GDPR bites: clarifying data consent transparency
May 2019 | FEATURE | RISK MANAGEMENT
Financier Worldwide Magazine
May 2019 Issue
Since it came into force one year ago, the General Data Protection Regulation (GDPR) has put the cat among the pigeons for organisations in the EU – as well as those based outside but offering goods and services inside – which process personal data as part of their core business.
A high-profile manifestation of the GDPR’s remit occurred early in 2019 when France’s data protection regulator, the National Commission on Informatics and Liberty (CNIL), imposed a €50m fine on Google for failing to provide a transparent and understandable data use policy for its users.
Significantly, the fine is the biggest issued by a European regulator on account of a GDPR compliance breach and is also the first time one of the tech giants has fallen foul of the GDPR.
“The general architecture of the information chosen by Google does not allow for the obligations of the GDPR to be respected,” said CNIL. “Essential information, such as the purposes for which the data is processed, the length of time the data is stored, or the categories of data used to personalise the advertisement, are excessively scattered throughout several documents, which include buttons and links that it is necessary to activate to read additional information.
“Relevant information is accessible only after several steps, sometimes involving up to five or six actions,” continued the regulator. “This is for example the case if a user wants to have complete information on the collection of its information for the personalisation of advertisements, or for its geolocation.”
While the reality is that the fine imposed on Google is inconsequential in the context of its global revenues – more than $33bn in Q4 2018, for example – it nevertheless signifies that the GDPR is no toothless legislation. Furthermore, the size of the fine issued by the French regulator also serves to reinforce why it is imperative for organisations to make their data usage policies as clear and transparent as possible.
The GDPR is unequivocal in setting out the data consent transparency it requires of organisations within its scope, as well as the potential penalties for non-compliance: a maximum of 4 percent of annual global turnover for serious offences – a penalty which, had it been imposed on Google (it is unclear why it was not), would have resulted in a billion-dollar fine.
“The GDPR requires that organisations carefully examine the full spectrum of their data practices and their potential effects on individuals and society in general,” says Müge Fazlıoğlu, senior Westin research fellow at the International Association of Privacy Professionals (IAPP). “Organisations’ efforts to become GDPR-compliant include hiring new employees to carry out GDPR-related tasks, promoting employees to fulfil privacy-specific roles and engaging external consultants.”
Dr Julie Nixon, an associate at Morton Fraser LLP, believes that many organisations are still in the process of becoming GDPR compliant. “Time and money are huge factors in ensuring that policies and processes meet the standards set out in the GDPR,” she suggests. “There is genuine intent, especially given the risk of higher fines under the new regime, to become more transparent and I believe there may be genuine misunderstanding at times in how organisations interpret the regulation.”
According to Dr Nixon, it is important that organisations assess every personal data processing activity they undertake and not focus solely on their core activities. “Many IT companies, for example, will anonymise and aggregate user personal data across all of their customers to provide statistical reports on end users’ use of their technology,” she says. “Such organisations may not appreciate that this is a separate processing activity and its legal basis should be set out in their privacy notices.”
A useful tool to help organisations understand transparency under the GDPR is the European Commission’s ‘Article 29 Working Party’ guidelines on transparency. “The guidelines emphasise that transparency obligations are not limited to a single point in time, but rather they begin at the data collection stage and continue throughout the entire lifecycle of processing,” explains Ms Fazlıoğlu. “This necessitates constant evaluation and monitoring of how organisations are informing people about their practices, ensuring they are doing it in a timely way and updating people about any changes that are made.”
As intended, fines for violation of the GDPR, such as that imposed by CNIL on Google, send out a powerful message as to the standards of data consent transparency expected of organisations today.
“The Google case also shows that various supervisory authorities are willing to work together and we envisage that closer cooperation will evolve,” says Dr Nixon. “Accountability is a key principle of the GDPR and the standards of transparency and clarity expected of companies are high. The €50m fine should be a stark warning to those companies which may have thought investing in GDPR compliance was unnecessary.”
© Financier Worldwide