First major GDPR fine

Only now I realize there should have been a pool around GDPR enforcement. We could have placed bets on the first company fined, the first country to fine, over/under on the fine amount, month and year of action. But, it’s too late, all bets are closed, we have our first action.

Today the French National Data Protection Commission (CNIL) announced that it has fined Google €50 million for violations of GDPR. The announcement is well worth reading in full, but here are some of the highlights.

Jurisdiction

Under GDPR the country where the company is headquartered has precedence in handling issues. In this case, Google is headquartered here in Ireland. However, as I read the CNIL press release, it seems that, in discussion with other European Data Protection Authorities (DPAs), the decision was made that there was no primary jurisdiction.

In this case, the discussions with the other authorities, in particular with the Irish DPA, where GOOGLE’s European headquarters are situated, did not allow to consider that GOOGLE had a main establishment in the European Union. Indeed, when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone.

As the “one-stop-shop mechanism” was not applicable, the CNIL was competent to take any decision regarding processing operations carried out by GOOGLE LLC, as were the other DPA. The CNIL implemented the new European Framework as interpreted by all European authorities in the European Data Protection Board’s (EDPB) guidelines.

Transparency

The CNIL determined that it was difficult for consumers to access information about what data Google collects and how they use it. The information may be available on the Google website, but finding it involves clicking through multiple documents and lots of cross-referencing. And, as the committee notes, sometimes what is there isn’t clear or comprehensive. The crux is that it’s difficult for users to understand what data Google is collecting, how they’re collecting it and what they’re doing with it.

Consent acquisition

Google says they get the consumer’s consent to process data, but the committee determined that consent is not validly obtained, for two reasons. First, the information on processing is spread across multiple documents and does not truly give the user information about the extent of data collected. Second, even though it is possible to configure the display of personalised ads, the configuration is only reached through a “more options” button. Users who do click on the “more options” button are presented with pre-ticked boxes. However, pre-ticked boxes are not unambiguous consent; GDPR requires an affirmative action by the user.

CNIL does acknowledge that users are asked to tick two boxes, «I agree to Google’s Terms of Service» and «I agree to the processing of my information as described above and further explained in the Privacy Policy», during account creation. This is not, however, sufficient to comply with GDPR, as consent is required separately for each distinct purpose.

Hints of things to come

Reading between the lines in the CNIL press release, the fines seem to be specific to the creation of Google accounts associated with Android phones. While it’s not stated directly, Android is mentioned both in the jurisdictional section and in the conclusion: “… taking into account the important place that the operating system Android has on the French market, thousands of French people create, every day, a GOOGLE account when using their smartphone …”

The CNIL also drops a broad hint that these issues are still happening and that this is not a one-off infringement. It’s possible that these fines are also not a one-off.

Now what?

I’ve always said the first targets of GDPR were Google and Facebook. I’m unsurprised that Google received not only the first fine, but more than the statutory €20 million. They did not receive anything close to the 4% of global revenue that is allowed – that would be closer to €4 billion if my back-of-the-envelope math is correct. However, I do think this is a warning to all of us. Make it clear what you’re doing with data and how you’re collecting it.

Google has made trillions of dollars by collecting data and selling it to the highest bidder. Throughout their existence they’ve been apologetic about it. This isn’t new. I was in the courtroom back in 2013 when they argued users should have no expectation of privacy when using Google services. Even during that case, the privacy policies were a twisty maze of documents that made it difficult to understand what they were collecting.

Facebook is likely next. They are collecting so much information from users, including listening in on conversations and selling advertising based on keywords. We just recently experienced this. We were sitting at a bar watching the bartender make a drink and discussing the ingredients with him, and in the next 2 days started getting Facebook ads for chocolate martini ingredients. I didn’t, and wouldn’t, give active consent for Facebook to access my phone’s microphone, but that doesn’t mean there’s not a checkbox somewhere that included the consent.

This is the first. It won’t be the last. It may not even be the last fine levied on Google for this by France.

Related Posts

Google makes connections

One of the client projects I’m working on includes doing a lot of research on MXs, including some classification work. Part of the work involves identifying the company running the MX. Many times this is obvious; mail.protection.outlook.com is Office 365, for instance.

There are other cases where the connection between the MX and the host company is not as obvious. That’s where Google comes into play. Take the domain canit.ca; it’s an MX for quite a few domains in this data set. Step one is to visit the website, but there’s no website there. Step two is to drop the domain into Google, which tells me it’s Roaring Penguin Software.

In some cases, though, the domain wasn’t as obvious as the Roaring Penguin link. In those cases, Google would present me with seemingly irrelevant hosting pages. It didn’t make sense until I started digging through hosting documentation. Inevitably, whenever Google gave me results that didn’t make sense, they were right. The links were often buried in knowledge base pages telling users how to configure their setup and mentioning the domain I was searching for.

The interesting piece was that often it was the top-level domain, not the support pages, that Google presented to me. I had to go find the actual pages. Based on that bit of research, it appears that Google has a comprehensive map of which domains are related to each other.

This is something we see in their handling of email as well. Gmail regularly makes connections between domains that senders don’t expect. I’ve been speaking for a while about how Gmail does this, based on observation of filtering behavior. Working through multiple searches looking at domain names was the first time I saw evidence of the connections I suspected. Gmail is able to connect seemingly disparate hostnames and relate them to one another.

For senders, it means that using different domains in an attempt to isolate different mail streams doesn’t work. Gmail understands that domainA in acquisition mail is the same as domainB in opt-in mail is the same as domainC in transactional mail. Companies can develop a reputation at Google which affects all email, not just a particular mail stream. This makes it harder for senders to compartmentalize their sends and requires compliance throughout the organization.

Acquisition programs do hurt all mail programs, at least at Gmail.


GDPR and the EU and Opt-in Confirmation

There’s a lot of discussion going on about just what GDPR requires, and of whom, and in which jurisdictions. German organizations in particular have been more aggressive than most about wanting to see opt-in confirmation for years and now seem to be adding “because GDPR” to their arguments.

I’m still not sure how this is going to shake out, but I’m beginning to see list owners take externally visible action.

I’ve been a subscriber for four or five years – it’s a good mailing list, run well, and I doubt it has any delivery issues beyond the unavoidable.

So this is a permission pass solely because they’re not sure whether I’m an EU resident, and aren’t 100% sure their opt-in confirmation data is squeaky clean (I subscribed as part of downloading an app of theirs, but after five years I couldn’t tell you whether that was technically confirmed opt-in or not, and I’m sure they can’t either).

Zoomdata aren’t taking any chances on confirmation. This isn’t a single “click to confirm you want to stay on the list” permission pass; rather, it goes to a form that asks whether I’m an EU resident and, if I am, requires me to check an “Opt-in to email communications” checkbox and then click on a link in a confirmation email.

I’m not an EU resident today but may be an EU resident in the near future – yet my email address won’t change and nor will my mailing list subscriptions. That does make me wonder how valid it is to be capturing opt-in permission solely for recipients who are EU residents today.

Also, are non-EU residents likely to claim they live in the EU because they’ll be treated better as far as their privacy is concerned, much the same as telling Facebook or Twitter you live in Germany provides you with better content filters?

I guess I’ll be seeing more of this in my inbox over the next few weeks. How are all y’all handling GDPR compliance?


GDPR and Whois data

For folks who aren’t following the discussion about whois records and GDPR compliance there’s a decent summary at vice.com: What Is Going to Happen With Whois?
