The CNIL and recent cases on personal data protection
The French data protection authority, the CNIL, has recently imposed important sanctions against Google, Facebook and Amazon for violations of the provisions of the French Data Protection Act relating to the use of cookies.
Before turning to these historic decisions on the use of cookies (II), it is appropriate to present the CNIL and, in particular, its sanctioning power in the context of personal data protection (I).
I. The CNIL’s roles and powers of sanction in the context of personal data protection
The CNIL was created by the law No. 78-17 of 6 January 1978 on information technology, files and freedoms (the “French Data Protection Act”). It is responsible for ensuring that the processing of personal data complies with the provisions of this law and with European regulations.[1]
Thus, the CNIL pursues four main actions. Firstly, it informs and protects the rights of the persons concerned through communication actions and by receiving requests from individuals and professionals. Secondly, in order to help private and public organizations comply with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), the CNIL supports these organizations and advises them on compliance issues. Thirdly, the CNIL monitors new technologies and new uses in order to innovate and to anticipate as far ahead as possible. Fourth, it has a control and sanction function.
Article 20 of the French Data Protection Act gives the CNIL the power to impose various sanctions in the case of breach of the applicable legal and regulatory provisions.[2] It may issue a call to order, order compliance of the processing, including under penalty payment, temporarily or permanently restrict processing, suspend data flows, order compliance with requests to exercise the rights of individuals and impose administrative fines.[3]
In 2021, it received a record of 14,143 complaints, carried out 384 inspections and issued 135 formal notices and 18 sanctions for an unprecedented cumulative amount.[4]
II. Recent sanctions imposed by the CNIL regarding the use of cookies
In anticipation of the future European ePrivacy Regulation, which is currently being drafted, the CNIL published on 16 May 2022 the first criteria for assessing the regularity of “cookie walls.” According to the CNIL, the expression “cookie wall” “refers to the fact of making access to a service dependent on the Internet user’s acceptance of the deposit of certain traces on his/her terminal”.[5]
Four questions must be asked in order to determine the validity of these “cookie walls”: (i) does the Internet user who has refused these tracers have a fair alternative to access the content,[6] (ii) is there a reasonable fee-based alternative,[7] (iii) does the site require you to accept all cookies,[8] and finally, (iv) if the choice to pay is made, is the deposit of tracers done in a manner consistent with the limited cases allowing it.[9]
In the light of these criteria, the CNIL recently handed down several important decisions against Amazon (1), Google (2) and Facebook (3) for breach of Article 82 of the French Data Protection Act concerning the use of cookies.[10]
A. The financial penalty of 35 million euros imposed on Amazon Europe Core
On 7 December 2020, the CNIL imposed a penalty of 35 million Euros on Amazon Europe Core.[11] It noted two breaches of Article 82 of the French Data Protection Act, concerning the use of cookies.[12] It found that, regardless of the route taken by users to visit the site, they were insufficiently – if at all – informed that cookies were being placed on their computers.[13]
Furthermore, the CNIL considered that it was territorially competent, as the use of cookies was carried out in the “framework of the activities” of the company Amazon France, which is the “establishment” of the company Amazon Europe Core on the French territory, and which promotes its products and services.[14]
In a decision of 27 June 2022, the French Conseil d’Etat recently confirmed the CNIL’s decision and validated the proportionality of the penalty by emphasizing that, due to the scale of the processing carried out by the company, the potentially sensitive nature of the data collected, and the financial advantage gained from the breaches which enabled it to personalize the advertisements sent to users, the breaches retained were particularly serious.[15] The French Conseil d’Etat noted that according to Article 83 of the GDPR, any fine imposed by supervisory authorities of Member States must be proportionate, in particular according to the nature, seriousness and duration of the breach, the degree of cooperation with the authority, the categories of personal data in question and any other aggravating or mitigating circumstances.[16] The French Conseil d’Etat ruled that, in view of the seriousness of the breaches and their effects on users located in France, the CNIL had sufficiently justified its decision and did not have to rule on all the criteria of Article 83 of the GDPR.[17]
B. The financial penalty of 150 million euros imposed on Google
On 31 December 2021, the CNIL imposed a fine of 90 million euros on Google LLC and 60 million euros on Google Ireland Limited.[18] In its decision, the CNIL found that the websites google.fr and youtube.com did not implement a solution to allow the user to easily refuse the deposit of cookies. Indeed, several clicks were required to refuse all cookies, as opposed to a single click to accept them, and this constituted an infringement on the freedom of consent of Internet users.[19]
With regard to its territorial jurisdiction, which was disputed, the CNIL found that the processing of access or registration operations in the terminal of users residing in France when using the Google Search engine and YouTube was carried out within the “framework of the activities” of the company Google France, which corresponds to the “establishment” on French territory of the Google group.[20]
This decision has not been challenged to this day.
