What Single Client Counsel Should Know About Worldwide Data Protection and GDPR Compliance Part II
by Joe Speelman on February 4, 2019 at 11:56 AM
The Legal Wilderness
Dedicated to Searching and Exploring our Legal Frontiers to Find, Categorize, and Tag the wild, Untamed and Predatory Applications of the Law
What Single Client Counsel Should Know About Worldwide Data Protection and GDPR Compliance
A GDPR Compliance Action Threatens To Become A Global Privacy Compliance Dispute
Joseph F. Speelman
“…you don’t need a weatherman to know which way the wind blows.”
Subterranean Homesick Blues
On October 27, 2018 Wall Street Journal writer Christopher Mims wrote that US Tech giants, including Google, Apple, Facebook, and Amazon, were experiencing a backlash against their size and power in the form of several policy and regulatory proceedings, including a strong focus by EU regulators on compliance by the US companies with the data protection provisions of the EU GDPR. [Wall Street Journal, “A Global Tech Backlash”; Christopher Mims, October 27-28, 2018, Section B, page B4].
On 24 January 2019, The Economist Magazine's print edition published an article entitled “The French Fine Against Google Is The Start of a War”, which reported that on 21 January 2019 the French data protection regulator, CNIL, had published a finding that Google’s data collection and protection practices were in breach of the EU General Data Protection Regulation (GDPR). The CNIL issued a fine against Google of $57 million, the largest fine yet levied under the GDPR. [The Economist Magazine, “The French Fine Against Google is the Start of a War”, 24 January 2019, print edition].
The findings of the CNIL indicated a “failure to be clear and transparent when gathering data from users”. The findings went into detail about a complex, “eight click deep” process (eight pages of documents) that a potential user had to work through even to understand what data about the applicant Google was attempting to collect. [Economist Magazine, 24 January 2019, cited above.] Essentially, the findings focused sharply on the multitude of paragraphs of “words” that accompanied an application to Google for access to its process. This is not unlike the pages upon pages of mind-numbing information that banks demand for mortgage approvals and similar types of data, except this is merely to gain use of Google’s system. This really seems to be aimed at the very business model upon which Google and many other online services are based. It could be deemed a fundamental strike at how internet processes work globally, not just at US Tech companies. [Economist Magazine, 24 January 2019, cited above].
CNIL posted its findings on 21 January 2019 on its official website. The findings included two major violations:
- A violation of the obligations of transparency and information;
- A violation of the obligation to have a legal basis for ads personalization processing. [CNIL, www.cnil.fr/en/cnils-restricted-committee-imposes-financial-penalty-50-million-euros-against-google-LLC. 21 January 2019]
The finding also notes the violations are “still ongoing” breaches of the GDPR. This is important, as the fine is much more serious and more difficult to abate if violations are ongoing. [CNIL, website cited above]
The complaint traces back to a collective action filed on 25 May 2018 by an Austrian not-for-profit association, “None Of Your Business” (NOYB). The proceedings on the complaints suggest that CNIL “pushed” the issue and attendant proceeding to the “front of the line” for review and decision. This is not unlike many if not all regulatory agencies in the US. [Privacy & Information Security Blog, Hunton Andrews Kurth, www.huntonprivacyblog.com, 23 January 2019.]
Google has indicated it will appeal the findings and the fine, including the basis for finding “an illegal act” by Google based upon what the CNIL deems a violation of the principle of “informed consent” and related notions embedded within the GDPR. Concerns are being privately expressed that CNIL is using a different, more aggressive approach to “informed consent” when dealing with “Silicon Valley” Tech giant companies as opposed to smaller, EU-based “adtech” companies whose practices are essentially identical to Google’s approach to gaining consent from digital customers. [Economist Magazine, cited above.]
There is a darker side to this developing dispute. What this really may be about, or a large part of the reason for the dispute, is a focus on the business model and supporting software upon which Google and many other online service companies are based. A final, non-appealable finding by EU Courts that the Android operating system violates, per se, the GDPR would be a serious strike at how internet processes work globally. This is a very serious matter. Perhaps that is why a respected publication such as The Economist used “War” versus some less provocative word in its article title.
Much will be written and said about this developing issue in the next weeks and months. At the IADC Mid Year meeting a major CLE presentation is scheduled on EU Enforcement Action relating to the GDPR. I am certain this issue will be a part of a very thorough and well presented program. It is scheduled at 8:45 am on Monday, 25 February. If you are attending the Mid Year Meeting, plan to attend this program. If not, either consider attending or seek the presentation packages for your use from the panel members.
The Role of Single Client Counsel in This Matter
In Part I of this article series, I discussed the EU approach to facilitating Block Chain technology into GDPR compliance. It was clear the EU is sensitive to issues created by new technologies on privacy and data protection. It may be, in this second part, that we become acquainted with another, much more aggressive approach the EU might take regarding GDPR compliance and existing, broad-based and sophisticated operating systems.
In-house counsel need to become fully knowledgeable regarding the data handling and privacy features of all technologies their client uses, or is considering using in the future. The risk management process within their company must ensure that legal counsel are fully engaged in analyzing the type of issues set out above in this article. In-house counsel, at their best, are vigilant and intimately knowledgeable of every aspect of how their client operates, where, what technology is being used, and what protections are needed (before it becomes apparent they are needed), including proper contractual protections as well as regulatory responsibilities. An attorney is a very well-trained risk manager. They have to be viewed and utilized that way by their client. That is your initial job. Get your role established. Use the expertise of experienced outside counsel in that process.
In the near future we will talk about existential events and risks for the single client counsel. Depending upon how events partially out of your control develop, this topic could be such an event.
Be Careful Out There!