The Privacy Guardians of GDPR Make Violations Expensive
The First Six Months of GDPR
In May 2018, the General Data Protection Regulation (GDPR) came into effect in the EU after having been a work in progress for over two years. It was eagerly awaited as the first formal guardian of the common citizen’s right to privacy – a commodity that has all but vanished over time. Zealous guardians of privacy rights such as NOYB (rather aptly standing for None of Your Business) began raising complaints against the big internet players almost immediately. A waiting period followed, to see how the regulators would react and how the internet empire would redefine itself. Most of the players self-certify as committed to privacy protection and state full compliance with GDPR. It had been predicted that the regulators were allowing a six-month leeway for appropriate compliance efforts, and January 2019 saw the first attention-grabbing GDPR non-compliance penalty of significant value announced against one of the biggest internet companies.
Google Non-compliance Investigation
The National Data Protection Commission of France (CNIL) received two complaints regarding GDPR non-compliance by Google LLC:
- 28 May 2018: LQDN (La Quadrature Du Net) questioned the legal basis for the processing of personal data for behaviour analysis and targeted advertising.
CNIL immediately started its investigation as per the procedure laid down in GDPR and eventually imposed a fine in January 2019. Google has already announced that it intends to appeal the ruling.
Google Investigation Timeline
The timeline shows that CNIL performed an in-depth analysis of the complaints, following due procedure, with early notification to Google and review of its responses.
Main Findings of the Investigation
CNIL identified shortcomings in Google’s personal information collection and processing on two fronts – insufficient information provided to the user and invalid consent for the use of personal data. The full text of the decision has been published (in French), together with a summarized press release (in English).
Failure to Comply with Transparency and Information Obligations
An example was given for the advertising personalization process – listing the pages that the user has to click through in order to find out how personal information is handled, and demonstrating that this is cumbersome for the average user.
Further, accessing information on the personal data retention period was also shown to be difficult, requiring multiple actions and further obscured by non-explicit section titles. There are four categories of retention periods:
- Information retained until you delete it
- Information with a timeout
- Information retained until you delete your Google Account
- Information kept for long periods of time for specific reasons
The information on the last category was considered inadequate: only very general explanations of the purpose of this retention were provided, with no precise duration and no criteria used to determine that duration.
Additionally, the volume of data collected from the user in different categories was reviewed:
- data "produced" by the person (for example, their name, password, phone number, email address, means of payment, and content created, imported or received, such as writings, photos or videos);
- data generated by user activity (for example, IP address, unique user identifiers, mobile network data, data related to wireless networks and Bluetooth devices, timestamps of actions performed, geolocation data, technical data of the devices used including sensor data (accelerometer, etc.), videos viewed, searches made, browsing history, purchases, applications used, etc.);
- data derived or inferred from the data provided by that person or from their activity.
The intrusive nature of this significant volume of data collection, combined with the lack of clarity on how the data is used to provide a personalized experience, led to the conclusion that the information provided by Google does not allow users to sufficiently understand the particular consequences of the processing of their personal information. Google relies on user consent as the basis for providing personalized advertising; however, CNIL concluded that the user does not fully understand the ramifications of the data collection and analysis to which they are consenting.
Further, under GDPR, information on the usage of the data must be made available from the beginning of the processing cycle. The summary shown at account creation provides only very high-level information and was considered insufficient to meet the information requirements.
Failure to Provide a Legal Basis for the Processing
While Google reaffirms that user consent is the main hallmark of its advertisement personalization, the validity of that consent in the absence of clarity of purpose (Articles 6 and 7) is questionable.
As in the case of the information requirements, the multiplicity of documents to be consulted and the lack of clarity on the type and nature of use of the personal data across multiple Google applications was illustrated.
Further, consent has to be given through an affirmative user action and cannot be bundled. Default ticking of check-boxes and combining multiple purposes (i.e. applications) into a single consent are both prevalent, contravening Recitals 32 and 43 of GDPR. The customization of advertisements is configured under an optional menu which defaults to acceptance and hence requires no specific affirmative action from the user, thereby rendering the consent invalid as it is neither specific nor unambiguous.
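As an added example (not from the article or from the CNIL decision), the following Python audit applies the conditions described above to stored consent records: information shown before consent, no pre-ticked defaults, affirmative action, and one consent per purpose rather than one bundled control. The record layout, field names and sample data are constructed for this example and do not reflect any real product's schema.

```python
# Added example: audit consent records against the conditions cited in the
# decision (Recitals 32 and 43, Articles 6 and 7). Schema is constructed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional

@dataclass
class PurposeConsent:
    purpose: str                 # one processing purpose, e.g. "ads_personalisation"
    granted: bool
    obtained_by: str             # "explicit_opt_in", "pre_ticked" or "implied"
    bundled_with: List[str] = field(default_factory=list)  # other purposes on the same control

@dataclass
class ConsentRecord:
    user_id: str
    consented_at: datetime
    notice_shown_at: Optional[datetime]   # when information on the use of data was shown
    purposes: List[PurposeConsent]

def audit(record: ConsentRecord) -> List[str]:
    """Return findings for one record; an empty list means no issue was found."""
    findings = []
    # Information on the use of the data must precede the consent it supports.
    if record.notice_shown_at is None or record.notice_shown_at > record.consented_at:
        findings.append("information not provided before consent (Articles 6 and 7)")
    for p in record.purposes:
        if not p.granted:
            continue  # nothing is processed on this basis, so nothing to check
        if p.obtained_by == "pre_ticked":
            findings.append(f"{p.purpose}: pre-ticked default is not affirmative action (Recital 32)")
        elif p.obtained_by != "explicit_opt_in":
            findings.append(f"{p.purpose}: consent is not unambiguous ({p.obtained_by})")
        if p.bundled_with:  # one control covering several purposes is not specific
            findings.append(f"{p.purpose}: bundled with {', '.join(p.bundled_with)} (Recital 43)")
    return findings

def sample_records() -> List[ConsentRecord]:
    """Constructed records: one shaped like the flow the decision describes, one compliant."""
    t0 = datetime(2019, 1, 21, 10, 0)
    failing = ConsentRecord("u1", t0, t0 + timedelta(minutes=5), [
        PurposeConsent("ads_personalisation", True, "pre_ticked", ["app_search", "app_video"]),
    ])
    passing = ConsentRecord("u2", t0, t0 - timedelta(minutes=2), [
        PurposeConsent("ads_personalisation", True, "explicit_opt_in"),
        PurposeConsent("location_history", False, "explicit_opt_in"),
    ])
    return [failing, passing]
```

Running `audit` over `sample_records()` reports three findings for the first record (late notice, pre-ticked default, bundled purposes) and none for the second.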
Taking into account the serious nature of the breach (violation of the information and consent requirements), as well as the large customer base for Android phones in France, and considering that Google offers multiple applications to a single user, resulting in extensive processing of user data and subsequent advertising revenue, a penalty of 50 million Euros was levied. Although this is the first large penalty under GDPR, it is not the maximum that could have been levied (4% of revenues) under Article 83.
Other GDPR Violations Reported up to Early 2019
While this is the first large GDPR penalty levied, and against a prominent player, it is not the first penalty under GDPR. Some of the previously published penalties include:
- The Austrian Data Protection Authority (DSB) fined an entrepreneur Euro 4,800 for installing a CCTV camera in front of the establishment that covered a large portion of the public sidewalk. This violates transparency obligations, as members of the public using the sidewalk had not consented to being recorded on video.
- The Portuguese Data Protection Authority (CNPD) fined the Barreiro hospital Euro 400,000 for violating the principles of integrity and confidentiality and of data minimization (limiting access to patients' clinical data), and for the controller's inability to ensure the confidentiality and integrity of the data in its system.
- The State Commissioner for Data Protection and Freedom of Information of Baden-Wuerttemberg (LfDI) fined Knuddels.de (a social media company) Euro 20,000 for violating data security by storing passwords in plain text. The early reporting of the breach by the data controller and its full co-operation with LfDI were cited as the reasons for the low amount of the fine.
Other reported data breaches that could be candidates for future penalties under GDPR include the British Airways customer data breach where hackers used cross-site scripting to steal personal and financial information of customers as well as the Facebook access token breach where code vulnerabilities allowed potential profile access to hackers.
One of the side-effects of GDPR is that breaches are being reported earlier, especially when EU customer data is involved, in order to comply with Article 33, which requires breaches to be notified within 72 hours.
Early enforcement experience with GDPR indicates that the European regulators are taking user privacy and personal information security very seriously and are penalizing both small and large companies (including global corporations) for proven violations. With these companies exercising their appellate rights, the investigation and final conclusion of the cases can be drawn out; however, the general European public can now trust that complaints can be registered and processed by their national regulators. It remains to be seen whether this eventually leads to a change in the internet economy, where personal information is one of the most actively traded commodities. Analysis of the early enforcement also helps companies understand how different regulators interpret the various articles and recitals of GDPR, and can be used to audit existing privacy protection features for sufficiency.
The European Union had received 95,000 complaints under GDPR as of January 2019, although five EU countries are yet to complete adoption of GDPR.
Note: The facts of the investigation discussed in this article have been translated from the original French using free internet tools. The author would be happy to correct any discrepancies in facts that arise due to such translation.
© 2019 Saisree Subramanian