CNIL (France) - SAN-2021-024: Difference between revisions

From GDPRhub
 

Latest revision as of 17:02, 6 December 2023

CNIL (France) - Délibération SAN-2021-024
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law:
Article 82 Loi "Informatique et Libertés"
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.12.2021
Published:
Fine: 60,000,000 EUR
Parties: Facebook Ireland Limited
National Case Number/Name: Délibération SAN-2021-024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Frederick Antonovics

The French DPA fined Facebook Ireland Limited €60,000,000 for failing to comply with Article 82 of the Loi 'Informatique et Libertés', and ordered the company to modify the website "facebook.com" to offer French users a means of refusing to give consent that is as simple as the mechanism provided for their acceptance.

English Summary

Facts

Facebook Ireland Limited (hereafter 'FIL') is a subsidiary owned wholly by Meta Platforms Inc.

In April 2021 the French DPA (CNIL) carried out an online inspection of the website "facebook.com" in the context of an investigation into the processing of the personal data of French individuals visiting the website. The purpose of this inspection was to verify the company's compliance with the Loi 'Informatique et Libertés', and in particular with Article 82 thereof.

In September 2021, the case manager that carried out the inspection issued a report to the restricted panel (that ultimately determines whether a breach occurred) that recommended the latter issue a fine and an injunction (to bring its processing activities into compliance with Article 82 Loi 'Informatique et Libertés') against the company.

The restricted panel considered the evidence that was gathered by the case manager, and drew the conclusions below.

Holding

On the competence of the CNIL

First, the CNIL had to justify that it was the competent authority in this case.

The material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR

FIL argued the CNIL was not the competent authority because the alleged breach did not fall within the material scope of the ePrivacy Directive. However, the CNIL considered the contrary, namely that it was materially competent under the Loi 'Informatique et Libertés' (which implemented the ePrivacy Directive) to monitor and sanction the access or registration of information by companies in the terminals of users of the "facebook.com" website in France.

After a lengthy discussion of national authorities' powers under the "one-stop shop" mechanism provided for by the GDPR, the CNIL held that it was in fact competent to control and initiate a sanction procedure against the aforementioned processing, provided that the latter was related to its territorial jurisdiction.

On the territorial jurisdiction of the CNIL

The CNIL considered it was territorially competent under Article 3 GDPR since the processing that was the subject of the present procedure, namely consisting of accessing or recording information on the terminals of users residing in France when using the Facebook website, in particular for advertising purposes, was carried out within the "framework of the activities" of the company Facebook France, which constituted the "establishment" of the Facebook group in France.

In response, Facebook argued that its establishment in the EU was located in Ireland. The CNIL considered a range of CJEU case law (included but not limited to Google Spain C-131/12, Weltimmo C-230/14, Wirtschaftsakademie C-210/16) and its findings in the previous decision SAN-2020-012, which pointed towards a broad interpretation of 'establishment' and 'in the context of the activities' and rejected this argument.

As such, it held that French law was applicable and that it was materially and territorially competent to exercise its powers, including the power to impose sanctions on processing operations falling within the scope of the ePrivacy Directive.

On the failure to comply with the obligations relating to cookies

Second, the CNIL assessed whether the company had complied with Article 82 of the Loi 'Informatique et Libertés'.

It noted that users visiting the "facebook.com" website were confronted with a pop-up window with the title "accept Facebook cookies in this browser" and that at the bottom of this window there were two buttons entitled "Manage data settings" and "Accept all". It was also found that at this stage no cookies were deposited on the user's terminal and that the user was obliged to click on one of these two buttons in order to continue browsing the social network. However, if users wanted to use the website any further without accepting cookies, they had to click on two further buttons.

As such, the CNIL considered that the company failed to comply with Article 82 of the Loi 'Informatique et Libertés'Loi 'Informatique et Libertés', as clarified by the stricter requirements regarding consent set out in the GDPR, as it did not "provide users residing in France with a means of freely giving their consent by refusing to read and/or write information to their terminal that [was] as simple as the one provided for accepting its use." It also held that the information provided to users did not make it clear to them that they even could refuse cookies.

Corrective measures

In light of the above, the CNIL:

  • imposed a fine of €60,000,000 on Facebook Ireland Limited for failing to comply with Article 82 of the Loi 'Informatique et Libertés',
  • ordered Facebook Ireland Limited to modify, on the website "facebook.com", the methods for obtaining the consent of users located in France to the reading and/or writing of information in their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent;
  • attached to the injunction a penalty of 100,000 euros (one hundred thousand euros) per day of delay at the end of a period of three months following notification of this decision, with proof of compliance to be sent to the select committee within this period;
  • made its decision public on the CNIL website and on the Légifrance website, which will no longer identify the companies by name at the end of a two-year period from the date of its publication.

Comment

This decision was published on the same day as the €150,000,000 fine the CNIL issued against Google for very similar reasons. The summary available here explains in further detail some of the issues mentioned above.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n°SAN-2021-024 of December 31, 2021 concerning the company FACEBOOK IRELAND LIMITED

The National Commission for Computing and Liberties, meeting in its restricted formation composed of Messrs Alexandre LINDEN, president, Philippe-Pierre CABOURDIN, vice-president, Mesdames Christine MAUGÜE and Anne DEBET and Mr Alain DRU, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Considering the law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties; Having regard to decision no. 2021-044C of April 6, 2021 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or have carried out a mission to verify the processing accessible from the "facebook.com" domain or relating to personal data collected from the latter;

Having regard to the decision of the President of the National Commission for Computing and Freedoms appointing a rapporteur before the restricted formation, dated July 26, 2021;

Considering the report of Mrs Valérie PEUGEOT, commissioner rapporteur, notified to the company FACEBOOK IRELAND LIMITED on September 1, 2021;

Having regard to the written observations submitted by the board of FACEBOOK IRELAND LIMITED on October 8, 2021;

Having regard to the rapporteur's response to these observations notified to FACEBOOK IRELAND LIMITED on October 28, 2021;

Given the new written observations submitted by the board of FACEBOOK IRELAND LIMITED, received on November 21, 2021;

Having regard to the letter sent by the company FACEBOOK IRELAND LIMITED to the chairman of the restricted committee and to the rapporteur on December 6, 2021;

Having regard to the oral observations made during the session of the Restricted Committee;

Having regard to the other documents in the file;

Were present at the restricted training session of December 2, 2021:

- Mrs. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of FACEBOOK IRELAND LIMITED:

- […];

FACEBOOK IRELAND LIMITED having the last word;

The Restricted Committee adopted the following decision:

I. Facts and procedure

1. Created in 2004 and having its registered office in the United States (Menlo Park, California), FACEBOOK INC., renamed META PLAFORMS INC. since October 28, 2021, has developed a social network (hereinafter "the Facebook social network"), available on the web and on a mobile application, which allows users who have created an account to share their experiences and exchange views. The latter currently has more than 2.5 billion monthly active users worldwide.

2. META PLAFORMS INC. has several dozen offices in around thirty countries and has more than 35,000 employees worldwide. It has its own advertising agency and, since its creation, it has notably acquired the Instagram photo sharing service (2012) as well as the WhatsApp instant messaging service (2014). In 2020, it achieved a turnover of nearly 86 billion dollars for a net profit of more than 29 billion dollars. 98% of this turnover is generated by income from advertising implemented as part of its products and services.

