Google was fined in France in December for lack of transparency, inadequate information and lack of valid consent on ads personalisation.
French data protection authority National Data Protection Commission (CNIL) received group complaints from the associations None Of Your Business (NOYB) and La Quadrature du Net (LQDN).
LQDN was mandated by 10,000 people to refer to CNIL the lack of a valid legal basis for processing the personal data of the users of Google’s services, particularly for ad personalisation.
Google violated the obligations of transparency and information by not making information easily accessible, CNIL said in its decision.
Essential information, such as data-processing purposes, data-storage periods or the data categories used for ad personalisation, is “excessively disseminated across several documents, with buttons and links on which it is required to click to access complementary information”, CNIL says.
'Not always clear'
“The relevant information is accessible after several steps only, implying sometimes up to five or six actions … some information is not always clear nor comprehensive.
“Users are not able to fully understand the extent of the processing operations carried out by Google. But the processing operations are particularly massive and intrusive because of the number of services offered (about 20), the amount and the nature of the data processed and combined,” CNIL says.
The body complains that processing purposes are described in too generic and vague a manner, and that the information communicated is not clear enough for the user to understand the legal basis for ad personalisation.
CNIL says that Google’s consent for data processing is not validly obtained because it is not sufficiently informed, and the collected consent is neither “specific” nor “unambiguous”.
On a smaller scale, a café in Spain was last month fined €1,500. According to the Spanish data protection authority (AEPD), Cafetería Nagasaki did not comply with GDPR obligations, because it installed surveillance cameras in a way that monitored public space outside of the restaurant, which also captured pedestrians on the street.
The Italian data-protection authority (Garante) last month fined telecom provider TIM €27.8 million for a violation of article 58(2) of the GDPR.
Garante said that TIM had been fined due to numerous unlawful data-processing activities related to marketing and advertising, which included unsolicited promotional calls and prize competitions in which data subjects were entered without consent.
The fine was large because the unlawful data processing activities involved several million individuals.
One individual, for example, was called a total of 155 times in a month, while TIM refused to add the affected individual to a ‘no-call’ list, even after several requests.
Garante determined that the company lacked control over call centres, and did not have adequate measures to add people to ‘no-call’ lists.
TIM also did not provide accurate and detailed enough privacy policies and data-processing policies and, as such, consumers were not efficiently informed about the data collected and processed.
The company’s management of data breaches was also not efficient, according to Garante.
The Italian data-protection authority also imposed 20 corrective measures, prohibiting TIM from processing the marketing-related data of anyone who declined promotional calls.
A €3 million fine was imposed on Italian company Eni Gas e Luce for non-compliance with the lawful basis for processing personal data during an advertising campaign, and for activating unsolicited electricity and gas contracts.
A large number of individuals reported that they had only learned of the new contracts after they received a termination letter from their old provider. Some complaints even reported false data, as well as forged signatures.
Employees not notified
The Hellenic Data Protection Authority (HDPA) imposed a €15,000 fine on Allseas Marine for unlawfully introducing a video-surveillance system at its workplace to monitor employee activity.
HDPA said that the installation of the system was unlawful because the employees were not notified of the existence of the system.
In Cyprus, its Data Protection Commissioner fined a government agency €9,000 for granting the police access to data, and failing to implement sufficient measures to ensure information security.
The top five biggest final and binding GDPR fines to date are:
- Google – €50 million,
- TIM – telecom provider – €27.8 million,
- Austrian Post – €18 million,
- Deutsche Wohnen – €14.5 million,
- 1&1 Telekom GmbH – €9.55 million.
Austrian Post processed the political affiliation of data subjects, and carried out “further processing of data on package frequency, and the frequency of relocations, for the purpose of direct marketing”, both of which are infractions under the European rules.
‘Privacy by design’
In October 2019, Deutsche Wohnen was fined €14.5 million for storing the personal data of tenants without a legal basis. This violated the GDPR principle of ‘privacy by design’.
1&1 Telekom (Germany) did not authenticate callers properly before handing out account information by phone.
A name and birthdate was enough to get access to account details.
1&1 was “very cooperative and implemented better security immediately”, the German data protection authority said.
Nevertheless, a fine of €9.55 million was imposed.
The www.PrivacyAffairs.com site operates a GDPR fines tracker and statistics tool that includes every known GDPR fine and its value.
(Copyright: Law Society Gazette ©. Please attribute the Law Society Gazette or Gazette.ie)