In January 2019, French regulators fined Google €50 million (approximately AUD$79 million) for breaching privacy rules under the General Data Protection Regulation (GDPR). The National Data Protection Commission (also known as the CNIL) found that Google had violated its obligations to be transparent by failing to obtain informed consent for its ad personalisation programs. This article will explain how this decision affects Australian businesses with European Union (EU) clients.

What is the GDPR?

The GDPR governs the processing of personal data in the EU. It came into effect in May 2018.

Companies can legally collect and process personal data on several legal bases. The most common legal basis is obtaining the informed consent of the user.

If a business relies on informed consent, it must be able to prove that the:

  • consent to the use of personal data is separate from consent for other uses, so the user gives consent specifically for that purpose and not for all purposes;
  • user was asked to consent;
  • user took active steps to consent to the use of personal data; and
  • individual does not need to consent to personal data collection in order to use the business’ service.

How Did Google Breach the GDPR?

The CNIL found that Google breached the GDPR by failing to:

  1. be transparent about the handling of personal data; and
  2. obtain informed consent from their users. 

Transparency

Google made users step through five to six different web pages to access information about how the internet giant collects user data. Because the information was not easily accessible, Google failed to be transparent with its users about how it handles personal data.

Informed Consent

Google claimed that it had obtained informed consent from its users, but it did not implement the right procedures. It did not explain to users how it would use their data to run Google’s services. Therefore, users were not properly informed about the use of their personal data and could not have given informed consent.

Furthermore, Google used a pre-ticked box for users to consent to its use of personal data. The GDPR requires users to give active consent, such as the user ticking a box in a newsletter signup or clicking a button in an email. A pre-ticked box indicates that the user did not give active consent, since the choice was already made for them.

However, even if Google had required users to tick the box themselves, it faced an additional hurdle in proving informed consent. The tick box covered Google’s use of personal data for all of the purposes set out in Google’s privacy policy. Under the GDPR, informed consent to the use of personal data must be given for a specific purpose. Google breached this requirement by asking users to consent to all of those purposes in one tick box. Instead, Google should have asked for specific consent to ad personalisation for each of the services it offers.

For example, the user should know if they are consenting to ad personalisation for Google search, YouTube or the Google Play store. If the user wants to consent to the collection of personal data for one of those services but not the others, their choice should be respected.

The Fine

The CNIL imposed a €50 million fine for two main reasons.

Firstly, Google’s repeated breaches represented a serious threat to the GDPR’s core principles of informed consent and transparency.

Secondly, Google’s breaches could have ramifications for the millions of individuals who use its services. The CNIL imposed the heavy fine after taking into account:

  • Google’s global reach;
  • the number of people who use Google’s services (especially in France);
  • the number of services that Google provides; and
  • how much personal data Google collects from its users.

How Does This Decision Affect My Australian Business?

The Google decision confirms that European regulators can impose sanctions for GDPR breaches on businesses that operate in the EU.

For Australian businesses, the GDPR only applies if your business:

  • is established in the EU (such as having an office in Germany);
  • targets products or services for people living in the EU (such as advertisements targeted at French individuals); or
  • monitors the behaviour of individuals located in the EU (such as tracking and profiling an EU-based individual using analytical software).

If you comply with the GDPR, you should:

For example, if you are an e-commerce business that sells to EU customers, your customers can give informed consent to the collection of their personal data by ticking a box that signals consent for the specific purpose of personalising email newsletters with special offers.

If you rely on consent as a legal basis, the Google case shows that French regulators (and potentially other European countries) intend to enforce the strict requirements for informed consent. If you collect any personal data, you must follow all the required steps to prove informed consent. Otherwise, regulators can impose heavy fines for non-compliance.

If the GDPR does not apply to your business, you should still be vigilant about how you collect personal data from your customers. The Digital Platforms inquiry by the Australian Competition and Consumer Commission (ACCC) has suggested introducing certain GDPR principles into Australian privacy law, such as stronger notification requirements when businesses collect personal data.

Next Steps Checklist

  • Find out if the GDPR applies to your business.
  • If the GDPR applies, ensure your customers know why you collect their personal information and follow the steps to ensure informed consent.
  • Ensure your privacy policy is up-to-date.
  • Consider creating a data privacy manual to ensure your business is across the privacy obligations under the Australian Privacy Principles (APPs) or GDPR (if applicable).

Key Takeaways

The huge fine for Google shows that European regulators are prepared to enforce the GDPR. Therefore, businesses that must comply with the GDPR need to ensure they have a legal basis for collecting personal data.

If you are collecting personal data for different purposes, you must ensure that your business obtains informed consent for each purpose. If you have any questions or require assistance on how to comply with the GDPR, get in touch with LegalVision’s IT lawyers on 1300 544 755 or fill out the form on this page.

Jacqueline Gibson