Review of Information Obligation in light of CNIL’s Google Decision
One of the most important obligations of data controllers under data protection laws is to inform the data subjects concerning data processing activities. Accordingly, the Turkish Law on Protection of Personal Data numbered 6698 (“DPL”) also imposes an obligation on data controllers to provide certain information to data subjects before processing their data. Pursuant to Article 10 of the DPL regulating the information obligation, a data controller must inform the data subjects about the identity of the data controller, the purposes of the processing, to whom and for which purposes the processed personal data will be transferred, the method and legal ground of collection of personal data and the rights of the data subject under the DPL. Under the DPL, data controllers are obliged to give the required information to data subjects in all circumstances regardless of the legal ground of the data processing. The DPL sets forth significant administrative fines that the data controllers may face if they fail to comply with this obligation.
Due to the importance of the information obligation and to provide clarity as to how the data controllers should fulfil their obligation, the Turkish Data Protection Authority (the “Authority”) issued the Communiqué on the Obligation of Information (the “Communiqué”) and the Guidelines to Fulfil the Information Obligation (the “Guidelines”). Among other things, the Communiqué and the Guidelines provided clarification concerning the time of fulfilment of this obligation and the transparency principles to be considered. Also, the Guidelines shared good practice examples that data controllers could benefit from while fulfilling their obligations.
Information forms that data controllers prepare to comply with the information obligation should be tailored to each different data subject group and data processing activity. Furthermore, the language used in the information forms must be simple, easy to understand and accessible to data subjects.
Unfortunately, despite the great importance attached to the information obligation by data protection laws, data controllers tend to ignore this obligation or do not properly fulfil it (for practical reasons, through negligence, etc.). In such cases, data controllers do not provide all the information required by the DPL or they do not provide it in a proper format. In practice, such obligation can be fulfilled by providing the required information on a website (requiring the data subject to open a separate page or a pop-up window) or through a link or SMS. Data controllers also use layered information forms where the data subjects can reach the required information by clicking through layers. Alternatively, they provide the required information verbally, through face-to-face discussions or call centres. Since there is no specific format to comply with this obligation under the relevant legislation, it is possible for data controllers to use different mechanisms considering the scope of the data processing activity or the platform where the data processing activity will take place.
In fact, many of these formats (e.g. layered information forms) are also supported by data protection authorities due to their ease of use and practicality. However, in any case, data controllers must ensure that their information forms are in full compliance with the legislation. They must act in accordance with the principle of good faith, must not abuse the flexibility given to them by the relevant laws and must not use it to mislead the data subjects.
As in the DPL, the information obligation is also a crucial obligation under the GDPR, and data protection authorities in the EU also give great importance to compliance with such obligation. In fact, in January 2019, the French Data Protection Authority (CNIL) imposed a penalty on Google LLC in the amount of 50 million Euros due to breach of the obligations concerning information, transparency and consent. It is noted in the decision that Google breached its information obligation since the information provided by Google is not easily accessible by the users. CNIL further notes that Google has designed its processes for giving information about its data processing purposes and activities for ads personalization in a very complicated way; the information about the processing purposes is given by Google in a disseminated manner and the users may only reach relevant information in 5-6 steps by clicking various tabs, pages and links. According to the decision, these complicated processes prevent the users of Google’s services from learning the extent of Google’s processing activities and purposes. CNIL has highlighted in its decision that compliance with the information obligation is of the utmost importance for Google due to the use of Google’s operating system (Android) by large masses of people on their smartphones during their daily life, and thus decided to impose a penalty on Google due to breach of its obligations.
Although the discussions in the Google decision are not limited to the information obligation, it is still an important decision for reminding data controllers of the importance of compliance with the information obligation. Data controllers must therefore reconsider the mechanisms that they use to comply with the information obligation and they must pay attention to the importance of providing the required information to the data subjects in a clear, accurate and easily accessible manner. The effort and time spent by data controllers on compliance with the information obligation is very valuable and also necessary to ensure compliance with the laws, to avoid penalties, to ensure customer satisfaction and to protect their reputation.