PART 2: Google Saga - The importance of consent!

In this digital age, data protection and privacy are more important than ever.

With the new European-wide rules imposed by the GDPR, every business must be aware of its obligations to avoid fines, sanctions and bad press. Google is amongst the biggest companies learning these lessons, and by following its legal battles we can learn some lessons of our own!

In this second part of a two-part article, Gerrish Legal will consider the high-profile, high-impact disputes Google has had in the epoch of data protection, and what they can teach us about GDPR…

Part 2: Failure to obtain consent: Google’s record-breaking sanction

In the first part of our “Google and Privacy” article, we saw that Google seems to have won its case (for now) against the CNIL, France’s data protection watchdog, when it comes to the right to be forgotten in data processing. However, Google has not been this successful in all of its battles with the CNIL: in January 2019 it received a record-breaking €50 million fine for failing to respect the consent rules of the General Data Protection Regulation ((EU) 2016/679).

What the GDPR says about “consent”

The GDPR allows for the processing of personal data if the data subject has consented to the processing (Article 7) and sets out very specific requirements on the type of consent that must be obtained (Article 32). 

The consent must be freely given on a voluntary basis, which means that any sort of pressure or influence which could affect the data subject’s decision would render consent invalid. 

Consent must also be informed and specific, with the data subject having clear information on who the controller is, what kind of data will be processed and for what purpose. It must be clear to them that they always have the right to withdraw their consent, and withdrawing consent must be as easy as giving it.

The consent must be clearly bound to a specified purpose which is sufficiently explained, and there must always be a clear distinction between the information which is being provided in order that consent can be given, and unrelated information about other contractual matters. 

Lastly, consent must be unambiguous. It requires a statement, or a clear affirmative act. It cannot be passive or implied; it must always be through an opt-in, a declaration or an active motion. This is to ensure that the data subject’s consent cannot be misunderstood.

Google’s €50 million fine

Complaints were made about Google to the CNIL (France’s data protection watchdog) in May 2018 by two European pressure groups, None Of Your Business (Noyb) and La Quadrature du Net. Sites like Google process personal data, especially when they are personalising ads, and the pressure groups complained that by offering a “take it or leave it” option to its users when they sign up to the site, consent was not being validly obtained.

Google was not the only site targeted by the pressure groups. They also accused sites such as Facebook of not having a valid legal basis to process the personal data of people using their services.

The CNIL reviewed Google’s processes and agreed that two vital parts of the GDPR requirements were missing: that the uses of the data being processed are transparent, and that the legal basis is clear. It issued Google with a €50 million fine.

This was not the largest amount the CNIL could have fined Google: it has the authority to fine up to 4% of annual turnover, which for Google would be almost €4 billion!

When users sign up to Google they are presented with a privacy agreement, but information about Google’s processing of data was split over multiple documents, help pages and settings screens. This included links that needed to be used to read additional information, and some information was not available until up to 5 or 6 actions had been taken. Even then, the information was not always clear and understandable.

It was too difficult for users to understand the extent of data processing Google would carry out, especially since some of the processing was particularly lengthy and intrusive, some involving over 20 services that could be offered. In the section explaining data processing in relation to the customisation of ads, for example, it was not clear that sites and applications were involved, spanning from YouTube to Google Maps to the Play Store.

Google additionally did not validly collect consent, as it did not ask users to specifically opt in to ad targeting, but simply asked them to agree to Google’s terms and privacy policy in one single click. When creating an account, the user did have the option to change some options (if they clicked the “more options” button!); however, the personalisation of ads was checked by default.

At the end of the process, users had to accept that their information would be used “as above”. The CNIL held that this does not count as collecting consent, as the consent is not “specific” or “unambiguous”, and consent had not been collected for each purpose.

The CNIL justified the massive fine on the basis that these violations are happening every day, with people continuing to sign up to and use the Google site.

What’s next for Google?

It might not be over yet! Google announced after it received the massive fine that it would appeal and attempt to defend its name. In a statement, it said that it has worked hard to create a GDPR consent process for personalised ads that is “as transparent and straightforward as possible, based on regulatory guidance and user experience testing”. 

What will happen next? Watch this space…

In the meantime, if you have any queries about the Google saga or how the decision applies to your business’s personal data processing and deletion / retention requirements, then get in touch for your free 30-minute consultation.

Article by Lily Morrison, Legal Consultant at Gerrish Legal, February 2019