Since it became applicable in May 2018, GDPR has been a mainstay of the news agenda across Europe. With its more stringent requirements and the additional rights it gives data subjects, claims against large organisations have increased, and even the most established companies are struggling to adjust their internal processes to ensure compliance.
In October, Talking Business considered whether GDPR was starting to ‘bite’ following an increase in high-profile fines and enforcement action by the Information Commissioner’s Office. But it was the French regulator, the Commission nationale de l’informatique et des libertés (CNIL), which in January 2019 took the most significant action yet, against entertainment giant Google.
Google ‘ads’ fuel to the GDPR fire
CNIL fined Google €50 million for breaches of GDPR. The record fine was imposed for a lack of transparency and inadequate information being given to users about the processing of their personal data. Google had also failed to obtain valid consent from users for the personalisation of online adverts.
Google uses data about the websites users visit to personalise the adverts they see, producing a tailored, more targeted stream of advertising. But CNIL found that users were ‘not sufficiently informed’ about how Google collected and combined data in order to carry out this level of personalisation.
The complaints were brought by two privacy rights groups, which argued that Google had no valid legal basis on which to process user data in this way.
A lack of transparency
Under GDPR, a company must be able to demonstrate that personal data is processed in a transparent manner in relation to each data subject. These transparency obligations apply from the point at which the data is collected and continue for the duration of the processing. Communications to data subjects must be concise, transparent, intelligible and easily accessible, and must use clear and plain language. Information should not rely on technical, legal or specialist terminology that a data subject is unlikely to understand.
In Google’s case, the required information was spread across numerous documents, and reaching it sometimes took five or six separate steps, which made it difficult for users to grasp the full extent of the processing and how exactly their data would be used. This did not satisfy the transparency requirements.
Consent under GDPR (Article 4(11)) is defined as: “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.
Google had not obtained valid consent, and there was therefore no valid legal basis on which to process the data. When a user created a Google account, the option to personalise ads was ‘pre-ticked’, which runs counter to GDPR: consent requires a clear affirmative action by the user, and a pre-ticked box is not one.
Worse, ticking the single box granted consent for all of Google’s processing operations at once, including advert personalisation and speech recognition, without this being made clear to the user. This does not amount to specific consent, which must relate to each purpose individually and be obtained in a manner that is distinct from consent for other purposes.
Data held by streaming services
But it is not just Google. Other giants of the entertainment industry, particularly those providing streaming services, have also been accused of breaching GDPR.
All data subjects have a right to obtain a copy of the personal data a company holds about them. However, one of the privacy groups behind the Google complaint recently found that many large streaming services, including Spotify, Netflix and Amazon, do not fully comply with this right.
Data provided to an individual following a request must be easy to understand and presented in an intelligible form, and where the right to data portability applies it must be provided in a structured, commonly used and machine-readable format. Many of the largest technology companies made changes following GDPR to allow customers to download a copy of their data.
But the group’s investigation found that a substantial amount of the data it requested was not in the correct format and could not be understood by most individuals. Some of the largest companies also failed to provide the additional information required alongside the data, such as which other companies the data had been shared with.
Some requests yielded only raw information, and some were not dealt with until up to 30 days had passed. In the group’s words, these failings amounted to ‘structural violations of users’ rights’.
This is yet more evidence of the impact GDPR is having across Europe. It also shows that regulators are not content with targeting the ‘little guy’ and are more than willing to make an example of the world’s largest organisations.