Deliberations SAN-2021-023 & SAN-2021-024 of 31 December 2021
Cookies have now been a hot regulatory topic for some time, especially in France where the CNIL ranked cookies in its top-three investigation priorities for the last two years and initiated a variety of guidance and enforcement actions. In this context, the French authority concluded year 2021 with two significant decisions against Google and Facebook regarding the means to refuse cookies.
In the two decisions, the CNIL criticized Google and Facebook for not offering internet users a means to refuse cookies as easily as they can accept them. The French authority fined Google a total of 150 million euros (€90M for Google LLC and €60M for Google Ireland Limited) and fined Facebook 60 million euros. It also enjoined both to “modify. . .the methods for obtaining the consent of users located in France to the reading and/or writing of information in their terminal, by offering them a means of refusing these operations that is as simple as the mechanism for their acceptance” with a daily penalty of €100,000 per day of delay in complying with the injunction after three months of the notification of the decision.
The sanction procedures were based on online investigations led by the CNIL agents on the websites google.fr and youtube.fr (for Google) as well as facebook.fr (for Facebook). These investigations showed that while these three sites display a button to accept all cookies immediately on the first layer of the cookies’ information notice, internet users must go through several steps in secondary layers in order to refuse the cookies. In the case of Facebook, the CNIL agents noted that, in order to confirm their choice regarding the placing of cookies, users must click on a button entitled “Accept cookies” at the bottom of the second layer, even if they chose to refuse the cookies.
The CNIL – through its restricted committee which is the body responsible for issuing sanctions – held that the process described above affects the users’ freedom of consent and therefore its validity, under the more stringent consent rules set forth by the GDPR. The rationale of the authority is that making the mechanism for refusing cookies more complex than accepting them would unduly influence users in favor of consent, especially since users expect to be able to quickly consult websites.
The position of the CNIL’s restricted committee is consistent with the CNIL’s doctrine on this issue, which the authority promoted in its guidance on cookies and imposed on other website publishers last year. Indeed, the French data protection authority reported the sending of more than ninety formal notices to various website publishers during 2021, enjoining them, inter alia, to make refusing cookies as easy as accepting them.
Contrary to these other websites’ publishers, Google and Facebook were not sent prior formal notices by the CNIL but were directly subject to a sanction procedure. Both companies claimed that this difference in treatment infringed upon the principal of equality before the law and should have invalidated the sanction procedures. The CNIL’s restricted committee rejected this claim on the ground that the decision to issue a formal notice is at the discretion of the President of the CNIL and is not a legal obligation. It also added that both companies had recently faced sanction procedures on their cookies practices so that they should have been particularly vigilant and aware of the CNIL’s action.
In the two decisions, Google and Facebook also challenged the jurisdiction of the CNIL, both on a material and territorial point of view. First, they claimed that the GDPR’s one-stop-shop mechanism should have applied, hence excluding the CNIL’s jurisdiction to hear and decide this case alone, since both their principal places of establishment within the EU are Ireland and not France. Second, they also claimed that the CNIL had no territorial jurisdiction since the cookies were not placed within the activities of their establishments in France. The restricted committee rejected both claims. In summary, the committee considers that the GDPR’s one-stop-shop does not apply since the cookies’ rules in question stem from the e-Privacy Directive which constitutes a specific text and which, according to the committee, provides for its own implementation and enforcement mechanism that does not rely on the GDPR’s one-stop-shop. On territoriality, the restricted committee considered that the placement of cookies was in fact carried out within the activities of Google’s and Facebook’s French establishments. To reach this conclusion, it relied on the CJEU’s “Google Case”, “Wirtschaftsakademie”, and “Facebook Belgium” cases in which the EU Court interpreted the notion of “processing carried out within the activities of an establishment”, notably concerning Google and Facebook, but under the former EU Directive No. 95/46.
Google also developed additional arguments:
- Non bis in idem: Google asserted that the new sanction procedure violated the non bis in idem principle since Google had already been subject to a sanction procedure regarding its cookie’s practices in 2020. The restricted committee rejected this argument on the ground that the subject-matter of both procedures were different: the 2020 procedure focused on the information delivered to the data subjects, while the 2021 procedure focused on the means to reject cookies.
- Referral of a question for a preliminary ruling to the CJUE: Google asked the restricted committee to refer a question for a preliminary ruling to the CJUE regarding the compliance of not proposing a “refuse all” button next to the “accept all” button in the first layer of the cookie notices, where a means to refuse the cookies is made available to users in a second layer. The restricted committee declined to refer the question, stating that it is not considered a “jurisdiction” for that purpose and therefore does not have such power.
- Stay of the proceeding: Google requested the stay of the CNIL’s proceeding to wait for the Council of State’s decision on the appeal against the previous case, but the restricted committee refused on the ground that this was not permitted by the law.
- Joint controllership: There was also a discussion regarding the joint controllership of Google LLC and Google Ireland Limited. Google argued that only Google Ireland Limited was the relevant controller in relation to the placing of cookies, while the restricted committee considered that both entities were joint-controllers and therefore jointly liable.
These two decisions show that compliance with the cookies’ regulation is still a very important enforcement topic for the CNIL, which can lead to substantial monetary fines and mandatory injunctions to modify the controlled entities’ practices. This trend should continue in 2022, as cookies could well make the CNIL’s top-three investigation priorities for the third year in a row.