CNIL’s sanctions against Google LLC and Google Ireland Limited and against Amazon Europe Core: summary and main findings
Set out below is a summary of both decisions, with a specific focus on the arguments and reasoning relating to the CNIL’s competence to enforce the provisions of the LIL against Google and Amazon, which is the subject of substantial and interesting developments. The two decisions have a number of points in common, although some of the interesting nuances are noted in our summary.1. Background
In relation to Google, the CNIL conducted an online audit of google.fr on 16 March 2020. It found that when a user accessed the site, seven cookies were placed on the user’s device prior to any positive action being taken by the user, including for advertising purposes.
Relating to Amazon, the CNIL conducted (i) three online audits of www.amazon.fr on 12 December 2019, 6 March 2020 and 19 May 2020, as well as (ii) an onsite audit in the offices of Amazon Online France SAS, the French establishment of Amazon Group, on 30 January 2020. It found that when a user accessed the site, whether directly or indirectly via an ad published on a third party website, more than forty cookies with an advertising purpose were placed on the user’s device prior to any positive action being taken by the user.As a result of the violations found during its investigations, and the report issued by the rapporteur in both cases that recommended to impose a financial sanction on the company, as well as an injunction to comply with the LIL and to publish the sanction, the CNIL issued its final decisions against both companies.
2.1. Subject matter competence and applicability of the one-stop-shop mechanism
Google and Amazon argued that the CNIL was not competent to seek to enforce the LIL against them on the grounds that the one-stop shop procedural framework of the EU General Data Protection Regulation 2016/679 (‘GDPR’) should apply. According to the one-stop shop mechanism, the competent authority is the lead authority, which for Google would be the Irish data protection authority (Data Protection Commissioner) and for Amazon the Luxembourg data protection authority (National Data Protection Commission). Google and Amazon both argued that the ePrivacy Directive does not contain any specific provisions regarding competence in case of a cross-border processing and that therefore the GDPR procedural framework should apply.
The CNIL held that the GDPR one-stop-shop mechanism is not applicable in the circumstances, and that it has subject-matter competence for the following reasons, developed similarly in both decisions:
- French law has given the CNIL competence to ensure compliance with Article 82 of the LIL which transposes the ePrivacy Directive, as well as to sanction any violation thereof (confirmed by a decision of the French Council of State of 19 June 2020).
- The CNIL cites in support of its position the provisions of the ePrivacy Directive and of the GDPR that explain the articulation between both texts. In particular, the ePrivacy Directive states that it “particularizes and complements” the GDPR (Article 1, §2). In addition, the GDPR indicates (recital 173) that is does not apply to personal data processing activities that are subject to specific obligations under the ePrivacy Directive. In light of these provisions, the CNIL considers that Article 5.3 of the ePrivacy Directive constitutes a specific rule which differs from the GDPR rules (in particular from its Article 6, regarding the requirement for a legal basis) and the ePrivacy Directive contains its own enforcement mechanism (Article 15a – introduced by the 2009 amendment). Therefore, the enforcement of Article 5.3 of the ePrivacy Directive falls under the ePrivacy enforcement mechanism, and not under that of the GPDR. The ePrivacy Directive enforcement mechanism is set out at article 15 a) of the Directive, which states that Member States shall ensure that “competent national authorities, or other national organizations”, have authority regarding application of (notably) the Article 5.3 rules. According to the CNIL, this provision excludes per se the one-stop-shop mechanism.
- The CNIL maintains that its analysis is corroborated by the fact that Member States could decide that the national authority competent under the ePrivacy Directive could be an authority other than the data protection regulator – for instance the telecommunications authority – which are not part of the European Data Protection Board (EDPB). The EDPB playing a major role in the consistency mechanism, it is impossible to apply the one-stop-shop mechanism to actions that may be sanctioned by authorities that are not part of it. This interpretation is confirmed by the EDPB opinion n°5/2019, regarding the interactions between the ePrivacy Directive and the GDPR.
- Finally, the CNIL decision refers to the numerous discussions currently ongoing regarding application of the one-stop-ship mechanism in the context of the ePrivacy Regulation, which indicate that the mechanism is not applicable to the current ePrivacy Directive.
2.2. Territorial competence
Google argued that GDPR competence and cooperation provisions should apply and that the actual headquarters of Google in Europe is located in Ireland. Amazon argued that the CNIL should not have competence since Amazon Online France SAS does not intervene in the placement of cookies on the terminal equipment of French users.
The CNIL, however, held in both cases that the processing at issue is undertaken in the context of the activities of the French establishment of both of the groups (respectively Google France and Amazon Online France SAS). The CNIL applied the criteria of Article 3 of the LIL (Article 3, 1 of the GDPR), interpreted in accordance with the European Court of Justice decisions in Google Spain and Weltimmo, in reaching its decision.
The CNIL concluded that the processing activities in question, consisting of the accessing and storing of information on the terminal equipment of users residing in France, notably for advertising purposes, occurs in the context of the activities of the French establishment of each of the two groups, each being responsible for promoting and commercializing the products and advertising solutions of Google and Amazon, respectively, in France. Therefore, the processing undertaken by both companies is “sufficiently territorialized in France”, and is therefore subject to French law.
