On 21st January 2019, theFrench National Data Protection Commission (CNIL) fined Google 50 million euros for breaches of the General Data Protection Regulation (GDPR). This is the biggest financial penalty issued so far by any European regulator under the new law. But the decision goes far beyond Google or even the tech sector.
In May 2018 CNIL received complaints from two privacy groups; None Of Your Business and La Quadrature du Net. They argued, amongst other things, that Google did not have a valid legal basis to process the personal data of the users of its services, particularly for ads personalisation purposes, as they were in effect forcing users to consent.
CNIL agreed citing a “lack of transparency, inadequate information and lack of valid consent” regarding ad personalisation for users. It said users were “not sufficiently informed” about what they were agreeing to. Google made it too difficult for users to find essential information, “such as the data-processing purposes, the data storage periods or the categories of personal data used for the ads personalisation”, by splitting them across multiple documents, help pages and settings screens. That lack of clarity meant that users were effectively unable to exercise their right to opt out of data-processing for personalisation of ads.
GDPR (Article 4) standard consent must be, amongst other things, “specific” and “unambiguous”. Google consent failed as users were not asked specifically to opt in to ad targeting but were asked simply to agree to Google’s terms and privacy policy bundled together.
Google is appealing the decision. Meanwhile the Swedish data protection the Swedish Data Protection Authority (Datainspektionen) has also announced an investigation Google’s slurping of location and web histories.
This decision requires all Data Controllers to think carefully how they go about obtaining consent for personal data processing. Article 7 and 8 of GDPR must be considered as well as the Article 29 Working Party guidance.
Article 13 and 14 set out what information should be given to data subjects when processing their personal data. This is a stand-alone right but it also helps to ensure that the processing is fair and transparent as per Article 5(1)(a). Our blog on what to include in a privacy notice (including examples) will help those revising their notices in the light of this decision.
BREXIT UPDATE: Draft regulations have been laid before Parliament to amend GDPR and the Data Protection Act 2018 will change as a result of Brexit. If you want to know more, Ibrahim Hasan is presenting a webinar on 12th and 21st February 2019 at 10am.
On 24th October the Information Commissioner imposed a fine (monetary penalty) of £500,000 on Facebook Ireland and Facebook Inc (which is based in California, USA) for breaches of the Data Protection Act 1998. In doing so the Commissioner levied the maximum fine that she could under the now repealed DPA 1998. Her verdict was that the fine was ‘appropriate’ given the circumstances of the case. For anyone following the so-called Facebook data scandal the fine might seem small beer for an organisation that is estimated to be worth over 5 billion US Dollars. Without doubt, had the same facts played out after 25th May 2018 then the fine would arguably have been much higher, reflecting the gravity and seriousness of the breach and the number of people affected.
The Facts
In summary, the Facebook (FB) companies permitted Dr Aleksandr Kogan to operate a third-party application (“App”) that he had created, known as “thisisyourdigitallife” on the FB platform. The FB companies allowed him and his company (Global Science Research (GSR) to operate the app in conjunction with FB from November 2013 to May 2015. The app was designed to and was able to obtain a significant amount of personal information from any FB user who used the app, including:
Their public FB profile, date of birth and current city
Photographs they were tagged in
Pages they liked
Posts on their time lime and their news feed posts
Friends list
Facebook messages (there was evidence to suggest the app also accessed the content of the messages)
The app was also designed to and was able to obtain extensive personal data from the FB friends of the App’s users and anyone who had messaged the App user. Neither the FB friends or people who had sent messages were informed that the APP was able to access their data, and nor did they give their consent.
The APP was able to use the information that it collected about users, their friends and people who had messaged them, in order to generate personality profiles. The information and also the data derived from the information was shared by Dr Kogan and his company with three other companies, including SCL Elections Ltd (which controls the now infamous Cambridge Analytica).
In May 2014 Dr Kogan sought permission to migrate the App to a new version of the FB platform. This new version reduced the ability of apps to access information about the FB friends of users. FB refused permission straight away. However, Dr Kogan and GSR continued to have access to, and therefore retained, the detailed information about users and the friends of its users that it had previously collected via their App. FB did nothing to make Dr Kogan or his company delete the information. The App remained in operation until May 2015.
