[1] Article 8 of Law No. 78-17 of 6 January 1978 on information technology, files and freedoms (“The National Commission for Information Technology and Civil Liberties is an independent administrative authority. It is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of 27 April 2016. It shall perform the following tasks: 1° It shall inform all data subjects and data controllers of their rights and obligations and may, to this end, provide appropriate information to local authorities, their groupings and small and medium-sized enterprises; 2° It shall ensure that the processing of personal data is carried out in accordance with the provisions of this Act and other provisions relating to the protection of personal data laid down by legislative and regulatory texts, European Union law and France’s international commitments”) [Free translation].
[2] Article 20 of Law No. 78-17 of 6 January 1978 on information technology, files and freedoms (“[…] III.- When the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law, the president of the National Commission on Information Technology and Civil Liberties may also, where appropriate, after having sent the warning provided for in I of this Article or after having imposed one or more of the corrective measures provided for in II, refer the matter to the restricted committee of the commission with a view to impose, after an adversarial procedure, one or more of the following measures: 1° A call to order; 2° An injunction to bring the processing into conformity with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to comply with the requests made by the data subject with a view to exercising his or her rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment, the amount of which may not exceed €100,000 for each day’s delay as from the date set by the restricted committee; 3° With the exception of processing operations concerning State security or defense or those covered by Title III of this Act when carried out on behalf of the State, the temporary or definitive restriction of the processing operation, its prohibition or the withdrawal of an authorization granted pursuant to the same regulation or to this Act; 4° Withdrawal of a certification or an injunction to the certifying organization concerned to refuse a certification or to withdraw the certification granted; 5° With the exception of processing that concerns State security or defense or that falls under Title III of this Act when implemented on behalf of the State, the suspension of data flows addressed to a recipient located in a third country or to an international organization; 6° Partial or total suspension of the decision approving the binding corporate rules; 7° With the exception of cases where the processing is implemented by the State, an administrative fine which may not exceed EUR 10 million or, in the case of an undertaking, 2% of the total annual worldwide turnover of the previous financial year, whichever is higher. In the cases referred to in Article 83(5) and (6) of Regulation (EU) 2016/679 of 27 April 2016, these ceilings are raised to EUR 20 million and 4% of the said turnover respectively. In determining the amount of the fine, the restricted committee shall take into account the criteria specified in Article 83 […]”) [Free translation].
[3] Ibid.
[4] “Press release – Presentation of the CNIL’s 2021 activity report and 2022 challenges”, 11 May 2022, p. 8 (“In 2021, the CNIL received 14,143 complaints and closed 12,522. It carried out 384 inspections, and the breaches observed during some of the investigations led to the issuing of 135 formal notices and 18 sanctions, for a total of fines never before reached”) [Free translation].
[5] “Communication – Cookie walls: CNIL publishes first evaluation criteria”, CNIL, 16 may 2022, accessible through this link (“The term “cookie wall”, refers to the fact of making access to a service dependent on the Internet user’s acceptance of the deposit of certain traces on his terminal”) [Free translation].
[6] Ibid., (“Does the user who refuses to accept cookies have a fair alternative to access the content? When a user refuses the use of cookies on a website (for example by clicking on a “refuse all” button), the CNIL recommends that publishers offer a real and fair alternative that allows access to the site and does not require consent to the use of their data”) [Free translation].
[7] Ibid., (“Paying alternative: is the price reasonable? The fact that a publisher makes access to its content dependent either on the acceptance of trackers contributing to the remuneration of its service, or on the payment of a sum of money, is not prohibited in principle since it constitutes an alternative to the consent to trackers. However, this monetary consideration must not be such as to deprive Internet users of a real choice: one can thus speak of a reasonable rate”) [Free translation].
[8] Ibid., (“Can a “cookie wall” or a “pay wall” systematically impose the acceptance of all the website’s trackers? As a reminder, in general, the absence of the possibility to accept or refuse trackers according to their objective, purpose by purpose, can affect the user’s freedom of choice and therefore the validity of his or her consent. While it is not forbidden to condition access to the site on consent to one or more purposes of the trackers, the publisher will have to demonstrate that its cookie wall is limited to the purposes that allow a fair remuneration of the proposed service. For example, if a publisher considers that the remuneration of its service depends on the revenues it could obtain from targeted advertising, only consent to this purpose should be necessary to access the service: refusal to consent to other purposes (personalization of editorial content, etc.) should not then prevent access to the content of the site”) [Free translation].
[9] Ibid., (“The user chooses paid access without consenting to cookies: in which (limited) cases can cookies still be deposited? In principle, no cookies requiring the user’s consent should be deposited when the user refuses the deposit of cookies and chooses the alternative proposed by the editor. Only cookies necessary for the functioning of the website can be used. […] In any event, the Internet user must always have the possibility of going to the site’s settings to consent to certain uses (for example, the personalization of editorial content)”) [Free translation].
