The French data protection authority’s decisions cite violations of the cookie rules under the ePrivacy Directive and provide important insights on explicit consent.

Between December 2019 and May 2020, the French data protection authority (CNIL) conducted multiple online investigations by visiting google.fr and amazon.fr, before launching a full-scale investigation into Google LLC, Google Ireland, and Amazon Europe Core. On 7 December 2020, the CNIL handed down two decisions, one against Google LLC (€60 million fine) and Google Ireland (€40 million fine), and another against Amazon Europe Core (€35 million fine). Contrary to a previous sanction against Google LLC, which was triggered by specific complaints about its practices, the CNIL’s decisions indicate that the investigations were launched sua sponte with the specific aim of controlling the companies’ cookie practices.

The ePrivacy Directive, an Alternative to Competence Under the GDPR?

The CNIL’s decisions were based on Article 82 of the French Data Protection Act (Loi Informatique et libertés, or LIL), which transposes Article 5(3) of the EU Directive on privacy and electronic communications 2002/58/CE (ePrivacy Directive). By basing its decision on the ePrivacy Directive rather than the General Data Protection Regulation (GDPR), the CNIL refuted the arguments advanced by Google and Amazon regarding the CNIL’s lack of competence due to their one-stop-shop structures.

Under the GDPR, the “one-stop-shop” mechanism stipulates that the national data protection authority (DPA) of the EU Member State in which an entity’s main establishment is located shall take on the role of the lead authority for investigations and sanctions. As neither Google nor Amazon’s main EU establishments were located in France, but in Ireland and Luxembourg, respectively, both companies argued that the CNIL lacked competence to launch procedures under the GDPR. To recall, Google had advanced a similar argument in 2019, in a CNIL investigation that resulted in a €50 million fine against Google LLC.

The CNIL responded that it had authority to control and sanction the use of cookies dropped on devices belonging to users located in France under the French Data Protection Act and the ePrivacy Directive. Therefore, according to the CNIL, the “one-stop-shop” mechanism did not apply, as the decisions were not based on the GDPR. Although the ePrivacy Directive refers to the GDPR on various points, such as the criteria used to assess consent or clear and precise information, the CNIL referred to GDPR Recital 173 and to the European Data Protection Board’s opinion affirming that the GDPR shall only apply to processing of personal data that is not subject to specific obligations set out in the ePrivacy Directive. Finally, the CNIL justified its territorial competence based on the existence of Google France and Amazon France, the respective French “establishments” of Google and Amazon.

The CNIL’s Decision

As mentioned above, Article 82 of the French Data Protection Act applies the ePrivacy Directive rather than the GDPR. Article 82 transposes the cookie rules as stipulated by Article 5(3) of the ePrivacy Directive, and requires that all non-essential cookies be subject to:

• Clear and complete information regarding the purposes of the cookies and the mechanisms through which the user may oppose their use
• Prior consent of the user after the communication of such information

In its decisions, the CNIL found that:

1. Google was in breach of Article 82 in three respects: lack of consent, insufficient information, and non-compliance with the right to object, as not all cookies were deleted even after the user choose to object to their use.
2. Amazon was in breach of Article 82 in two respects: lack of consent and insufficient information. Since Amazon deleted all cookies upon the user’s decision to refuse consent, it was not found in violation of the right to object.

The CNIL was particularly attentive to the fact that cookies were dropped immediately upon a user’s visit to the websites, prior to the communication of the relevant information and the user’s consent.

Determination of Data Controllers and Joint Controllership

In the case of Google, the CNIL considered Google LLC and Google Ireland to be joint controllers, since they determined, together, the purposes and means of data processing relative to cookies and access to user terminals. Although Google argued that Google LLC should be considered a data processor rather than a joint controller, the CNIL took into consideration the participation of Google LLC in decisions related to product deployment in the European Economic Area and Switzerland. Moreover, the CNIL noted that Google Ireland’s data protection officers were based in California and employed by Google LLC in order to maintain proximity to key decision makers.

