CE - 472221: Difference between revisions

CE - 472221
Court:	CE (France)
Jurisdiction:	France
Relevant Law:	Article 83(2)(a) GDPR Article 20-III-7 de la loi 78-17 du 6 janvier 1978 Article 82 de la loi 78-17 du 6 janvier 1978 L.761-1 Code de justice administrative
Decided:	29.04.2024
Published:	14.05.2024
Parties:	VOODOO
National Case Number/Name:	472221
European Case Law Identifier:	ECLI:FR:CECHR:2024:472221.20240514
Appeal from:	CNIL France SAN-2022-026
Appeal to:	Unknown
Original Language(s):	French
Original Source:	LegiFrance (in French)
Initial Contributor:	R_e_

Mobile game company's appeal against DPA €3,000,000 fine, in failing to obtain data subjects consent in collecting personal data for advertising purposes and in providing misleading information for tracking behaviour, rejected by the French courts.

English Summary

Facts

The controller sought to overturn deliberation no. SAN-2022-026 of the DPA before the Council of State (Conseil d'Etat - CE). The DPA fined the controller €3,000,000 for failing to obtain data subjects consent, regarding "Identifiers for Vendors" when using the controller's apps on Apple devices, for advertising purposes. Data subjects had no means to object to the controller offering non-personalized advertisements based on their browsing habits.

The DPA also ordered an injunction requiring the controller to bring its data processing into compliance within a period of three months from notification of the deliberation. The controller was subject to a fine of €20,000 per day of delay.

Failing an overturned decision, the controller sought to reduce the fine amount.

Holding

The Council of State rejected the controller's request and upheld the DPA's €3,000,000 fine. The DPA had sufficiently established on the facts a breach of Article 82 of the French Data Protection Act (loi 78-17 du 6 janvier 1978, Informatique et Libertés), as the controller did not obtain the necessary consent to collect data subjects data and its activities did not fall into one of the exceptions to this requirement (if the activity has the exclusive purpose of allowing or facilitating communication by electronic means or is strictly necessary to the provision of an online communication service at the express request of the user). Article 82 of the Data Protection Act requires that any operation of collection or deposit of information stored in the terminal of a data subject must be subject to prior, clear and complete information relating to the purpose of cookies or other tracers and the means available to data subjects to oppose them, as well as the prior collection of their consent.

The DPA had also followed the correct procedures when deciding the fine to be imposed on the controller. In making the decision, the DPA correctly had regard to several factors including:

- the number of data subjects and the seriousness of the breach (per Article 83(2)(a) GDPR);

- the financial situation of the controller in its economic sector; and

- the fact the controller derived more than 95% of its income from advertising, and thereby gained financial advantage from the breach (Article 83(2)(k) GDPR).

The Council of State further noted that neither the GDPR nor the Data Protection Act requires the DPA to explain the reasoning behind the amount of sanctions imposed, and therefore the DPA had not disregarded the principle of legality when deciding the penalty amount.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Given the following procedure:

By a request, a reply brief and a new brief, registered on March 16, September 19 and November 30, 2023 at the litigation secretariat of the Council of State, the Voodoo company requests the Council of State:

1°) to cancel deliberation n°SAN-2022-026 of December 29, 2022 by which the restricted formation of the National Commission for Informatics and Liberties pronounced against him a financial sanction of 3 million euros to due to a breach noted under article 82 of law no. 78-17 of January 6, 1978, accompanied by an injunction to bring its data processing into compliance within a period of three months from notification the deliberation, subject to a fine of 20,000 euros per day of delay, and the publication of the deliberation, which will no longer identify the company by name at the end of a period of two years;

2°) in the alternative, to reform this deliberation by reducing the amount of the fine imposed on it and to cancel it insofar as it provided for its publication;

3°) to charge the National Commission for Information Technology and Liberties the sum of 5,000 euros under article L. 761-1 of the administrative justice code.

Considering the other documents in the file;

Seen :
- the Constitution ;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law No. 78-17 of January 6, 1978;
- Decree No. 2019-536 of May 29, 2019;
- the administrative justice code;

After hearing in public session:

- the report of Mr. Philippe Bachschmidt, master of requests for extraordinary service,

- the conclusions of Ms. Esther de Moustier, public rapporteur;

The floor having been given, after the conclusions, to SCP Foussard, Froger, lawyer for the Voodoo company;

Considering the following:

1. The Voodoo company requests the cancellation of the deliberation of December 7, 2020 by which the restricted formation of the National Commission for Information Technology and Liberties (CNIL) pronounced against it an administrative fine in the amount of 3 million of euros, due to a breach noted under article 82 of the law of January 6, 1978 relating to data processing, files and freedoms, for not having obtained users' consent to use of the "Identifier for vendors" (IDFV) of their Apple brand telephone for advertising purposes, ordered it to bring its data processing into compliance with the obligations resulting from this article, subject to a penalty of 20,000 euros per day of delay at the end of a period of three months following notification of its deliberation, and decided to make its deliberation public, which will no longer identify the company by name at the end of a period of two years.

