On December 7, 2020, the CNIL (the French data protetion authority) pronounced two record sanctions of €100 million against GOOGLE LLC and GOOGLE IRELAND LIMITED (€60 and €40 million respectively), and €35 million against AMAZON EUROPE CORE for non-compliance with rules relating to cookies.
The CNIL reproaches them for having :
- deposited advertising cookies without the prior consent of the users;
- a lack or non-existence of complete information; and
- for Google only, a partial failure of the means of opposition.
In both cases, the CNIL considered itself competent because, according to it, the mechanism of cooperation between data protection authorities, provided for in the RGPD does not apply to what falls under the cookie provisions of the e-privacy directive 2002/58/EC.
Following two audits carried out on December 12, 2019, and May 19, 2020, on the amazon.fr website and an audit carried out on the google.fr website on March 16, 2020, the CNIL found that cookies, some of which were for advertising purposes, were automatically dropped on users’ computers, without any action on their part.
The shortcomings identified by the CNIL
The CNIL has identified three violations of Article 82 of the French Data Protection Act (relating to cookies).
Failure to obtain the users’ prior consent
As mentioned above, Google and Amazon automatically dropped advertising cookies on the computers of users of their respective websites without any action on their part and therefore, without obtaining their prior consent.
Thus, the CNIL considered that the companies had not complied with the requirements under Article 82 of the French Data Protection Act to obtain prior consent before dropping cookies that are not essential to the service.
Failure to inform users beforehand
This information was also not provided after clicking on the “View Now” button.
According to the CNIL, the user was not able to understand that the cookies placed on his computer were intended to display personalized advertising and did not indicate to the user his right and means to refuse.
Furthermore, when the user visited the amazon.fr website after clicking on an advertisement published on a third party website, no prior information was provided.
The partial failure of the mechanism of “opposition”.
In the case of Google, if the user deactivated the personalization of ads on Google search, one of the advertising cookies would remain stored on his computer and would continue to read information to the server to which it is attached.
The CNIL, therefore, considered that the “opposition” mechanism was partially defective.
Two records sanctions pronounced by the CNIL
The CNIL fined GOOGLE LLC 60 million euros and GOOGLE IRELAND LIMITED 40 million euros, and Amazon Europe Core 35 million euros, i.e. 2% of its annual turnover.
The CNIL has therefore also adopted an injunction under penalty of 100,000 euros per day of delay requesting Amazon and Google to bring their information notice in compliance with Article 82 of the French Data Protection Act within 3 months of the notification.
Competence of the CNIL
Had the one-stop-shop mechanism of the GDPR been applied, the data protection authorities of Ireland and Luxembourg would have been competent respectively.
However, the CNIL recalled that it was materially and territorially competent to control and sanction cookies dropped by companies on the computers of users located in France insofar as these provisions are not covered by the GDPR but by the e-privacy directive 2002/58/EC.
With regard to the material competence and the non-application of the one-stop-shop provisions
The decision indicates that the CNIL is competent as long as:
“The operations concerned are carried out in the context of the provision of electronic communications services accessible to the public on public communications networks (i.e. internet) and that they exclusively concern read and write actions on the terminal of Internet users located in France when they visit the Amazon.fr site, operations that materialize by the deposit and reading of cookies. “
To do so, the CNIL relies in particular on recital 173 of the GDPR, which states that the GDPR does not apply to the specific provisions of the e-privacy directive.
Indeed, it considers that article 5 of the e-privacy directive is a special provision since it requires obtaining consent to the deposit of cookies without leaving the possibility of relying on other legal bases provided for in the GDPR. Moreover, Article 15a of the same directive, amended in 2009 by Directive 2009/136, provides for specific control mechanisms that are the responsibility of each Member State and not of the one-stop-shop mechanism.
Moreover, the competent supervisory authority for the regulation of cookies is not always an authority in charge of data protection in all Member States, which excludes, according to the CNIL, the possibility of applying the one-stop-shop procedure, which only applies to data protection authorities.
With regard to the territorial jurisdiction of the CNIL
The CNIL applies Article 3 of the French Data Protection Act insofar as, in this case, Directive 2002/58/EC does not have any specific provisions in this respect and the provisions relating to the one-stop-shop are not applicable.
Thus, as the GDPR also provides, the CNIL is competent as soon as the operations are carried out within the framework of the activities of an establishment of these companies located in France (e.g. AMAZON ONLINE France SAS or Google France) even if the parent company is in practice the person responsible for implementing cookies (e.g. Amazon Europe Core and Google Ireland Limited jointly with Google LLC).