Recently, the French regulator CNIL investigated and ultimately fined Google EUR 50 million over an alleged breach of the GDPR for its “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
Transparency and Information
Article 13 of the GDPR provides that information must be provided using clear and plain language in an easily accessible form, at the time the data are collected, and that, amongst others, specific information must be provided in order to ensure fair and transparent processing. The CNIL found that the general way that the information is displayed by Google does not comply with the GDPR, in that, amongst others, (a) Google did not provide essential information such as data storage periods or the categories of personal data used for the ads personalization; and (b) information used for ads personalization is disseminated over several documents, with buttons and links on which it is required to click to access full information (requiring sometimes up to 5 or 6 actions). Moreover, it found that some of the information is not clear or comprehensive.
In comparison, under Israeli law, requests for personal data must be accompanied by a notice to the data subject which indicates (i) whether the data subject is legally obligated to provide the information or whether delivery is voluntary; (ii) the purpose for which the data will be used; and (iii) to whom the data will be delivered and for what purpose (Section 11 of the Israeli Privacy Protection Law).
Google states that it obtains the user’s consent to process data for ads personalization purposes; however, CNIL determined that the consent is not valid because it is not sufficiently informed, and moreover some of the boxes are pre-ticked. Under the GDPR, consent is “unambiguous” only with a clear affirmative action from the user (by ticking a non-pre-ticked box, for instance), and consent is “specific” only if it is given distinctly for each purpose.
The Israeli Courts, on the other hand, have been quite flexible in their interpretation of consent with regard to electronic agreements, and in general have accepted click-wrap agreements with a minimal active step such as ticking a non-pre-ticked box. In one case, it was noted that it does not matter if all the conditions are present, as long as they can be reached by a prominent link.
The CNIL imposed a financial penalty of EUR 50 million(!) against Google.
In the meantime, in Israel, violations of Israeli privacy laws are subject to civil and criminal penalties and may be the subject of individual tort claims. Currently the maximum penalty is an amount not exceeding 50,000 New Israeli Shekels (about US$13,049), or double this amount in cases where an intent to harm is proved. Under a proposed amendment to the Israeli Protection of Privacy Law (1981), this penalty will be significantly increased, but it will still not be anywhere near EUR 50 million. The huge gap between the EU GDPR and Israeli law in the basic attitude towards privacy on the internet is amazing.