3. FACEBOOK IRELAND LIMITED (hereafter "WIRE"), located at 4 Grand Canal Square, Grand Canal Harbor in Dublin, Ireland, represents itself as the headquarters of the Facebook group for its activities in the European region since 2008. Subsidiary of META PLAFORMS INC. it employs about […] people. In 2019, it achieved a turnover of more than […] euros for a net result of more than […] euros.

4. FACEBOOK FRANCE, located at 6 rue Ménars in Paris (75002), is the establishment of META PLAFORMS INC. in France. A subsidiary of META PLAFORMS INC., it employs […] employees. In 2019, it achieved a turnover of more than […] euros for a net profit […] euros.

5. On April 8, 2021, following four referrals recorded between October 2020 and March 2021, a CNIL delegation carried out an online check on the "facebook.com" website pursuant to decision no. 2021-044C of April 6, 2021 from the President of the National Commission for Computing and Liberties (hereinafter "the CNIL" or "the Commission").

6. The purpose of this mission was to verify compliance by the company with the provisions of law no. Computing and Liberties "" or "law of January 6, 1978"), in connection with processing consisting of operations of reading and/or writing information in the terminal of users residing in France during their visit to the site website "facebook.com".

7. On April 16, 2021, the delegation sent two questionnaires to the companies FACEBOOK FRANCE and FIL in order in particular to have them specify the purposes of the reading and/or writing operations carried out from the "facebook.com" website in the terminal of users residing in France and to have them confirm that FIL was indeed responsible for processing these transactions. The companies were also invited to specify their organization, their activities and the links that unite them.

8. The latter respectively responded to these questionnaires on May 21 and June 11, 2021, confirming in particular that the company FIL acted as "controller for the processing of personal data implemented in the context of the supply of the Facebook service to users in the European region, including for the operations of writing and reading cookies on the "facebook.com" website.

9. On July 26, 2021, on the basis of Article 22 of the Law of January 6, 1978, the President of the Commission appointed Ms Valérie PEUGEOT as rapporteur for the purposes of examining these elements.

10. On September 1, 2021, at the end of her investigation, the rapporteur notified FIL of a report detailing the breach of the "Informatique et Libertés" law that she considered constituted in this case with regard to freedom of consent, the company in particular not making available to users located in France, on the "facebook.com" website, a means of refusing operations to read and/or write information in their terminal presenting the same degree of simplicity as that intended to accept its use. Also attached to the report was a convocation to the restricted committee meeting of December 2, 2021.

11. This report proposed that the restricted committee of the Commission impose an administrative fine on the company FIL, as well as an injunction to bring into compliance the processing consisting of reading and/or writing operations of information made from the "facebook.com" website in the terminal of users residing in France with the provisions of article 82 of the "Informatique et Libertés" law, accompanied by a penalty payment. He also proposed that this decision be made public and no longer allow the company to be identified by name after the expiry of a period of two years from its publication.

12. By letter dated September 6, 2021, the company requested additional time from the chairman of the Restricted Committee to produce its observations in response to the rapporteur's report, which was granted to it on the following September 9, on the basis of the article 40, paragraph 4, of decree n° 2019-536 of May 29, 2019 taken for the application of the law "Informatique et Libertés" (hereinafter "the decree of May 19, 2019").

13. On October 8, 2021, the company submitted observations in response to the rapporteur's report.

14. On October 18, 2021, the rapporteur asked the chairman of the Restricted Committee for additional time to respond to the company's observations, which was granted to her on the following October 21, of which the company was informed on the same day.

15. On October 28, 2021, the rapporteur replied to the company's observations.

16. On October 29, 2021, the company asked the chairman of the Restricted Committee for an extension of the deadline for submitting its observations to the rapporteur's response, which was granted on November 4.

17. On 21 November 2021, the company submitted new observations in response to those of the rapporteur.

18. On November 29, 2021, the company made the request that the data expressly identified in its pleadings as subject to business secrecy not be disclosed to the public during the restricted training session, at which the chairman of the restricted training granted by letter dated November 30, 2021.

19. The company and the rapporteur presented oral observations during the restricted training session of December 2, 2021.

20. On December 6, 2021, the company sent the chairman of the Restricted Committee and the rapporteur additional information reporting on an update being rolled out on the "facebook.com" website.

II. Reasons for decision

A. On the competence of the CNIL

1. On the material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR

21. The provisions of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector - as amended by Directive 2006/24/EC of March 15, 2006 and by Directive 2009/136/EC of November 25, 2009 (hereinafter the "ePrivacy Directive") - which relate to the storage or access to information already stored in the terminal equipment of a subscriber or user, have been transposed into domestic law in article 82 of the "Informatique et Libertés" law, within chapter IV "Rights and obligations specific to processing in the electronic communications" of this law.

22. Under the terms of article 16 of the "Informatique et Libertés" law, "the restricted committee takes measures and pronounces sanctions against data controllers or subcontractors who do not respect the obligations arising [ …] of this law". According to Article 20, paragraph III, of this same law, "when the data controller or its subcontractor does not comply with the obligations resulting from […] this law, the president of the National Commission for Informatics and freedoms […] can seize the restricted formation".

23. The rapporteur considers that the CNIL is materially competent pursuant to these provisions to control and, if necessary, sanction the operations of access or registration of information carried out by the company in the terminals of users of the social network Facebook residing in France and, more particularly, the fact that the company ignores the freedom of consent of Internet users by not providing them with a means of refusing operations to read and/or write information in their terminal which presents the same degree of simplicity as that intended to accept its use.

24. The company contests this jurisdiction on the grounds that the breach of which it is accused does not come under the "ePrivacy" directive.

25. It argues that, unlike the companies Google and Amazon which were sanctioned by the Restricted Committee in December 2020 for a breach of the ban on placing cookies without having previously obtained the consent of the persons (CNIL decisions, Restricted Committee, 7 December 2020, SAN-2020-012 and SAN-2020-013), he is only accused, under this procedure, of having violated the rule according to which it must be as simple for users to refuse the filing of cookies than to consent to it.

26. However, according to the company, this rule would not result as such from any applicable legal or regulatory provision and would be a creation of the CNIL, formalized in the deliberations of September 17, 2020 No. 2020-091 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal (in particular to "cookies and other tracers") and n° 2020- 092 adopting a recommendation proposing practical compliance procedures in the event of the use of "cookies and other tracers" (hereinafter the guidelines and recommendation of September 17, 2020").

27. The company considers that assuming that this rule actually exists, it could only materially fall under Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the "Regulation" or the " GDPR"), as the CNIL would also have partially recognized in a communication of April 2, 2021 posted on its website, indicating that "the mere presence of a "Configure" button in addition to the "Accept all" button "tends, in practice, to dissuade refusal and therefore does not allow compliance with the requirements laid down by the GDPR".

28. The company concludes that it would be appropriate to apply the "one-stop shop" mechanism provided for in Chapter VII of these Rules to the present proceedings. Under this mechanism, when the company FIL, which has the status of controller in question, is established in Ireland and its central administration is located in this country, the supervisory authority competent to know the facts which against him would not be the CNIL but the Irish data protection authority, the Data Protection Commissioner (hereinafter "the DPC").

