Analysis
26 October 2022

The CNIL and recent cases on personal data protection

The French data protection authority, the CNIL, has recently imposed important sanctions against Google, Facebook and Amazon for violations of the provisions of the French Data Protection Act relating to the use of cookies.

 

In recent years, the National Commission for Information Technology and Civil Liberties (the “CNIL”) has issued significant sanctions against several US tech companies, including Google, Facebook and Amazon.

Before turning to these historic decisions on the use of cookies (II), it is appropriate to present the CNIL and, in particular, its sanctioning power in the context of personal data protection (I).

 

I. The CNIL’s roles and powers of sanction in the context of personal data protection

The CNIL was created by Law No. 78-17 of 6 January 1978 on information technology, files and freedoms (the “French Data Protection Act”). It is responsible for ensuring that the processing of personal data complies with the provisions of this law and with European regulations.[1]

To that end, the CNIL pursues four main actions. Firstly, it informs and protects the rights of the persons concerned through communication actions and by receiving requests from individuals and professionals. Secondly, in order to help private and public organizations comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the CNIL supports these organizations and advises them on compliance issues. Thirdly, the CNIL monitors new technologies and new uses in order to innovate and to anticipate as far ahead as possible. Fourthly, it has a control and sanction function.

Article 20 of the French Data Protection Act gives the CNIL the power to impose various sanctions in the case of breach of the applicable legal and regulatory provisions.[2] It may issue a call to order, order compliance of the processing, including under penalty payment, temporarily or permanently restrict processing, suspend data flows, order compliance with requests to exercise the rights of individuals and impose administrative fines.[3]

In 2021, it received a record 14,143 complaints, carried out 384 inspections and issued 135 formal notices and 18 sanctions for an unprecedented cumulative amount.[4]

 

II. Recent sanctions imposed by the CNIL regarding the use of cookies

In anticipation of the future European ePrivacy Regulation, which is currently being drafted, the CNIL published on 16 May 2022 the first criteria for assessing the regularity of “cookie walls.” According to the CNIL, the expression “cookie wall” “refers to the fact of making access to a service dependent on the Internet user’s acceptance of the deposit of certain traces on his/her terminal”.[5]

Four questions must be asked in order to determine the validity of these “cookie walls”: (i) does the Internet user who has refused these tracers have a fair alternative to access the content,[6] (ii) is there a reasonable fee-based alternative,[7] (iii) does the site require the user to accept all cookies,[8] and finally, (iv) if the choice to pay is made, is the deposit of tracers done in a manner consistent with the limited cases allowing it.[9]

In the light of these criteria, the CNIL recently handed down several important decisions against Amazon (A), Google (B) and Facebook (C) for breach of Article 82 of the French Data Protection Act concerning the use of cookies.[10]

 

A. The financial penalty of 35 million euros imposed on Amazon Europe Core

On 7 December 2020, the CNIL imposed a penalty of 35 million euros on Amazon Europe Core.[11] It noted two breaches of Article 82 of the French Data Protection Act, concerning the use of cookies.[12] It found that, regardless of the route taken by users to visit the site, they were insufficiently – if at all – informed that cookies were being placed on their computers.[13]

Furthermore, the CNIL considered that it was territorially competent, as the use of cookies was carried out in the “framework of the activities” of the company Amazon France, which is the “establishment” of the company Amazon Europe Core on the French territory, and which promotes its products and services.[14]

In a decision of 27 June 2022, the French Conseil d’Etat confirmed the CNIL’s decision and validated the proportionality of the penalty, emphasizing that the breaches found were particularly serious due to the scale of the processing carried out by the company, the potentially sensitive nature of the data collected, and the financial advantage gained from the breaches, which enabled it to personalize the advertisements sent to users.[15] The French Conseil d’Etat noted that according to Article 83 of the GDPR, any fine imposed by supervisory authorities of Member States must be proportionate, in particular according to the nature, seriousness and duration of the breach, the degree of cooperation with the authority, the categories of personal data in question and any other aggravating or mitigating circumstances.[16] The French Conseil d’Etat ruled that, in view of the seriousness of the breaches and their effects on users located in France, the CNIL had sufficiently justified its decision and did not have to rule on all the criteria of Article 83 of the GDPR.[17]

 

B. The financial penalty of 150 million euros imposed on Google

On 31 December 2021, the CNIL imposed a fine of 90 million euros on Google LLC and 60 million euros on Google Ireland Limited.[18] In its decision, the CNIL found that the websites google.fr and youtube.com did not implement a solution to allow the user to easily refuse the deposit of cookies. Indeed, several clicks were required to refuse all cookies, as opposed to a single click to accept them, and this constituted an infringement of the freedom of consent of Internet users.[19]

With regard to its territorial jurisdiction, which was disputed, the CNIL found that the processing of access or registration operations in the terminal of users residing in France when using the Google Search engine and YouTube was carried out within the “framework of the activities” of the company Google France, which corresponds to the “establishment” on French territory of the Google group.[20]

To date, this decision has not been challenged.

 

C. 60 million euros financial penalty imposed on Facebook Ireland Limited

On 31 December 2021, the CNIL fined Facebook Ireland Limited 60 million euros.[21] It pointed out that making the opt-out mechanism more complex discouraged users from refusing cookies and encouraged them to use the more easily accessible consent button.[22] In addition, it considered that the informational pathway implemented by Facebook Ireland Limited was not clear since, in order to refuse the deposit of cookies, Internet users had to scroll down the data settings and click on a button entitled “Accept cookies”.[23] Consequently, the CNIL considered that the company had violated the French Data Protection Act.[24]

In the context of this sanction, the CNIL also ordered Facebook to “modify, on the “facebook.com” website, the methods for obtaining the consent of users located in France to the reading and/or writing of information on their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent”[25] under penalty of a fine of 100,000 euros per day of delay.[26]

On 11 July 2022, the CNIL’s restricted committee terminated the injunction issued. In its press release, however, the CNIL specified that this decision did not prejudge its analysis of the requirement to provide clear and complete information or to obtain consent for each purpose.[27]

In conclusion, the aforementioned developments show that the CNIL does not hesitate to impose heavy sanctions to guarantee effective protection of Internet users’ rights, even against foreign operators. Moreover, according to whistleblower Peiter Zatko, a former Twitter employee, “Twitter is terrified of the CNIL, much more than it is of the FTC [i.e. the US Federal Trade Commission].”[28]

 
