Analysis
25 January 2022

CNIL imposes the largest sanctions in its history on Facebook and Google

CNIL issued the largest fines in its history against Facebook and Google for infringements of the existing regulations on cookies.

 

On 31 December 2021, in two high-profile decisions, the “Commission Nationale de l’Informatique et des Libertés” (“CNIL”)[1], after considering that it had jurisdiction to “verify and sanction operations related to cookies deposited by the company on the terminals of Internet users located in France[2]”, issued the largest fines in its history: 60 million euros against Facebook[3], 60 million euros against Google Ireland Limited[4] and 90 million euros against Google LLC[5] (“Google”).

It warned the web giants of the consequences if they failed to comply with their obligations under Article 82 of the French Data Protection Act concerning the procedure for accepting and refusing cookies[6], a cookie being defined as a “small computer file, a tracer, deposited and read, for example, when consulting a website, reading an e-mail, installing or using software or a mobile application, regardless of the type of terminal used (computer, smartphone, digital reader, video game console connected to the Internet, etc.)”[7].

These two decisions, which were handed down on the same day, provide an opportunity to review the failings of Facebook, which was accused of setting up an overly complex and discouraging cookie handling process for its users, pushing them to accept them, and Google for failing to respect its users’ consent to cookies, shortly after being warned by the CNIL. Finally, with these two decisions, the CNIL points out the methods used, and the criteria retained for the calculation of fines.

 

I.  The CNIL criticized Facebook for having set up a complex and discouraging process for users wishing to refuse cookies

Since the implementation of Regulation (EU) 2016/679 of the European Parliament and of the Council called the General Data Protection Regulation, consent means “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action signifies agreement to the processing of personal data relating to him or her” [8]. Thus, “consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment [9].

Consequently, the CNIL’s restricted committee considered that both the method of collecting consent proposed to users by Facebook and the obvious lack of clarity of the information[10] were a clear violation of Article 82 of the French Data Protection Act[11].

Indeed, the CNIL criticized Facebook for having set up a complex and discouraging process for the user wishing to refuse the cookies[12]. Thus, the CNIL noted that “while it offers a button to immediately accept cookies, it does not offer an equivalent solution (button or other) enabling the user to refuse the deposit of cookies as easily[13]”. In practice, if a user wished to refuse the cookies, a single click was not enough, he had to refuse them one by one[14]. According to the CNIL, this procedure for refusing cookies, considered to be complex and time-consuming, dissuades the user from refusing them[15] and “affects the freedom of consent of Internet users[16]”.

Facebook was also criticized for the information path explaining to the user how to refuse cookies. This was considered confusing and unclear as the user, in order to refuse the deposit of cookies, had to click on a button entitled “Accept cookies”[17]. Specifically, once the user arrived on the “com” website, he had to “refuse the deposit of advertising cookies, first click on the “Manage data settings” button in the first window, scroll through the entire second window that appears, leaving the two sliding buttons deactivated so as not to accept cookies, and then click on the “Accept cookies” button at the bottom of the second window[18]”. The CNIL considered that such a process necessarily led to confusion in the mind of the user, who could imagine that it was not possible to refuse the deposit of cookies and that he had no control over this[19].

 

II.  The CNIL criticized Google for not allowing users to refuse cookies as easily as to accept them

 Concerning the websites “fr” and “youtube.fr” of the Google companies, the latter were accused of having only provided the acceptance of cookies when opening a web page[20], whereas to refuse them it was necessary to go to the browser settings[21] and to have set up a single action to consent to cookies but no less than five actions to refuse them[22].

In response, Google argued that “neither the “ePrivacy” Directive, nor the GDPR, nor Article 82 of the French Data Protection Act provided that the action of refusing cookies should be as simple as accepting them[23]”. Google added that “the fact of not proposing, at the first level of information, a “Refuse all” button is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the “Personalise” button[24].

 Nevertheless, the CNIL specified in its decision of 31 December 2021 that in its recommendation of 17 September 2020, it had already advised data controllers to set up a mechanism allowing the user to choose at the same time, on the same page and through the same window, whether to refuse cookies or accept them[25].

