On 31 December 2021, the restricted committee of the French Data Protection Supervisory Authority (“CNIL”) (i) fined Facebook Ireland 60 million euros and Google a total of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited) for failing to allow the users of facebook.com, google.fr and youtube.com to reject cookies as easily as they may accept them and (ii) issued an injunction to remedy to such infringement within 3 months under penalty of 100,000 euros per day of delay.
Regardless of the very substantial amount of fines applied, in a context where the CNIL’s issues several formal notices for non-compliances with cookies regulations since the end of March 2021, these decisions give an opportunity to analyze what are the CNIL’s expectations and what sanctions may be anticipated for companies targeting French users through their websites.
1. Context of the infringements sanctioned
The CNIL’s decisions were taken further to:
- online investigations conducted by the CNIL onto the Companies’ websites, which revealed that they were failing to comply with the requirements governing cookies under Article 82 of the French Data Protection Act.
Article 82 of the French Data Protection Act and the CNIL guidelines dated and 17 September 2020, require that the Website cookies banner offers users the option to reject cookies as easily as they may accept them. However, although the Companies banner displayed a button allowing to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to reject the deposit of cookies as easily. Several clicks were necessary to reject all cookies (3 for Facebook and 5 for Google), when only one click was necessary to accept them all.
2. Justification of the sanctions level
Based on the above infringement, the restricted committee issued:
- two fines against Google for a total amount of 150 million euros (i.e., 90 million euros for Google LLC and 60 million euros for Google Ireland Limited); and
- one fine against Facebook Ireland of 60 million euros
Such fines are based on the following considerations:
- the scope of the processing;
- the high number of data subjects;
- the substantial profits generated by the Companies from advertising, using the data collected through cookies placed with a biased consent whereas other companies which have duly offered users the opportunity to reject all cookies as easily as to accept them have seen a decrease in the number of consents and thus their advertising revenues;
- the fact that the Companies were already made aware of their lack of compliance with Article 82 of the French Data protection Act, by the CNIL; and
- the continuous CNIL’s communication on the necessity to ensure that refusal of cookies should be as easy of their acceptance
It is interesting to note that while the fine issued against Facebook was applied to Facebook Ireland Limited considered as the sole data controller, Facebook France being the “establishment” of the Facebook group in France, the fine against Google was applied to both Google LLC based in California and Google Ireland Limited considered as joint controllers.
In addition, the CNIL issued an injunction for each Company to remedy to their practices in order to guarantee the users’ freedom of consent within three months as from the notification of the CNIL’s decision, subject to a late payment penalty of 100.000 EUR per day.
These sanctions fall within the global conformity strategy regarding cookies that the CNIL started about 2 years ago. Since 31 March 2021, the CNIL has issued almost 100 formal notices related to cookies infringements of French and Foreign websites (including order to comply with the Cookies regulation and sanctions).
3. CNIL remains competent even if a Lead Authority has been appointed
The Companies attempted to challenge the CNIL’s competence as they appointed a Lead Authority which is the Irish Data Protection Commissioner.
The restricted committee decision is grounded on the following considerations:
a. Material competence
The CNIL held that the “one stop shop” mechanism set forth in the GDPR does not apply to the extent its action was related to Article 82 of the French Data Protection Act, which transposes the provisions of the “e-Privacy” directive into French law.
According to the restricted committee:
- a distinction has to be made between on the one hand, the operations consisting in depositing and reading cookies in a user’s terminal and, on the other hand, the subsequent use made of the data generated by these cookies, for example for profiling purposes, referred to as “subsequent processing” (also known as “post processing”).
- Each of these two successive stages is subject to a different legal regime: while read and/or write operations are governed by special rules, set out in Article 5(3) of the ePrivacy Directive and thus to the CNIL’s competence, further processing is subject to the GDPR and, as such, may be subject to the “one-stop shop” mechanism, if they relate to transborder data processing activities.
Therefore, as the present procedure related only to the reading and/or writing operations in the terminal of users located in France, the CNIL’s competence is confirmed.
b. Territorial competence
Each Company has the opportunity to lodge an appeal against the CNIL decisions before the Council of State, highest French Administrative Court.
Google already appealed the previous CNIL’s decision on cookies dated December 2020 but such appeal was rejected by the Council of State in March 2021.
Authors: Denise Lebeau-Marianna, Yaël Hirsch, Paul Sierzputowski