Notably, this qualification was retained despite the existence of a formal contract stipulating that Google LLC shall act as a data processor and Google Ireland as a data controller for the processing of personal data of European users collected through cookies.

The Fine

Both Google and Amazon argued that the respective fines were disproportionate. Google invoked the lack of formal guidelines regarding the calculation of fines and its active cooperation in the process. Amazon argued that the CNIL did not take into consideration the measures that it had already undertaken or the fact that it had never been subject to an investigation, and that the fines far exceeded fines imposed by other authorities for the violation of cookie rules.

The CNIL disagreed, stating that it had discretionary powers to impose sanctions that it considered appropriate and within the limits set by the French Data Protection Act — that is, 2% of the worldwide revenues of the company. The CNIL also stated in its findings that:

• Measures implemented by Amazon were non-compliant and measures adopted following the investigation did not impact the calculation of fines for violations observed during the CNIL’s investigations
• Cooperation with the CNIL as demonstrated by the companies was within the scope of their legal obligations; certain information, in particular regarding Google’s ad revenues generated in France, was not provided
• The infringements were particularly serious because users were given no choice or information regarding the use of cookies, and a large number of users were impacted
• The infringements concerned basic rules regarding prior consent and information for the use of cookies that predate both the GDPR and the more recent recommendations issued by the CNIL

In the case of Google, the CNIL noted the company’s dominant position in the search engine market and the importance of revenues derived from targeted advertising. As for Amazon, the CNIL emphasized that users visiting amazon.fr through ads placed on third-party websites were allegedly provided no information regarding the use of cookies.

Both Google and Amazon are under an injunction to bring their practices into compliance within three month of the decision, under penalty of €100,000 fine per day.

Although no official declaration has been announced, Google and Amazon will likely exercise their right to appeal the decisions with the French State Council (Conseil d’Etat).

Key Takeaways

While the CNIL’s decisions will likely be tested on appeal, they provide several takeaways for businesses in the interim:

Use of online controls: The two decisions show that the CNIL is willing to actively use its capacity to launch investigations without being prompted by complaints from users or organizations. The ability to simply visit websites and observe a company’s practices is a low-cost and rapid way for authorities to select entities against which to launch full-scale investigations. The authors of this post have observed comparable exercises by DPAs in other EU Member States, for example in Germany. Organizations should review their website and cookie practices with care, ensuring that no non-essential or functional cookies are dropped prior to user consent, and that adequate information notices are provided in the form of banners and more detailed policies.

Watch out for the ePrivacy Directive: Although a proposal to update the ePrivacy Directive is in the pipeline, these CNIL decisions signal that control and sanction under the current ePrivacy Directive remain a real risk for organizations. Unburdened by the GDPR’s “one-stop-shop” mechanism, the ePrivacy Directive can provide greater territorial reach for national authorities that are willing to take on independent investigations and sanctions.

Transparency: As already flagged in the €50 million fine against Google, transparency remains at the core of the CNIL’s decisions. Although various DPA guidance has encouraged the use of different approaches, including layers of information or privacy centers, striking a balance between a wide range of product offerings and ensuring that users are able to easily understand core processing activities remains difficult.

Contractual provisions must be consistent with practice: Contractual provisions allocating responsibilities will be examined in light of actual practice. In this case, the CNIL requalified Google LLC as a joint controller despite a written contract specifying that Google LLC shall act as data processor, imposing a greater fine than on Google Ireland. This case-by-case analysis and willingness to override contractual qualifications is not limited to the CNIL, as shown in recent decisions by the Court of Justice of the European Union.

Divergence among national authorities: Different practices and priorities among DPAs add another layer of uncertainty and risk. As a consequence, Latham continues to recommend a high-water-mark approach in order to minimize the risk of investigations and sanctions.

Latham & Watkins will continue to report on developments in these cases.