29. Firstly, the Restricted Committee recalls that a distinction should be made between, on the one hand, the operations consisting in depositing and reading cookies in a user's terminal and, on the other hand, the subsequent use that is made of the data generated by these cookies, for example for profiling purposes, referred to as "subsequent processing" (also called "subsequent").

30. It stresses that each of these two successive stages is subject to a different legal regime: while the read and/or write operations are governed by special rules, laid down by Article 5(3) of the "ePrivacy" directive, subsequent processing is subject to the GDPR and, as such, may be subject to the "one-stop shop" mechanism in the event that it is cross-border.

31. It recalls that it is apparent from the provisions cited above that the French legislator has instructed the CNIL to ensure compliance with the provisions of the "ePrivacy" directive transposed into Article 82 of the "Informatique et Libertés" law, in entrusting it in particular with the power to penalize any breach of this article. It emphasizes that this competence was recognized in particular by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the deliberation of the CNIL n ° 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal. The Council of State has indeed noted that "article 20 of this law entrusts [to] the president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from regulation (EU) 2016 /279 or of its own provisions, as well as the possibility of seizing the restricted formation with a view to imposing the sanctions likely to be pronounced "(CE, June 19, 2020, req. 434684, pt. 3).

32. In the present case, the Restricted Committee notes that the present procedure only covers the read and/or write operations implemented in the terminal of the user located in France visiting the Facebook social network, the material findings made by the delegation during the online check of April 8, 2021 that only related to these operations, without looking at the subsequent processing implemented from the data collected via these cookies.

33. Secondly, the Restricted Committee recalls that under the rules providing for the relationship between the "ePrivacy" directive and the GDPR, Article 1(2) of this directive provides that "the provisions of this directive specify and supplement Directive 95/46/EC "of the European Parliament and of the Council of 24 October 1995 on the protection of personal data [hereinafter "Directive 95/46/EC"]), it being recalled that, since the entry into application of the Regulation, references to Directive 95/46/EC should be understood as references to the GDPR, in accordance with Article 94 of the latter.

34. Similarly, it follows from recital 173 of the GDPR that this text explicitly provides not to be applicable to the processing of personal data "subject to specific obligations having the same objective [of protection of fundamental rights and freedoms] set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations of the controller and the rights of natural persons”.

35. The Restricted Committee points out that this articulation was confirmed by the Court of Justice of the European Union (hereinafter "the CJEU") in its Planet49 decision of October 1, 2019 (CJEU, Grand Chamber, October 1, 2019, Planet49 , C-673/17, point 42).

36. It also recalls that the "ePrivacy" directive provides, for the specific obligations it entails, its own mechanism for implementing and monitoring its application by leaving to the Member States, through its Article 15 bis , the care to specify, within the framework of their national law, the system of sanctions that they wish to implement in order to guarantee its effectiveness.

37. It notes in this case that the rule laid down in Article 5(3) of the "ePrivacy" directive, according to which read and/or write operations must systematically be the subject of an agreement of the user, after information, constitutes a specific obligation since it prohibits an actor from availing himself of the legal bases mentioned in article 6 of the GDPR in order to be able to lawfully carry out these reading and/or writing operations in the terminal. As a result, the violation of this rule falls under the special control and sanction mechanism provided for by the "ePrivacy" directive and not that provided for by the GDPR.

38. The Restricted Committee also notes that the EDPS, in his Opinion No. 5/2019 of 12 March 2019 on the interactions between the "privacy and electronic communications" directive and the GDPR, explicitly excluded the application of "one-stop shop" to facts materially falling under the "ePrivacy" directive in these terms: "in accordance with Chapter VII of the GDPR, the cooperation and consistency mechanisms available to the data protection authorities under the GDPR relate to the control the application of the provisions of the GDPR The mechanisms of the GDPR do not apply to the control of the application of the provisions of the "privacy and electronic communications" directive as such" (EDPS, opinion 5/2019, 12 March 2019, pt. 80).

39. It also notes that the CJEU, in a Facebook Belgium judgment delivered on 15 June 2021, took up the aforementioned Opinion 5/2019 of the EDPS, while following the conclusions of its Advocate General, Mr BOBEK, on this point, which considered that "in order to decide whether a case does indeed fall within the material scope of the GDPR, a national court, including any referring court, is required to seek the precise source of the legal obligation weighing on an economic operator which he is alleged to have breached. If the source of this obligation is not the GDPR, the procedures established by this instrument, which are linked to its main objective, are logically not applicable either" (CJEU , Opinion of Advocate General M. BOBEK, 13 January 2021, Facebook Belgium, C 645/19, points 37 and 38).

40. In the present case, the Restricted Committee notes that, in the present proceedings, the precise source of the legal obligation subject to the control finds its origin only in the specific obligation laid down in Article 5, paragraph 3, of the "ePrivacy" directive, transposed into French law in article 82 of the "Informatique et Libertés" law.

41. Thirdly, with regard to the scope to be given to this specific obligation, the Restricted Committee recalls that the operations of reading and/or writing in the user's terminal must systematically be subject to "consent prerequisite" of the user. It points out that under Article 2, paragraph f) of the "ePrivacy" Directive, consent must be understood in the sense of "consent of the data subject" as set out in Directive 95/46/EC. However, insofar as, as already mentioned, since the entry into force of the Regulation, the references made to Directive 95/46/EC must be understood as being made to the GDPR, it follows that the "consent" provided for in Article 5, paragraph 3, of the "ePrivacy" directive as transposed in article 82 of the "Informatique et Libertés" law must now be understood within the meaning of the GDPR.

42. In this regard, the Restricted Committee notes that consent within the meaning of the GDPR sets more requirements in this area than what was provided for in Article 2, h) of Directive 95/46/EC. In particular, under these new requirements, article 4, paragraph 11 of the GDPR requires that the consent now be unambiguous, which implies that it be given by a "clear positive act" and recital 42 of the GDPR reinforces its character. free, specifying that the person must now have a "true freedom of choice" when giving consent.

43. With regard to the operations of reading and/or writing information, this reinforcement of the free nature of consent implies that the methods which are offered to the user to express his choice are such that they do not encourage accepting cookies any more than rejecting them.

44. The Restricted Committee notes that it is in this sense that the communication from the CNIL of April 2, 2021 published on its website and denounced by the company should be understood. Indeed, by writing that "the mere presence of a "Configure" button in addition to the "Accept all" button tends, in practice, to dissuade refusal and therefore does not allow compliance with the requirements set by the GDPR", the CNIL only wanted to emphasize the strengthening of the requirements relating to the collection of the user's consent before any operation of reading and/or writing information in his terminal generated by the entry into application of the GDPR.

45. The Restricted Committee nevertheless stresses that while the GDPR does indeed support the conditions of consent, compliance with the special provisions resulting from the "ePrivacy" directive which impose this consent, now reinforced, of the user before any reading and/or writing in his terminal continues to come under, by virtue of the adage specialia generalibus derogant, the special rule laid down by article 5, paragraph 3, of the "ePrivacy" directive and, therefore, the special mechanism of control and penalty provided for in Article 15a of the same directive.

46. Thus, the simple reference to the GDPR operated by the provisions of the "ePrivacy" directive on the definition of consent is not sufficient to bring with it the applicability of the "one-stop shop" mechanism to the facts of the case.

