The long and winding road
If the GDPR was supposed to clarify companies’ data privacy compliance obligations, the recent fine levied by the CNIL against Google underscores how far we still have to go – writes Will Richmond-Coggan, director specialising in data privacy issues at Freeths LLP
As everyone is (surely) now aware, new data protection legislation came into force across Europe on 25 May 2018. Attracting somewhat less attention on the same date (amidst, no doubt, the spontaneous street parties and celebrations) complaints were filed by two well-known privacy rights campaign groups, NOYB (an Austrian group whose director Max Schrems is well known in data protection litigation circles) and the French group LQDN. They sought to challenge Google’s compliance with the new legislation, specifically in connection with their methodology for obtaining user consents around advertising.
Under GDPR (and the associated domestic legislation) data controllers will breach the legislation if they process personal data without a valid lawful basis for doing so. There are a range of these, but perhaps the most well-known is processing with the consent of the data subject. Such consent, post-GDPR, must be informed (i.e. the data subjects must know what they are agreeing to) and it must be clear, specific and unequivocal.
The French data protection authority (CNIL) concluded that Google’s procedures for obtaining consent to share personal data with advertisers were deficient. The consent that was obtained was held not to be sufficiently clear and unequivocal, and Google was held not to have adequately informed data subjects about what they were being asked to consent to.
Now, Google will have taken plenty of advice in formulating their privacy notices and I would not be surprised if they will have more to say about these conclusions. But I want to focus on the latter point, which has troubling implications for other businesses that do not have the resources and appetite for litigation that Google has.
Article 12(1) of the GDPR spells out that the information which data controllers must provide to data subjects has to be provided in a form which is “concise, transparent, intelligible and easily accessible”. Guidance from the UK’s data authority (the ICO) helpfully suggests that there are a range of techniques by which this may be achieved. These include a “layered approach” where short privacy notices containing significant privacy information link to progressively more and more in depth explanations of the privacy position. They also suggest the use of dashboards, where privacy options and implications are graphically represented, or “just-in-time” notices informing data subjects of relevant data protection information, at the point at which their data is being collected.
What makes the CNIL’s conclusion on this complaint so troubling, is that it involves criticism of precisely the approach recommended by the ICO. Thus, the CNIL concluded that clear and informed consent could not have been given because “essential information” had been “disseminated across several documents… The relevant information is accessible after several steps only, implying sometimes up to five or six actions”.
The result of this, said the French authority, was that data subjects were “not able to fully understand the extent of the processing operations carried out by Google.”
Where does that leave other businesses, looking to achieve a functional balance between adequately informing their customers on the one hand, and not making their interactions with those customers so unwieldy that they lose their custom? The layered approach to provision of relevant information to data subjects has a number of benefits. It ensures that detail is there for those who want it, but it also keeps the primary interaction with customers streamlined and manageable. But for as long as this CNIL decision stands, businesses will have to proceed with increased caution before adopting this straightforward and common-sense solution.
This is one of the very first decisions on an aspect of data protection legislation that has been updated by the GDPR and there is the prospect of many more such decisions in the weeks and months ahead. For anyone who thought that last May marked the end of the journey towards GDPR compliance, it is clear that we still have a long road ahead of us.
More in HR
Time to Prioritise Mental Health in the Workplace: World Mental Health...
In case you haven’t seen Jonna Mundy, CEO of You Consultancy Ltd. is hosting a CIPD event not to be missed! Whether you are an HR professional or specialise / have an interest in Health and Wellbeing, why don’t you join Jonna and a fabulous line-up of guests at the Mercure Oxford Hawkwell House Hotel. […]
Unlocking Excellence
In the ever-evolving realm of human resources and organisational development, leaders consistently grapple with pivotal decisions in shaping their core people functions. Traditionally, many have opted for in-house resources to bolster internal teams for managing people matters. However, in the face of contemporary employment challenges and evolving expectations, leaders are increasingly turning to a more […]
Navigating HR & OD Challenges in 2024: A Guide to a...
Introduction: As we step into the New Year, the ever-evolving landscape of human resources (HR) and organisational development (OD) presents both exciting opportunities and unique challenges for HR Professionals, Leaders, and Managers. From adapting to accommodate ongoing workforce needs or addressing emerging trends, January 2024 sets the stage for those responsible to proactively shape the […]
From this author
Freeths advises Veriflo on its sale to Celnor Group
National law firm Freeths has advised the shareholders of Veriflo Limited on its sale to Celnor Group.
Freeths advises Oakford on sale to Centralis
National law firm Freeths has advised the shareholders of Oakford Advisors on its sale to Luxembourg-based Centralis.
Freeths introduces new Oxford service line with two new hires
National law firm Freeths has appointed Directors Caroline Benfield and Elizabeth Taylor, launching a new Restructuring and Insolvency offering in Oxford. They both join from Wright Hassall.