Don’t Google This: What the French GDPR Fine Taught Us About Data Protection
Organizations on the hook for General Data Protection Regulation (GDPR) compliance need a data protection officer (DPO) to audit all personal data and an automated, centralized process for managing data in order to avoid hefty fines like the one France levied on Google last month. Experts shared that and other advice with CMSWire in light of the $56.5 million fine the French National Data Protection Commission (CNIL) imposed on the American search giant.
“The complaint seems to be based on Google’s practice of not moving toward clearer, less legally-oriented language on their data collection disclosures,” said Rob Perry, vice president of product marketing at ASG Technologies. “Google collects substantial data on users’ internet usage, which drives its business model. And, being a high profile internet business, it stands out for careful scrutiny.”
Privacy Organizations Generated Google Complaints
Google violated its obligations under GDPR — the European law for protecting citizens’ privacy and access to personal data that went into effect last May — in the areas of (1) obligations of transparency and information, and (2) having a legal basis for ads personalization processing. The findings stem from an investigation launched last May by privacy-rights groups None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Those organizations claimed Google did not have a valid legal basis to process the personal data of Google users, particularly for ads personalization purposes.
GDPR complaints are rolling in, according to numbers released last month by the European Commission (EC), a branch of the European Union. Data Protection Authorities (DPA), or EU independent law enforcers, have received 95,180 complaints under GDPR from May 2018 to January 2019, the majority of which are related to telemarketing, promotional emails and video surveillance/CCTV. The French $56.5 million fine is one of the most notable under the GDPR; others include an Austrian entrepreneur who was fined for placing a CCTV camera outside his establishment that was not sufficiently marked, and an unnamed German social media platform that compromised the personal information of 330,000 users, including their passwords and email addresses.
Not Easily Accessible Information
Back to the French fine against Google. The CNIL found that information provided by Google “is not easily accessible for users” and that Google’s “general structure of the information” is not GDPR-compliant. Information such as data processing purposes, data storage periods or the categories of personal data used for the ads personalization are available but “excessively disseminated across several documents with buttons and links on which it is required to click to access complementary information.”
Ultimately, it’s not easy to find privacy information on Google. The search company is not transparent in these key GDPR compliance arenas, according to regulators. Some information-gathering by users could take “5 or 6 actions,” according to the CNIL. Some information, investigators added, is not always clear or comprehensive. Users can’t easily understand that the legal basis of processing operations for ads personalization is consent, and not the legitimate interest of the company, CNIL reported.
Consent Obtained Not Valid
Google also does not validly obtain user consent for processing data for personalizing ads, CNIL investigators found. User consent is not “sufficiently informed” because the information on processing operations for the ads personalization is “diluted in several documents and does not enable the user to be aware of their extent.” CNIL cited Google’s “Ads Personalization” section, in which it is “not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, YouTube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”
Further, the collected consent is neither “specific” nor “unambiguous” as GDPR requires. Consent is “unambiguous” according to the GDPR with “a clear affirmative action from the user (by ticking a non-pre-ticked box for instance),” the CNIL reported.
Start With Audit, Central Data Management
So, what can your organization do to ensure GDPR compliance in these specific arenas? Have a DPO appointed to initially audit where personal data exists in an organization, according to Peter Gillett, CEO of Zuant. Put in place a process to centralize it and ensure that all future contacts with the outside world use a GDPR permission process for the defined purpose requested, Gillett added.
The key aspects moving forward include:
- Make sure that the process is recorded and shared with all customer-facing personnel.
- Make sure that IT puts in place the software to allow easy opt-ins and access to a “customer preference center” and ways of handling data access requests and the requests for erasure.