others critical of the CNIL for not working with Google to improve the business model.
Among those who have welcomed the decision is Kevin Curran, professor of cyber security at Ulster University and senior member of the Institute of Electrical and Electronics Engineers (IEEE).
“The spirit of GDPR is that any data collected on the consumer should be accurate, protected and available to individuals to collect, move, delete, modify and view, and that they should only collect what is necessary,” he said. “In addition, consent should be freely given. In other words, companies should not capture too much data, or treat it lightly and also not use covert measures to opt users into services.”
Curran said the fine should act as a stark warning to other big technology organisations that may view themselves as too big to take down.
“The key to GDPR’s effectiveness is, of course, adherence,” he said. “Such adherence will only come about through the hefty fines outlined. Fining Google like this is a good start to set a precedent.
“No one can really say at this stage whether we will see the giant conglomerates suffer fines frequently, but the European Commission should bare its teeth at this time to ensure the IT giants do not become lax about the law. A fair law. A welcome law.”
Bharat Mistry, principal security strategist at security firm Trend Micro, said the fine shows that even the big tech firms are struggling with the tightening regulatory and compliance regimes that the EU has put in place to protect citizens’ data.
“This fine will be a wake-up call for the tech giants and any other company that is collecting and hoarding mass amounts of personal data without applying due care and attention to the protection, retention and safe disposal of the data once it is no longer required,” said Mistry.
Ian Woolley, chief revenue officer at marketing security and data protection firm Ensighten, said the new data economy demands trust and transparency between businesses and their customers. “Google has failed to do that and it is now paying the price,” he said.
“This is another warning for all businesses to review their data strategy as a whole and ensure they address all potential gaps. When it comes to compliance, investment is key to ensure brands are not caught out by huge fines and the cost of reputational damage by cutting corners with data.”
Application security firm Veracode believes the fine is the start of a challenging 2019 for businesses when it comes to compliance. “The fine against Google is an indication of the serious focus on privacy and security by regulators,” said Paul Farrington, director of solutions architecture for Europe at Veracode. “Global enterprises must take steps to ensure security hygiene and compliance with standards to reduce their risk and protect data.”
Not solving the issue
But Jonathan Bensen, interim CISO at vulnerability management firm Balbix, said the CNIL’s decision to fine Google does not seem to be aimed at solving the issue.
“Instead, the fine seems to be aimed at making money,” he said. “Most people should be aware that if they want enhanced digital services, they must pay the price of giving some reasonable amount of privacy away.
“If the CNIL wanted to take a step in the right direction, it should suggest Google change the language in its terms of service versus imposing a fine without offering a solution.
“While it is possible to run an Android phone without a Google account, it makes it almost unusable. The same argument can be made about iPhones and needing an account with Apple. You can run the phone without one, but it severely limits the capabilities of the device.”
The key thing to take from this news is that this is a substantial fine in the name of GDPR, said Guy Bunker, senior vice-president of products at information security firm Clearswift.
“It is nowhere near the maximum available fine, but it is enough to make organisations sit up and take note,” he said. “It also shows that no organisation is above the law and the regulators will go after big names.
“For businesses now fearing the risk of substantial fines to their own organisations, the key to compliance centres on three aspects: people, processes and technology. These are vital areas that organisations need to review to gain visibility and control of critical data in order to comply with the GDPR.
“The board should be working together with middle management on their organisation’s GDPR compliance to maintain a clear understanding of the state of their data security status.”