47. Fourthly, the Restricted Committee observes that it would in any event be materially impossible in the current state of the law to apply the "one-stop shop" mechanism to facts falling within the scope of the "ePrivacy" directive and that this position is also the subject of a consensus at European level.

48. Indeed, the Member States, which are free to determine the national authority competent to hear violations of the national provisions adopted pursuant to the "ePrivacy" Directive, may have attributed this competence to an authority other than their national authority of data protection instituted by the GDPR, in this case to their telecommunications regulatory authority. Consequently, insofar as these latter authorities are not part of the EDPS, while this committee plays an essential role in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the "one-stop shop" to practices likely to be penalized by national supervisory authorities not sitting on this committee.

49. The Restricted Committee also points out that other national data protection authorities have also already imposed sanctions relating to breaches relating to the operations of reading and/or writing information in the user's terminal. The Spanish authority has thus issued several sanction decisions against various data controllers in exclusive application of the national provisions transposing the "ePrivacy" directive, in this case article 22, paragraph 2 of Ley 34/2002 of July 11 of Servicios de la Sociedad de la Información y de Comercio Electrónico, without implementing the cooperation procedure established by the GDPR.

50. Finally, the Restricted Committee notes that the question of a possible future application of the "one-stop shop" mechanism to the processing currently governed by the current "ePrivacy" directive is the subject of numerous discussions within the framework of the drafting of the "ePrivacy" regulation, which has been under negotiation for more than four years at European level. The very existence of these debates confirms that, as it stands, the "one-stop shop" mechanism provided for by the GDPR is not applicable to matters governed by the current "ePrivacy" directive.

51. It follows from the above that the "one-stop shop" mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to monitor and initiate a sanction procedure against the processing implemented by the company consisting of information reading and/or writing operations carried out from the "facebook.com" website in the terminal of users residing in France falling within the scope of the "ePrivacy" directive, under provided that this processing falls within its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

52. The rule of territorial application of the requirements set out in Article 82 of the "Informatique et Libertés" law is specified in Article 3, paragraph I, of this law, which provides: "without prejudice, as regards processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, the criteria provided for in Article 3 of this regulation, all the provisions of this law apply to the processing of personal data carried out within the framework of the activities of an establishment of a data controller (…) on French territory, whether or not the processing takes place in France”.

53. The rapporteur considers that the CNIL has territorial jurisdiction pursuant to these provisions when the processing covered by this procedure, consisting of operations to access and/or register information in the terminal of users residing in France when using the social network Facebook, in particular for advertising purposes, is carried out within the "framework of the activities" of the company FACEBOOK FRANCE, which constitutes the "establishment" on French territory of the Facebook group.

54. The company maintains that insofar as it would be appropriate to apply the rules of jurisdiction and cooperation procedures defined by the GDPR, the CNIL would not have territorial jurisdiction to hear this case given that the "real head office " of the Facebook group in Europe, i.e. the place of its central administration within the meaning of Article 56 of the GDPR, is located in Ireland.

55. The Restricted Committee notes that in order to determine whether the CNIL has jurisdiction to monitor compliance, by the company FIL, with the requirements provided for in Article 82 of the "Informatique et Libertés" law in the context of the processing in question , it is necessary to examine in this case whether the two criteria for the territorial application of the "Informatique et Libertés" law, provided for in paragraph I of its article 3, are met: namely, on the one hand, if Facebook has of an "establishment on French territory" and if, on the other hand, the processing in question is carried out "in the context of the activities of this establishment".

56. The Restricted Committee recalls in this sense that the "ePrivacy" directive does not itself explicitly set the rule of territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it "clarifies and complements Directive 95/46.EC", which provided at the time, in its Article 4, that "each Member State applies the national provisions which it adopts pursuant to this Directive to the processing of personal data when: a) the processing is carried out in the context of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations provided for by the applicable national law".

57. If this rule for determining the national law applicable within the Union is no longer relevant for the application of the rules of the GDPR, which replaced Directive 95/46/EC and applies uniformly throughout the territory of the Union, the Restricted Committee notes that the French legislator has maintained these two criteria of territorial application for the specific rules contained in the "Informatique et Libertés" law, in particular those which transpose the "ePrivacy" directive. As a result, as will be developed below, the case law of the CJEU on the application of Article 4 of Directive 95/46/EC remains relevant to clarify the scope to be given to these two criteria.

58. Firstly, on the existence of a Facebook establishment on French territory, the Restricted Committee recalls that the CJEU has consistently considered that the notion "in the context of the activities of an establishment" does not cannot be interpreted restrictively in data protection law and that to know whether a data controller had an "establishment" it was necessary to assess both the degree of stability of the installation and the reality of the exercise activities in a Member State, taking into account the specific nature of the economic activities and the provision of services in question (see in particular, CJEU, 1 October 2015, Weltimmo, C 230/14, pts. 25 to 31).

59. The Court has clarified in particular that "the concept of 'establishment', within the meaning of Directive 95/46, extends to any real and effective activity, even minimal, exercised by means of a stable establishment" (idem , pt. 30), the criterion of stability of the installation being examined with regard to the presence of "human and technical means necessary for the supply of concrete services in question" (idem, pt. 31). The Court further considered that a company, an autonomous legal person, from the same group as the data controller, may constitute an establishment of the data controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C -131/12, point 48).

60. In this case, the company FACEBOOK FRANCE, registered in France since February 3, 2011, is the headquarters of the French subsidiary of the company META PLAFORMS INC. It has premises located in Paris and employs approximately […] people. It is specified in the articles of association of this company, updated and filed with the registry of the Paris Commercial Court on July 9, 2020, that its purpose is "any activity relating, directly or indirectly, to the purchase, the sale or intermediation of advertising space on the Facebook Online Social Networking Platform or any other platform operated by the Facebook group, or any other commercial agreement, in its broadest sense, relating to online advertising space and in particular, without this list being exhaustive, the offer to buy, sell or provide online advertising space, the negotiation of contracts concerning online advertising space, the implementation of marketing strategies relating to offers for the sale of advertising space and any other advertising service that may be provided to advertisers, advertising agencies or any other third party".

61. As regards the links of this company with the company FIL, the Restricted Committee notes that they are both subsidiaries of the parent company of the group, the company META PLAFORMS INC., and that they are linked in particular to each other by a contract for the resale of advertising space and by a contract for the provision of services, in force since July 1, 2018.

62. In this regard, the Restricted Committee notes that if, in its response of May 21, 2021, the company FACEBOOK FRANCE stated that "in principle, FIL is the contracting company for advertisers and partners in France wishing to use the products and services advertising services "(…) for the creation, submission or distribution of advertisements or any other activity or any other commercial or sponsored content" (…)", it also clearly states that its role consists of "the provision of local support for advertisers and partners in France and for placing orders and invoicing for certain customers".

63. In particular, the Restricted Committee notes that under the contract for the provision of services, the company FACEBOOK FRANCE provides, on a non-exclusive basis, numerous services to the company FIL, including general, administrative, human resources, accounting, legal services , policies, marketing and partnership management.

64. Therefore, with regard to the nature of these services, the Restricted Committee considers that the company FACEBOOK FRANCE must be regarded as the establishment in France of the company FIL.

