Google's recent GDPR fine is a wake-up call for data-driven companies, including payment companies, with operations in Europe.
On Jan. 21, France’s privacy regulator, the CNIL,
The CNIL’s action portends a significant shift from the relatively low penalties obtained in the initial spate of GDPR enforcement (including for such violations as a CCTV camera that captured broader than necessary images and a social network’s failure to properly secure user data) to the start of high-profile enforcement and big fines for violations of core GDPR obligations. At a minimum, EU regulators can be expected to intensely scrutinize privacy notices and consent forms for adequate transparency about data practices; and companies’ selection of their primary regulator.
The action was initiated by two nonprofits on behalf of nearly 10,000 individuals. The complaint claimed that Google allegedly forced Android users to accept Google’s privacy terms or lose access to the services; and violated the GDPR’s transparency and informed consent requirements.
As a threshold matter Google argued that the Irish privacy regulator — not France’s — had jurisdiction over the case because Google’s “main establishment” (i.e., headquarters) in the EU was in Ireland. The CNIL rejected this argument and asserted jurisdiction, contending that, while Google Ireland had a number of functions involving finance and HR, it lacked decision-making power involving the personal data processing that was the subject of the complaints. Google now faces potential enforcement actions by other EU member states.
The CNIL
Google made it difficult for users to find information on how their personal data was used. Users had to browse numerous pages to access this information.
Google’s privacy disclosures were too generic and vague. Therefore, it was difficult for users to understand the impact of consenting to Google’s use of their data, including in relation to serving targeted ads across multiple services such as YouTube, Google Maps and Google Play.
Before creating an account, users were prompted to “agree” to Google’s privacy policy, but no specific consent was sought. Users were essentially forced to accept all or no use of their personal data instead of being able to consent for the data processing associated with specific uses.
Applying a competition framework, and without explaining its methodology, the CNIL assessed the €50,000,000 fine by taking into account the annual global “turnover” (i.e., revenues) of the entire “undertaking” (i.e., enterprise), in this case Alphabet, Google’s parent, and its subsidiaries.
This action ushers in a new era in GDPR enforcement. The CNIL paved the way for other regulators to drive the behavior of global companies through enforcement of the GDPR’s framework and threat of hefty new fines.
In anticipation of stepped-up enforcement, payment companies would be wise to review privacy notices and consent mechanisms to ensure they clearly explain all data sharing in the payment processing ecosystem, particularly for targeted advertising, in easily understood and readily actionable terms without requiring users to go through a lot of steps.
Disclosures should not be generic; they should inform users about product- and use-specific processing of their personal data. EU-based payment companies should be strategic about where decision making over personal data processing occurs to manage exposure in the EU. In particular, companies should ensure that the “main establishment” is reflected in organizational structure, records, and privacy policies to head off this issue at the outset of an action.
