By Leonardo Neri
On January 21, 2019, the French National Data Protection Authority imposed a fine of 50 million euros on Google, the largest sanction ever imposed on the basis of the General Data Protection Regulation (GDPR).
This event is of great value to the national market, since the General Data Protection Law (LGPD) largely follows the most current standard in terms of data protection, which is the European regulation highlighted above.
Thus, the practical cases analyzed by data protection authorities in the European Union highlight relevant aspects so that Brazilian companies can take precautions, with the aim of acquiring greater legal certainty in adapting everyday facts to the Brazilian standard, which comes into force in August 2020.
The decision now handed down in Europe brought up some extremely important points. The investigation began on June 1, 2018, as explained by the CNIL.
In short, the topics raised in the decision issued demonstrate that the procedures adopted by the company are of weak practical application, given:
- Insufficient transparency of information;
- Invalid user consent; and
- Fine amount.
1. Insufficient transparency of information
The adjudicating authority understood that the information provided by the company is not easily accessible to users and that the most valuable information is subject to lengthy and obscure procedures. Furthermore, it was understood that the descriptions illustrated on the platform are generic and vague.
Furthermore, it was also argued that there was a lack of clarity regarding the link between the information and the need for user consent, as well as the lack of precise information about the retention period of personal data.
2. Invalid consent
A crucial point discussed in the new legislation is that user consent was not sufficiently informed, according to allegations by the French authority. In addition to the lack of awareness of the plurality of services, websites and applications involved in the operations, the user would also not be able to have full knowledge of the extent of the content for personalizing ads, given the scattering of information across several documents.
Thus, the user is induced to give his/her full consent for all purposes of the processing operations carried out by the company. However, the GDPR provides that consent must be specific to each purpose.
3. Amount of fine
According to the French National Authority, the amount of the fine and its publicity are justified by the violation of the essential principles of the GDPR, namely: transparency, information and consent. Thus, such affronts deprive users of essential guarantees in relation to processing operations that may reveal important parts of their private life.
It is worth highlighting the Authority's understanding that the aforementioned violations were considered to be of a continuous nature and of unlimited scope.
In light of what happened, let's look at some points of congruence with the LGPD.
4. Transparency
According to this principle, the user may have control over their data, as provided for in national legislation. The concept of transparency is expressed in the LGPD, as a guarantee to data subjects, in obtaining clear, precise and easily accessible information about the processing of their data.
Furthermore, the standard determines free and easy access to consultation for users regarding the form and duration of processing, as well as the completeness of their personal data.
In the same sense, the data subject has the right to easy access to information about the processing of his/her data, which must be made available in a clear, adequate and obvious manner. This covers the specific purpose of the processing, the form and duration of the processing (observing commercial and industrial secrets) and the identification of the controller, among other rights expressed in the law.
5. Consent must be valid
As widely disclosed in the LGPD, user consent must be free, informed and unequivocal, for a specific purpose. It must be included in a clause separate from the others, and refer to specific purposes. Generic authorizations for the processing of personal data will be considered null and void, as well as information that contains misleading or abusive content or has not been previously presented transparently, clearly and unequivocally.
6. Fine
It is worth noting that the sanctions in Brazil can reach 2% of the turnover of the private legal entity, group or conglomerate in Brazil in its last fiscal year, excluding taxes, limited, in total, to R$ 50 million per infringement.
Therefore, the CNIL's position indicates that the Brazilian regulatory authority may also adopt a repressive stance towards digital advertising that does not comply with privacy standards. Those who collect personal information in order to better target the offer of their products and services, without evident transparency in the information provided and without express consent from users, may incur heavy financial penalties.