26 October 2022

The CNIL and recent cases on personal data protection

The French data protection authority, the CNIL, has recently imposed important sanctions against Google, Facebook and Amazon for violations of the provisions of the French Data Protection Act relating to the use of cookies.


In recent years, the National Commission for Information Technology and Civil Liberties (the “CNIL”) has issued significant sanctions against several US tech companies, including Google, Facebook and Amazon.

Before turning to these historic decisions on the use of cookies (II), it is appropriate to present the CNIL and, in particular, its sanctioning power in the context of personal data protection (I).


I. The CNIL’s roles and powers of sanction in the context of personal data protection

The CNIL was created by the law No. 78-17 of 6 January 1978 on information technology, files and freedoms (the “French Data Protection Act”). It is responsible for ensuring that the processing of personal data complies with the provisions of this law and with European regulations.[1]

Thus, the CNIL pursues four main actions. Firstly, it informs and protects the rights of the persons concerned through communication actions and by receiving requests from individuals and professionals. Secondly, in order to help private and public organizations comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the CNIL supports these organizations and advises them on compliance issues. Thirdly, the CNIL monitors new technologies and new uses in order to innovate and to anticipate as far ahead as possible. Fourth, it has a control and sanction function.

Article 20 of the French Data Protection Act gives the CNIL the power to impose various sanctions in the case of breach of the applicable legal and regulatory provisions.[2] It may issue a call to order, order compliance of the processing, including under penalty payment, temporarily or permanently restrict processing, suspend data flows, order compliance with requests to exercise the rights of individuals and impose administrative fines.[3]

In 2021, it received a record of 14,143 complaints, carried out 384 inspections and issued 135 formal notices and 18 sanctions for an unprecedented cumulative amount.[4]


II. Recent sanctions imposed by the CNIL regarding the use of cookies

In anticipation of the future European ePrivacy Regulation, which is currently being drafted, the CNIL published on 16 May 2022 the first criteria for assessing the regularity of “cookie walls.” According to the CNIL, the expression “cookie wall” “refers to the fact of making access to a service dependent on the Internet users acceptance of the deposit of certain traces on his/her terminal”.[5]

Four questions must be asked in order to determine the validity of these “cookie walls”: (i) does the Internet user who has refused these tracers have a fair alternative to access the content,[6] (ii) is there a reasonable fee-based alternative,[7] (iii) does the site require you to accept all cookies,[8] and finally, (iv) if the choice to pay is made, is the deposit of tracers done in a manner consistent with the limited cases allowing it.[9]

In the light of these criteria, the CNIL recently handed down several important decisions against Amazon (1), Google (2) and Facebook (3) for breach of Article 82 of the French Data Protection Act concerning the use of cookies.[10]


A. The financial penalty of 35 million euros imposed on Amazon Europe Core

On 7 December 2020, the CNIL imposed a penalty of 35 million Euros on Amazon Europe Core.[11] It noted two breaches of Article 82 of the French Data Protection Act, concerning the use of cookies.[12] It found that, regardless of the route taken by users to visit the site, they were insufficiently – if at all – informed that cookies were being placed on their computers.[13]

Furthermore, the CNIL considered that it was territorially competent, as the use of cookies was carried out in the “framework of the activities” of the company Amazon France, which is the “establishment” of the company Amazon Europe Core on the French territory, and which promotes its products and services.[14]

In a decision of 27 June 2022, the French Conseil d’Etat recently confirmed the CNIL’s decision and validated the proportionality of the penalty by emphasizing that, due to the scale of the processing carried out by the company, the potentially sensitive nature of the data collected, and the financial advantage gained from the breaches which enabled it to personalize the advertisements sent to users, the breaches retained were particularly serious.[15] The French Conseil d’Etat noted that according to Article 83 of the GDPR, any fine imposed by supervisory authorities of Member States must be proportionate, in particular according to the nature, seriousness and duration of the breach, the degree of cooperation with the authority, the categories of personal data in question and any other aggravating or mitigating circumstances.[16] The French Conseil d’Etat ruled that, in view of the seriousness of the breaches and their effects on users located in France, the CNIL had sufficiently justified its decision and did not have to rule on all the criteria of Article 83 of the GDPR.[17]


B. The financial penalty of 150 million euros imposed on Google

On 31 December 2021, the CNIL imposed a fine of 90 million euros on Google LLC and 60 million euros on Google Ireland Limited.[18] In its decision, the CNIL found that the websites and did not implement a solution to allow the user to easily refuse the deposit of cookies. Indeed, several clicks were required to refuse all cookies, as opposed to a single click to accept them, and this constituted an infringement on the freedom of consent of Internet users.[19]

With regard to its territorial jurisdiction, which was disputed, the CNIL found that the processing of access or registration operations in the terminal of users residing in France when using the Google Search engine and YouTube was carried out within the “framework of the activities” of the company Google France, which corresponds to the “establishment” on French territory of the Google group.[20]

This decision has not been challenged to this day.


