The French data protection regulator, the Commission Nationale de l’Informatique et des Liberties (CNIL), has levied a fine of €50 million ($80 million) against technology giant Google for breaches of the General Data Protection Regulation (GDPR). It is the largest administrative fine issued to date under the GDPR.
The fine arises from complaints made against Google by two European privacy rights groups. The first of these complaints was filed on May 25, 2018, the day the GDPR took effect. The complaints concerned Google’s use of its users’ personal data to personalise advertisements. The privacy groups claimed that Google did not have a valid basis under the GDPR to process its users’ personal data for this purpose.
While Google did obtain consent from users to ad personalisation, the CNIL said that this consent did not meet the standards required by the GDPR for several reasons:
- The option to personalise ads was ‘pre-ticked’ when creating an account;
- The consent was not specific to the personalisation of ads but encompassed a number of other processing activities; and
- The information necessary for users to understand ad personalisation was spread over several documents, and users had to take five or six steps to access all the information.
When does the GDPR apply to Australian startups?
The GDPR’s extraterritorial provisions mean is not necessary for a business to have operations in the European Union (EU) for the GDPR to apply to it. The GDPR may apply to an Australian startup if it:
- Has an establishment located in the European Union (such as an office or a sales representative) which processes personal information;
- Processes personal information in the course of offering goods or services to, or monitoring, individuals who are located in the EU (for example, if it runs an online store that targets European consumers); or
- Processes personal information on behalf of an EU business (for example, if it runs a cloud service on which European businesses store personal information of their customers or employees).
If the GDPR applies to your startup, it will apply in addition to the Australian Privacy Act. Generally speaking, the GDPR has much stricter requirements than the privacy act. Of particular importance to startups is that, unlike the Australian Privacy Act, there is no small business exception to the GDPR. Your startup needs to comply with the GDPR from day one.
The good news for Australian startups is that foreign penalties, such as GDPR fines, will not be enforced by Australian courts. As such, a startup that only has operations or assets in Australia might take the view that it can safely ignore the GDPR. That would be a mistake for two reasons. Firstly, an outstanding GDPR fine could hinder your startup from doing business in Europe in the future. Secondly, while foreign penalties are not enforceable in Australia, orders for compensation from certain European courts are. European consumers who suffer loss due to your breach of the GDPR could be awarded damages by a European court, and then seek to enforce that court order against you in Australia.
What lessons can Australian startups learn from Google’s fine?
There are several lessons Australian startups that are subject to the GDPR can take from the fine imposed on Google.
1. Opt-out consent mechanisms are no longer valid under the GDPR
Opt-out mechanisms, such as pre-ticked checkboxes, were sufficient to obtain consent under the old Directive 95/46/EC on Data Protection, and remain sufficient in most other jurisdictions. However, the GDPR requires that consent be obtained using ‘opt-in’ mechanisms and provides that pre-ticked boxes do not constitute valid consent.
2. You must obtain separate consent for each purpose
The GDPR requires that separate consent must be obtained for each proposed purpose for which the personal data will be processed. Individuals should be able to agree to some uses but not others. A common example is to provide one tick-box for consent to receive direct marketing of your own products, and a separate tick-box for consent to receive direct marketing of third-party products.
3. Make it easy for individuals to understand what they are consenting to
The GDPR requires that individuals be provided with sufficient information to allow them to make an informed choice about the proposed processing. This information should be easy for them to find and understand. Users should not have to click multiple hyperlinks and find information buried in lengthy documents. There are various ways of presenting information online which provide users with an overview of key points and allow them to drill down into the finer details.
4. Multi-million-dollar fines are not as unlikely as we first thought
GDPR penalty provisions allow regulators to issue administrative fines of up to €20 million or 4% of a company’s worldwide annual turnover for the preceding financial year, whichever is higher. While the magnitude of these penalties dominated the headlines when the GDPR was introduced, several European regulators stated publicly that they would use fines sparingly, and generally only against serious or repeat offenders.
By issuing such a substantial fine so early in the life of the GDPR, the CNIL appears to be taking a different approach, and sending the message that it will not hesitate to take punitive measures to enforce the GDPR. The fine stands in stark contrast to the £500,000 ($908,928) fine imposed by the UK Information Commissioner’s Office against Facebook last October, which was the maximum permitted under the directive. Of course, it could be argued that the fine only seems large because it was calibrated to the size of the offender — the fine amounts to approximately four hours’ worth of revenue for Google.
The good news for startups is that fines issued against smaller businesses under the GDPR have been much less dramatic. Last year, a Portuguese hospital was fined €400,000 for misuse of patient records, a German social media service was fined €20,000 for lack of password security, and an Austrian business was fined €4,800 for unlawful CCTV surveillance.
At the very least, however, the decision is a wake-up call to businesses of all sizes that non-compliance with the GDPR could be costly.