In recent years, the National Commission for Information Technology and Civil Liberties (the “CNIL”) has issued significant sanctions against several US tech companies, including Google, Facebook and Amazon.

Before turning to these historic decisions on the use of cookies (II), it is appropriate to present the CNIL and, in particular, its sanctioning power in the context of personal data protection (I).

I. The CNIL’s roles and powers of sanction in the context of personal data protection

The CNIL was created by the law No. 78-17 of 6 January 1978 on information technology, files and freedoms (the “French Data Protection Act”). It is responsible for ensuring that the processing of personal data complies with the provisions of this law and with European regulations.[1]

Thus, the CNIL pursues four main actions. Firstly, it informs and protects the rights of the persons concerned through communication actions and by receiving requests from individuals and professionals. Secondly, in order to help private and public organizations comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the CNIL supports these organizations and advises them on compliance issues. Thirdly, the CNIL monitors new technologies and new uses in order to innovate and to anticipate as far ahead as possible. Fourth, it has a control and sanction function.

Article 20 of the French Data Protection Act gives the CNIL the power to impose various sanctions in the case of breach of the applicable legal and regulatory provisions.[2] It may issue a call to order, order compliance of the processing, including under penalty payment, temporarily or permanently restrict processing, suspend data flows, order compliance with requests to exercise the rights of individuals and impose administrative fines.[3]

In 2021, it received a record of 14,143 complaints, carried out 384 inspections and issued 135 formal notices and 18 sanctions for an unprecedented cumulative amount.[4]

II. Recent sanctions imposed by the CNIL regarding the use of cookies

In anticipation of the future European ePrivacy Regulation, which is currently being drafted, the CNIL published on 16 May 2022 the first criteria for assessing the regularity of “cookie walls.” According to the CNIL, the expression “cookie wall” “refers to the fact of making access to a service dependent on the Internet user’s acceptance of the deposit of certain traces on his/her terminal”.[5]

Four questions must be asked in order to determine the validity of these “cookie walls”: (i) does the Internet user who has refused these tracers have a fair alternative to access the content,[6] (ii) is there a reasonable fee-based alternative,[7] (iii) does the site require you to accept all cookies,[8] and finally, (iv) if the choice to pay is made, is the deposit of tracers done in a manner consistent with the limited cases allowing it.[9]

In the light of these criteria, the CNIL recently handed down several important decisions against Amazon (1), Google (2) and Facebook (3) for breach of Article 82 of the French Data Protection Act concerning the use of cookies.[10]

A. The financial penalty of 35 million euros imposed on Amazon Europe Core

On 7 December 2020, the CNIL imposed a penalty of 35 million Euros on Amazon Europe Core.[11] It noted two breaches of Article 82 of the French Data Protection Act, concerning the use of cookies.[12] It found that, regardless of the route taken by users to visit the site, they were insufficiently – if at all – informed that cookies were being placed on their computers.[13]

Furthermore, the CNIL considered that it was territorially competent, as the use of cookies was carried out in the “framework of the activities” of the company Amazon France, which is the “establishment” of the company Amazon Europe Core on the French territory, and which promotes its products and services.[14]

In a decision of 27 June 2022, the French Conseil d’Etat recently confirmed the CNIL’s decision and validated the proportionality of the penalty by emphasizing that, due to the scale of the processing carried out by the company, the potentially sensitive nature of the data collected, and the financial advantage gained from the breaches which enabled it to personalize the advertisements sent to users, the breaches retained were particularly serious.[15] The French Conseil d’Etat noted that according to Article 83 of the GDPR, any fine imposed by supervisory authorities of Member States must be proportionate, in particular according to the nature, seriousness and duration of the breach, the degree of cooperation with the authority, the categories of personal data in question and any other aggravating or mitigating circumstances.[16] The French Conseil d’Etat ruled that, in view of the seriousness of the breaches and their effects on users located in France, the CNIL had sufficiently justified its decision and did not have to rule on all the criteria of Article 83 of the GDPR.[17]

B. The financial penalty of 150 million euros imposed on Google

On 31 December 2021, the CNIL imposed a fine of 90 million euros on Google LLC and 60 million euros on Google Ireland Limited.[18] In its decision, the CNIL found that the websites google.fr and youtube.com did not implement a solution to allow the user to easily refuse the deposit of cookies. Indeed, several clicks were required to refuse all cookies, as opposed to a single click to accept them, and this constituted an infringement on the freedom of consent of Internet users.[19]

With regard to its territorial jurisdiction, which was disputed, the CNIL found that the processing of access or registration operations in the terminal of users residing in France when using the Google Search engine and YouTube was carried out within the “framework of the activities” of the company Google France, which corresponds to the “establishment” on French territory of the Google group.[20]

This decision has not been challenged to this day.

C. 60 million euros financial penalty imposed on Facebook Ireland Limited

On 31 December 2021, the CNIL fined Facebook Ireland Limited 60 million euros.[21] It pointed out that making the opt-out mechanism more complex discouraged users from refusing cookies and encouraged them to use the more easily accessible consent button.[22] In addition, it considered that the informational pathway implemented by Facebook Ireland Limited was not clear since, in order to refuse the deposit of cookies, Internet users had to scroll down the data settings and click on a button entitled “Accept cookies”.[23] Consequently, the CNIL considered that the company had violated the French Data Protection Act.[24]

In the context of this sanction, the CNIL also ordered Facebook to “modify, on the “facebook.com” website, the methods for obtaining the consent of users located in France to the reading and/or writing of information on their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent”[25] under penalty of a fine of 100,000 euros per day of delay.[26]

On 11 July 2022, the CNIL’s restricted committee terminated the injunction issued. In its press release, however, the CNIL specified that this decision did not prejudge its analysis of the requirement to provide clear and complete information or to obtain consent for each purpose.[27]

In conclusion, the aforementioned developments show that the CNIL does not hesitate to impose heavy sanctions to guarantee effective protection of Internet users’ rights, even against foreign operators. Moreover, according to whistleblower Peiter Zatko, a former Twitter employee, “Twitter is terrified of the CNIL, much more than it is of the FTC [i.e. the US Federal Trade Commission].”[28]