Breach of the DPA
The Commissioner’s findings about the breach make sorry reading for FB and FB users. Not only did the FB companies breach the Data Protection Act, they also failed to comply or ensure compliance with their own FB Platform Policy, and were not aware of this fact until exposed by the Guardian newspaper in December 2015.
The FB companies had breached s 4 (4) DPA 1998 by failing to comply with the 1stand 7th data protection principles. They had:
Unfairly processed personal data in breach of 1st data protection principle (DPP1). FB unfairly processed personal data of the App users, their friends and those who exchanged messages with users of the APP. FB failed to provide adequate information to FB users that their data could be collected by virtue of the fact that their friends used the App or that they exchanged messages with APP users. FB tried, unsucesfully and unfairly, to deflect responsibility onto the FB users who could have set their privacy settings to prevent their data from being collected. The Commissioner rightly rejected this. The responsibility was on Facebooks to inform users about the App and what information it would collect and why. FB users should have been given the opportunity to withhold or give their consent. If any consent was purportedly given by users of the APP or their friends, it was invalid because it was not freely given , specific or informed. Conseqauntly, consent did not provide a lawful basis for processing
Failed to take appropriate technical and organisational measures against unauthorised or unlawful processing of personal data, in breach of the 7th data protection principle (DPP7). The processing by Dr Kogan and GSR was unauthorised (it was inconsistent with basis on which FB allowed Dr Kogan to obtain access of personal data for which they were the data controller; it breached the Platform Policy and the Undertaking. The processing by DR Kogan and his company was also unlawful, because it was unfair processing. The FB companies failed to take steps (or adequate steps) to guard against and unlawful processing. (See below). The Commissioner considered that the FB companies knew or ought to have known that there was a serious risk of contravention of the data protection principle sand they failed to take reasonable steps to prevent such a contravention.
Breach of FB Platform Policy
Although the FB companies operated a FB Platform Policy in relation to Apps, they failed to ensure that the App operated in compliance with the policy, and this constituted their breach of the 7th data protection principle. For example, they didn’t check Dr Kogan’s terms and conditions of use of the APP to see whether they were consistent with their policy (or presumably whether they were lawful). In fact they failed to implement a system to carry out such a review. It was also found that the use of the App breached the policy in a number of respects, specifically:
Personal data obtained about friends of users should only have been used to improve the experience of App users. Instead Dr Kogan and GSR was able to use it for their own purposes.
Personal data collected by the APP should not be sold or third parties. Dr Kogan and GSR had transferred the data to three companies.
The App required permission from users to obtain personal data that the App did not need in breach of the policy.
The FB companies also failed to check that Dr Kogan was complying with an undertaking he had given in May 2014 that he was only using the data for research, and not commercial, purposes. However perhaps one of the worst indictments is that FB only became aware that the App was breaching its own policy when the Guardian newspaper broke the story on December 11 2015. It was only at this point, when the story went viral, that FB terminate the App’s access right to the Facebook Login. And the rest, as they say, is history.
Joint Data Controllers
The Commissioner decided that Facebook Ireland and Facebook Inc were, at all material times joint data controllers and therefore jointly and severally liable. They were joint data controllers of the personal data of data subjects who are resident outside Canada and the USA and whose personal data is processed by or in relation to the operation of the Facebook platform. This was on the basis that the two companies made decisions about how to operate the platform in respect of the personal data of FB users.
The Commissioner also concluded that they processed personal data in the context of a UK establishment, namely FB UK (based in London) in respect of any individuals who used the FB site from the UK during the relevant period. This finding was necessary in order to bring the processing within scope of the DPA and for the Commissioner to exercise jurisdiction of the two Facebook companies.
The Use of Data Analytics for Political Purposes
The Commissioner considered that some of the data that was shared by Dr Kogan and his company, with the three companies is likely to have been used in connection with, or for the purposes of, political campaigning. FB denied this as far as UK residents were concerned and the Commissioner was unable, on the basis of information before her, whether FN was correct. However, she nevertheless concluded that the personal data of UK users who were UK residents was put at serious risk of being shared and used in connection with political campaigning. In short Dr Kogan and/or his company were in apposition where they were at liberty to decide how to use the personal data of UK residents, or who to share it with.
