On 21 January 2019, the CNIL, the French Data Protection Authority, imposed a record fine of €50,000,000 on Google. What can we learn from this decision?
The CNIL criticizes Google for two main shortcomings:
- Lack of transparency and information
The general architecture of the information provided to a user creating a Google Account prevents the user from being fully, clearly and easily informed about the nature of the data that Google processes or will process about them.
The processing purposes are too generic, too vague. Where the legal basis for the processing is consent, there is confusion as to the nature of the legal basis. In addition, the data subject is not informed of the length of time for which his or her data are kept.
- Lack of legal basis for data processing
Google invokes consent (Article 6(1)(a) of Regulation (EU) 2016/679) as the legal basis for the processing necessary for the personalisation of advertisements. However, the CNIL considers that this consent is not valid for two reasons:
– Consent is not sufficiently informed because the information given to the person concerned is diluted in several documents.
What should you remember from this decision in the context of your own compliance with the GDPR?
First of all, communicate with complete transparency about the processing of personal data that you carry out. Be concise, precise and as complete as possible. Don’t just use legal “gibberish” to put up a front. The information to be provided to data subjects is set out in Articles 12, 13 and 14 of Regulation (EU) 2016/679.
Then keep in mind that consent is not the answer to every processing of personal data. Article 6 of Regulation (EU) 2016/679 lists the six legal bases for the processing of personal data, consent being only one of them. As consent may be withdrawn at any time by the data subject, and the conditions for its validity are extremely strict, consent should (i) be used as the legal basis for processing only where no other legal basis exists and (ii) where it is the only possible legal basis, be obtained validly, with proof of it preserved (Articles 7 and 8 of Regulation (EU) 2016/679).