[10] Article 82 of the Law No. 78-17 of January 6, 1978 on information technology, files and freedoms (“Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless previously informed, by the controller or his representative: 1° Of the purpose of any action to access, by electronic transmission, information already stored in his or electronic communications terminal equipment, or to enter information on such equipment; 2° The means available to the user to oppose it. Such access or registration may only take place if the subscriber or user has expressed, after having received this information, his or her consent, which may result from appropriate settings of his or her connection device or any other device under his or her control. These provisions shall not apply if access to information stored in the user’s terminal equipment or the recording of information in the user’s terminal equipment: 1° Either, has the exclusive purpose of allowing or facilitating communication by electronic means; 2° Or, is strictly necessary for the provision of an online communication service at the express request of the user”) [Free translation].
[11] Deliberation SAN-2020-013 of 7 December 2020, CNIL (“The restricted committee of the CNIL, after having deliberated, decides to: impose against the company AMAZON EUROPE CORE, an administrative fine in the amount of 35 (thirty-five) million euros”) [Free translation].
[12] Ibid., § 78 (“The rapporteur considers that the operations of the company AEC regarding the deposit and reading of cookies present two series of serious negligence relating to: the deposit of cookies on the user’s terminal before any action on his or her part and without obtaining his or her consent; the information provided to the user regarding the operations of accessing or recording information in their terminal”) [Free translation].
[13] Ibid., § 89 (“The restricted committee observes that the information banner, written as follows: By using this site, you accept our use of cookies to offer and improve our services. For further details, it did not contain any precise information on the means available to users to express their choice regarding the registration of cookies. In any case, the cookies were deposited before any action of the Internet user”) [Free translation].
[14] Ibid., § 43 (“The rapporteur considers that the CNIL is territorially competent in application of these provisions since the processing that is the object of the present procedure, consisting of accessing or recording information in the terminal of users residing in France when using the Amazon.fr site, is carried out within the framework of the activities of the company AMAZON ONLINE France SAS, which constitutes the establishment on the French territory of the company AEC, which is actually responsible for the implementation of the cookies at issue in this procedure, which it has not disputed”) [Free translation].
[15] Decision No. 451423 of 27 June 2022, French Conseil d’Etat, § 30 (“It results from the investigation that, in order to set the amount of the penalty imposed on Amazon Europe Core, the CNIL’s restricted committee took into account the seriousness of the breach observed, due to the automatic deposit of advertising “cookies” as soon as the user arrives on the website and in the absence of any information to the interested parties when this arrival is made from a third party site, the extent of the processing carried out by the company thanks to the deposit of these tracers and the potentially sensitive nature of the data collected by this means, the significant financial advantage gained by the company from the use of this data by the personalization of advertisements, as well as the annual worldwide turnover of the company Amazon Europe Core on which the CNIL based itself, estimated at 7.7 billion euros”) § 31 (“In view of the particular seriousness of the breaches committed, due to the nature of the requirements disregarded and their effects on users located in France, the financial benefits that the company was able to derive from the collection of data resulting from the exploitation of connection tracers illegally deposited on the terminals of these users, the ceilings provided for in Article 83 of the GDPR and the company’s financial situation, the CNIL’s restricted committee, which gave sufficient reasons for its decision and did not have to rule on all the criteria provided for in Article 83 of the GDPR, did not, by imposing a fine of 35 million euros, impose a disproportionately high penalty on Amazon Europe Core”) [Free translation].
[16] Decision No. 451423 of 27 June 2022, French Conseil d’Etat, § 29 (“On the other hand, under Article 83 of the General Data Protection Regulation of April 27, 2016, to which Article 15(2) of Directive 2002/58/EC now refers, in view of Article 94 of the Regulation, administrative fines imposed by the supervisory authorities of the Member States must, in each case, be “effective, proportionate and dissuasive.” In setting the amount of the fine, the following must be taken into account: “(a) the nature, seriousness and duration of the breach, having regard to the nature, scope or purpose of the processing operation concerned, and to the number of data subjects affected and the level of damage suffered; (…) ) / f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating any negative effects; g) the categories of personal data affected by the breach; (…) / k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or losses avoided, directly or indirectly, as a result of the breach””) [Free translation].
[17] Decision No. 451423 of 27 June 2022, French Conseil d’Etat, § 31 (“In view of the particular seriousness of the breaches committed, due to the nature of the requirements disregarded and their effects on users located in France, the financial benefits that the company was able to derive from the collection of data resulting from the exploitation of connection tracers illegally deposited on the terminals of these users, the ceilings provided for in Article 83 of the GDPR and the company’s financial situation, the CNIL’s restricted committee, which gave sufficient reasons for its decision and did not have to rule on all the criteria provided for in Article 83 of the GDPR, did not, by imposing a fine of 35 million euros, impose a disproportionately high penalty on Amazon Europe Core”) [Free translation].