65. Secondly, on the existence of processing carried out "in the context of the activities" of the company FACEBOOK FRANCE, the Restricted Committee recalls that in its Wirtschaftsakademie decisions (CJEU, Grand Chamber, June 5, 2018, Wirtschaftsakademie, C -210/16, pts. 56 to 60) and Facebook Belgium (CJEU, grand chamber, June 15, 2021, Facebook Belgium, C-645/19, pts. 92 to 95), which are in line with the case law Google Spain of 13 May 2014 relating to the activities of the search engine Google in Spain (CJEU, Grand Chamber, 13 May 2014, Google Spain, C-131/12, pt. 55), the Court of Justice considered that the processing consisting in the collection of personal data by means of cookies deposited in the terminals of users visiting, in Germany and Belgium, pages hosted on the social network Facebook was respectively carried out "within the framework of the activities" of the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, German establishments nd and Belgian of the Facebook group, insofar as these establishments are intended to ensure, in their respective countries, the promotion and sale of the advertising space offered by this social network, which serves to make the service offered by Facebook profitable.

66. Thus, in the Facebook Belgium judgment, the Court of Justice noted "on the one hand, a social network such as Facebook generates a substantial part of its income thanks, in particular, to the advertising which is broadcast there and which the The activity carried out by the establishment located in Belgium is intended to ensure, in this Member State, even if only incidentally, the promotion and sale of advertising space which serves to make Facebook services profitable. on the other hand, the main activity carried out by Facebook Belgium, consisting in maintaining relations with the institutions of the Union and constituting a point of contact with them, aims in particular to establish the policy for the processing of personal data by Facebook Ireland. Under these conditions, the activities of the establishment of the Facebook group located in Belgium must be considered to be inseparably linked to the processing of personal data at issue in the main proceedings, for which Facebook Ireland is responsible with regard to the territory of the Union" (pts. 94-95).

67. Even if these three judgments concerned more specifically the subsequent processing implemented from cookies deposited in users' terminals – which justified the application of Directive 95/46/EC for the Google Spain and Wirtschaftsakademie cases and of the GDPR for the Facebook Belgium case – this case law remains relevant to clarify the scope to be given to the notion of processing carried out "in the context of the activities" of an establishment, the French legislator having taken it up, when transposing the "ePrivacy" directive, to establish the territorial jurisdiction of the CNIL with regard to processing covered by this directive.

68. In the present case, the Restricted Committee notes that the analyzes carried out in Germany and Belgium by the German and Belgian data protection authorities with regard to the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, and confirmed by the CJEU, can be reproduced in France by the CNIL concerning the company FACEBOOK FRANCE.

69. Indeed, it appears from the response of the company FACEBOOK FRANCE of May 21, 2021 that its activities consist in providing "advertising support services to advertisers and partners in France on behalf of FIL". More specifically, "it informs advertisers and partners in France about the use they can make of the Facebook advertising services offered by FIL. By way of illustration, FB France provides advice on how to use the tools and features of Facebook products in order to optimize advertising budgets or improve the quality of advertising campaigns”. Finally, "since July 1, 2018, [elle] also interacts with certain advertisers and partners in France, with regard to placing their orders and invoicing related to the resale of advertising space for their benefit".

70. Consequently, the Restricted Committee considers that the processing in question – consisting of operations to access or register information in the terminal of users residing in France when using the Facebook social network, in particular for advertising purposes – is carried out "as part of the activities of FACEBOOK FRANCE", a company which is "the establishment of Facebook on French territory" and participates, as such, in the promotion and marketing of Facebook products and their advertising solutions in France. Since the two criteria provided for in Article 3, paragraph I, of the "Informatique et Libertés" law are met, the processing is subject to French law.

71. The Restricted Committee emphasizes that the application of French law only concerns read and/or write operations carried out on French territory (Article 4 of Directive 95/46/EC moreover specified that the law of the Member State applied only to the activities of the establishment "on the territory of the Member State").

72. Finally, it notes that this has been a constant position on its part since the intervention of the Google Spain case law in 2014 (see in particular the CNIL decisions, restricted formation, April 27, 2017, SAN-2017-006 ; CNIL, restricted training, December 19, 2018, SAN-2018-011; CNIL, restricted training, December 7, 2021, SAN-2020-012 and CNIL, restricted training, December 7, 2021, SAN-2020-013).

73. It follows from the foregoing that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of taking a sanction measure concerning the processing in question which falls within the scope of application of the "ePrivacy" directive.

B. On the complaint alleging the illegality of this sanction procedure

74. The company denounces the fact of not having benefited from a prior formal notice, like the sixty players who were the subject of this corrective measure between May and July 2021 for similar facts, and invokes the violation of the principle of equality before the law which would result therefrom.

75. She maintains that this principle would also be disregarded because of the severity of the corrective measures proposed by the rapporteur in comparison with the recent decisions of the Restricted Committee pronounced against major players for non-compliance with the provisions of Article 82 of the "Informatique et Libertés" law (see CNIL decisions, restricted panel, November 18, 2020, SAN-2020-009, Carrefour Banque; December 7, 2020, SAN-2020-012, Amazon and SAN-2020-013, Google ; July 27, 2021, SAN-2021-013, Le Figaro).

76. With regard firstly to the lack of prior formal notice, the Restricted Committee notes that under Article 20, paragraph III, of the "Informatique et Libertés" law, the referral of a file to a sanction procedure belongs to the president of the CNIL alone, so that the restricted committee does not have to decide on the principle of its referral.

77. It also recalls that it follows from these provisions that the President of the CNIL is not required to send a formal notice to a data controller before initiating sanction proceedings against him. It adds that the possibility of directly initiating sanction proceedings has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, No. 433311, pt. 3).

78. Moreover, the Restricted Committee notes that a prior formal notice was all the less justified in this case as the company has already, following a prior formal notice, been the subject of a sanction from the Restricted Committee for breaches relating to cookies in 2017. The company therefore had to be both particularly vigilant in terms of compliance with its obligations in terms of cookies and also attentive to changes in the regulations in this area. matter, in particular following the strengthening of the conditions of consent following the entry into force of the GDPR.

79. The Restricted Committee notes, finally, that the CNIL has communicated in particular on these developments, in particular by defining an action plan relating to cookies, the terms of which were detailed in 2019 in a press release published on its website on 28 June 2019. The CNIL specified in particular that it would leave a "transitional period" to data controllers so that they have the time necessary to bring their reading and/or writing operations into compliance with the new requirements following the the entry into application of the GDPR and which would be enshrined in the new recommendation which was to be drafted. It was already stressing that it would carry out checks on compliance with this future recommendation within six months of its final adoption. Extended once, this adaptation period came to an end on April 1, 2021.

80. As regards, next, the amount of the fine proposed by the rapporteur, this has no impact on the legality of the procedure.

81. Consequently, the Restricted Committee considers that the complaint based on the illegality of the procedure must be dismissed.

C. On the breach of cookie obligations

82. Under the terms of article 82 of the "Informatique et Libertés" law, which transposes into French law the provisions of article 5, paragraph 3, of the "ePrivacy" directive, "any subscriber or user of a of electronic communications must be informed in a clear and complete manner, unless it has been informed beforehand, by the data controller or his representative:

1° The purpose of any action seeking to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment;

2° The means at his disposal to oppose it

These accesses or registrations can only take place on condition that the subscriber or user has expressed, after having received this information, his consent (…)”.