C. 60 million euros financial penalty imposed on Facebook Ireland Limited
On 31 December 2021, the CNIL fined Facebook Ireland Limited 60 million euros.[21] It pointed out that making the opt-out mechanism more complex discouraged users from refusing cookies and encouraged them to use the more easily accessible consent button.[22] In addition, it considered that the informational pathway implemented by Facebook Ireland Limited was not clear since, in order to refuse the deposit of cookies, Internet users had to scroll down the data settings and click on a button entitled “Accept cookies”.[23] Consequently, the CNIL considered that the company had violated the French Data Protection Act.[24]
In the context of this sanction, the CNIL also ordered Facebook to “modify, on the “facebook.com” website, the methods for obtaining the consent of users located in France to the reading and/or writing of information on their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent”[25] under penalty of a fine of 100,000 euros per day of delay.[26]
On 11 July 2022, the CNIL’s restricted committee terminated the injunction issued. In its press release, however, the CNIL specified that this decision did not prejudge its analysis of the requirement to provide clear and complete information or to obtain consent for each purpose.[27]
In conclusion, the aforementioned developments show that the CNIL does not hesitate to impose heavy sanctions to guarantee effective protection of Internet users’ rights, even against foreign operators. Moreover, according to whistleblower Peiter Zatko, a former Twitter employee, “Twitter is terrified of the CNIL, much more than it is of the FTC [i.e. the US Federal Trade Commission].”[28]
Related content
Press review
13 June 2025
Press review – Week of 9 June 2025
This week's press review covers the indictment of Pascaline Bongo in a corruption and money laundering case, the designation of...
Press review
6 June 2025
Press review – Week of 2 June 2025
This week’s press review covers the coordination at the French national level of the economic sanctions decided by the European...
Press review
30 May 2025
Press review – Week of 26 May 2025
This week’s press review covers the conviction of the Edmond de Rothschild bank for money laundering in the case of...
Event
26 May 2025
[Webinar] Enhanced Anti-Corruption Cooperation: A UK–Switzerland–France Perspective
Co-chairs of the American Bar Association International Law Section's International Anti-Corruption Committee suggested a discussion of anti-corruption efforts outside the...
Press review
23 May 2025
Press review – Week of 19 May 2025
This week’s press review covers Emmanuel Macron's position in favor of abolishing the European directive on corporate sustainability due diligence....
Press review
16 May 2025
Press review – Week of 12 May 2025
This week’s press review covers German Chancellor Friedrich Merz's call to abandon the European directive on corporate due diligence, amid...
Press review
2 May 2025
Press review – Week of 28 April 2025
This week’s press review covers the requisitions made against François Fillon in the fictitious employment case following a cassation ruling,...
Press review
25 April 2025
Press review – Week of 21 April 2025
This week’s press review covers the release of Prince Paul of Romania by French authorities, despite a European arrest warrant...
Press review
11 April 2025
Press review – Week of 7 April 2025
This week’s press review covers the European Parliament's vote to postpone the application of the CSRD to certain companies, as...
Press review
4 April 2025
Press review – Week of 31 March 2025
This week’s press review covers the 150 million euro fine imposed by the French Competition Authority on several subsidiaries of...
Press review
28 March 2025
Press review – Week of 24 March 2025
This week’s press review covers the summoning of Élysée Secretary General Alexis Kohler to a Senate committee of inquiry into...
Press review
21 March 2025
Press review – Week of 17 March 2025
This week’s press review covers the lawsuit filed by two NGOs against Carrefour for failing to exercise due diligence in...
We use cookies to optimize our website and our services.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Préférences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.