This week, France's data watchdog, CNIL, fined Google for breaches of the GDPR, the largest fine ever imposed for a breach of data protection legislation. Google failed to establish a valid legal basis for processing personal information and breached the fundamental duty of transparency.
Consent as the basis for processing
Data processors must establish a legal basis for processing personal information. In some circumstances consent is a valid legal basis. The GDPR, however, made the requirements for a valid consent stricter than they had been before. Consent must satisfy several criteria, including being "specific" and "unambiguous". Google had presented users with a consent page with boxes to be ticked if the individual consented to the processing of their personal information. These boxes were pre-selected. Equally, users only had the choice between consenting to everything or nothing at all. CNIL decided that this meant the consent relied on was not "specific" or "unambiguous" and that Google was therefore in breach.
A key point for employers to note is that although consent was a potential legal basis for processing personal information between Google and its users, consent will rarely be a sufficient legal basis for an employer's processing of its employees' personal information. Employers may process the personal information of clients and customers, and in that context consent may be a valid legal basis for the processing. Nonetheless, the Information Commissioner's Office (the "ICO") guidance has made clear that it will rarely be sufficient in relation to an employee. This reflects the asymmetry between the bargaining positions of employer and employee, and for this reason it will seldom be advisable for employers to rely on consent as the basis for processing personal information.
The issue of transparency
Data processors are required to be transparent and upfront about their processing of personal information. This is a fundamental requirement of GDPR and one which the ICO always said it would take seriously. The process of providing all of the necessary information about processing activities is usually called providing the "privacy notice".
The GDPR does not prescribe the form of a privacy notice. As long as all of the information regarding how and why personal information is processed is made clear and easily accessible to the data subjects, the data controller/processor has discretion as to how it discharges the duty. This means that the term "privacy notice" can be misleading, as the necessary information does not all have to be contained in a single document.
Unfortunately for Google, in the eyes of CNIL it had pushed this flexibility to an unacceptable degree. Google had spread the necessary information about how and why it processed personal information across a disparate set of documents. CNIL found that the way Google had structured its privacy notice meant that information on Google's processing activities was not easily accessible.
What it means for employers
Although this decision related to the users of Google's targeted app technology rather than employees, CNIL's findings regarding the privacy notice are important for all employers to note. Many employers may have attempted to discharge their duty of transparency by indicating that processing will take place in accordance with certain policy documents. These are often incorporated in the staff handbook or published on the staff intranet.
CNIL's decision does not necessarily mean that these employers now find themselves in breach. It is, however, a prompt to review, in practical terms, how easy it is for employees to find the information on how their data will be processed. In particular, it is worth considering whether it is sufficient merely to refer to these policy documents in the contract, or whether it would be prudent to attach them to the initial contract when an offer is made. The latter would be the most watertight way of ensuring compliance, as the employee could never claim not to have been aware of the relevant policies.
This decision is a decisive warning shot. If there were suspicions that the ICO's claims to be a more proactive regulator than before were empty threats, those suspicions should now have been dispelled.
There can be no doubt that a high standard of compliance is required of data processors and controllers, including employers. The burden is on them to discharge their enhanced obligations under the GDPR, and in light of CNIL's decision all should be considering whether they are currently doing enough to protect themselves.