man entering search query into Google search bar
PHOTO: Benjamin Dada

Organizations on the hook for General Data Protection Regulation (GDPR) compliance need a data protection officer (DPO) to audit all personal data and an automated, centralized process for managing data in order to avoid hefty fines like the one France leveraged on Google last month. Experts shared that and other advice with CMSWire in light of the French National Data Protection Commission (CNIL)'s $56.5 million fine on the American search giant.

“The complaint seems to be based on Google’s practice of not moving toward clearer, less legally-oriented language on their data collection disclosures,” said Rob Perry, vice president of product marketing at ASG Technologies. “Google collects substantial data on users’ internet usage, which drives its business model. And, being a high profile internet business, it stands out for careful scrutiny.”

Privacy Organizations Generated Google Complaints

Google violated its obligations under GDPR — the European law for protecting citizens' privacy and access to personal data that went into effect last May — in the areas of (1) obligations of transparency and information, and (2) having a legal basis for ads personalization processing. The findings stem from an investigation launched last May by privacy-rights groups None Of Your Business (NOYB) and La Quadrature du Net (LQDN). Those organizations claimed Google did not have a valid legal basis to process the personal data of Google users, particularly for ads personalization purposes.

GDPR complaints are rolling in, according to numbers released last month by the European Commission (EC), a branch of the European Union. Data Protection Authorities (DPA), or EU independent law enforcers, have received 95,180 complaints under GDPR from May 2018 to January 2019, the majority of which are related to telemarketing, promotional emails and video surveillance/CCTV. The French $56.5 million fine is one of most notable under the GDPR, others include, an Austrian entrepreneur who was fined for placing a CCTV outside his establishment that was not sufficiently marked, and an unnamed German social media platform that compromised the personal information of 330,000 users, including their passwords and email addresses.

Related Article: What We Can Learn from the GDPR's First Fines

Not Easily Accessible Information

Back to the French fine against Google. The CNIL found that information provided by Google “is not easily accessible for users” and that Google’s “general structure of the information” is not GDPR-compliant. Information such as data processing purposes, data storage periods or the categories of personal data used for the ads personalization are available but “excessively disseminated across several documents with buttons and links on which it is required to click to access complementary information.” 

Ultimately, it's not easy to find privacy stuff on Google. The search company is not transparent in these key GDPR compliance arenas, according to regulators. Some information-gathering by users could take “5 or 6 actions,” according to the CNIL. Some information, investigators added, is not always clear nor comprehensive. Users can’t easily understand that the legal basis of processing operations for the ads personalization is the consent, and not the legitimate interest of the company, CNIL reported. 

Related Article: Will Google's $57M Fine Finally Push the US Toward Comprehensive Privacy Regulation? 

Consent Obtained Not Valid

Google also does not validly obtain user consent for processing data for personalizing ads, CNIL investigators found. User consent is not “sufficiently informed because the information on processing operations for the ads personalization is “diluted in several documents and does not enable the user to be aware of their extent.” CNIL cited Google’s “Ads Personalization” section, in which it is “not possible to be aware of the plurality of services, websites and applications involved in these processing operations (Google search, YouTube, Google home, Google maps, Playstore, Google pictures…) and therefore of the amount of data processed and combined.”

Further, the collected consent is neither “specific” nor “unambiguous” as GDPR requires. Consent is “unambiguous” according to the GDPR with “a clear affirmative action from the user (by ticking a non-pre-ticked box for instance),” the CNIL reported. 

Start With Audit, Central Data Management 

So, what can your organization do to ensure GDPR compliance in these specific arenas? Have a DPO appointed to initially audit where personal data exists in an organization, according to Peter Gillett, CEO of Zuant. Put in place a process to centralize it and ensure that all future contacts with the outside world use a GDPR permission process for the defined purpose requested, Gillett added.

The key aspects moving forward include:

  • Make sure that the process is recorded and shared with all customer-facing personnel.
  • Make sure that IT puts in place the software to allow easy opt-ins and access to a “customer preference center” and ways of handling data access requests and the requests for erasure.

Related Article: GDPR Is Tough and Set to Get Even Tougher

Have Clear, Common Language

Perry of ASG Technologies said clear disclosure of what data is collected and how it is used, written in common language, is a core requirement of GDPR. “That consent for the collection of the data,” he said, “is obtained based on this clear language. While the definition of what disclosures do and do not meet the regulation will evolve and become clearer over time, companies should focus on being upfront and clear about their data collection and usage policies and assure they capture users consent.”

Automating Data Management

Being careful with how you collect data is important, but once you have the data, you need automated and effective data management processes, Perry said. This will ensure you are aware of all the personal data you’re managing, that you’re protecting it properly, that you’ve done the appropriate privacy impact assessments, and that you can demonstrate your efforts through reports and dashboards. “Being able to show prevention and mitigation efforts will reduce any potential penalties,” he added.

Related Article: GDPR Skeptics Would Like to Relax the Regulation. That Would Be a Mistake

What to Watch for Next With GDPR

Gillett said that it appears Google “simply used contact data beyond the original task consented to.” He cautioned organizations to watch for GDPR-targeted investigations in the “wide open and uncontrolled storage of personal data on mobile devices.” 

What’s important to the enforcers of the GDPR? In a statement that marked Data Protection Day, European Union officials said: “One of the main aims of the GDPR is to empower people and give them more control over one of the most valuable resources in our modern economy — their data. We can only reach this goal if and when people have become fully aware of their rights and the consequences of their decisions.”