“Gimme, gimme, gimme your data after midnight …”
25 January 2019 (Paris, France) — Having just finished Le FIC (the International Cybersecurity Forum) earlier this week, and an Ad Age event here in Paris on the GDPR and advertising platforms, a few words about the GDPR … which includes some off-the-record chats with several EU data regulators who were attending Le FIC this week.
That French Google case: a recap
As most of you probably know, France’s data protection regulator, CNIL, has issued Google a €50 million fine (around $56.8 million USD) for failing to comply with its GDPR obligations. This is the biggest GDPR fine yet to be issued by a European regulator and the first time one of the tech giants has been found to fall foul of the tough new regulations that came into force in May last year.
CNIL said that the fine was issued because Google failed to provide enough information to users about its data consent policies and didn’t give them enough control over how their information is used. According to the regulator’s press release, these violations are yet to have been rectified by the search giant. Under GDPR, companies are required to gain the user’s “genuine consent” before collecting their information, which means making consent an explicitly opt-in process that’s easy for people to withdraw.
As many GDPR pundits have pointed out, although the €50 million fine seems large, it’s small compared to the maximum limits allowed by GDPR, which allows a company to be fined a maximum of four percent of its annual global turnover for more serious offenses. For Google, which made $33.74 billion in the last quarter alone, that could result in a fine in the billions of dollars.
And this is not the first GDPR fine to have been issued, but it’s by far the biggest. In December, a Portuguese hospital was fined €400,000 after its staff used bogus accounts to access patient records, while a German social media and chat service was fined €20,000 in November for storing social media passwords in plain text. A local business in Austria was also fined €4,800 in October last year for having a security camera that was filming public space.
The Austria case is actually quite interesting (confusing?) and has opened a whole kettle of fish and created several “attack points” to now weaken the GDPR. In brief, a company had installed a CCTV camera in front of its establishment that also recorded a large part of the sidewalk. The camera was also not sufficiently marked as conducting video surveillance, meaning that (according to the regulator) the applicable “transparency obligations” had not been fulfilled. But as my Austrian GDPR lawyer contact said: “wrong interpretation of what the GDPR says”. The company is appealing. I will save that for a subsequent post.
As discussed today at the Paris event, Google will appeal the fine, noting in a press release yesterday that it was “concerned about the impact of this ruling on publishers, original content creators and tech companies in Europe and beyond”. That will require a much longer, subsequent post because the advertising industry has now determined pathways around the GDPR.
That French Google case: some comments
Several EU data regulators I spoke with at Le FIC told me they viewed the CNIL move effectively as “a warning shot”. All of them thought it was an appropriate amount. Why? Said one:
Look, the law is very complex and has a lot of room for interpretation. So long as parties are moving forward and trying to correct the gaps, to me all is good. And frankly a much higher amount would just have led to a legal challenge that tied things up in court unnecessarily.
This last point deserves a special note. At Le FIC and other data events I have attended, the regulators voice the same issue we hear in the private sector. Lack of talent. Said one regulator at Le FIC:
Look, it’s going to be an iterative process, and GDPR compliance stuff will be a marathon and a theme far into the future. There will be many, many, many lessons learned. And most of us are just not properly staffed, quite frankly. We cannot find the right talent. So we are all going for low-hanging fruit like audits of data processing activities and DSAR. That’s the real easy stuff.
And said one ad executive at today’s event in Paris:
Listen, believe it or not. I do care about my privacy but I’ve also had to try and understand how to correctly implement what this damn GDPR law dictates and, believe me, it’s so complex and generic that, unless you have a team of good lawyers working for you, it’s basically impossible to comply. I go to these GDPR events and these damn lawyers talk about GDPR from 10,000 miles up. Absolutely zero help. So now … with these regulators slapping fines around … we are learning. Except so are our lawyers.
“Knowing me, knowing too much about you …”
Google’s slurping of people’s location data and web browsing histories is being probed by the Swedish privacy watchdog. The Swedish Data Protection Authority (Datainspektionen) announced the investigation earlier this week, just as the search engine giant was handed that €50m penalty from the French data watchdog. The probe is the result of a complaint submitted in November by the Swedish Consumer Association (Sveriges Konsumenter) that is based on a report from the Norwegian Consumer Council (Forbrukerrådet) about Google’s use of dark patterns – user interface design choices that attempt to trick users into doing things they may not want to do.
In brief:
- The regulator criticised the “overwhelming amount of granular choices” on Google’s privacy dashboard, and the pop-ups trying to dissuade users from turning off (or, as Google says, “pausing”) location data.
NOTE: Google is already facing lawsuits in the US over admissions that when users “paused” location history, it still gathered up that information – unless they had also turned off “web and app activity”.
- The complaint to the Swedish authority said Google used “deceptive design, misleading information and repeated pushing to manipulate users into allowing constant tracking of their movements”, the Datainspektionen said: “In essence, the complainant holds that the processing of location data in this way is unlawful and that Google is in violation of Articles 5, 6, 7, 12, 13 and 25 of the GDPR.”
- The questions include:
  - the purpose and legal basis Google is relying on to process location data;
  - when and what information data subjects were given on the processing; and
  - whether any of the data processed is special category data, which is granted greater protections under GDPR.
- The authority also asked whether the “design patterns” it is alleged to have used for obtaining the legal basis for location data processing is accurate for Swedish data subjects.
Google must also outline how many Swedish data subjects it obtained location data on between 25 May and 27 November 2018, and how many data points are gathered, on average, on an individual, broken down on an hour-by-hour basis for a 24-hour period.
Phew! Done for the week. My media team … 6 people, 4 cameras … will see many of you at LegalTech New York. Enjoy.