France’s data protection authority is first out the gate with a big decision regarding a high-profile tech company, and every other enforcer in Europe is taking notes. On January 21, France’s CNIL fined Google 50 million Euros for breaches of the General Data Protection Regulation (GDPR). This is about 57 million U.S. dollars. The decision relates to Google’s intrusive ad personalization systems, and its inadequate systems of notice and consent when users create accounts for Google services on Android devices.

Since the GDPR came into effect on May 25, 2018, many companies have simulated compliance with the law while manipulating users into granting them consent by means of deceptive interface design and behavioral nudging. If a major company is seeking to get a free pass from another national data protection authority, that decision will now be critically contrasted with the approach of the CNIL.

Hopefully, the CNIL’s recent decision is a harbinger of a robust enforcement approach which will deliver critical privacy protections to users.

The Complaints from Privacy Advocates

Under the GDPR, processing of personal data is only allowed where there is a “legal basis.” such as the consent of the user, and users are granted extensive rights over their data. The CNIL found Google in breach of the law’s transparency and information requirements, and as a result found invalid the so-called “consent” that Google sought to rely upon.

The CNIL’s investigation was prompted by two complaints from digital rights organizations, None of Your Business (NOYB) and La Quadrature du Net (LQDN). NOYB was established by data protection activist Max Schrems, and this group filed similar complaints against Android, Facebook, Whatsapp and Instagram. NOYB objected to the privacy policy which Android users were asked to agree to, and argued that the consent was invalid and thus illegal.

LQDN’s complaint addresses the consent process around the creation of an account to access Google services. They argued that Google does not have a valid legal basis for using consumer data for the personalization of content, the behavioral analysis of users, and the targeting of ads on Youtube, Gmail, and Google Search.

Invalid Transparency and Information

The GDPR places much importance on companies informing users about how their data is used and what rights they have to intervene in the processing. Article 13 specifies information that must be disclosed to the user before any processing takes place, such as the nature and purpose of collection, and how long the data will be retained. Article 12 requires that this information be conveyed “in a concise, transparent, intelligible and easily accessible form.” The aim is to ensure that users have control over what data is taken from them, and how it is used and shared.

The CNIL found that Google violated its duties of transparency and information. Specifically, Google obfuscated “essential information” about data processing purposes, data storage periods, and categories of personal information used for ads personalization. For example, the relevant information was “excessively disseminated” over multiple documents, and required users to click through five or six pages. Moreover, information was “not always clear” due to “generic and vague” verbiage. Yet the “massive and intrusive” scope and detail of the data collected by Google from its array of services and sources placed an increased obligation on the company to make its practices clear and comprehensible to users.

Invalid Consent

In its communications with the CNIL, Google asserted that the legal basis for its personalization of ads was the consent of the user. The CNIL rejected this assertion, for two reasons. First, the CNIL found that due to the breaches of Articles 12 and 13 discussed above, the consent acquired by Google was not properly informed.

In the EU, the user must opt-in - consent cannot be implied on the basis that users theoretically have a way of opting out.

Second, the GDPR requires user consent to be specific and unambiguous, and the latter requires a positive act by the user to indicate their agreement. Yet Google had pre-ticked the boxes allowing it to use web and app history for behavioral targeting, a method specifically excluded by the Regulation. The CNIL cites Article 29 Working Party guidance which requires a user to take steps to consent. In the EU, the user must opt-in - consent cannot be implied on the basis that users theoretically have a way of opting out.

Unanswered Questions

While the CNIL found Google in breach of the GDPR, it left unaddressed key arguments of the complainants. NOYB hones in on the imbalance of power between Android and individual users. Its dominance of the market, and the absence of effective alternatives, means that users have little option but to “consent” or they will be excluded from the ecosystem. Recital 42 of the GDPR states that consent “should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.” This is one more reason why companies must be required to offer access to their service even when users reject tracking and behavioral personalization.

LQDN challenge the practice of tying, or making acceptance of personalized advertising a condition of access to its services. Article 7(4) states that “when assessing whether consent is freely given, utmost account shall be taken of whether... the provision of a service is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.” Behavioral analysis of user data for the personalization of advertising is not necessary to deliver mail or video hosting services to users. If tying is allowed, users will be confronted by cookie walls everywhere, requiring that they agree to tracking in exchange for access to services.

The Stakes Have Been Raised in Europe

The $57 million fine highlights the increased sanctions available under the GDPR. In November, the UK’s Information Commissioner’s Office imposed the then-maximum fine of £500,000 on Facebook for breaches uncovered as part of Cambridge Analytica investigations under the old law. $57 million is certainly manageable for a company with a turnover over €96 Billion, but the ramifications of this decision do not end with the payment of the fine.

Google is the subject of multiple other investigations in Europe, and this is unlikely to be the last finding that it violated the GDPR. It will have to remedy its violations and change its practices and improve user privacy. This decision sends a shot across the bows of other companies with worse transparency and few scruples in deceiving users into granting consent.

Google has four months to appeal this decision to the Conseil D’État, France’s Supreme Court for administrative matters.