back

Google fined 100mEUR by French CNIL for unlawful use of cookies


On 10th December 2020, the French supervisory authority, Commission nationale de l'informatique et des libertés (“CNIL”), announced that is had issued a 100mEUR fine against Google LLC and Google Ireland Limited for unlawful use of cookies. The case is interesting taking into account the material competence of the CNIL and the applicability of the one-stop-shop mechanism provided by the GDPR.

 

Failures

 

On 16th of March 2020, the CNIL carried out an inspection on the google.fr website with a purpose of verifying whether Google complies with all the provisions of the French Data Protection Act and in particular, Article 82 thereof. The Article 82 transposes the provisions of Directive 2002/58/EC (“ePrivacy Directive”) relating to storing of information or accessing information already stored in the terminal equipment are transposed into French national law.

 

The inspection revealed that when a user goes to the google.fr website, seven cookies were automatically stored in the terminal equipment of the end users without any action of the on their part. Four of these cookies were used for advertising purposes. In addition, CNIL found that the information provided to the end users was insufficient and unclear, in violation of the requirements of the Article 82.

 

Google had an information banner displayed on its website. After the CNIL’s findings, the banner was modified and rolled out to all users on September 10 2020. However, the CNIL points out in its decision that the updated banner is still not clear and complete within the meaning of Article 82 of the French Data Protection Act. The information Google uses remains ‘too general for users to be able to easily and clearly understand for what specific purposes cookies are placed on their terminal equipment’. Moreover, the information was found incomplete as the users are not informed about their possibility to refuse cookies and not about the means available for them to do this.      

 

According to the Article 5(3) of the ePrivacy Directive reads as follows: “Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with (EU) 2016/679, inter alia, about the purposes of the processing”. Similarly, under the Article 82 of the French Data Protection Act, the use of cookies can only take place on the condition that the end user has consented after having received [clear and complete] information relating to the purposes of the cookies and the means to oppose them. Naturally the aforementioned requirement applies to cookies that are not “strictly necessary”.

 

Based on the findings, Google was found in breach of Article 82 of the French Data Protection Act  to obtain prior consent from end users before placing cookies in their terminal equipment.

 

Google challenged the competence of the CNIL

 

Google argued that the case should have been subject to the procedural framework provided by the GDPR. Applying the cooperation mechanism of the GDPR, known as the one-stop-shop mechanism, the competent supervisory authority would have been the Irish Data Protection Authority (“DPC”) and not CNIL. Further, to support the argument, Google stated that exclusion of the one-stop-shop mechanism would lead to the fragmentation of the ‘cookie rules’.

 

CNIL noted, that under the French Data Protection Act, it has all the powers to impose penalties for infringements of the Article 82. This competence was already recognised by the Council of State (“Conseil d’État”) in its earlier decision. CNIL also reminded that the ePrivacy Directive does in fact provide, specific obligations and its own mechanisms to monitor its application. The Article 15 of the ePrivacy Directive obliges Member States to lay down rules on penalties applicable to infringements of the national provisions adopted pursuant to the ePrivacy Directive. Such penalties must be ‘effective’, ‘proportionate’ and ‘dissuasive’.

 

Link to CNIL’s press release here.
Link to CNIL’s decision here.