Google hit with first big GDPR fine over “forced consent”; eight new complaints filed over “right to access”

Posted on Feb 2, 2019 by Glyn Moody

Last June Privacy News Online wrote about complaints filed just six minutes after the EU’s tough privacy law, the General Data Protection Regulation (GDPR), started to be enforced. They were brought by a new organization defending privacy rights, “None of your business” (NOYB), headed up by the Austrian lawyer Max Schrems. Four similar complaints were filed, against Google, Facebook, WhatsApp and Instagram. Because of the way that EU law operates, the complaints were filed with national and regional data protection authorities – respectively, those in France, Austria, Belgium and Hamburg, Germany. Each of those data protection authorities considers the case before them, and then issues a ruling if it is within their jurisdiction. Although the judgment only applies to the country in question, in practice, data protection agencies in the EU tend to follow each other to ensure a consistent approach to privacy law across the region. Last year’s complaints were over what NOYB called “forced consent” – the fact that users must agree to the use of their personal data if they want to access the service:

Privacy à la “take it or leave it”? The new General Data Protection Regulation (GDPR) which came into force today at midnight is supposed to give users a free choice, whether they agree to data usage or not. The opposite feeling spread on the screens of many users: tons of “consent boxes” popped up online or in applications, often combined with a threat that the service can no longer be used if users do not consent.

The French data protection authority, the Commission nationale de l’informatique et des libertés (CNIL, in English: the National Commission on Informatics and Liberty) has just issued its judgment regarding the NOYB complaint. It includes the first major fine for a breach of the GDPR:

On 21 January 2019, the CNIL’s restricted committee imposed a financial penalty of 50 Million euros against the company GOOGLE LLC, in accordance with the General Data Protection Regulation (GDPR), for lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.

CNIL’s post gives a good explanation of how the French authority came to this decision, and why it found Google had broken the law. Although the 50 million euro fine (about $57 million) is well below the maximum possible – under the GDPR, Google could have been fined 4% of its global turnover – CNIL notes: “the violations are continuous breaches of the Regulation as they are still observed to date. It is not a one-off, time-limited, infringement.” That is, CNIL may impose further fines if Google does not address the problem. Not surprisingly, Google has said that it will appeal.

CNIL was punishing Google for breaching the GDPR in France only: it is quite possible that the data protection authorities in other EU nations will now impose similar fines, which could therefore add up to considerably more than 50 million euros. The ruling is important for signalling that even the biggest non-EU companies must fully comply with the GDPR, or face significant and repeated fines.

The ramifications of the decision for the online world are wide. “Forced consent” forms the basis of most of today’s online advertising, as this comment from Articl8 – which describes itself as “the world’s first pro-privacy” lobby group – makes clear:

According to [Interactive Advertising Bureau Europe] the digital advertising industry in Europe in 2017 was worth 48 Billion Euros and (with very few exceptions) the vast majority of those revenues come from the same business model (in fact Google and Facebook are estimated to receive 84% of global digital advertising revenues – so arguably exactly the same model) and the CNIL action essentially outlaws the model which for the last decade and a half has depended on people opting out of a practice they are not even aware of, now requiring those same people to give consent under the terms of GDPR.

Significant as the Google fine may be, it’s worth emphasizing that it is likely to be only the start of a much wider crackdown on non-compliance with the GDPR. There are the three other complaints about “forced consent” filed against Facebook, WhatsApp and Instagram: it is possible that the relevant data protection authorities will find further grounds for concern. In addition, NOYB has just filed eight more complaints under the GDPR. This time, the targets are online streaming services: Amazon Prime, Apple Music, DAZN, Flimmit, Netflix, SoundCloud, Spotify and YouTube. At issue is the new “right to access” granted by the GDPR. This is a right to obtain a copy of all raw data that a company holds about a user, as well as additional information about the sources and recipients of the data, the purpose for which the data is processed, and information about the countries in which the data is stored and how long it is stored. Here’s what NOYB found, according to its director, Max Schrems:

Many services set up automated systems to respond to access requests [for personal data held], but they often don’t even remotely provide the data that every user has a right to. In most cases, users only got the raw data, but, for example, no information about who this data was shared with. This leads to structural violations of users’ rights, as these systems are built to withhold the relevant information.

Clearly, if any of the eight complaints filed with the relevant local data protection authorities is upheld, it could have important implications for how companies respond to GDPR requests. It could require the revamp of systems used to process GDPR requests automatically, or lead to more manual processing – at greater cost. As with the first round of GDPR complaints filed by NOYB, it will be many months before the first ruling is handed down. But things are unlikely to get any easier for online companies that do business in the EU – wherever they are based. Recently, the European Commission issued a statement noting with satisfaction the impact of the GDPR:

We are already beginning to see the positive effects of the new rules. Citizens have become more conscious of the importance of data protection and of their rights. And they are now exercising these rights, as national Data Protection Authorities see in their daily work. They have by now received more than 95,000 complaints from citizens.

The statement claimed that there was “a clear convergence at international level towards a modern data protection regime.” The obvious exception to that convergence is the US, which has traditionally avoided regulating privacy directly. But that may change. Tech leaders like Apple CEO Tim Cook are calling for new privacy laws in the US, and many others are waking up to the far-reaching nature of the GDPR. The first big EU fine, with the prospect of more to come, is likely to increase the pressure from privacy advocates for similar laws in the US.

Featured image by Simon Steinberger.