The long and winding road

If the GDPR was supposed to clarify companies’ data privacy compliance obligations, the recent fine levied by the CNIL against Google underscores how far we still have to go – writes Will Richmond-Coggan, director specialising in data privacy issues at Freeths LLP

As everyone is (surely) now aware, the GDPR came into force across Europe on 25 May 2018. Attracting somewhat less attention on the same date (amidst, no doubt, the spontaneous street parties and celebrations), complaints were filed by two well-known privacy rights campaign groups: NOYB (an Austrian group whose director, Max Schrems, is well known in data protection litigation circles) and the French group LQDN. They sought to challenge Google’s compliance with the new legislation, specifically in connection with its method of obtaining user consent for personalised advertising.

Under the GDPR (and the associated domestic legislation) data controllers breach the law if they process personal data without a valid lawful basis for doing so. There are a range of these, but perhaps the best known is processing with the consent of the data subject. Such consent, post-GDPR, must be informed (i.e. the data subjects must know what they are agreeing to) and, in the words of Article 4(11), “freely given, specific, informed and unambiguous”, indicated by a statement or a clear affirmative action.

The French data protection authority (CNIL) concluded that Google’s procedures for obtaining consent to share personal data with advertisers were deficient. The consent that was obtained was held not to be sufficiently clear and unequivocal, and Google was held not to have adequately informed data subjects about what they were being asked to consent to.

Now, Google will have taken plenty of advice in formulating their privacy notices and I would not be surprised if they will have more to say about these conclusions. But I want to focus on the latter point, which has troubling implications for other businesses that do not have the resources and appetite for litigation that Google has.

Article 12(1) of the GDPR spells out that the information which data controllers must provide to data subjects has to be provided in a form which is “concise, transparent, intelligible and easily accessible”. Guidance from the UK’s data protection authority, the Information Commissioner’s Office (ICO), helpfully suggests a range of techniques by which this may be achieved. These include a “layered approach”, where short privacy notices containing the most significant privacy information link to progressively more in-depth explanations of the privacy position. The ICO also suggests the use of dashboards, where privacy options and their implications are represented graphically, or “just-in-time” notices informing data subjects of the relevant data protection information at the point at which their data is being collected.

What makes the CNIL’s conclusion on this complaint so troubling is that it involves criticism of precisely the approach recommended by the ICO. The CNIL concluded that clear and informed consent could not have been given because “essential information” had been “disseminated across several documents… The relevant information is accessible after several steps only, implying sometimes up to five or six actions”.

The result of this, said the French authority, was that data subjects were “not able to fully understand the extent of the processing operations carried out by Google.”

Where does that leave other businesses, looking to achieve a functional balance between adequately informing their customers on the one hand, and not making their interactions with those customers so unwieldy that they lose their custom on the other? The layered approach to providing relevant information to data subjects has a number of benefits. It ensures that the detail is there for those who want it, while keeping the primary interaction with customers streamlined and manageable. But for as long as this CNIL decision stands, businesses will have to proceed with increased caution before adopting this straightforward and common-sense solution.

This is one of the very first decisions on an aspect of data protection legislation that has been updated by the GDPR and there is the prospect of many more such decisions in the weeks and months ahead. For anyone who thought that last May marked the end of the journey towards GDPR compliance, it is clear that we still have a long road ahead of us.
