GDPR Case 002. The CNIL’s restricted committee imposes a financial penalty of €50 Million against GOOGLE LLC

GDPR:§6(1) (lawfulness of processing);§7 (conditions for consent)

· GDPR, Personal Data Protection Act, GDPR cases

Date: 21 January 2019

Country: France

Keywords: Google; legal basis; data subject consent

Ruling: fine (€50,000,000), injunction, warning

Summary:

(1) The French supervisory authority (CNIL) received complaints from citizen associations alleging that Google's services lacked a legal basis for processing. On investigation, the authority found that the option settings presented to users when creating an account on an Android phone violated the GDPR in the following respects.

(2) When creating a Google account, the user can click "more options", but the "ads personalization" option is already pre-ticked. This conflicts with the GDPR requirement that consent be an "unambiguous" indication of the data subject's wishes (for example, the controller should offer a non-pre-ticked box so that the user can choose freely).

(3) Before the account can be created, Google requires the user to tick the following two boxes:

・ 《I agree to Google’s Terms of Service》

・ 《I agree to the processing of my information as described above and further explained in the Privacy Policy》

(4) These two boxes require the user to consent wholesale to every processing operation Google carries out, including ads personalization and speech recognition. This also conflicts with the GDPR requirement that consent be "specific", because specific consent must be given by the user directly for each individual purpose.

(5) Taking into account the seriousness of the GDPR violations, the breadth of the public affected, and the enormous volume of data involved, the authority decided to impose an administrative fine of €50,000,000 on Google.

(6) Finally, the authority stressed that since Google's business model derives its profit in part from personalised advertising, Google must make every effort to fulfil the obligations the law imposes on it.

GDPR Recital 32: Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.