The CNIL also reminded Google that “the companies were recently sanctioned for breaches of Article 82 of the French Data Protection Act regarding the information and gathering of consent from individuals before the deposit of cookies on their terminal. Although this sanction is not final since it is being appealed to the Council of State, the restricted committee nevertheless notes that the companies’ attention had been explicitly drawn by the CNIL services to the methods for refusing cookies[26]”. In this regard, after an unsuccessful appeal to the Council of State on 7 March 2021 in order to invalidate the injunction made to the Google companies to comply with the decisions[27], the latter once again pleaded before the same jurisdiction in early January 2022 in order to obtain the cancellation of the fine imposed by the CNIL in December 2020[28].

The CNIL therefore considered that Google had not been aware of the consequences of such successive breaches.

 

III.   An illustration of the criteria used by the CNIL to determine the fines and its assessment of the need to impose a penalty payment

 In order to determine the amount of the fines imposed on Facebook, the CNIL applied certain criteria provided for in Article 83(2) of the GDPR. It took into account the “gravity of the infringement taking into account the nature scope or purpose of the processing concerned as well as the number of data subjects affected[29]”but also the financial benefits gained as a result of the infringement[30] and the financial capacity of Facebook[31].

In assessing the amount of the fines imposed on Google, the restricted committee considered that the violation was committed deliberately[32]. Indeed, the two Google companies had already been sanctioned recently for infringements of Article 82 of the French Data Protection Act concerning the information and gathering of consent from individuals prior to the gathering of cookies on their terminal[33].

Finally, for both Facebook and Google, the CNIL relied on their influence and prominence online[34], their revenue from advertising[35] and the number of visitors over the past twelve months.

In addition, considering that the compagnies had already been alerted to the necessity of changing their practices and in order to ensure that the required steps would be taken in the future, the CNIL imposed injunction under penalty to modify the modalities of the gathering of users’ consent to cookies.

Related content

Analysis
The right to silence during investigations by the Autorité des Marchés Financiers
14 July 2022
The right to silence during investigations by the Autorité des Marchés Financiers
The right to silence is a constitutional principle in criminal proceedings. However, it turns out that this principle can be restricted in the context of investigations t...
Press review
Press review - Week of 25 April 2022
29 April 2022
Press review – Week of 25 April 2022
In this press review, you will find articles presenting the latest developments in criminal procedure, such as the liability of legal entities, specifically in the contex...
Event
25 April 2022
A global trend: The introduction of Deferred Prosecution Agreement regimes across the World
Stéphane de Navacelle spoke at the International Law Section Annual Conference hosted by the American Bar Association.
Press review
Press review - Week of 18 April 2022.
22 April 2022
Press review – Week of 18 April 2022
In this press review, you will find articles on recent developments in criminal business law and criminal procedure, in particular on breach of trust and negligence of th...
Analysis
Framework document of 11 October 2021 on competition compliance programmes
14 March 2022
The French Competition Authority : new draft guide on compliance programs
On 11 October 2021, almost ten years after its first publication [1], the French Competition Authority has published, for consultation, a new draft framework document on ...
Press review
Press review - week of 7 march 2022
14 March 2022
Press review – Week of 7 march 2022
This press review highlights the various news items related to the Russian-Ukrainian conflict, and also looks at compliance issues in white collar crime, including the At...
Press review
Weekly press review - Semaine du 07.02.2022
11 February 2022
Press review – Week of 07 February 2022
The press review covers all the latest court rulings and new regulations on different branches of law, as well as events that have been in the legal news in recent days.
News
GIR 100 Navacelle
10 November 2021
Navacelle identified in GIR 100 2021
Navacelle identified as the French independent leading crossborder investigations practice by Global Investigations Review (GIR).
Analysis
20 October 2021
Analysis of the bill to reinforce the fight against corruption by Deputy Gauvain
Navacelle team has examined the “Bill to reinforce the fight against corruption” which has just been submitted by the Deputy Raphaël Gauvain at the National Assembly...
Event
14 October 2021
The French criminal procedural law
Thomas Lapierre presents the main elements of the French criminal procedural law for #LAWYEREX by European Lawyers Foundation.
News
27 September 2021
Update of French Financial Market Regulator (AMF) of its control charters (in French)
This update specifies the procedures for carrying out control missions, the principles of good conduct followed by those in charge of a control as well as the behavior ex...
News
27 September 2021
Update of French Financial Market Regulator (AMF) of its investigation charters (in French)
This update specifies the procedures for carrying out investigation missions, the principles of good conduct followed by those in charge of an investigation as well as th...