83. Under Article 2(f) of the ePrivacy Directive, consent has to be understood within the meaning of “consent of the data subject” as set out in Directive 95/46/EC. According to Article 94 of the GDPR "references to the repealed directive must be understood as references to the [GDPR]".

84. Under Article 4, paragraph 11, of the GDPR, to be validly obtained, consent must be a "manifestation of will, free, specific, informed and unambiguous by which the data subject accepts, by a declaration or by a clear positive act".

85. The scope of this article is informed by recital 42 of the GDPR, according to which "consent should not be considered to have been freely given if the data subject does not have a genuine freedom of choice or is not able to refuse or withdraw consent without prejudice”.

86. In the present case, the delegation noted in the context of the online check of 8 April 2021 that, when a user goes to the Facebook social network, a pop-up window whose title is "Accept cookies from Facebook in this browser" appears and, at the bottom of this window, there are two buttons labeled "Manage data settings" and "Accept all". It was also noted that at this stage no cookie was deposited in the user's terminal and that the latter was obliged to click on one of these two buttons in order to be able to continue browsing the social network.

87. Thus, when the user clicks on the "Accept all" button appearing at the bottom of this first window and gives his consent by this action to the reading and/or writing of information in his terminal, the window disappears , which allows him to continue browsing the social network.

88. When the user clicks on the "Manage data settings" button, a new pop-up window appears, including the two main purposes pursued by cookies subject to consent – personalized advertising carried out by Facebook and personalized advertising carried out by third parties – and next to which there are sliding buttons, disabled by default.

89. The delegation observed that when the user scrolls this second window, leaves the two sliding buttons disabled, and then clicks on the "Accept cookies" button at the bottom of this window, the latter disappears, allowing him to continue browsing the social network without advertising cookies having been placed on their terminal.

90. In the light of these findings, the rapporteur considers that the company has breached Article 82 of the "Informatique et Libertés" law, as clarified by the reinforced requirements in terms of consent laid down by the GDPR, as soon as when it does not make available to users residing in France, on the "facebook.com" website, a means of freely consenting by refusing the operations of reading and/or writing information in their terminal presenting the same degree of simplicity as that intended to accept its use. The rapporteur also considers that the information provided to the user does not allow him to clearly understand that he can refuse cookies.

91. It also notes by way of clarification that under the terms of its guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, adopted on 4 May 2020, the EDPS recalled that "the adjective "free" implies real choice and control for the persons concerned" (§13).

92. Similarly, in the context of its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of the use of "cookies and other tracers", the Commission considered , taking into account the aforementioned applicable texts, that "the controller must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity".

93. The company argues that neither the "ePrivacy" directive, nor its transposition into French law in article 82 of the "Informatique et Libertés" law provides for the rule that it must be as easy to refuse cookies as to accept them. She adds that this rule is not provided for by the GDPR either, whose Article 7(3) only introduces an obligation relating to the withdrawal of consent, which does not extend to the initial refusal to consent to Cookies.

94. It argues that the CNIL's guidelines and recommendation of September 17, 2020 do not have mandatory value and in any event do not refer to any binding provision of the GDPR or the "ePrivacy" directive when they refer to this rule which, in these two instruments of the CNIL, appears moreover under titles relating to the refusal of the consent and not to the freedom of the consent.

95. Finally, it maintains that its information path complies with the applicable rules since it does indeed provide, from the first window, information relating to the setting of cookies and that a distracted user reaches the second window allowing this setting, who would click on the "Accept cookies" button appearing at the bottom of this second window, would not see any advertising cookies deposited in their terminal.

96. Firstly, with regard to the terms of the refusal, the Restricted Committee refers to the provisions recalled in points 41 to 43 and in points 82 and following of this deliberation. It considers that, to guarantee the freedom of consent, it should in this case be as easy to refuse cookies as to accept them. She points out that the EDPS clarifies this point in his guidelines on consent adopted on 4 May 2020 by specifying that "the adjective 'free' implies real choice and control for the data subjects".

97. By applying this requirement of freedom of consent to cookies, it considers that making the refusal mechanism more complex than that allowing them to be accepted, for example by relegating the button allowing them to be refused to a second window, generally comes down to , in the context of web browsing, in reality to alter the freedom of choice of users by encouraging them to favor the acceptance of these cookies rather than their refusal.

98. It notes that this conclusion is corroborated in particular by an academic study entitled "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence" demonstration of their influence") conducted in 2020 from different cookie banners offered to a panel of users. In this study, researchers from the universities of Cambridge and MIT in particular demonstrated that 93.1% of Internet users confronted with cookie banners stop at the first level and that only a small minority of them go to the second level to personalize or refuse. This study also showed that relegating the opt-out button to the second level increased the cookie consent rate by an average of 23.1 percentage points.

99. It also recalls that, to take into account the changes brought about by the entry into force of the GDPR and in particular to clarify the scope to be given to the disputed rule in this procedure, the CNIL has changed its deliberation No. 2013 -378 of December 5, 2013 adopting a recommendation relating to cookies and other tracers (hereinafter "the recommendation of December 5, 2013").

100. This change was reflected first in the adoption of deliberation no. 2019-093 of July 4, 2019 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal (in particular to cookies and other tracers) (hereinafter "the guidelines of July 4, 2019), which already provided in its article 2, "that it must be as easy to refuse or withdraw consent as to give it ", then by that of the guidelines and the recommendation of September 17, 2020, which respectively repealed the guidelines of July 4, 2019 and the recommendation of December 5, 2013 .

101. The Restricted Committee underlines that the two instruments adopted in 2020 aim to interpret the legislative provisions and to enlighten the players on the implementation of concrete measures to guarantee compliance with these provisions, so that they implement these measures. or measures having equivalent effect, without however providing for new legal obligations. It notes that the guidelines of September 17, 2020 specify that their "main purpose is to recall and explain the law applicable to the operations of reading and/or writing information […] in the terminal equipment of electronic communications of the subscriber or user, and in particular the use of cookies (hereinafter "cookies") ".

102. It notes that article 2 of the guidelines of September 17, 2020 and article 2.4 of the recommendation of September 17, 2020 are very clear, the latter recalling that "the data controller must offer users both the possibility of accept than to refuse read and/or write operations with the same degree of simplicity".

103. It underlines that if, for the sake of pedagogy, these clarifications appear in these two instruments under titles which evoke its content rather than the legal source from which it proceeds ("As regards the modalities of refusal" for the recommendation of 17 September 2020, "On the refusal and withdrawal of consent" for the guidelines of September 17, 2020), it is indeed the requirement of freedom of consent laid down by the GDPR which implies, with regard to the deposit of cookies, that the methods offered to the user to express this choice are such that they do not encourage him to accept cookies any more than to refuse them.

104. The Restricted Committee notes, moreover, that the Council of State has already had the opportunity to rule on this question in its decision Association desagences-conseils en communication, in which it examined the guidelines of July 4, 2019. It thus ruled that: "the CNIL which, by indicating that it should "be as easy to refuse or withdraw consent as to give it", limited itself to characterizing the conditions of the user's refusal, without to define specific technical methods for expressing such a refusal, did not taint its deliberation with any ignorance of the rules applicable in the matter" (CE, June 19, 2020, n° 434684, T., pt 15).

