Recently, the industry has been paying close attention to the news that Google was heavily punished by CNIL in France for violating GDP R. However, what is the underlying reason why Google was heavily punished? How to analyze the reasons for CNIL's actions from the legal, regulatory and market perspectives? How can large multinational companies avoid similar penalties? No article in the industry has yet answered these questions in detail.
Key words in this article
Google was fined 50 million euros.
Detailed graphic and text analysis of Google violations;
How can Chinese enterprises avoid similar violations?
Who will be the next penalized enterprise?
Background of Google's 50 million Euro Fine for GDP R
Second, in June 2018, CNIL immediately launched an investigation into Google based on the above two complaints.
Third, on January 21, 2019, CNIL issued Google the first huge fine since the entry into force of the General Data Protection Regulation (hereinafter referred to as GDP R) in May, 2018, with a fine of up to 50 million euros (about 380 million yuan).
Fourthly, the fundamental reason for the fine is that Google violates the transparency principle of GDP R in providing personalized advertising push services for users, and fails to obtain effective consent before processing user information.
As a world-class Internet leader, Google has launched more than 20 Internet services, such as Google Search, Google Advertising, Google Maps, YouTube, Android, Chrome, Google Earth, Gmail and so on. Without exception, these services collect and process huge personal data. According to the provisions of GDP R, it can be inferred that in the process of making privacy policies, enterprises should not only put forward general policy provisions according to the requirements of GDP R, but also customize privacy policies differently according to different business modules, so as to make users know how different services collect, process and use their personal data.
As an operating system developed by Google, Android has a share of 85% in the European market and 80% in France in 2018.
Figure 4: Android's market share in France in 2018
3. Personalized advertising is the main revenue business, and high fines can be followed.
As of June 30, 2018, Google Alphabet had revenue of $32.66 billion and net profit of $8.266 billion, higher than market expectations, according to Google's 2008 financial report. The main support for Google's revenue is still no doubt that its advertising business contributed $28 billion in revenue in the second quarter of 2018, up 24% year-on-year and accounting for 85.7% of total revenue.
One of the important reasons why CNIL fines Google for this violation is that its personalized advertising push business fails to meet the relevant requirements of GDP R in the process of collecting and processing users'personal data. In GDP R, there are two levels of penalty according to the different clauses violated. They are:
The maximum penalty amount is 10 million euros or 2% of the global turnover of the enterprise in the previous year (select the higher number).
The second level is the maximum penalty of 20 million or 4% of the company's global turnover in the previous year (the higher figure).
It can be seen that the number of users based on Google services, the types of personal data processing and the large number of large, and in the field of advertising to obtain high profits, CNIL issued a huge fine this time, is also evidence-based.
Figure 5: Google's 2008 earnings data
Detailed Analysis of Violations
|A List of Google Violations|
|3. Google has not fulfilled its duty of prompting users to inform them of the decentralization of privacy policies in personalized advertising, which makes it impossible for users to obtain complete data processing information.|
|5. When Google registers, the pre-checking behavior is intentionally hidden and is not easily detected by users.|
Figure 8: Multiple other interfaces (documents) also have privacy descriptions related to personalized advertising push, not all descriptions that make it easy for users to get the most profitable business in one place.
3. Google has not fulfilled its duty of prompting users to inform them of the decentralization of privacy policies in personalized advertising, which makes it impossible for users to obtain complete data processing information.
Figure 11: If you don't register, using Google services anonymously will also default to check personalized advertising options
5. The Biggest Crime: Google's pre-checked behavior is deliberately hidden from users.
A Brief Survey of GDP R-related Laws
The Controller shall take appropriate measures to provide the data subject with the information provided in Articles 13 and 14 of this Regulation and any information exchanged in accordance with Articles 15 to 22 and 34 of this Regulation relating to data processing, in particular any information that needs to be provided to children. Such information should be provided in an accurate, transparent, easy to understand and easy to access manner, and should be in clear and plain language.
If the data subject agrees by means of a written declaration and the written declaration involves other matters, the request for the consent of the data subject shall be presented in a form that meets the following requirements: distinct from other matters; easy to understand and obtain; clear and plain language. If any part of the declaration violates the provisions of this Ordinance, it shall not be binding.
Interpretation of PricewaterhouseCoopers (Enlightenment to Chinese Enterprises)
What should enterprises do in order to truly comply with the provisions of the principle of transparency in information processing in GDP R? What can we do to obtain the customer's consent effectively?
|proposal||Come on, can you put it simply?|
|Businesses need to ensure that customers have a clear understanding of what businesses are collecting and processing their personal data and their purposes.||Please write your privacy statement simply and let it be read once in a whitewash. If the GDP R whitewash doesn't understand, then fire the consultant or lawyer, or prepare for a fine of 50 million euros.
Write details as far as possible, how user data are processed and stored in the system, and what services they are used for.
|Users are told that enterprises will not find any deceptive and misleading wording when dealing with the relevant information of their personal data.|
|Enterprises must provide users with the information they need to meet the relevant transparency requirements, and keep it accessible and up-to-date.|
|proposal||Come on, can you put it simply?|
|Put the information in the same document. Don't let the user click on it and go to other places to view it. Even check several documents.
Business related to fees, as far as possible, I mean, as far as possible, do not pre-select for users.
|Privacy policies used to obtain customer consent should not be mixed with other types of user agreements|
Jurisdiction Judgment of Data Protection Regulatory Authority
Who will be the next person to be fined after Google?
1. Where is NOYB sacred?
Figure 13: List of HOYB Complaints
2. Real estate companies, airlines, large multinational hotels and other large-scale enterprises dealing with user data should be vigilant against being punished by data regulatory agencies.
It is not difficult to see from the case that Google was fined that European regulators launched a systematic investigation immediately after receiving complaints of corporate irregularities and issued huge fines in only four months. At the same time, industry giants dealing with large amounts of personal data are at the forefront of complaints. It can be inferred that the industry giants with huge market share may not be able to fully comply with the rules when they face the emergence and entry into force of GDP R.
Therefore, in 2019, the above-mentioned multinational enterprises should pay close attention to privacy protection legislation, law enforcement and NOBY complaints in Europe and the world, actively invest capital and human resources, and accelerate the establishment of personal data compliance system and risk prevention and control mechanism.