As 2018 came to a close, there was a collective sentiment that GDPR enforcement was sluggish but poised to pick up in 2019. French regulators wasted no time in confirming those suspicions.
On Monday, January 21, we saw the first major GDPR penalty since the General Data Protection Regulation launched last May. What’s more is that it was levied against one of the largest U.S. tech giants, Google.
This aligns with what authors of our 2019 Top 10 Ethics & Compliance Trends report predicted – GDPR will really start to show its teeth when a major U.S. company is hit with a significant violation. (This was elaborated on in our Top 10 Trends webinar last Thursday and in the replay of that webinar in Europe on January 22.)
Lessons to Be Learned About Informed Consent Under GDPR
As a first of its kind, this enforcement, amounting to $57 million, may reveal what the future of GDPR enforcement will look like.
According to the Commission nationale de l'informatique et des libertés (CNIL) – the regulating body that brought forth the charge – the tech company did not meet the transparency standards for data use outlined in the GDPR.
As stated by CNIL, key data use practices such as data processing, storage, and how the information would be referenced for advertising purposes were not reasonably clear or accessible. I use the word “reasonably” here because they were in fact available; however, available only by clicking a number of links and viewing a series of supporting pages.
The problem of transparency can be seen more clearly in the issue of consent outlined by CNIL: “…the information communicated is not clear enough so that the user can understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company.”
Simply put, the data processing practices of the organization are extremely complex, yet the language used to communicate those practices to the public is “generic and vague.” Although users are providing their consent, they are not fully informed of what that consent entails.
Kristy Grant-Hart, who co-hosted our Top 10 Trends webinar explains:
“This enforcement action is fascinating because of the focus on lack of valid consent for use of personal data. France’s CNIL specifically called out Google’s use of pre-checked boxes to indicate user’s consent to personal data processing.
This enforcement action didn’t come from a massive data breach. Instead, it came from the day-to-day use of pre-checked forms and convoluted privacy notices. Many experts expected the first big GDPR fines to come from a large data breach involving sensitive personal data, where the organization had inadequate data security. This fine should alert companies to the fact that they don’t need only to fear a data breach – they must review their personal data collecting, storage, access, and consent activities as well."
Shon Ramey, NAVEX Global General Counsel, adds:
“It further shows how seriously regulators are taking the requirements that consent be ‘specific’ and ‘informed.’ From the statements of the regulators, to be informed, a potential data subject shouldn’t be required to review several documents to grant such consent.
It’s important to note the regulators did NOT say the company didn’t provide the information necessary, but took issue with how the information was provided and displayed. The decision appears to say that for consent to be ‘informed,’ and therefore a valid legal basis for processing, a data subject shouldn’t have to complete multiple steps and that all information required to be informed needs to be provided in one, concise and informative presentation."
As we’ve seen time and time again, GDPR is not about checking boxes for fine print; it’s about ensuring the individual has transparency into and control over how their personal data is being used.
Furthermore, this type of data acquisition and usage is not uncommon for digital properties. So although this violation is against Google, it effectively puts Silicon Valley, the larger tech community, and our modern information technology driven society on notice.