105. It notes that this recital must be read in the light of the conclusions of the public rapporteur on this judgment, which noted: “As indicated by the CNIL, the contested guidelines do not impose any technical procedure for collecting this refusal. They limit themselves to requiring, generally and rightly, that it should not be more complicated to refuse than to accept" (CE, conclusions of the public rapporteur on judgment no. 434684, p. 17).

106. Finally, it emphasizes that in the guidelines and in the recommendation of September 17, 2020, the CNIL does not necessarily require the insertion of a "Refuse all" button, but recalls the importance of setting up an alternative simple allowing the user to refuse cookies as simply as accepting them, by giving examples of wording and methods that can be used by organizations so that the freedom of consent of users is truly respected.

107. Thus, under the recommendation of September 17, 2020, the CNIL proposes: "For example, at the first level of information stage, users can have the choice between two buttons presented at the same level and on the same format, on which are written respectively "accept all" and "reject all", "authorize" and "prohibit", or "consent" and "not consent", or any other equivalent and sufficiently clear wording. The Commission considers that this modality constitutes a simple and clear way to allow the user to express his refusal as easily as his consent. The expression of the refusal to consent can however result from other types of actions than that consisting in clicking on one of the buttons described above. In any event, the Commission recalls that the procedures allowing users to consent or refuse must be presented in a clear and understandable manner. In particular, when the refusal p Whether manifested by the simple closing of the consent collection window or by the absence of interaction with it for a certain period of time, this possibility must be clearly indicated to users on this window. Indeed, failing this, the user would be likely not to understand that these actions lead to the fact that no read or write operation subject to consent can legally take place. Appropriate design and information should allow him to fully understand the options available to him".

108. In the present case, the Restricted Committee recalls that, as appears from the findings made during the online check of April 8, 2021, when a user residing in France visits the "facebook.com" website, he can accept the deposit of advertising cookies in a single action, by clicking on the button entitled "Accept cookies" appearing on the first window.

109. It notes that, on the other hand, to refuse these cookies, the user must perform no less than three actions: first click on the button entitled "Manage data settings" located above the "Accept cookies" button " of the first window, scroll through the entire content of the second window, in particular to note that the two sliding buttons controlling the deposit of advertising cookies are deactivated by default, and finally click on the "Accept all" button located at the bottom of this second window.

110. In this case and as it has already mentioned, the Restricted Committee considers that the fact, for the company, of making the mechanism for refusing cookies more complex than that consisting in accepting them actually amounts to discouraging users to refuse cookies and to encourage them to favor the ease of the "Accept cookies" button. Indeed, a web user is generally led to consult many sites. Browsing the web is characterized by its speed and fluidity. Having to click on "Manage data settings" and having to understand how the page to refuse cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in this case, the company offers a choice between the acceptance or refusal of cookies, but the methods by which this refusal can be expressed, in the context of web browsing, skews expression of choice in favor of consent in such a way as to impair freedom of choice.

111. Secondly, with regard to the information provided, the Restricted Committee recalls that under Article 82 of the "Informatique et Libertés" law, the user must in particular be informed, before consenting to cookies , "the means at his disposal to oppose them", that is to say to refuse them, and that the information provided must be "clear and complete". It stresses that these provisions must be read in the light of recital 66 of the amending Directive 2009/136/EC "ePrivacy" which provides that "the methods chosen to provide information and offer the right of refusal should be as user-friendly as possible" .

112. It emphasizes that, in the context of its recommendation of 17 September 2020, the Commission took care to specify that this requirement for "clear and complete" information should be interpreted in such a way that "the information accompanying each actionable element allowing to express a consent or a refusal is easily understandable and does not require efforts of concentration or interpretation on the part of the user. Thus, it is particularly recommended to ensure that it does not is not worded in such a way that a cursory or careless reading might suggest that the selected option produces the opposite of what users thought they were choosing".

113. In the present case, it recalls that it appears from the online check of April 8, 2021 that once arrived on the "facebook.com" website, the user must, to refuse the deposit of advertising cookies, d first click on the "Manage Data Settings" button in the first window, scroll through the entire second popup window leaving both sliders disabled to not accept cookies, then click on the "Accept Cookies" button. cookies" appearing at the bottom of this second window.

114. If, as the company argues in defence, the Restricted Committee recognizes that a distracted user who clicks on the "Accept cookies" button appearing at the bottom of the second window would not see any advertising cookie deposited in his terminal from then on that the sliding buttons allowing to activate the deposit of these cookies are deactivated by default, it notes that it is particularly counter-intuitive to have to click on a button entitled "Accept cookies" to actually refuse their deposit.

115. The Restricted Committee considers that these methods rather encourage the user to think that it is ultimately not possible to continue browsing after having refused the deposit of advertising cookies since the entire process of refusing cookies is based on information referring to the acceptance of cookies.

116. It points out that this feeling can only be accentuated by the not very explicit nature of the "Manage data parameters" button proposed in the context of the first window, which does not clearly mention the existence of means for refusing Cookies.

117. It considers that the fact that ultimately cookies are not deposited has no effect on the confusion generated by this contradictory information path which can give the user the feeling that it is not possible to refuse the deposit. of cookies and that it does not have any control methods in this regard.

118. In view of these elements, the Restricted Committee considers that the information provided to users residing in France visiting the "facebook.com" page as well as the procedures for obtaining consent offered to them by the company on this site web do not comply with the provisions of article 82 of the law "Informatique et Libertés" as clarified by the reinforced requirements in terms of consent laid down by the GDPR.

III. On the pronouncement of corrective measures and publicity

119. Article 20 of Law No. 78-17 of 6 January 1978 as amended provides that: "when the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this law, the president of the National Commission for Computing and Liberties may […] seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures : […]

2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned with a view to exercising their rights, which may be accompanied, except in cases where the processing is implemented by the State, with a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted body; […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the annual worldwide turnover total for the previous year, whichever is higher. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted formation takes into account, in determining the amount of the fine, the criteria specified in the same article 83. "

Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the "Informatique et Libertés" law, provides that "Each supervisory authority shall ensure that the administrative fines imposed under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose a administrative fine and to decide on the amount of this fine.

A. On the pronouncement of an administrative fine and its amount

120. The company first argues that the demonstration by the rapporteur of the seriousness of the breach and the number of people concerned in support of her proposed sanction is insufficient.

121. She also argues that the rapporteur's developments relating to the scope of the breach and the financial benefits perceived as a result of the breach would be ineffective when the sliding buttons appearing on the second window are deactivated by default, so that a user distracted person who clicks on the "Accept cookies" button located at the bottom of this second window will not see any cookies deposited in their terminal.

122. The Restricted Committee recalls, in general terms, that Article 20, paragraph III, of the "Informatique et Libertés" law gives it jurisdiction to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% the total worldwide annual turnover of the previous financial year achieved by the data controller. The determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR to which this article refers.

123. Firstly, with regard to the imposition of an administrative fine, the Restricted Committee considers that it is first necessary to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach taking into account the nature, the scope of the processing and the number of people concerned by the latter.

124. It notes first of all that by not complying with the requirements of Article 82 of the "Informatique et Libertés" law, the company does not allow users residing in France to visit the "facebook.com" web page " to refuse cookies as easily as to accept them. By depriving them of this real freedom of choice, the company strongly encourages users to consent to the deposit of advertising cookies.

