The data protection authority of France, the CNIL, assessed the first penalty against a US company, Google, on January 21, 2019. The penalty, 50,000,000 Euro, was levied on the basis that Google’s information regarding its practices and the way in which it obtained user consent was not clear and unambiguous. This should surprise no one who has ever tried to view or change privacy settings on an Android phone or a Gmail account.
Nor is it a surprise that the French, vigilant for many years in protecting privacy, would issue the first penalty. After all, their data protection authority is the Centre Nationale de l’informatique et des libertés. Roughly translated into English, the CNIL is the National Commission on Informatics (data) and Liberty. Yes, they conflate a person’s data rights with his or her freedoms. This is the theme behind the law under which the penalty was assessed, the General Data Protection Regulation, or “GDPR” (EU 2016/679). This law applies to US companies that sell or market goods and services to EU residents, or track the online behavior of EU residents (for example, through “cookies”).
The CNIL found that Google violated a central tenet of the GDPR by failing to set forth information in a clear, understandable way about how it uses an account holder’s data. The CNIL press release noted that the information was provided in a “generic and vague manner,” and even then was only accessible “after several steps, implying sometimes up to 5 or 6 actions.” Accordingly, Google violated the provisions of the GDPR that require information on processing of data to be readily accessible and presented in a “clear and unambiguous manner.” In addition, in the process of creating a Google account, Google had pre-ticked the box next to the statement “I agree to the processing of my information as described above and further explained in the Privacy Policy.” Again, the CNIL noted, this is contrary to the GDPR requirements of specific consent that is manifested voluntarily and unambiguously.
This is the first shot fired in what will no doubt be a lengthy GDPR war that EU countries will wage in the name of basic digital rights protections for their residents. The penalties, which can reach as high as 4% of annual revenue, may be much higher as supervisory authorities of other countries consider other Google practices, such as the questionable ability of a user to effectively turn off location tracking.
If you have questions regarding applicability of the GDPR to your organization, or the requirements of the GDPR, please contact Kenneth N. Rashbaum.