Ireland's Data Protection Commission announced an investigation this week into whether or not Google's processing of data during advertising transactions violates the General Data Protection Regulation, and whether or not Google complies with the provisions of the GDPR on data minimization and transparency.

This investigation arose from a complaint filed by an executive of a software company. It concerns an online behavioral advertising system, known as DoubleClick, Google's ad service. The complaint alleges that Google's system collects data from users that visit websites with its ads. The data controller loses control over how his or her data is used, when it is 'broadcast' on the site. The data processed includes special category data under the GDPR - that which reveals ethnic origin; political opinions; health data; religious beliefs; sexual orientation and other personal background information. The system does not require the controller's consent. Article 9 of the GDPR requires explicit consent for the processing of special category data.

The complaint alleges a violation of Article 5's requirement that the amount of data processed not be excessive for the purpose for which it is collected, and not be retained longer than necessary.

The complaint asserts that a data protection impact assessment is needed because the processing poses 'a high risk to the rights and freedoms of natural persons'. See ¶ 38.



France's Commission Nationale Informatique & Libertes (CNIL) has published a guide to help processors of personal data comply with the General Data Protection Regulation. It provides answers to 12 key questions:

1. Are you a processor in the meaning of the General Data Protection Regulation?

The guide specifically identifies, "IT service providers (hosting, maintenance, etc.), software integrators, cybersecurity companies or IT consulting companies" as processors under the definition given by the GDPR, but not software publishers or hardware manufacturers who do not have access to personal data.

2. Are you subject to the General Data Protection Regulation?

Processors will be subject to the GDPR if they are 'established' in the EU, or if the processing is related to the offering of goods and services to data subjects in the EU, or to the monitoring of their behavior in the EU.

3. What is the primary change introduced by the General Data Protection Regulation for processors?

Contracts between a controller and processor must state the processor's obligation to protect the security and confidentiality of personal data.

4. What are your obligations from 25 May 2018?

A record must be maintained of any processing that is performed. Services should by default only collect data that is necessary for the purposes of processing.

5. Where should you start?

a. Determine if it is necessary to have a data protection officer.

b. Analyze contracts.

c. Record processing activities.

6. If I use another processor, what are my obligations?

"As a processor, you may only recruit another processor after obtaining written authorisation from your client."

7. Do the current contracts with my clients need to be amended?

Existing contracts had to be amended by May 25, 2018 to include the compulsory clauses specified by the GDPR.

8. What is my role in the event of a data breach?

Both clients and the authorities have to be notified immediately.

9. What is my role with regard to the impact assessment?

The controller, not the processor, must assess the impact of processing operations.

10. Am I able to benefit from the one-stop-shop mechanism?

A single country's supervisory authority may make decisions for entities conducting cross border processing.

11. What are my obligations if I am not established in the EU?

A body will be subject to the GDPR if it processes data pertaining to EU data subjects. A representative must be appointed to field the questions of EU authorities and the data subjects.

12. What are the risks if I do not comply with my obligations?

Liability for damages suffered, or administrative penalties of 10 to 20 million euros, or 2 to 4% of "total worldwide annual turnover", whichever is higher.



Today, the French data regulation agency, the Commission nationale de l'informatique et des libertés (CNIL), fined Google €50 million for violating the GDPR. See the decision posted here. The fine relates to Google's collection of data used to personalize advertisements.

The decision found that Google's policy for collecting personal data was not sufficiently transparent. A user of its services would have to take 5 or 6 actions in order to get a complete description of how his or her data would be processed.

Consent was ruled not to be valid when information about how data would be used for personalizing advertisements could only be located in several different documents. CNIL also faulted Google for pre-selecting the option to consent to the data collection.

The regulator ruled that the GDPR requires specific consent for each purpose for which an individual's data is to be used. In assessing the €50 million fine, the CNIL emphasized that Google's practices have been ongoing for a long period of time (rather than being an isolated incident), and the large amount of data collected by Google. The official statement of the CNIL about the decision states that, ". . . given the dominance of the Android operating system on the French market, every day thousands of French people create GOOGLE accounts when using their smartphones. Similarly, this review takes into account that the company's economic model is partly based on the personalization of advertising. A special responsibility therefore falls on it to comply with its obligations in this area."


Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

© 2015 by Sean O'Shea