Google’s appeal of the €50 million GDPR penalty: what is at stake? (part 2)

Recently, we provided a summary and initial analysis of the first major fine under the GDPR, which was issued by the French data protection authority (the CNIL). In a series of three blogs, we provide further analysis of this landmark decision and its implications. In the first part, we provided information about the motivation of the penalty and Google’s decision to appeal. In this second part of the series, we will consider potential future GDPR fines and draw a link between privacy and competition considerations. In the third part, we will provide practical advice to improve compliance.

Transparency and consent

As stated in our previous article, the penalty was imposed on Google for failing to provide sufficient information and transparency as required under articles 5, 12 and 13 of the GDPR, and for processing personal data without a valid legal basis, constituting a violation of article 6 GDPR, in the context of creating a Google account when setting up an Android phone.

The first of many privacy fines?

Considering what’s at stake, it is understandable that Google and others will keep trying to minimise what is required of them. While it may seem trivial to some, an issue such as whether pre-ticking a checkbox for ad personalisation is permissible or not can have significant consequences. This is because users tend not to change default settings, and in general, personalised ads attract considerably greater revenue than non-personalised ads. Furthermore, it will require more resources to provide more complete and accurate information, which is continuously kept up-to-date (particularly challenging in the fast-changing world of technology) and provided at the right time and in the right way. It seems likely, however, that tech companies across the board will have to step up their privacy game substantially or risk serious fines. At a maximum of 4% of global turnover, these could be far higher than the CNIL’s €50 million opening salvo.

Google probably wouldn’t be wrong if it claimed on appeal that it already provides data subjects with more information and choices about how their personal data will be used than some others. However, it could prove difficult to convince a judge that the CNIL was wrong to demand a particularly high level of transparency from Google, given how much information Google processes about almost everybody. Your ongoing smartphone usage enables Google to continuously process an enormous amount of data about you: your exact whereabouts over time; every search you type into your browser; all the names, numbers and other contact details of (nearly) everybody you know; and all your calendar appointments, including the details as to where and with whom. Do you know what you were doing and where you were at 16:15 on September 4th, 2018? You may not remember, but chances are that Google has the exact data. It doesn’t seem like an exaggeration to say that these services and apps probably know you better than you know yourself.

Weighing all factors, it doesn’t seem difficult to argue that a company which may know you better than you know yourself, and which is making (nearly all of) its billions of euros of annual turnover by helping other companies sell you things, can and should be held to a high standard of transparency about how its vast data troves about you may be used. It still remains unclear, for instance, if switching off Google’s ad personalisation setting will delete your existing ad profile completely. Another possibility could be that the profile is retained, and perhaps even fed with new data, but this data is merely no longer used to show personalised ads. This point was not mentioned by the CNIL, but it appears that it potentially could (or even should) have been.

If Google has indeed done as much or even more than others to comply with the GDPR, this may be further indication that more fines can be expected soon. In this respect, it is worth noting that NOYB — one of the associations that filed the collective complaint against Google that ultimately resulted in the penalty — also filed complaints against Facebook, Amazon, LinkedIn, and several other companies.

Privacy and competition

Another interesting development in this sphere is that Germany’s competition authority recently decided (on February 7th) that Facebook abused its market power by combining user data collected from the Facebook website and app with user data collected through “like” and “share” buttons found on many external websites. A novelty in this case is that privacy considerations have helped shape the assessment under competition law about which forms of behaviour should be considered abusive (in this case: combining data from several sources).

Such interplay between the competition and privacy spheres may also be possible in the opposite direction, as competition considerations could help to shape assessment under privacy law as well. For example, the fact that a given provider is dominant within its market may imply the risk that consent won’t be deemed freely given, because the alternative (i.e. not using its services) is arguably too detrimental. So-called “network effects” can also play a role here — for instance, it is difficult to avoid Facebook if all your friends are on Facebook. Further consequences of a provider being dominant are that the amount of personal data processed will usually be far higher and there will be far more data to potentially combine across different sources. As a result, the insight that such a company may have into individuals’ (private) activities and personal characteristics can be far more comprehensive and intrusive. Here is an interesting read about an experiment to try to avoid any personal data processing by Google. Spoiler alert: it’s nearly impossible.

Read our next blog for practical advice to improve GDPR compliance!

Matthijs van Bergen

Managing director Legal ICT
Matthijs manages Legal ICT’s Brussels office and advises clients mostly in matters concerning EU and international law. Matthijs has extensive experience in drafting and negotiating (international) ICT contracts and has substantial knowledge about intellectual property, privacy, information security, Internet, freedom of speech, net neutrality, and broadband in rural areas.
