.

By Richard Stobbe

The National Data Protection Commission (CNIL), France’s data protection authority, came down on Google with a €50 million penalty for breach of the EU’s General Data Protection Regulation (“GDPR”).

CNIL was responding to complaints from two privacy advocacy groups who called out Google for lacking a valid legal basis to process the personal data of EU users of Google services, particularly for ads personalization purposes. Although Google’s European headquarters are situated in Ireland, that country did not take the role of “lead authority” for DPA purposes, since processing of EU users’ data occurred through Google’s U.S. operations, rather than through its Irish division. This left the field open for France to take over the file and render a decision on the complaint.

The GDPR establishes a “one-stop-shop” which is designed for greater certainty for those organizations doing business in the EU. A business should only have to deal with the Data Protection Authority (“DPA”) of the country where its “main establishment” is located.

A DPA is, under the GDPR regime, an independent public authority tasked with supervising enforcement of data protection laws, with investigative powers and corrective authority. There is one DPA in each EU member state.

Google, according to CNIL, failed on two main counts based on the GDPR principles of transparency, information and consent:

• First, Google’s explanation of data processing purposes is not clear nor comprehensive. “Users are not able to fully understand the extent of the processing operations carried out by GOOGLE,” says CNIL, and Google’s processing operations are “massive and intrusive” due to the sheer scope of the company’s services and the high volume of data which is collected and processed by Google.
• Second, consent was not validly obtained, because the specific uses are not made clear to the user. This is the case even though the user of Google’s services can modify some options and configure some features of personalized ads. Just because some user configuration is allowed, that does not mean Google is in compliance with GDPR requirements.
• CNIL was not impressed with the configuration options for ads personalization. To the extent configuration is made available to Google’s users, the choices are “pre-ticked”. The GDPR requires “unambiguous” consent, requiring a specific affirmative action from the user (for example, by clicking a non-pre-ticked box ). At the point of account creation, when a user clicks “I agree to the processing of my information as described above and further explained in the Privacy Policy“, the user gives consent in full, for all processing operations. However the CNIL notes that “the GDPR provides that the consent is ‘specific’ only if it is given distinctly for each purpose.”

This is the first penalty issued by France’s DPA.

Should Canadian companies be concerned? Any company that is engaged in processing of EU resident data will be subject to the GDPR, not just those who have a permanent establishment in the EU.

Calgary – 07:00 MST