Data Protection - In the name of transparency
Author: Tracey Dickens
GDPR has been in force for only about eight months and the first casualties are starting to appear. The record fine (so far) of €50 million has been imposed on Google for its breach of data protection rules. This could be a starting point for what might follow next, for instance in the case of Apple.
While we sit tight awaiting the outcome of the allegations made against a string of household names in the entertainment streaming industry, let’s see what we can learn from the investigation by the French regulator CNIL into Google’s breaches relating to personalised marketing and advertising, of which there were a few.
There are seven core data protection principles which must be complied with under GDPR when processing personal data:
- Lawfulness, fairness and transparency;
- Collected for legitimate purposes;
- Collected data should be relevant to, and limited to what is necessary for, the organisation and its business activities;
- Data should be accurate and up to date;
- It should not be stored longer than is necessary;
- It should be stored and processed in a way that protects the data’s integrity and confidentiality.
Putting some of these principles into context, Google’s breaches related to:
Transparency (or lack of!)
Google had failed to obtain clear consent from its users to process data because it had sought to discharge its obligations by making its users read through several notices/documents which had made accessing "essential information" (for the purposes of obtaining their consent) very difficult.
Remember: regardless of whether, as far as you are concerned, you have made your notices and/or policies publicly available, if accessing this information is so convoluted that the user's understanding of it becomes virtually impossible, you could be in trouble.
The essence of the transparency requirement is that if users are not able to fully understand the extent to which your business processes personal data, perhaps because of a complex set of notices whose substance is deliberately disguised, then the user's consent is unlikely to be a valid one.
The information provided within your policy and/or notices has to be adequate and thus enable the user/data subject to make an informed choice as to how their data might be shared, with whom and for what purposes.
In Google’s case it was held that people were “not sufficiently informed” about how Google collected data to personalise advertising.
Furthermore, and related to the transparency point, is Google's failure to obtain appropriate consent from its users to process user data. Such consent has to be given specifically and distinctly for each purpose of data processing.
Where the optional consent to receive personalised advertising is "pre-ticked" at the time the account is created, this will be in breach of the GDPR rules. Accordingly, the user cannot possibly be aware of the significance of his/her "consent", or be considered to have given real consent, where the critical information relating to data processing, as required by GDPR, is in some way disguised or spread across several documents which the user is expected to search through carefully.
Will Amazon, Apple, Netflix and Spotify follow suit?
It looks like further complaints have been filed against other giants, including Google's YouTube, which relate to the customer's/user's right to request and obtain a copy of their personal data held by companies. Such data is required to be provided both in a machine-readable format and in a format that can be understood by customers.
It has now transpired that Amazon, Apple, Spotify and Google's YouTube allow customers to download a copy of their personal information, most of which is not in a machine-readable format. They have also failed to advise their users as to which other companies they share personal data with.
Let’s wait and see what happens next!
In any event, no business should underestimate its data protection obligations, or shy away from seeking advice, either from a legal practitioner and/or by contacting the Information Commissioner's Office: https://ico.org.uk/for-organisations/.
If you would like to discuss matters relating to data protection/GDPR, I will be happy to assist. I can be contacted on 01268 244 141 or email@example.com.