On the lack of awareness of the rights of the defense:

2. The applicant company maintains that the procedure followed before the restricted panel of the CNIL would have disregarded the rights of the defense, in that the report of the online inspection carried out on July 18, 2022, at the request of the rapporteur before this panel , would have only been communicated to him on July 22, 2022, at the same time as he was notified of the report provided for by article 22 of the law of January 6, 1978, setting out the alleged breach and proposing a sanction, preventing him from presenting comments on these minutes before the report is drawn up. However, the principle of the rights of the defense applies only to the procedure opened by notification of the report provided for by article 22 of the law of January 6, 1978, under the conditions provided for by the first paragraph of this article and by Article 40 of the decree of May 29, 2019, and not the prior diligence carried out by the rapporteur or the checks carried out at his request in application of article 39 of this decree. If these diligences and these controls must take place under conditions guaranteeing that there is no irreparable harm to the rights of defense of the persons to whom the report is subsequently notified, it has not been established in this case, nor even alleged, that such an irremediable infringement had been caused to the rights of the applicant company. Furthermore, it follows from the investigation that the company presented written observations on this minute on August 3, 2022, then on the report on September 26, 2022, that it presented new written observations on November 21, 2022, in response to the rapporteur's observations dated October 21, 2022, and that she was able to make oral observations during the session of the restricted panel on December 8, 2022. Consequently, the plea can only be rejected.

On the breach of article 82 of the law of January 6, 1978:

3. On the one hand, in application of 2° of I of article 8 of the law of January 6, 1978, the CNIL "ensure that the processing of personal data is implemented in accordance with the provisions of the this law and other provisions relating to the protection of personal data provided for by legislative and regulatory texts, European Union law and France's international commitments. Under the terms of article 16 of the same law: "The restricted body takes measures and imposes sanctions against data controllers or subcontractors who do not comply with the obligations arising from Regulation (EU) 2016/ 679 of April 27, 2016 and this law under the conditions provided for in section 3 of this chapter (...)".

4. On the other hand, under the terms of article 82 of the same law: "Any subscriber or user of an electronic communications service must be informed clearly and completely, unless he has been informed previously , by the data controller or his representative: / 1° The purpose of any action tending to access, by electronic transmission, information already stored in his electronic communications terminal equipment, or to enter information in this equipment / 2° The means available to him to oppose it / These accesses or registrations can only take place on condition that the subscriber or the user has expressed, after having received this information, his consent which may result. appropriate parameters of his connection device or any other device placed under his control / These provisions are not applicable if access to information stored in the user's terminal equipment or the registration of information in the user's terminal equipment. the user's terminal equipment: / 1° Either, has the exclusive purpose of enabling or facilitating communication by electronic means; 2° Either, is strictly necessary for the provision of an online communication service at the express request of the user. It follows from these provisions that any operation of collection or deposit of information stored in the terminal of a user must be subject to prior, clear and complete information relating to the purpose of cookies or other tracers and the means available to users to oppose them as well as the prior collection of their consent.

5. It results from the instruction and particularly from the control carried out by the CNIL, on July 18, 2022, from an Apple brand mobile phone, that, when the user, after opening one of the eleven published applications by the applicant company and presented by it as the most downloaded, refused to authorize the monitoring of its activities for advertising purposes, under the consent collection system set up on its devices by the Apple company, called " ATT request ("App Tracking Transparency"), he was given information, without a device for collecting his consent, according to which technical data could be collected, by reading the IDFV, a unique identifier assigned to each mobile phone by the operating system of the Apple company, to offer him “non-personalized advertisements based on his browsing habits”. It is not disputed by the applicant company that the users had no means to object to the collection of this information, even though it had an advertising purpose, so that it could not fall within the exceptions provided for by article 82 of the law of January 6, 1978, authorizing the reading of data by cookies or other tracers without the consent of the user when this operation has the exclusive purpose of allowing or facilitating communication by electronic means or is strictly necessary to the provision of an online communication service at the express request of the user. Consequently, the restricted panel of the CNIL was right to consider that the applicant company's breach of Article 82 of the law of January 6, 1978 was characterized by failure to obtain users' consent to the collection. of their data. It follows that the argument that this breach has not been established must be rejected.

On the sanction:

Regarding the motivation for the sanction:

6. On the one hand, 2 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016 relating to the protection of natural persons with regard to the processing of personal data and the free movement of these data, known as the General Data Protection Regulation (GDPR), provides that: "Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58, paragraph 2, points a) to h), and j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of following elements: / a) the nature, severity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage caused they suffered; / b) the fact that the violation was committed deliberately or through negligence; / c) any measure taken by the controller or processor to mitigate the damage suffered by the data subjects; / d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32; / e) any relevant breach previously committed by the controller or processor; / f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating any negative effects; / g) the categories of personal data affected by the violation; / h) the manner in which the supervisory authority became aware of the violation, in particular whether and to what extent the controller or processor notified the violation; / i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with these measures; / j) the application of codes of conduct approved pursuant to Article 40 or certification mechanisms approved pursuant to Article 42; and/k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation."

7. On the other hand, under the terms of article 43 of the decree of May 29, 2019 taken for the application of the law of January 6, 1978: "The decision of the restricted panel sets out the legal and factual considerations on which it is founded".

