On 16th of March 2020, the CNIL carried out an inspection of the google.fr website with the purpose of verifying whether Google complies with all the provisions of the French Data Protection Act and, in particular, Article 82 thereof. Article 82 transposes into French national law the provisions of Directive 2002/58/EC (“ePrivacy Directive”) relating to the storing of information, or accessing information already stored, in the terminal equipment.
The inspection revealed that when a user went to the google.fr website, seven cookies were automatically stored in the user's terminal equipment without any action on their part. Four of these cookies were used for advertising purposes. In addition, the CNIL found that the information provided to end users was insufficient and unclear, in violation of the requirements of Article 82.
Based on these findings, Google was found in breach of the requirement under Article 82 of the French Data Protection Act to obtain prior consent from end users before placing cookies in their terminal equipment.
Google challenged the competence of the CNIL
Google argued that the case should have been subject to the procedural framework provided by the GDPR. Applying the cooperation mechanism of the GDPR, known as the one-stop-shop mechanism, the competent supervisory authority would have been the Irish Data Protection Authority (“DPC”) and not the CNIL. Further, to support the argument, Google stated that excluding the one-stop-shop mechanism would lead to the fragmentation of the ‘cookie rules’.
The CNIL noted that, under the French Data Protection Act, it has all the powers to impose penalties for infringements of Article 82. This competence was already recognised by the Council of State (“Conseil d’État”) in its earlier decision. The CNIL also recalled that the ePrivacy Directive does in fact provide specific obligations and its own mechanisms to monitor its application. Article 15 of the ePrivacy Directive obliges Member States to lay down rules on penalties applicable to infringements of the national provisions adopted pursuant to the ePrivacy Directive. Such penalties must be ‘effective’, ‘proportionate’ and ‘dissuasive’.