Articles - Privacy - March 4, 2019

Don’t Google This: What the French GDPR Fine Taught Us About Data Protection

admin March 4, 2019

0 814 8 min read

Organizations on the hook for General Data Protection Regulation (GDPR) compliance need a data protection officer (DPO) to audit all personal data and an automated, centralized process for managing data in order to avoid hefty fines like the one France leveraged on Google last month. Experts shared that and other advice with CMSWire in light of the French National Data Protection Commission (CNIL)‘s $56.5 million fine on the American search giant.

“The complaint seems to be based on Google’s practice of not moving toward clearer, less legally-oriented language on their data collection disclosures,” said Rob Perry, vice president of product marketing at ASG Technologies. “Google collects substantial data on users’ internet usage, which drives its business model. And, being a high profile internet business, it stands out for careful scrutiny.”

Privacy Organizations Generated Google Complaints

Google violated its obligations under GDPR — the European law for protecting citizens’ privacy and access to personal data that went into effect last May — in the areas of (1) obligations of transparency and information, and (2) having a legal basis for ads personalization processing. The findings stem from an investigation launched last May by privacy-rights groups None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Those organizations claimed Google did not have a valid legal basis to process the personal data of Google users, particularly for ads personalization purposes.

GDPR complaints are rolling in, according to numbers released last month by the European Commission (EC), a branch of the European Union. Data Protection Authorities (DPA), or EU independent law enforcers, have received 95,180 complaints under GDPR from May 2018 to January 2019, the majority of which are related to telemarketing, promotional emails and video surveillance/CCTV. The French $56.5 million fine is one of most notable under the GDPR, others include, an Austrian entrepreneur who was fined for placing a CCTV outside his establishmentthat was not sufficiently marked, and an unnamed German social media platform that compromised the personal information of 330,000 users, including their passwords and email addresses.

Not Easily Accessible Information

Back to the French fine against Google. The CNIL found that information provided by Google “is not easily accessible for users” and that Google’s “general structure of the information” is not GDPR-compliant. Information such as data processing purposes, data storage periods or the categories of personal data used for the ads personalization are available but “excessively disseminated across several documents with buttons and links on which it is required to click to access complementary information.”

Ultimately, it’s not easy to find privacy stuff on Google. The search company is not transparent in these key GDPR compliance arenas, according to regulators. Some information-gathering by users could take “5 or 6 actions,” according to the CNIL. Some information, investigators added, is not always clear nor comprehensive. Users can’t easily understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company, CNIL reported.

Consent Obtained Not Valid

Google also does not validly obtain user consent for processing data for personalizing ads, CNIL investigators found. User consent is not “sufficiently informed because the information on processing operations for the ads personalization is “diluted in several documents and does not enable the user to be aware of their extent.” CNIL cited Google’s “Ads Personalization” section, in which it is “not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, YouTube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”

Further, the collected consent is neither “specific” nor “unambiguous” as GDPR requires. Consent is “unambiguous” according to the GDPR with “a clear affirmative action from the user (by ticking a non-pre-ticked box for instance),” the CNIL reported.

Start With Audit, Central Data Management

So, what can your organization do to ensure GDPR compliance in these specific arenas? Have a DPO appointed to initially audit where personal data exists in an organization, according to Peter Gillett, CEO of Zuant. Put in place a process to centralize it and ensure that all future contacts with the outside world use a GDPR permission process for the defined purpose requested, Gillett added.

The key aspects moving forward include:

Make sure that the process is recorded and shared with all customer-facing personnel.
Make sure that IT puts in place the software to allow easy opt-ins and access to a “customer preference center” and ways of handling data access requests and the requests for erasure.

Have Clear…

Read The Full Article

Leave a Reply Cancel reply

DON'T MISS

Leading with a security-first mentality

Danish DPA set to fine furniture company

Why Few Marketers Are Invited To Join Boards Of Directors

How to Completely DELETE Your Facebook Account in 2020

How Much Data Do We Create Every Day? The Mind-Blowing Stats Everyone Should Read

Blazon Online

Latest News

Email Subscription

We are Blazon.Online a strategic partnership between RMA and 2410365 Ontario, Inc located at 37 Hwy 8, Dundas, Ontario L9H 4V1. We send a weekly update and the occasional email regarding response marketing. You can reach us at dl@blazon.online or 416 524 7844. You can unsubscribe at any time.

Industry Leaders Reflect on 2018, Offer Predictions for 2019

Average Cost of Cyberattack Now Exceeds $1 Million

5 Things for a Marketer to Consider for 2019!

30 Must Read Articles On Brand Management

Your Customers May Be the Weakest Link in Your Data Privacy Defenses