All Kiwi businesses should consider getting ahead of the curve, and ensuring that they engage with their consumers regarding privacy in a transparent and open manner
On 21 January, the French data protection regulator, la Commission Nationale de l'Informatique et des Libertés (‘CNIL’) imposed on Google the first major fine - €50 million - for failing to comply with the GDPR.
Even for those businesses who are not subject to the GDPR, the decision gives a taster of how New Zealand privacy law is likely to develop as the Privacy Bill makes its way before the New Zealand Parliament, and an indication of how global consumer trends are likely to influence how personal information is collected not only in the EU but further afield.
The CNIL’s decision followed complaints by two consumer rights organisations. In reaching its decision, the CNIL analysed a user's journey when creating a Google account during the configuration of mobile equipment, using the Android operating system. The CNIL’s analysis identified a lack of transparency, insufficient information to the data subject and a lack of valid consent from users to process their data to personalise ads.
According to the CNIL, the fine imposed takes into account the widespread use of Android devices in the French market, and the fact that Google’s economic model relies on personalised ads. The CNIL warned that if Google continues its practices without correction, then Google may face further sanctions.
Google has indicated that it will appeal the decision.
The CNIL reached its decision on the basis that Google did not have a valid basis for processing personal information for the purposes of personalising ads for users. Specifically, the consent Google purported to obtain from users (as a basis for processing) was not valid under the GDPR, for two reasons:
The consent was not ‘sufficiently informed’ – information disclosed regarding the processing of a user’s data was diluted in several documents which did not allow the user to become aware of the scope of their purported consent;
The consent sought was not ‘specific’ and ‘unambiguous’, in that the consent sought was ‘bundled’ with consent for all of Google’s many processing operations with personal data (for example, customised advertising and speech recognition).
In reaching its decision, the CNIL noted that:
Essential information provided by Google (including the purposes for which data was processed, the length of time the data is stored, and the categories of data used to personalise ads to users) was not easily accessible to users, and that up to five or six actions (involving buttons and links) could be required to access the relevant information;
When creating an account, it was possible for a user to set display modes for personalised ads, but the user was required to click on ‘more options’ to access this setting and the display of personalised ads was pre-checked by default (rather than requiring users to actively consent);
When creating a Google account, the user would not be able to understand the scope of processing undertaken by Google; in particular, the purposes for processing data and the data retention periods disclosed by Google were too general and vague, considering the wide range of services that the data was being used for (approximately 20 different services).
Our two cents (or ‘deux centimes’): takeaways for NZ businesses
Level of fines
The level of the fine – €50 million – makes this decision noteworthy.
That said, the GDPR gives data protection regulators authority to impose substantial fines of up to €20 million or 4 per cent of the organisation’s global annual turnover (whichever is higher). While €50 million may seem like a huge fine, it could have been a lot worse for Google had the maximum fine been imposed.
The level of potential fines shows how seriously the EU is taking privacy. For New Zealand businesses who are or may be directly subject to the GDPR, the fine comes as a warning.
On the other hand, the maximum fine for a breach of New Zealand privacy law under the proposed new regime has yet to be settled. While it is highly unlikely to be anywhere near the maximum contemplated by the GDPR, we expect that it will nevertheless be significant for most New Zealand businesses.
Requirement for transparency
The decision highlights that transparency is crucial.
Organisations cannot rely on fine print or vague, broad disclosures in privacy policies. They must consider not only what their privacy policies say (in plain English, without legalese) but also how they shape the user journey to ensure that individuals are expressly aware of how their personal information is going to be used.
New Zealand businesses – whether or not subject to the GDPR – should consider building privacy disclosures directly into product design and the user experience. A layered approach to privacy policies (a shorthand description linking to a more general policy) is not always the best approach. Businesses should strive to have an adequate and understandable description of each service using personal data in one easily accessible place.
Consumer expectations are driving change
Even though New Zealand privacy law doesn’t go anywhere near as far as the GDPR, consumer expectations and the global privacy environment are changing thanks to the publicity the GDPR is bringing to the privacy landscape.
Consumers are becoming more aware of where and to whom their personal information is being disclosed and how it is being collected, and have elevated their expectations of how transparent they expect businesses to be when it comes to the use of their online footprint.
All New Zealand businesses – regardless of whether they are subject to the GDPR – should consider getting ahead of the curve, and ensuring that they engage with their consumers regarding privacy in a transparent and open manner, by developing user interfaces and processes which incorporate ‘privacy by design’ as a core principle.