As readers will know, this aspect of the story continues to attract much media attention about the possible impact of the data sharing scandal on the US Presidential elections and the Brexit referendum. The Commissioner’s conclusions are quite guarded, given the lack of evidence or information available to her.
In March 1998, High Court Judge Lord Justice Brown threw a claim out of court by the Police against a motorist who was caught using a Radar Detector. The Police claimed that under the Wireless Telegraphy Act of 1949, the motorist was illegally using the device. The Judge ruled that the Radar Detector did not actually receive any intelligible police information and that the Detector was only picking up the presence of radar and not any information within it. This case set a precedent and made the use of Radar Detectors legal in the UK. To over-rule this judgement, the Road Safety Act 2006 specifically bans the use of radar and laser detectors. Most drivers are happy with this situation. They know where cameras are because a fair processing notice is in place (to comply with principle 1 of the DPA) and this is usually a picture of an old fashioned camera recognised by millions. Even the mobile cameras that travel to different locations have their way of delivering an FPN although it is usually found on the web rather than in situ.
So we’re relatively happy. We know where all the speed cameras are and we see them in map books, on the net; We hear about mobile cameras on local radio and TV and we’re cool about it. We buy our TomToms and justify using them saying “it’s just an electronic version of publicly available database”. Then we go to France on holiday.
Since decree n°2012-3 was introduced on 3 January 2012 it has been illegal to be warned about the position of fixed or mobile speed cameras while you are driving in France. If your sat nav has this function and you continue to use the service, you risk a fine of up to €1500. Even if the device is switched off and not operational the possession of such witchcraft is the work of the devil. Ken Russell would have loved to have made a film about it. Good old data subjects from Blighty being thwarted by sneaky foreigners not even bothering to use Schedule 2 (6) just ignoring the rights of individuals and worse disapplying the Subject Information Provisions.
Initially this sounds quite tough. There have been discussions on the web, advice from motoring lobbys and horror stories of motorists having their boot searched by a bold gendarme emerging triumphantly from black plastic sacks of dirty washing with an old device and demanding instant payment of a fine. There is also the other view that the law is unenforceable; that Gendarmes cannot search for satnavs, cannot operate them if they see one as it is technically a computer and their common law powers don’t extend to interrogating them, they cannot check your smart phone for that app you downloaded for free…
The truth naturally lies in the middle. There’s been discussions between french satnav manufacturers and government (one french firm feared 2,000 job losses) and they’ve come up with a concept of danger zones. Instead of listing cameras they list danger zones where there may be a hazard (such as a level crossing or a school or where people might speed) and the satnav can issue a warning of the danger.
The french authorities meanwhile are pushing ahead with a programme of taking down existing signs warning of cameras; they are setting up new cameras and not telling drivers where they are and generally acting very french. Pah! I spit on your schedule 2 requirement.
Other solutions suggested in hyperspace include modifying your satnav camera POIs and labelling them lay bys. (or transport caffs); Registering your car in Lithuania; Buying your next satnav from France and specifying UK maps…(although we did hear that french spoken instructions interpret M25 as Monsieur Vingt Cinq) or exploring Germany which has excellent weissbier and many ancient castles.
Glossary.
A speed camera is un radar (pronounced rad – ah).
A satnav is a GPS (pronounced shay pay ess)
Zones of danger – zits noirs
Breathalyser is un alcooltest (did we forget to tell you that by law you must carry two of these in your car as well as a dayglo yellow vest for each passenger)
Useful phrases
Bordelle de merde, espece de radar
Fer cryin’ out loud a bloody speed camera
Est-ce qu’il y a une brasserie independante dans ce trou a rat, j’ai envie d’une biere?
Please direct me to a real ale pub if you have one in this dump of a town.
Martin Gibson, of Buckinghamshire County Council, reflects on the challenges facing a Data Protection Officer and how relationships with the Information Commissioner’s Office have changed over the years.