C. 60 million euros financial penalty imposed on Facebook Ireland Limited

On 31 December 2021, the CNIL fined Facebook Ireland Limited 60 million euros.[21] It pointed out that making the opt-out mechanism more complex discouraged users from refusing cookies and encouraged them to use the more easily accessible consent button.[22] In addition, it considered that the informational pathway implemented by Facebook Ireland Limited was not clear since, in order to refuse the deposit of cookies, Internet users had to scroll down the data settings and click on a button entitled “Accept cookies”.[23] Consequently, the CNIL considered that the company had violated the French Data Protection Act.[24]

In the context of this sanction, the CNIL also ordered Facebook to “modify, on the “” website, the methods for obtaining the consent of users located in France to the reading and/or writing of information on their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent”[25] under penalty of a fine of 100,000 euros per day of delay.[26]

On 11 July 2022, the CNIL’s restricted committee terminated the injunction issued. In its press release, however, the CNIL specified that this decision did not prejudge its analysis of the requirement to provide clear and complete information or to obtain consent for each purpose.[27]

In conclusion, the aforementioned developments show that the CNIL does not hesitate to impose heavy sanctions to guarantee effective protection of Internet users’ rights, even against foreign operators. Moreover, according to whistleblower Peiter Zatko, a former Twitter employee, “Twitter is terrified of the CNIL, much more than it is of the FTC [i.e. the US Federal Trade Commission].”[28]


Related content

Focus on the French financial markets authority activity (AMF)
13 July 2023
[Infography] Focus on the French financial markets authority activity (AMF)
The French Financial Markets Authority (“AMF”) intensive enforcement activity again demonstrates the regulator’s ambition to continuously strengthen market surveillance, through...
13 July 2023
[Infographie] Focus on the French data protection authority activity (CNIL)
Over the past months, the French Commission Nationale de l’Informatique et des Libertés (“CNIL”), regulator of personal data, imposed tremendous...
La 32e chambre correctionnelle du tribunal judiciaire de Paris se prononce pour la première fois en matière de délit de manipulation de marché
7 July 2023
The Paris Criminal Court issues its first decision on a market manipulation case
On 25 May 2023, the Paris Criminal Court (32nd Chamber) ruled for the first time on the offence of market...
Press review
Press review
9 June 2023
Press review – Week of 5 June 2023
This week's press review details the suspicions of favoritism hanging over Olivier Dussopt, Minister of Labor, Employment and Integration, and...
Press review
Press review
2 June 2023
Press review – Week of 29 May 2023
This week, the 32nd chamber of the Paris judicial court handed down its first conviction for price manipulation against Thierry...
DPA ABA 2023
26 April 2023
Deferred Prosecution Agreements and how much do they shield from litigation and arbitration?
During the American Bar Association International Law Section 2023 conference, Stéphane de Navacelle will discuss Corporate criminal liability frameworks which...
9 March 2023
Historical sanctions by the Financial Markets Authority
The Financial Markets Authority’s Enforcement Committee imposes record-breaking fines on a British asset management company and two of its executives...
24 January 2023
Sanctioning obstructions to AMF investigations: Update from the Constitutional Court in its decision of 28 January 2022
On 28 January 2022, the Constitutional Court ruled that Article L. 621-15, II, f of the Monetary and Financial Code...
Press review
Week of 21 November 2022
25 November 2022
Press review – Week of 21 November 2022
In this press review, you will discover the opening of a preliminary investigation by the French National Financial Prosecutor’s Office...
21 November 2022
Judicial Agreement of Public Interest for aggravated tax fraud laundering and illegal canvassing
Credit Suisse escapes prosecution and agrees to pay a public interest fine of 123,000,000 euros under the 13th deferred prosecution...
Press review
Week of 14 November 2022
18 November 2022
Press review – Week of 14 November 2022
In this press review, you will find three significant events: the first conviction in France of a former Liberian rebel...
Autorité de la concurrence - Google
18 November 2022
Recent sanctions against Google by the French Competition Authority: ad servers and related rights
In 2021, the French Competition Authority imposed several fines on Google for anti-competitive practices related, on the one hand, to...