CIO

€50 million fine under the GDPR – French Data Protection Watchdog flexes its muscles: what does it mean for you?

Even for businesses not subject to the GDPR, the decision gives a taster of how New Zealand privacy law is likely to develop as the Privacy Bill makes its way before Parliament, write Hayley Miller and Campbell Featherstone of Kensington Swan

All Kiwi businesses should consider getting ahead of the curve, and ensuring that they engage with their consumers regarding privacy in a transparent and open manner

On 21 January, the French data protection regulator, la Commission Nationale de l'Informatique et des Libertés (‘CNIL’), imposed on Google the first major fine – €50 million – for failing to comply with the GDPR.

This decision is significant for New Zealand businesses: many New Zealand businesses are directly subject to the GDPR, and the first extra-territorial action under the GDPR was taken late last year.

Even for those businesses who are not subject to the GDPR, the decision gives a taster of how New Zealand privacy law is likely to develop as the Privacy Bill makes its way before the New Zealand Parliament, and an indication of how global consumer trends are likely to influence how personal information is collected not only in the EU but further afield.

The CNIL’s decision followed complaints by two consumer rights organisations. In reaching its decision, the CNIL analysed a user's journey when creating a Google account during the configuration of mobile equipment, using the Android operating system. The CNIL’s analysis identified a lack of transparency, insufficient information to the data subject and a lack of valid consent from users to process their data to personalise ads.

According to the CNIL, the fine imposed takes into account the widespread use of Android devices in the French market, and the fact that Google’s economic model relies on personalised ads. The CNIL warned that if Google continues its practices without correction, then Google may face further sanctions.

Google has indicated that it will appeal the decision.

The decision

The CNIL reached its decision on the basis that Google did not have a valid basis for processing personal information for the purposes of personalising ads for users. Specifically, the consent Google purported to obtain from users (as a basis for processing) was not valid under the GDPR.

In particular:

  • The consent was not ‘sufficiently informed’ – information disclosed regarding the processing of a user’s data was diluted in several documents which did not allow the user to become aware of the scope of their purported consent;

  • The consent sought was not ‘specific’ and ‘unambiguous’, in that the consent sought was ‘bundled’ with consent for all of Google’s many processing operations with personal data (for example, customised advertising and speech recognition).

In reaching its decision, the CNIL noted that:

  • Essential information provided by Google (including the purposes for which data was processed, the length of time the data is stored, and the categories of data used to personalise ads to users) was not easily accessible to users, and that up to five or six actions (involving buttons and links) could be required to access the relevant information;

  • When creating an account, it was possible for a user to set display modes for personalised ads, but the user was required to click on ‘more options’ to access this setting and the display of personalised ads was pre-checked by default (rather than requiring users to actively consent);

  • When creating a Google account, the user would not be able to understand the scope of processing undertaken by Google, and in particular, that the purposes for processing data and the data retention periods disclosed by Google were too general and vague, considering the wide range of services that data was being used for (approximately 20 different services).

Our two cents (or ‘deux centimes’): takeaways for NZ businesses

  • Level of fines

The level of the fine – €50 million – makes this decision noteworthy.

That said, the GDPR gives data protection regulators authority to impose substantial fines of up to €20 million or 4 per cent of the organisation’s global turnover (whichever is higher). While €50 million may seem like a huge fine, it could have been a lot worse for Google had the maximum fine been imposed.

The level of potential fines shows how seriously the EU is taking privacy. For New Zealand businesses who are or may be directly subject to the GDPR, the fine comes as a warning.

On the other hand, the maximum fine for a breach of New Zealand privacy law under the proposed new regime is yet to be concluded. While it is highly unlikely to be anywhere near the maximum contemplated by the GDPR, we expect that it will nevertheless be significant for most New Zealand businesses.

  • Requirement for transparency

The decision highlights that transparency is crucial.

Organisations cannot rely on fine print or vague, broad disclosures in privacy policies. They must consider not only what their privacy policies say (in plain English, without legalese) but also how they shape the user journey to ensure that individuals are expressly aware of how their personal information is going to be used.

New Zealand businesses – whether or not subject to the GDPR – should consider building privacy disclosures directly into product design and the user experience. A layered approach to privacy policies (a shorthand description linking to a more general policy) is not always the best approach. Businesses should strive to have an adequate and understandable description of each service using personal data in one easily accessible place.

Businesses cannot achieve transparency without themselves understanding how they use personal information. New Zealand businesses should consider undertaking a data audit, to fully understand the who/what/where/when/how as it applies to the collection of personal information in their business and operations, to assist them to prepare appropriate privacy disclosures. A privacy policy shouldn’t be prepared in a vacuum, and it is no longer appropriate to use a ‘vanilla/standard/boilerplate’ document as a basis for a privacy policy.

  • Consumer expectations are driving change

Even though New Zealand privacy law doesn’t go anywhere near as far as the GDPR, consumer expectations and the global privacy environment are changing thanks to the publicity the GDPR is bringing to the privacy landscape.

Consumers are becoming more aware of where and to whom their personal information is being disclosed and how it is being collected, and have elevated their expectations of how transparent they expect businesses to be when it comes to the use of their online footprint.

All New Zealand businesses – regardless of whether they are subject to the GDPR – should consider getting ahead of the curve, and ensuring that they engage with their consumers regarding privacy in a transparent and open manner, by developing user interfaces and processes which incorporate ‘privacy by design’ as a core principle.

Hayley Miller and Campbell Featherstone are from Kensington Swan’s national technology, media and telecommunications practice.
