In January 2019, French regulators fined Google €50 million (approximately AUD$79 million) for breaching privacy rules under the General Data Protection Regulation (GDPR). The National Data Protection Commission (also known as the CNIL) found that Google had violated its obligations to be transparent by failing to obtain informed consent for its ad personalisation programs. This article will explain how this decision affects Australian businesses with European Union (EU) clients.
What is the GDPR?
The GDPR governs the processing of personal data in the EU. It came into effect in May 2018.
Companies can legally collect and process personal data on several legal bases. The most common legal basis is obtaining the informed consent of the user.
If a business relies on informed consent, they must prove that the:
- consent to use of personal data is separate to consent for other uses, so the user gives consent specifically for that purpose and not for all purposes;
- user must be asked to consent;
- user took active steps to consent to use of personal data; and
- individual does not need to consent to personal data collection to use the business’ service.
How Did Google Breach the GDPR?
The CNIL found that Google breached the GDPR by failing to:
- be transparent about the handling of personal data; and
- obtain informed consent from their users.
Transparency
Google made users step through five to six different web pages to access information about how the internet giant collects user data. The information was not easily accessible. Therefore, Google failed to be transparent about its handling of personal data to its users.
Informed Consent
Google claimed that they had obtained informed consent from their users, but they did not implement the right procedures. They did not explain to users about how they will use their data to run Google’s services. Therefore, users were not properly informed about the use of personal data and could not have given informed consent.
Furthermore, Google applied a pre-ticked box for users to consent to their use of personal data. The GDPR requires users to give active consent, such as the user clicking a box in a newsletter signup or a button in an email. A pre-ticked box indicates that the user did not give active consent, since the choice was already made for them.
However, even if Google had required users to tick the box, they faced an additional hurdle to prove informed consent. The tick box covered Google’s use of personal data for all kinds of uses as set out in Google’s privacy policy. Informed consent to use of personal data requires consent for a specific purpose only under the GDPR. Google breached this informed consent requirement by requiring users to consent to all those purposes in one tick box. Instead, Google should have asked for specific consent for ad personalisation for each of the services they offer.
The Fine
The CNIL imposed a €50 million fine for two main reasons.
Firstly, Google’s repeated breaches represented a serious threat to the GDPR’s core principles of informed consent and transparency.
Secondly, Google’s breaches could have ramifications for millions of individuals who use their services. CNIL imposed the heavy fines after taking into account:
- Google’s global reach;
- the number of people who use Google’s services (especially in France);
- the number of services that Google provides; and
- how much personal data Google collects from its users.
How Does This Decision Affect My Australian Business?
The Google decision confirms that European regulators can impose sanctions for GDPR breaches against businesses who operate in the EU.
For Australian businesses, the GDPR only applies if your business:
- is established in the EU (such as having an office in Germany);
- targets products or services for people living in the EU (such as advertisements targeted at French individuals); or
- monitors the behaviour of individuals located in the EU (such as tracking and profiling an EU-based individual using analytical software).
If you comply with the GDPR, you should:
- audit your business’ collection of personal data;
- analyse whether the collection is necessary to administer your service or business;
- decide the legal basis for collecting the data; and
- take steps to comply with that legal basis.
If you rely on consent as a legal basis, the Google case shows that French regulators (and potentially other European countries) intend to enforce the strict requirements for informed consent. If you collect any personal data, you must follow all the required steps to prove informed consent. Otherwise, regulators can impose heavy fines for non-compliance.
If the GDPR does not apply to your business, you should still be vigilant about how you collect personal data from your customers. The Digital Platforms inquiry by the Australian Competition and Consumer Commission (ACCC) has suggested introducing certain GDPR principles into Australian privacy law, such as stronger notification requirements when businesses collect personal data.
Next Steps Checklist
- Find out if the GDPR applies to your business.
- If the GDPR applies, ensure your customers know why you collect their personal information and follow the steps to ensure informed consent.
- Ensure your privacy policy is up-to-date.
- Consider creating a data privacy manual to ensure your business is across the privacy obligations under the Australian Privacy Principles (APPs) or GDPR (if applicable).
Key Takeaways
The huge fine for Google shows that European regulators are prepared to enforce the GDPR. Therefore, businesses complying with GDPR must ensure they have a legal basis to collect personal data.
If you are collecting personal data for different purposes, you must ensure that your business obtains informed consent for each purpose. For more information on your business obligations, our experienced privacy lawyers can assist as part of our LegalVision membership. For a low monthly fee, you will have unlimited access to lawyers to answer your questions and draft and review your documents. Call us today on 1300 544 755 or visit our membership page.
We appreciate your feedback – your submission has been successfully received.