[18] Deliberation SAN-2021-023 of 31 December 2021, CNIL (“The restricted committee of the CNIL, after deliberation, decides to: impose against the company GOOGLE LLC an administrative fine of 90,000,000 euros (ninety million euros) for failure to comply with Article 82 of the Data Protection Act, impose against the company GOOGLE IRELAND LIMITED an administrative fine of 60,000,000 euros (sixty million euros) for failure to comply with Article 82 of the Data Protection Act”) [Free translation].
[19] Ibid., § 41 (“[…] companies were reminded that it must be as easy to give consent as it is to refuse to give it or to withdraw it, and they were advised that it would be up to them to insert an “I refuse” button next to the “I accept” button on the information banner, while specifying that they could “of course change the titles of these buttons as long as they allow the user to understand clearly and directly the consequences of its choices”). [Free translation].
[20] Ibid., § 69 (“The rapporteur considers that the CNIL is territorially competent in application of these provisions since the processing subject of the present procedure, consisting of operations of access or registration of information in the terminal of users residing in France when using the search engine Google Search and YouTube, in particular for advertising purposes, is carried out within the “framework of the activities” of the company GOOGLE FRANCE, which constitutes the “establishment” on the French territory of the GOOGLE group”) [Free translation].
[21] Deliberation SAN-2021-024 of 31 December 2021, CNIL (“The restricted committee of the CNIL, after deliberation, decides to: impose an administrative fine against the company FACEBOOK IRELAND LIMITED in the amount of sixty million euros (60,000,000 euros) for the breach of Article 82 of the Data Protection Act”) [Free translation].
[22] Ibid., § 110 (“In this case and as it has already mentioned, the restricted committee considers that the fact that the company has made the mechanism for refusing cookies more complex than the one for accepting them actually discourages users from refusing cookies and encourages them to prefer the ease of the “Accept Cookies” button. Indeed, a web user is generally driven to visit many sites. Web browsing is fast and fluid. Having to click on “Manage data settings” and having to understand how the page for refusing cookies is constructed is likely to discourage the user, who would nevertheless like to refuse the deposit of cookies. It is not disputed that in this case, the company offers a choice between accepting or refusing cookies, but the way in which this refusal can be expressed, in the context of web browsing, distorts the expression of choice in favor of consent in such a way as to alter the freedom of choice”) [Free translation].
[23] Ibid., § 113 (“In this case, it recalls that it appears from the online control of 8 April 2021 that once arrived on the website “facebook.com”, the user must, in order to refuse the deposit of advertising cookies, first click on the button “Manage data settings” of the first window, scroll through the entire second window appearing leaving the two sliding buttons disabled to not accept cookies, and then click on the button “Accept cookies” appearing at the bottom of the second window. If, as the company argues in its defense, the restricted committee recognizes that a distracted user who clicks on the “Accept cookies” button at the bottom of the second window would not see any advertising cookies deposited in his terminal since the sliding buttons allowing the deposit of these cookies are deactivated by default, it notes that it is particularly counter-intuitive to have to click on a button entitled “Accept cookies” to actually refuse their deposit”) [Free translation].
[24] Ibid., § 118 (“In view of these elements, the restricted committee considers that the information provided to users residing in France who visit the “facebook.com” page, as well as the methods of collecting consent offered to them by the company on this website, do not comply with the provisions of Article 82 of the Data Protection Act, as clarified by the reinforced requirements for consent set out in the GDPR”) [Free translation].
[25] Ibid. (“FOR THESE REASONS: The restricted formation of the CNIL, after having deliberated, decides to : […] to issue an injunction against the company FACEBOOK IRELAND LIMITED, to modify, on the website “facebook. com” website, the procedures for obtaining the consent of users located in France to read and/or write information on their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent; to attach to the injunction a penalty of one hundred thousand euros (100,000 euros) per day of delay at the end of a period of three months following notification of this decision, with proof of compliance to be sent to the restricted committee within this period […]”) [Free translation].
[26] Ibid., § 145 (“In the light of these elements, the restricted committee considers that the imposition of a fine of 100,000 euros per day of delay and liquidated after a period of three months is justified”) [Free translation].
[27] “ Cookies: closure of the injunction against FACEBOOK ”, CNIL, 28 July 2022, accessible through this link (“Indeed, this decision to close the case does not prejudge the CNIL’s analysis of the compliance of the new cookie consent walls deployed on the site “facebook.com” with all the provisions of Article 82 of the Data Protection Act, in particular the requirement to provide “clear and complete” information or the requirement to collect consent on a purpose-by-purpose basis. The CNIL therefore reserves the right to control in the future the compliance of the site “facebook.com” with these other requirements and, if necessary, to mobilize its entire repressive chain”).
[28] “La peur de Paris agite les Gafa”, David PARGAMIN, Challenges, 22 September 2022 (“On 14 September [2022], whistleblower Peiter Zatko, a former Twitter employee, stunned U.S. senators with this revelation: ‘Twitter is terrified of the CNIL, much more than it is of the FTC’”) [Free translation].