125. The Restricted Committee underlines the scope of the Facebook social network and the essential place it occupies in France, since it dominates the social network market by far, as noted by the Autorité de la concurrence in its Opinion No. 18-A-03 of March 6, 2018. It also notes the "network effects" generated by this dominant position, highlighted by the German competition authority in a decision of February 6, 2019.

126. It insists on the fact that this failure is all the more harmful for the persons concerned since, alongside its traditional function of maintaining and developing interpersonal relationships, this social network is also taking on an increasing role in areas as diverse as access to information, public debate, even civil security via the "Facebook danger check" (or "safety check") functionality in the event of a natural disaster or an attack, which are of certain importance in a democratic society.

127. It also stresses that the tracing of the persons concerned, which begins with the collection of information linked to the user account and which continues throughout the user's browsing on Facebook, for an advertising purpose clearly recognized by the data controller , does not stop at the borders of the social network.

128. It is not disputed that Facebook makes available to very many third-party sites a set of tracking tools – such as social plugins, connection buttons or the Facebook pixel – which will continue to collect data from users visiting these third-party sites to cross them with the data already collected within the framework of the social network in order to increase the valuation of this data. A 2019 study revealed the presence of these Facebook tracking tools on 44% of the world's 65,000 most visited websites, so the indirect scope of the processing is considerable.

129. Finally, with regard to the number of people concerned by the processing in question, the Restricted Committee recalls that, according to the own volumetric data provided by the company, the social network counts approximately […]monthly users in France, which corresponds to […] % of the population.

130. Secondly, the Restricted Committee considers that the criterion provided for in subparagraph k) of Article 83(2) of the GDPR relating to the financial benefits obtained as a result of the breach should be applied.

131. In this regard, it notes that insofar as Facebook follows a business model known as "targeted content matching", operating both in the collection of data, their valuation and the operational implementation of the advertisements broadcast in the banners deployed within the social network, the performance of its business model is mainly based on targeting tools and in particular on cookies, which make it possible to distinguish and reach the identified user in order to offer him advertising content adapted to his centers of interest and his profile.

132. In this case, the Restricted Committee considers that the breach in question provides undeniable financial advantages to the company, since the fact of opting for a process that facilitates the deposit of cookies more than refusal increases the share of users from which advertising cookies are likely to be deposited and therefore also increases the volume of advertising revenue generated by the profiling in which these cookies participate.

133. In this perspective, it appears from the financial elements of the company FACEBOOK INC., communicated by the company FIL, that the first derives nearly 98% of its gross income from the online advertising segment and that it operates a margin worldwide operational by around 40% in this segment. Even if all of these revenues are not directly linked to cookies, the Restricted Committee emphasizes that this segment is essentially based on the targeting of Internet users, in which the cookie participates directly by making it possible to single out and reach the identified user with a view to to display advertising content corresponding to their areas of interest and profile.

134. In this case, if it is not aware of the amount of profit made by the Facebook group from the collection and use of cookies on the French market via the income generated by targeted advertising aimed at French Internet users, the Restricted Committee notes that a proportional approximation based on the figures available to it, in particular the average income generated by a European user for the online advertising segment and the number of users residing in France, would lead to an estimate that the France would contribute to the net result of the company FACEBOOK INC., the parent company of the Facebook group, today named META PLAFORMS INC., for an amount between 550 and 660 million euros.

135. Secondly, with regard to the determination of the amount of the fine, the Restricted Committee recalls that pursuant to the provisions of Article 20, paragraph III, of the "Informatique et Libertés" law, the company FIL incurs a financial penalty of a maximum amount of 2% of its turnover, which was EUR […] in 2019.

136. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83, paragraph 2, of the Rules mentioned above, the Restricted Committee considers that a fine of 60 million euros against the company appears justified.

B. On the issuance of an injunction accompanied by a penalty payment

137. In its writings of October 8, 2021, the company indicated that an update of its interface for collecting consent to cookies would be being deployed in the European region, including in France, without however producing any proof. It specified that "this update for the European region does not introduce additional purposes for cookies, nor does it add new cookies" and that it aims to "improve the ergonomics of the interface ".

138. On December 6, 2021, the company shared screenshots documenting the nature of this update.

139. Firstly, the Restricted Committee notes that this update modifies in particular the content of the buttons of the first window "Manage data parameters" and "Accept all", which are now respectively entitled "Other options" and " Allow all cookies" and that in the second window the old single button "Allow cookies" is now called "Allow only essential cookies" and that next to it the company has introduced a second button called "Allow all Cookies ".

140. The Restricted Committee notes that, in accordance with the explanations already mentioned during the meeting and repeated by the company in the letter accompanying these screenshots, this update only concerns "users connected to the site www.facebook .com", which informal checks did indeed allow him to see.

141. Furthermore, and above all, the Restricted Committee notes that this update still does not put in place the means to refuse cookies as easily as they can accept them.

142. Consequently, since the interface resulting from this update still does not comply with the provisions of article 82 of the "Informatique et Libertés" law, as clarified by the reinforced requirements in terms of consent required by the GDPR, the Restricted Committee considers it necessary to issue an injunction so that the company complies with the applicable obligations in this area.

143. Secondly, the Restricted Committee recalls that a daily fine is a financial penalty per day of delay that the data controller will have to pay in the event of non-compliance with the injunction at the end of the execution period provided for . Its pronouncement may therefore sometimes prove necessary to ensure compliance of the data controller within a certain period.

144. The Restricted Committee adds that in order to keep the penalty payment its threatening function, its amount must be both proportionate to the seriousness of the breaches committed and adapted to the financial capacities of the controller. It also notes that for the determination of this amount it must also be taken into account that the breach concerned by the injunction indirectly contributes to the profits generated by the data controller.

145. In view of these elements, the Restricted Committee considers as justified the pronouncement of a penalty payment in the amount of 100,000 euros per day of delay and liquidable at the end of a period of three months.

C. Publicity of the decision

146. The company asks the restricted committee not to make its decision public.

147. The Restricted Committee considers, on the contrary, that the publication of this decision is justified in view of the seriousness of the breach in question, the scope of the processing and the number of persons concerned.

148. It also notes that this measure will make it possible to alert users of the Facebook social network residing in France of the characterization of the breach of Article 82 of the "Informatique et Libertés" law in its various branches and to inform them of the persistence the breach on the day of this deliberation and the injunction issued against the company to remedy it.

149. Finally, it considers that this measure is not disproportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

• impose an administrative fine against the company FACEBOOK IRELAND LIMITED in the amount of sixty million euros (60,000,000 euros) with regard to the breach of article 82 of the law "Informatique et Libertés ";

• pronounce against the company FACEBOOK IRELAND LIMITED, an injunction to modify, on the website "facebook.com", the procedures for obtaining the consent of users located in France to the operations of reading and/or writing of information in their terminal, by offering them a means of refusing these operations presenting a simplicity equivalent to the mechanism provided for their acceptance, in order to guarantee the freedom of their consent;

• accompany the injunction with a penalty payment of one hundred thousand euros (100,000 euros) per day of delay at the end of a period of three months following the notification of this deliberation, the supporting documents for compliance must be sent to the restricted training within this period;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication;

• send its deliberation to the company FACEBOOK FRANCE for its execution.

President

Alexander LINDEN

This decision may be appealed to the Council of State within four months of its notification.