The CNIL started to look into the case at the instigation of two privacy rights organisations as the authority in Ireland, where Google’s European headquarters are based, had insufficient decision-making powers.[3] The complaint was filed on behalf of several thousand Android users on the very day that the GDPR became effective.

Google failed to provide information to users with sufficient transparency
The CNIL found that the information provided by Google to users was not sufficiently easy to access. The information that must be provided pursuant to the GDPR (eg, the processing purpose or period of storing personal data) was diluted across several documents that required five to six clicks or other actions if the user wished to obtain full information. The CNIL also concluded that the processing purposes as stated by Google were too vague and did not adequately explain the legal grounds for processing. Therefore, users may not have had clear information as to whether the processing was based on their consent or the protection of Google’s legitimate rights.

The CNIL found the “pre-ticked” consents to be invalid
The consents which Google was granted for the purposes of ads personalisation were found to be invalid for two reasons. Firstly, as the information was fragmented, it was impossible for users to trace the actual scope of services and applications using the data and were thereby insufficiently informed.

Secondly, the consents were neither sufficiently clear nor specific (granted for each individual purpose). For users to be able to create an account, they had to tick off that they agreed with the terms of use and personal data processing “described above and explained in the personal data processing rules”. In doing so, users gave their consent to all purposes such as ads personalisation or speech recognition. Neither was Google saved by the fact that it subsequently enabled users to click on the pre-ticked consent with ads personalisation. According to the CNIL, the correct treatment would be, for example, for the user to actively mark an empty field.

The amount of the fine was justified by a breach of basic principle
The CNIL justified the amount of the fine by the severity of the breach, which was related to the basic principles on which the GDPR is founded: transparency, information and consent. In addition, the CNIL stated that the breach had been committed on a large scale until the present day; therefore, it was not a one-off breach. The fact that Google’s economic model is partially based on ads personalisation was also weighed against Google by the CNIL, therefore it was “of its utmost responsibility to comply with the obligations on the matter”.

Last year, the Czech OPPD announced that until the GDPR adaptation act was adopted, it primarily wished to raise awareness of the GDPR rather than impose sanctions. However, as the Regulation is applied in the whole EU in the same manner, there is no reason to assume that the OPPD’s assessment of the case would differ from that of the CNIL in the event of such extensive and systemic misconduct.

The article is part of dReport – January 2019, Legal news.