Google Fine Signals GDPR Enforcement Priorities and Complexities
The French Data Protection Authority, CNIL, has fined Google 50 million euros for Google’s alleged failure to comply with the EU’s sweeping General Data Protection Regulation (GDPR). The enforcement action is significant for a number of reasons:
- Jurisdictionally, CNIL ignored Google’s attempt to be regulated by Ireland’s Data Protection Authority, generally assumed to be somewhat more sympathetic to Google in light of Google’s significant connections to and investments in Ireland. CNIL observed that Google’s decision-making location with respect to privacy issues remained in the United States, rather than Ireland, so CNIL was not obligated to respect Google’s attempt to select Ireland’s DPA as its jurisdiction of choice.
- CNIL went on to assert that Google’s process for obtaining consent was neither specific nor unambiguous because the user was required to navigate what CNIL apparently viewed as too many successive steps when first opening their account to exercise opt-out rights regarding collection and processing of personal data. CNIL was particularly critical of Google’s ‘pre-ticked’ box for ad personalization, which CNIL considered insufficient to meet the ‘voluntary’ requirement for consent.
- In what may be the most challenging aspect of the ruling for companies hoping to avoid what consumers may view as off-putting sequences of consents, CNIL also found fault with Google’s ‘single-click’ approach to consents to both its Terms of Service and Privacy Policy, asserting that consumers should be allowed to pick and choose whether they wish to consent to each of the various processing functions that Google performs, which in turn would require much more detailed disclosures of exactly what processing Google actually does.
Google’s past differences with EU regulators on various privacy matters obviously placed it in the cross-hairs of the EU’s DPAs (the recent decision regarding the jurisdictional limits on Google’s obligations regarding the right to be forgotten likely was not wildly applauded by DPAs), so it should come as no surprise that CNIL chose Google for one of its first test cases on exactly how the ‘fine print’ of GDPR is to be applied. The potential precedent, and frankly compliance headache, associated with a more disaggregated and nuanced consent process, however, applies not just to Google, but to other companies that have tried to streamline their disclosure and consent procedures by requiring only single clicks to approve Terms of Service and Privacy Policies. Privacy advocates will applaud the ruling as confirmation of the sweeping changes many have hoped for with the passage of GDPR, particularly with regard to the opaque world of targeted advertising. Those companies having to rethink the adequacy of their disclosures and consents – many of which are likely to be fairly similar to those found lacking by CNIL – may feel otherwise.
It remains to be seen how the average consumer might react to the practical implications of the ruling. Those more interested in ease and efficiency of access than in sorting through a series of mandatory individual consents for each processing function being performed – and we have not even touched on the potential implications for third-party processing by the data analytics companies – may have mixed reactions. And the touchy subject of whether consumers prefer a blizzard of unstructured advertising, or the ‘creep out’ of targeted advertising, may become even more problematic if CNIL’s enforcement approach is widely adopted by other DPAs.