French data protection watchdog fines Google $57 million under the GDPR

The CNIL, the French data protection watchdog, has issued its first GDPR fine of $57 million (€50 million). The regulatory body claims that Google has failed to comply with the General Data Protection Regulation (GDPR) when new Android users set up a new phone and follow Android’s onboarding process.

Two nonprofit organizations, None Of Your Business (noyb) and La Quadrature du Net, had originally filed complaints back in May 2018. noyb’s complaint also targeted Facebook, so it remains to be seen what happens to Facebook next. Under the GDPR, complaints are transferred to the relevant local data protection watchdog.

While Google’s European HQ is in Dublin, the CNIL first concluded that the Dublin team doesn’t have the final say on data processing for new Android users; that decision is most likely taken in Mountain View. Because Google Ireland was not the decision-maker, the GDPR’s “one-stop-shop” mechanism (which would have handed the case to the Irish regulator as lead authority) did not apply, and the investigation continued in Paris.

The CNIL then concluded that Google fails to comply with the GDPR when it comes to transparency and consent.

Let’s start with the alleged lack of transparency. “Essential information, such as the data processing purposes, the data storage periods or the categories of personal data used for the ads personalization, are excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information,” the regulator writes.

For instance, if a user wants to know how their data is processed to personalize ads, it takes five or six taps. The CNIL also says the information provided is often too hard to understand: purposes are described in terms so generic and vague that a user cannot tell what is actually being done with their data.

Second, Google’s consent flow doesn’t comply with the GDPR, according to the CNIL. By default, Google pushes you hard to sign in or sign up to a Google account, telling you that your experience will be worse without one. According to the CNIL, Google should separate the action of creating an account from the action of setting up a device: GDPR consent must be specific, so bundling the two into one flow does not qualify.

If you do sign up, when the company asks you to tick or untick some settings, Google doesn’t explain what they actually cover. For instance, when Google asks whether you want personalized ads, it doesn’t tell you that this covers many different services, from YouTube to Google Maps and Google Photos; it isn’t just about your Android phone.

In addition, Google doesn’t obtain specific and unambiguous consent when you create an account: the option to opt out of personalized ads is hidden behind a “More options” link, and it is pre-ticked by default. It shouldn’t be, since consent under the GDPR requires a clear affirmative action, which a pre-ticked box is not.

Finally, by default, Google ticks a box that says “I agree to the processing of my information as described above and further explained in the Privacy Policy” when you create your account. Blanket consent of this kind, covering every processing purpose in a single tick, is neither specific nor granular, so it doesn’t count as valid consent under the GDPR either.

The CNIL also notes that the violations were still ongoing at the time of the decision: nothing had changed since its investigation in September 2018.

Max Schrems, Chairman of noyb has sent us the following statement:

“We are very pleased that for the first time a European data protection authority is using the possibilities of GDPR to punish clear violations of the law. Following the introduction of GDPR, we have found that large corporations such as Google simply ‘interpret the law differently’ and have often only superficially adapted their products. It is important that the authorities make it clear that simply claiming to be compliant is not enough. We are also pleased that our work to protect fundamental rights is bearing fruit. I would also like to thank our supporters who make our work possible.”

Update: A Google spokesperson has sent us the following statement:

“People expect high standards of transparency and control from us. We’re deeply committed to meeting those expectations and the consent requirements of the GDPR. We’re studying the decision to determine our next steps.”

Advisor to Europe’s top court favors regional limit to ‘right to be forgotten’

Google will be cheered by the view of an influential advisor to Europe’s top court vis-a-vis the territorial scope of the so-called ‘Right to be Forgotten’.

Since a 2014 Court of Justice decision, search engines operating in Europe have been required to accept and review requests from private citizens to delist outdated or irrelevant search results associated with their name, balancing decisions against any public right to know.

Google has been carrying out these delistings on regional European subdomains, rather than globally. But in 2016 the French data protection agency, CNIL, fined it for failing to delist results globally — arguing that regional delistings were not strong enough to comply with the law.

Google filed an appeal against the CNIL’s order for global delisting and a French court later decided to refer questions vis-a-vis the scope of the rtbf to the Court of Justice of the EU.

The CJEU heard the case last fall, with Google arguing that global delistings would damage free speech, and enable authoritarian regimes to get stuff they don’t like scrubbed off the Internet.

On the flip side, those who advocate for global delistings argue that without them there’s a trivial workaround to the rtbf: run the same search on a non-European domain such as google.com.

The intent of the rtbf ruling was never to remove information from the Internet, though, but to allow old and erroneous data to sediment rather than be artificially kept in public view by algorithms. And given that most web users don’t look past the first page (or even the first few) of search results, regional delistings seem a fair enough balance, at least as things stand.

That balanced view is also now the published opinion of an influential advisor to Europe’s top court.

Advocate general Maciej Szpunar’s opinion, released today — ahead of the court making its own judgement on the matter — proposes that the regional rtbf should be limited in scope to local sub-domains, rather than being applied globally as the French data protection agency has been pushing for several years.

In a press release summarizing the AG’s opinion, the court writes that Szpunar believes “a distinction must be made depending on the location from which the search is performed” and that “[h]e is therefore not in favour of giving the provisions of EU law such a broad interpretation that they would have effects beyond the borders of the 28 Member States”.

“[I]f worldwide de-referencing were permitted, the EU authorities would not be able to define and determine a right to receive information, let alone balance it against the other fundamental rights to data protection and to privacy,” it continues.

“This is all the more so since such a public interest in accessing information will necessarily vary from one third State to another depending on its geographic location. There would be a risk, if worldwide de-referencing were possible, that persons in third States would be prevented from accessing information and, in turn, that third States would prevent persons in the EU Member States from accessing information.”

That said, the AG is not ruling out the possibility that “in certain situations” a search engine operator may need to delist something “at the worldwide level”.

Rather, the court emphasizes, “he takes the view that the situation at issue in the present case does not justify this”.

So his current advice to the court is summarized as follows:

… the search engine operator is not required, when acceding to a request for de-referencing, to carry out that de-referencing on all the domain names of its search engine in such a way that the links in question no longer appear, irrespective of the location from which the search on the basis of the requesting party’s name is performed.

At the same time the AG emphasizes that — for valid requests — search engines must “take every measure available to it to ensure full and effective de-referencing within the EU, including by use of the ‘geo-blocking’ technique, in respect of an IP address deemed to be located in one of the Member States, irrespective of the domain name used by the internet user who performs the search”.
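
The three territorial scopes at issue in this case, as an added example that is not part of the article or of any court document: a search-result filter that applies a de-referencing list under each rule. The delisted name, the geo-IP table (documentation address ranges with invented country assignments) and the ccTLD map are constructed for the example. EU_DOMAINS is Google’s original per-subdomain practice, GLOBAL is what the CNIL ordered, and EU_GEO models the AG’s position as domain-based delisting plus geo-blocking of any client whose IP resolves to a member state, irrespective of the domain used.

```python
from __future__ import annotations

import ipaddress
from enum import Enum
from typing import Optional

# The 28 EU member states at the time of the AG's opinion (January 2019, UK still a member).
EU_MEMBER_STATES = {
    "AT", "BE", "BG", "CY", "CZ", "DE", "DK", "EE", "ES", "FI", "FR", "GB", "GR", "HR",
    "HU", "IE", "IT", "LT", "LU", "LV", "MT", "NL", "PL", "PT", "RO", "SE", "SI", "SK",
}

# Constructed geo-IP table: RFC 5737 / RFC 3849 documentation ranges with invented
# country assignments. A real deployment would consult a geolocation database.
GEOIP_TABLE = [
    (ipaddress.ip_network("192.0.2.0/24"), "FR"),
    (ipaddress.ip_network("198.51.100.0/24"), "DE"),
    (ipaddress.ip_network("203.0.113.0/24"), "US"),
    (ipaddress.ip_network("2001:db8::/32"), "IT"),
]

# Country-code TLD of a search domain -> ISO country code (only the ones used here).
CCTLD_COUNTRY = {"fr": "FR", "de": "DE", "it": "IT", "uk": "GB"}

# Constructed de-referencing list: normalized name -> URLs delisted for searches on that name.
DELISTED = {"jane doe": {"https://example.org/old-article"}}


class Scope(Enum):
    EU_DOMAINS = "eu_domains"  # original practice: only on EU ccTLD domains such as google.fr
    EU_GEO = "eu_geo"          # AG's view: EU domains plus geo-blocking of EU clients on any domain
    GLOBAL = "global"          # CNIL's 2016 order: every domain, wherever the search comes from


def country_of_ip(ip: str) -> Optional[str]:
    """Look the client address up in the (constructed) geo-IP table; None if unknown."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEOIP_TABLE:
        if addr in net:  # a v4/v6 version mismatch simply yields False
            return country
    return None


def country_of_domain(domain: str) -> Optional[str]:
    """Map google.fr -> FR, google.co.uk -> GB, google.com -> None."""
    tld = domain.lower().rsplit(".", 1)[-1]
    return CCTLD_COUNTRY.get(tld)


def delisting_applies(scope: Scope, domain: str, client_ip: str) -> bool:
    """Decide whether a valid de-referencing request must be honoured for this search request."""
    if scope is Scope.GLOBAL:
        return True
    on_eu_domain = country_of_domain(domain) in EU_MEMBER_STATES
    if scope is Scope.EU_DOMAINS:
        return on_eu_domain
    # Scope.EU_GEO: switching to google.com no longer lets an EU user route around the delisting
    return on_eu_domain or country_of_ip(client_ip) in EU_MEMBER_STATES


def filter_results(name: str, results: list[str], domain: str, client_ip: str,
                   scope: Scope, delisted: dict[str, set[str]] = DELISTED) -> list[str]:
    """Return the result list with de-referenced URLs removed when the scope applies."""
    suppressed = delisted.get(" ".join(name.lower().split()), set())
    if not suppressed or not delisting_applies(scope, domain, client_ip):
        return list(results)
    return [url for url in results if url not in suppressed]


if __name__ == "__main__":
    results = ["https://example.org/old-article", "https://example.com/current-profile"]
    for scope in Scope:
        for domain, ip in (("google.fr", "192.0.2.10"), ("google.com", "192.0.2.10"),
                           ("google.com", "203.0.113.9")):
            shown = filter_results("Jane Doe", results, domain, ip, scope)
            print(f"{scope.value:10} {domain:11} {ip:13} -> {len(shown)} result(s)")
```

The EU_DOMAINS case shows the workaround critics point to: a user in France who types google.com instead of google.fr still sees the delisted link. Under EU_GEO the same request is blocked on the strength of the client address alone, while a searcher outside the EU on google.com is unaffected, which is exactly the distinction “depending on the location from which the search is performed” that the AG draws.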

While the AG’s opinion is not binding on the CJEU the court tends to take a similar view so it’s a good indicator of where the final judgement will land, likely in three to six months’ time.

We reached out to Google for comment and a spokesperson emailed us the following statement, attributed to Peter Fleischer, its senior privacy counsel:

Public access to information, and the right to privacy, are important to people all around the world, as demonstrated by the number of global human rights, media and other organisations that have made their views known in this case. We’ve worked hard to ensure that the right to be forgotten is effective for Europeans, including using geolocation to ensure 99% effectiveness.

The search giant, which remains massively dominant in the European market, publishes a transparency report detailing the proportion of requests it accepts and declines, which shows both a steady growth in requests and that Google continues to grant only a minority of delisting requests.

Since the original 2014 rtbf decision, the EU has doubled down on the right — extending the principle by baking it into an updated data protection framework, the GDPR, which came into force in May last year and gives EU citizens rights to ask data controllers to rectify or delete their personal information.

French data protection watchdog fines Uber $460,000 for data breach

One by one, European countries are slapping Uber with a penalty for the way it handled its 2016 data breach. Today, France’s data protection watchdog, the CNIL, announced it was fining Uber $460,000 (€400,000).

This event was a combination of bad security, a bad response and, for Uber, fortunate timing. Back in 2016, Uber suffered a data breach that affected 57 million users, including 1.4 million in France.

According to the CNIL’s decision, the attackers logged in to Uber’s private GitHub repositories using employees’ GitHub credentials. From there they were able to connect to Uber’s Amazon Web Services account and download user data.

How? Very simply: AWS access credentials were stored in plain text in the code on GitHub, so anyone who could read the repositories could read the keys.

The CNIL said that it could have been avoided if:

  • Uber had made two-factor authentication mandatory for access to its private GitHub repositories.
  • Uber hadn’t stored AWS credentials in plain text on GitHub.
  • Uber had restricted access to its AWS account to an IP whitelist, so stolen keys could not be used from arbitrary hosts.
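
As an added example, not code from the article, the CNIL or Uber: a minimal scanner for the second failure above, AWS credentials committed in plain text. It runs over a constructed in-memory repository (the key pair in it is the placeholder pair from AWS’s own documentation, not a live credential) and is the kind of check a pre-commit hook or CI job would run before a push ever reaches GitHub.

```python
from __future__ import annotations

import math
import re
from dataclasses import dataclass

# Constructed sample repository (path -> contents). The key pair in deploy/config.yml is
# the placeholder pair from AWS's own documentation, not a live credential.
SAMPLE_REPO = {
    "deploy/config.yml": (
        "s3_bucket: rider-exports\n"
        "aws_access_key_id: AKIAIOSFODNN7EXAMPLE\n"
        "aws_secret_access_key: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "deploy/config.safe.yml": (
        "s3_bucket: rider-exports\n"
        "# credentials come from the instance role or the environment, never from the repo\n"
        "aws_access_key_id: ${AWS_ACCESS_KEY_ID}\n"
        "aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}\n"
    ),
    "README.md": "Run `make deploy` to push the build to AWS.\n",
}

# An AWS access key ID is 20 characters: a 4-letter prefix (AKIA long-term, ASIA temporary)
# followed by 16 upper-case alphanumerics. The matching secret is 40 characters of [A-Za-z0-9/+].
ACCESS_KEY_RE = re.compile(r"\b((?:AKIA|ASIA)[0-9A-Z]{16})\b")
SECRET_KEY_RE = re.compile(
    r"(?i)secret(?:_?access)?_?key\W{0,3}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"
)
# A random 40-character secret carries well over 4 bits of entropy per character;
# placeholders ("xxxx...", "${AWS_SECRET_ACCESS_KEY}") do not, so they are not reported.
MIN_SECRET_ENTROPY = 3.5


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int  # 1-based line within the file
    kind: str     # "aws_access_key_id" or "aws_secret_access_key"
    value: str    # the matched token; pass through redact() before logging it anywhere


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or single-symbol string)."""
    if not s:
        return 0.0
    counts: dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep the first and last 4 characters so a finding can be triaged without re-leaking it."""
    if len(token) <= 8:
        return "*" * len(token)
    return token[:4] + "*" * (len(token) - 8) + token[-4:]


def scan_text(path: str, text: str) -> list[Finding]:
    """Scan one file's contents line by line and return every credential-shaped token."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append(Finding(path, line_no, "aws_access_key_id", m.group(1)))
        for m in SECRET_KEY_RE.finditer(line):
            if shannon_entropy(m.group(1)) >= MIN_SECRET_ENTROPY:
                findings.append(Finding(path, line_no, "aws_secret_access_key", m.group(1)))
    return findings


def scan_repo(repo: dict[str, str]) -> list[Finding]:
    """Scan every file of an in-memory repository, in path order."""
    findings: list[Finding] = []
    for path in sorted(repo):
        findings.extend(scan_text(path, repo[path]))
    return findings


def report(findings: list[Finding]) -> list[str]:
    """Human-readable, redacted lines suitable for a CI log."""
    return [f"{f.path}:{f.line_no}: {f.kind} {redact(f.value)}" for f in findings]


if __name__ == "__main__":
    hits = scan_repo(SAMPLE_REPO)
    print("\n".join(report(hits)) or "no credentials found")
    # Non-zero exit so a pre-commit hook or CI job blocks the push when anything is found.
    raise SystemExit(1 if hits else 0)
```

The entropy threshold keeps placeholders such as `${AWS_SECRET_ACCESS_KEY}` or a row of x’s out of the findings. A real pipeline would scan the full git history as well, since a key deleted in a later commit is still retrievable from earlier ones, and would pair detection with the other two items on the CNIL’s list: mandatory 2FA on the repository host, and an IAM policy conditioned on `aws:SourceIp` so that a key which does leak is useless from outside the allowlisted ranges.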

Uber first tried to cover up the breach by paying the hackers $100,000 to delete the data set. It eventually disclosed the breach last year.

The only good news for Uber is that the breach happened slightly too early for the European Union’s GDPR. Today, a company that fails to notify the relevant authority of a breach within 72 hours of becoming aware of it faces a fine of up to €10 million or 2 percent of its global annual turnover, whichever is higher; the headline 4 percent tier is reserved for violations of the regulation’s core principles, such as processing without a lawful basis or without valid consent.

British and Dutch authorities previously fined Uber $490,000 and $690,000 respectively (£385,000 and €600,000). Overall, it represents $1.6 million in fines.

France records big jump in privacy complaints since GDPR

Another European data protection agency has reported a sharp rise in the numbers of complaints since the EU updated its privacy framework four months ago, when GDPR came into force, updating regional data protection rules and introducing much higher penalties for privacy violations.

France’s CNIL agency said today that it’s received 3,767 complaints since May 25, when GDPR came into force, up from 2,294 complaints over the same period last year — which it notes was already a record year.

CNIL says this represents a 64% increase in complaints, which it suggests shows that EU citizens have “seized the GDPR strongly” — attributing public engagement on the issue to media attention on the new regulation and on data protection stories such as the Facebook-Cambridge Analytica data misuse scandal.

It also reports receiving more than 600 data breach notifications, affecting a total of around 15 million people, since GDPR D-Day.

Last month data from the UK’s Information Commissioner’s Office also showed a big rise in privacy complaints since the new regulation came into force, with 6,281 filed between May 25 and July 3 — more than double the 2,417 complaints lodged during the same period a year earlier.

A report in The Irish Times at the end of July also indicated similar increases in Ireland. The Irish Data Protection Commission was reported to have received 1,184 data breach reports two months after GDPR — up significantly on the average of 230 reported each month in 2017. The DPC also logged 743 complaints in the first two months of GDPR, with the regulation reportedly applying in 267 cases.

As well as receiving record numbers of privacy complaints from individuals, CNIL notes that two organizations have filed complaints on behalf of consumers (a ‘collective redress’ capacity introduced by GDPR, at least in EU countries where the national government chose to adopt it).

The two organizations filing complaints on consumers’ behalf in France are Max Schrems’ privacy NGO, noyb (which was one of the first out of the gate to file GDPR complaints over ‘forced consent’, including in France against Google); and the French digital rights group, La Quadrature du Net, which CNIL says has lodged complaints with it against Google, Amazon, Facebook, LinkedIn and Apple.

In its four month update since GDPR the regulator also notes that European data protection authorities are currently handling and co-operating to investigate more than 200 cross-border complaints.

“These complaints raise questions about consent in general, and in particular that of minors,” it notes.

It also says 24,500 organizations have appointed a data protection officer since GDPR came into force, which makes a DPO mandatory for public authorities and for organizations whose core activities involve large-scale regular monitoring of individuals or large-scale processing of special categories of data.

More privacy-related developments look to be in the pipe too, as CNIL says it will be proposing some new regulatory tools — including a biometrics standard regulation, which it says has been in consultation since September 3. “It will set a demanding and protective environment,” it writes of that.

Standards for a certification for DPOs are also slated to be finalized during September.

And the regulator says it’s working on a number of codes of conduct — to cover specific tech areas, such as medical research and cloud infrastructure.
