Skip to main content

CNIL’s decision against Google relating to the use of cookies: result of the appeal before the French Conseil d’Etat

On 4 March 2021, the French Conseil d’Etat rendered its decision in the Google vs CNIL case.

As a reminder, on 7 December 2020, the CNIL imposed a sanction on Google LLC and Google Ireland Limited (together “Google”) for a total amount of 100 million euros for breach of Article 82 of the French Loi Informatique et Libertés (the “LIL”) relating to the use of cookies and other tracking technologies (Article 82 transposes Article 5.3 of the ePrivacy Directive). The CNIL found in particular that Google failed to obtain proper consent from data subjects, breached its information obligation and did not provide an efficient objection mechanism, in relation to the use of cookies. The CNIL also issued an injunction ordering Google to comply with article 82 of the LIL within three months, the CNIL being able to impose a €100 000 daily fine in case of non-compliance with such injunction.

Google appealed the CNIL’s decision, by way of interim proceedings, in order to obtain the suspension of the decision. The grounds for appeal mainly focused on the CNIL’s jurisdiction to act against the Google entities in France, given that Google’s lead supervisory authority in Europe is the Irish data protection authority..

Before the CNIL, Google had argued that the French data protection authority did not have jurisdiction since the GDPR procedural framework should apply, i.e. the one-stop-shop mechanism applicable to cross-border data processing activities..

The CNIL decided that the GDPR one-stop-shop mechanism did not apply and that it had subject-matter jurisdiction notably because (i) French law has given the CNIL jurisdiction to ensure compliance with Article 82 of the LIL which transposes the ePrivacy Directive, as well as to sanction any violation thereof, and (ii) the control of Article 5.3 of the ePrivacy Directive falls under the ePrivacy control mechanism, and not under that of the GPDR (and therefore the one-stop-shop mechanism).

In its decision of 4 March 2021, the Conseil d’Etat upheld the CNIL’s position and ruled that the French data protection authority had jurisdiction in the Google case. The Conseil d’Etat recalled that, while the GDPR consent requirements in relation to the use of certain cookies, interpreted in accordance with the ECJ decision in the Planet49 case, do not apply to the implementation and control of the ePrivacy Directive, which has its own specific enforcement mechanism. Indeed, the ePrivacy Directive enforcement mechanism is set out at article 15 a) of the Directive, and provides that Member States shall ensure that “competent national authorities, or other national organizations”, have authority regarding application of (notably) the Article 5.3 rules. According to the CNIL, as confirmed by the decision of the Conseil d’Etat, this provision excludes per se the one-stop-shop mechanism.

Google is therefore bound to respect the CNIL’s injunction to comply with Article 82 of the LIL. A proceeding on the merits is also ongoing in parallel before the Conseil d’Etat, and another decision will therefore be rendered by the Conseil d’Etat in this matter within a few months.

Comments

Popular posts from this blog

Proposition de règlement sur les marchés numériques ou Digital Markets Act (« DMA ») et Proposition de règlement sur les services numériques ou Digital Services Act (« DSA ») : principales dispositions

La publication des propositions de règlements DMA et DSA intervenue le 15 décembre 2020 constitue une étape importante de l’ambitieuse réforme de l'espace numérique envisagée par la Commission européenne. Dans le cadre du processus législatif européen, ces propositions doivent maintenant être soumises à l’approbation du Parlement et du Conseil qui leur apporteront probablement des amendements. Le délai moyen pour l’adoption d'un règlement est de 18 mois mais peut être significativement allongé pour des textes très discutés ou controversés ce qui sera vraisemblablement le cas du DMA et du DSA, compte tenu de leur vaste champ d’application, de l’importance des acteurs concernés ainsi que des pouvoirs conséquents qu’ils prévoient de conférer à la Commission.  La présente note donne un aperçu de la structure et des principales obligations applicables aux " gatekeepers ", dans le cas de la DMA (Partie I) et aux fournisseurs de " intermediary services " en ligne,

CNIL’s sanctions against Google LLC and Google Ireland Limited and against Amazon Europe Core: summary and main findings

 On 10 December 2020, the CNIL made public two decisions regarding the use of cookies in breach of Article 82 of the French Loi Informatique et Libertés (the “LIL”), which transposes the ePrivacy Directive 2002/58/EC (“ePrivacy Directive”). The first sanction, against a Google LLC and Google Ireland Limited (together “ Google ”) was for a total amount of €100 million (€60m for Google LLC and €40m for Google Ireland Limited, or “GIL”). The other sanction was imposed on Amazon Europe Core (“ Amazon ”) for €35m.  Set out below is a summary of both decisions, with a specific focus on the arguments and reasoning relating to the CNIL’s competence to enforce the provisions of the LIL against Google and Amazon, which is the subject of substantial and interesting developments. The two decisions have a number of points in common, although some of the interesting nuances are noted in our summary.  1. Background In relation to Google, the CNIL conducted an online audit of google.fr on 16 March 20