3. Regarding the identity of the Controller (concerns the Google decision only)
The CNIL considered that Google Ireland and Google LLC are joint controllers, whereas Google argues that only Google Ireland is a controller, and that Google LLC is the processor of Google Ireland for the processing at stake (the processing agreement between the two entities covers European cookie data).
The CNIL decision sets out four reasons to support its conclusion that Google LLC is also a controller in relation to the processing (based on articles 4, 7° and 26, 1 of the GDPR, as well as on the CJEU Jehovah’s Witnesses decision), in particular:
- Google LLC is the party conceiving and developing the Google products technology (notably the cookies technology), and there is no difference in the technologies used for the different versions of the search engine.
- Google LLC (like Google Ireland) participates to the meetings / bodies adopting decisions related to the deployment of products in the EEA and has a significant influence. In addition, Google Ireland’s DPO, as well as the DPO’s deputies, are based in California and employed by Google LLC, in order for Google Ireland’s DPOs to be the “closest possible to the decision makers of the company”, according to the declarations of the representative of the company made during the investigations.
- The differences existing between the processing of cookie placed in Europe and that placed throughout the rest of the world (e.g. in relation to retention period, rules regarding minors, etc.) are only differences in implementation, but do not impact the global advertising purpose, which is determined by Google LLC.
- Although the processing agreement between Google LLC and Google Ireland states that Google LLC acts as a processor, the real implication of Google LLC in the processing at stake goes beyond a mere processor role.
4. Regarding the violations
During the audits, the CNIL found that when users access the www.google.fr and the www.amazon.fr websites, cookies, some of these for advertising purposes, were recorded in the user’s device before any action being taken by the user. On google.fr, seven cookies are placed before any action on the part of the user, four of which are for advertising purposes. On amazon.fr, forty advertising cookies are placed before any action on the part of user.
- Failure to obtain consent: the CNIL notes that the advertising cookies are placed on the user’s terminal before any action on the part of the user.
- Breach of the information obligation (as required by Article 82 LIL):
- in the Google case, the CNIL held that the information provided to the users when arriving on the www.google.fr page did not allow them to be aware, before the cookies were actually placed on the terminal, of the actual existence and recording of such cookies, nor a fortiori, of the purposes of the processing nor of their possibility to oppose to them. Even if adjustments have been made by Google in 2020, it considers that the information provided before placing the cookies is still not clear and complete notably since it does not inform the user about all the purposes of the cookies places nor about the means to oppose to them.
- In the Amazon case, the CNIL decision distinguishes between two situations: (i) first, when the user arrives directly on www.amazon.fr home page, the CNIL considers that the information given only provides for a general and approximate description of the purposes of all the cookies placed and does not mention the means to object to them; (ii) second, if the user arrives on www.amazon.fr via an ad published in a third party website, there is no information at all provided to the user regarding cookies.
- Failure regarding the objection mechanism: in the Google case, the CNIL noted that even when opting out the use of advertising cookies in Google settings, one advertising cookie still remained placed on the equipment terminal.
5. Regarding the sanction
As a general remark, the CNIL indicated (in response to arguments made by both Google and Amazon in this regard), that the legal basis for the sanction is only Article 82 of the LIL, and not the CNIL’s recommendations/communications regarding cookies which are non-binding. The CNIL states that although the CNIL’s communications regarding cookies have recently evolved, the failures reproached to Google and Amazon have always been considered illegal. In particular, the CNIL had made it clear that although it was giving 6 months for companies to comply with its new guidelines as from their final publication, the CNIL would continue to enforce compliance with other obligations, including the collection of prior consent and the objection mechanism, during this period.
In the Google case, the CNIL took in to account the dominant position of Google (90% of the market of online search in France, more than 47 million users in France), which gives an unrivalled value to cookies used by Google through their online search engine. The CNIL also took into account the financial advantages obtained from the breach, since Google makes most of its profits through online advertising (Display Advertising and Search Advertising), in which cookies play an obvious role. Finally, the CNIL noted that Google’s cooperation was “barely compliant” with what the CNIL is entitled to expect from a controller since it never provided the French advertising revenues, despite repeated requests from the CNIL.
In the Amazon case, the CNIL focused on the extent of the processing made possible by cookies, the number of person concerned (300 million Amazon identifiers attributed over a nine-months period), and the variety of the information collected by the cookies which might be characterized as sensitive data under Article 9 of the GDPR. In addition, the CNIL took into account the financial advantage derived by Amazon from the breach of the law, which allowed to increase the visibility of Amazon products.
In both the Google and Amazon decisions, the CNIL issued injunctions ordering Google Ireland, Google LLC and Amazon Europe Core to comply with article 82 of the LIL, in particular by providing data subjects with prior, clear and complete information regarding the purposes of all cookies subject to consent, and the available means of objection. The CNIL is able to impose a €100 000 daily fine in case of non-compliance with such injunctions.
Both companies have four months to appeal the decisions to the French Conseil d’Etat.