The new year for EU data protection enforcement has rung in with an early bang courtesy of France's data protection authority, the Commission nationale de l'informatique et des libertés. The CNIL fined Google and Facebook up to a combined 210 million euros for alleged cookie violations under the ePrivacy Directive.
Allegations against the companies focus on French users' inability to easily decline tracking via cookies. Google's U.S. and Irish operations received penalties of up to 90 and 60 million euros, respectively, while Facebook Ireland will pay up to 60 million euros. Additional daily penalties of 100,000 euros are possible if users are not given sufficient means to opt out of tracking within three months.
Spokespeople for Google and Meta, Facebook's parent company, responded to the fines with comments to Politico. Google said it understands its "responsibility to protect" user trust and it is "committing to further changes and active work with the CNIL in light of this decision." Meta said its cookie controls "provide people with greater control over their data," adding that it continues to "develop and improve" its tools.
Fining under the ePrivacy Directive brings into question whether the CNIL did so based on the specific violation or as a way to maintain control of the case and its outcome, which would've been relinquished had the complaint been deemed a violation of the EU General Data Protection Regulation. Had it been a GDPR violation, the matter would've reverted to the GDPR's one-stop shop mechanism and been referred to the lead supervisory authority for Google and Facebook.
"A previous 50 million euro GDPR fine that was pronounced by CNIL against Google in January 2019 was an exception because at the time, the CNIL had considered that Google did not have a main establishment in the EU, and thus, the one-stop shop mechanism did not apply," Fieldfisher Partner Olivier Proust, CIPP/E, said. "Since then, Google has made the necessary internal changes to ensure that Ireland's Data Protection Commission is its lead authority and, as a result, the CNIL has 'lost' its power to investigate Google on GDPR compliance."
Baker McKenzie Partner and IAPP Country Leader for France Yann Padova believes the CNIL's decision reflects a circumvention of one-stop shop.
"This interpretation is legally debatable and could lead to more fragmentation within the EU," Padova said. "This risk is already materializing when considering the divergences of approaches among data protection authorities on cookie consent or the mandatory information to be provided. This is not good news for companies' right to legal certainty and regulatory predictability, especially for the ones operating at an EU level."
On the other hand, Privacy Management Partners Partner and IAPP Netherlands Country Leader Jeroen Terstegge, CIPP/E, CIPP/US, viewed the use of ePrivacy as simply procedural under French law.
"France has chosen to transpose the ePrivacy Directive into its Data Protection Act. This makes the CNIL the competent authority for cookie law enforcement," Terstegge said. "EU member states are free to choose into which law to transpose a directive. Other member states have chosen to make other authorities competent for the enforcement of their cookie laws. So, the fact that the CNIL takes a decision about cookies based on Article 82 French Data Protection Act should not be interpreted as a disqualification of the GDPR."
Cookies crackdown
The penalties come two years after the CNIL fined Google and Amazon a combined 135 million euros in December 2020 for violation of ePrivacy provisions on consent for placement of cookies. In addition to similar accusations regarding opt-out options, Google's prior fine came on allegations that it did not provide sufficient transparency to users regarding its tracking with cookies. Proust believes the increased fine Google saw with this new action shows the CNIL is clearly "attempting to put more pressure on Google to comply."
Cookies compliance and enforcement was a priority for the CNIL in 2021, with Wednesday's announcement showing that priority status is likely to continue in 2022. Following the release of new cookie guidance in October 2020 and audit recommendations in February 2021, the CNIL issued three rounds of warnings and noncompliance notices to several unnamed companies during the final six months of 2021.
"The CNIL seems to be fairly isolated in this cookie focus enforcement policy and in the amount of the fines issued," Padova said. "However, one cannot rule out the fact that other DPAs may follow CNIL's path, in particular in light of the recent cookies enforcement task force that has been created by the EDPB at an EU level."
With respect to the EDPB task force, Padova added the creation of the group by the board is a clear indication that cookies cases are GDPR matters and not exclusive to ePrivacy provisions.