8. It follows from the preceding provisions that, in the event that the legality of an administrative decision is based on the taking into account of a certain number of considerations, compliance with the requirement of motivation which they provide does not lead its author to only have to state those on which the decision he has taken is based. Furthermore, it does not follow from any provision that the restricted body of the CNIL should provide an explanation of the amount of the sanctions it imposes. It follows from this that the restricted training of the CNIL, which had neither to comment on all of the criteria provided for in Article 83 of the aforementioned GDPR, nor to indicate the numerical elements relating to the method of determining the amount of the sanction imposed, but was notably based precisely on the criteria provided for in a and k of 2 of article 83 of the GDPR as well as on the business model of the requesting company and the weight that it represents in its economic sector, did not provide sufficient reasons for its decision.

With regard to respect for the principle of legality of offenses and penalties:

9. On the one hand, under the terms of III of article 20 of the law of January 6, 1978: "When the data controller or its subcontractor does not respect the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or of this law, the president of the National Commission for Information Technology and Liberties may also, where applicable after having sent him the warning provided for in I of this article or after having pronounced against him one or several of the corrective measures provided for in II, refer the matter to the restricted committee of the commission with a view to pronouncing, after adversarial procedure, one or more of the following measures: (...) 2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law or to comply with requests presented by the data subject with a view to exercising his or her rights, which may be accompanied, except in cases where the processing is implemented by the State, a penalty the amount of which cannot exceed 100,000 euros per day of delay from the date set by the restricted training; (...) 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the figure total global annual sales for the previous financial year, whichever is greater. In the hypotheses mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same article 83 (...)".

10. On the other hand, under the terms of the second paragraph of article 22 of the same law: "The restricted formation may make public the measures it takes. It may also order their insertion in publications, newspapers and media that "it designates, at the expense of the sanctioned persons".

11. The restricted body of the CNIL, in imposing a fine of 3 million euros, respected the rules set by article 20 of the law of January 6, 1978, cited in point 9. In addition, it does not result in There is no provision, as stated in point 8, that it should provide an explanation of the amount of the sanctions it imposes. Consequently, the restricted formation of the CNIL did not disregard the principle of legality of offenses and penalties.

Regarding the proportionate nature of the sanction and corrective measures:

12. Firstly, it follows from the investigation that, to set the amount of the financial penalty imposed on the applicant company, the restricted panel of the CNIL took into account, under the criteria provided for in a and k of 2 of article 83 of the GDPR, cited in point 3, of the number of users of the applications of the requesting company, according to the numerical elements at its disposal and without the law of January 6, 1978 imposing a particular methodology for this purpose, weight of the company in its economic sector as well as the fact that it derives more than 95% of its revenue from advertising. The restricted panel did not retain an amount exceeding the ceiling set by 7° of III of Article 20 of the law of January 6, 1978, cited in point 9, calculated by reference to worldwide turnover. Furthermore, the fact that fines of a lower amount, in proportion to their worldwide turnover, would have been pronounced by the restricted body of the CNIL against other companies has no impact on the proportionality of the sanction imposed on the applicant company. The same applies to the circumstance that this sanction would be excessive in relation to its turnover generated in France or would deprive it of all of its revenue generated from French users, since it must be calculated, in application of 7° of III of article 20 of the law of January 6, 1978, by reference to worldwide turnover. Taking into account the seriousness of the breach observed, which is due to the nature of the unknown requirements and its effect on users, the financial advantages which could be derived from it and the financial situation of the company, the restricted training of the CNIL does not did not, by withholding a fine of 3 million euros, impose a sanction of a disproportionate amount on the applicant company.

13. Secondly, by deciding, as permitted by article 22 of the law of January 6, 1978, cited in point 10, taking into account the seriousness of the breach in question and the large number of users concerned, to make public its deliberation, which will no longer identify the company by name at the end of a period of two years, the restricted formation of the CNIL did not take a disproportionate measure.

14. It follows from all of the above that the applicant company is not justified in requesting the annulment of the deliberation of the restricted body of the CNIL which it is attacking.

15. The provisions of article L. 761-1 of the code of administrative justice prevent a sum from being charged to the CNIL in this respect, which is not, in the present case, the losing party.

DECIDED :
--------------

Article 1: The request from the Voodoo company is rejected.
Article 2: This decision will be notified to the Voodoo company and to the National Commission for Information Technology and Liberties.
Deliberated at the end of the session of April 29, 2024 at which sat: Mr. Rémy Schwartz, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Ms. Anne Egerszegi, presidents of chambers; Mr. Olivier Yeznikian, Ms. Rozen Noguellou, Mr. Nicolas Polge, Mr. Vincent Daumas, Mr. Didier Ribes, State Councilors, and Mr. Philippe Bachschmidt, master of requests in extraordinary service-rapporteur.

Returned on May 14, 2024.

President :
Signed: Mr. Rémy Schwartz

The rapporteur :
Signed: Mr. Philippe Bachschmidt

The Secretary :
Signed: Ms. Claudine Ramalahanoharana

ECLI:FR:CECHR:2024:472221.20240514