As we reported on this blog, just after GDPR became applicable, noyb.eu (None of Your Business), the non-profit privacy organization set up by Max Schrems, the Austrian lawyer who initiated the action against Facebook that led to the invalidation of the Safe Harbor, and a French organization called "La Quadrature du Net", filed the first complaints based on GDPR. These complaints targeted major technology companies such as Google, Facebook, Instagram, WhatsApp and LinkedIn before various European DPAs. The French DPA is the first one to render a decision against one of these tech giants.

In its decision, the DPA explains that it investigated the Android user's "click path" from the creation of a Google account to the day-to-day use of the smartphone and found that Google was in breach of two of the GDPR's main principles:

  • Lack of transparency and inadequate information

Under the GDPR, data controllers must disclose to individuals whose personal data is processed certain information, and that information must be written in a concise, transparent, intelligible and easily accessible way, using clear and plain language.

According to the French DPA, the information provided by Google to its users is not sufficiently clear and plain. The DPA also noted that key information, such as the data processing purposes, the data storage periods or the categories of personal data used for Google ads personalization, is excessively disseminated across several documents (sometimes requiring 5 or 6 clicks by the user before reaching the actual information).

  • Lack of valid consent regarding the ads personalization

The GDPR provides that any data processing must be done on the basis of one of the legal bases listed in the GDPR, which include consent.

Google argued that they rely on users' consent to process data for ads personalization purposes. However, the French DPA found that this was not a valid legal basis, because Google users' consent is not sufficiently informed and is neither "specific" nor "unambiguous". In particular, the French DPA noted that Google users are asked to tick the boxes "I agree to Google's Terms of Service" and "I agree to the processing of my information as described above and further explained in the Privacy Policy" in order to create a Google account; the French DPA concluded this method of securing consent was inappropriate because it was "bundled".

This is not the first time a fine has been issued for breach of the GDPR, but it is by far the biggest, although still far below the maximum limit, which is 4% of worldwide sales. The French DPA explained that the amount fined and the publicity of the decision are justified by "the severity of the infringements observed regarding the essential principles of the GDPR: transparency, information and consent".
