On 21 January 2019, France's data-privacy regulator, the Commission nationale de l'informatique et des libertés (CNIL), imposed a fine of €50 million (NZ$85 million) on Google for two breaches of the General Data Protection Regulation (GDPR).
We set out below the key aspects of CNIL's investigation and the factors behind the scale of the fine imposed, along with the potential risks and implications this penalty signals for New Zealand businesses required to comply with the GDPR.
CNIL investigation and conclusions
The penalty follows an investigation by CNIL into complaints brought by two European consumer rights organisations concerning the legal basis upon which Google processed the personal data of users of its services, in particular for "ad personalisation" purposes. This investigation commenced on 25 May 2018, the same day that the GDPR came into effect.
Both complaints were principally about "forced consent": CNIL was asked to find that Google lacked a transparent legal basis for processing people's personal data because it forced users to consent to processing that they did not understand.
CNIL concluded that Google had violated two requirements of the GDPR:
- Obligations of transparency: The GDPR requires that information relating to the processing of personal data be provided in a "concise, transparent, intelligible and easily accessible form". CNIL held that Google's "essential information" regarding processing was difficult to access and scattered across multiple documents, so that "users are not able to fully understand the extent of the processing operations carried out by Google". Users were therefore unable to make an informed decision about, or opt out of, Google's use of their personal data in this way. CNIL described Google's processing operations as "particularly massive and intrusive".
- Obligation to have a valid legal basis for ads personalisation: Because the information provided was insufficient, and the consent Google relied on was neither specific to each purpose nor unambiguous, CNIL found that Google had no valid legal basis for processing personal data for ads personalisation.
The fine was calculated under the higher of the GDPR's two penalty tiers, as CNIL deemed Google to have unlawfully processed the personal data of its users. This tier allows the regulator to impose a fine of up to €20 million (NZ$34 million) or 4% of total worldwide annual turnover, whichever is higher. The theoretical maximum fine for Google was therefore nearly €4 billion (NZ$6.75 billion).
CNIL identified a number of aggravating factors in respect of Google's breaches that justified both the quantum of the fine imposed and the publicity that it would entail. These included:
- the severity of Google's infringements of the "essential" GDPR principles of transparency, information and consent;
- the fact that Google's breaches were continuous rather than a one-off infringement;
- the widespread use of Google's operating system, Android, within the French marketplace; and
- the fact that Google's economic model "is partly based on ads personalisation", so that it had the "utmost responsibility to comply" with the GDPR.
Google has said in a statement that it is "studying the decision to determine our next steps", and it is not yet known whether it will appeal the decision or the fine.
Impact and risks to New Zealand businesses
The substantial penalty handed down to Google highlights the willingness of regulators to impose considerable fines for unlawful processing of personal data. New Zealand businesses that are required to be GDPR-compliant should be conscious of the risk of substantial financial penalties and reputational consequences should they fail to meet the GDPR's requirements. It is noteworthy that the fine exceeded the €20 million fixed cap of the higher penalty tier, meaning the regulator relied on the alternative limb of up to 4% of Google's total worldwide annual turnover.
Although Google had implemented some processes to obtain user consent to the processing of personal data, the regulator considered these insufficient to meet the "essential" GDPR principles of transparency, information and consent. New Zealand businesses relying on consent as their legal basis should therefore ensure that they obtain clear, specific and unambiguous consent from data subjects for each purpose for which personal data is processed, and that the information supporting that consent is easy to find and understand.