CE - 449209: Difference between revisions

From GDPRhub
No edit summary
Line 74: Line 74:
The Council of State rejected Google’s appeal.  
The Council of State rejected Google’s appeal.  


First, according to the Council, the ePrivacy Directive, implemented in the French Data Protection Act, does not provide for the application of the one-stop-shop mechanism as mentioned in [[Article 56 GDPR|Article 56 GDPR]]. Although the conditions for consent are regulated by the GDPR, in Article 7, the deposit of cookies is regulated by the ePrivacy Directive. Hence, even if cross-border processing takes place, the CNIL is competent to monitor compliance with the objectives of this Directive. The Council then notes that “it follows that, as regards the control of the operations of access and recording of information in the terminals of users in France of an electronic communications service, even if they are the result of cross-border processing, the measures to monitor the application of the provisions transposing the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the Law of 6 January 1978.” The Council stipulated that there is no need to refer preliminary questions to the CJEU, because it had no doubt as to whether the one-stop-shop mechanism should be excluded in the context of cookies.
First, according to the Council, the ePrivacy Directive, implemented in the French Data Protection Act, does not provide for the application of the one-stop-shop mechanism as mentioned in [[Article 56 GDPR|Article 56 GDPR]]. Although the requirements for consent are regulated by the GDPR the deposit of cookies is regulated by the ePrivacy Directive. Hence, even if cross-border processing takes place, the CNIL is competent to monitor compliance with the objectives of such Directive. The Council then notes that “it follows that, as regards the control of the operations of access and recording of information in the terminals of users in France of an electronic communications service, even if they are the result of cross-border processing, the measures to monitor the application of the provisions transposing the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the Law of 6 January 1978.” The Council stipulated that there is no need to refer preliminary questions to the CJEU, because it had no doubt as to whether the one-stop-shop mechanism should be excluded in the context of cookies.


Second, the Council rejected Google’s argument that their right of defense had been infringed by the CNIL because they did not provide a prior formal notice and Google had been very cooperative during the procedure, since it is not required to provide such a formal notice before imposing a sanction. Third, on the substance of the matter, the Council confirmed the three violations of Article 82 of the Data Protection Act: (1) not obtaining the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) not providing clear information on the deposit of cookies, and (3) not implementing a mechanism to refuse the cookies.  
Second, the Council rejected Google’s argument that their right of defense had been infringed by the CNIL because they did not provide a prior formal notice, since it is not required to provide such a formal notice before imposing a sanction.
 
Third, on the substance of the matter, the Council confirmed the three violations of Article 82 of the Data Protection Act: (1) not obtaining the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) not providing clear information on the deposit of cookies, and (3) not implementing a mechanism to refuse the cookies.  


Lastly, the Council stated that the fines were not disproportionate in light of the financial capacities of the “two” companies. It considered Google’s market share of more than 90% with (an estimated) 47 million users in France and the large profits that follow from the targeted online advertisement. Moreover, it stated that Google did not genuinely cooperated with the CNIL since it did not provide advertising revenues, and the breaches were serious.
Lastly, the Council stated that the fines were not disproportionate in light of the financial capacities of the “two” companies. It considered Google’s market share of more than 90% with (an estimated) 47 million users in France and the large profits that follow from the targeted online advertisement. Moreover, it stated that Google did not genuinely cooperated with the CNIL since it did not provide advertising revenues, and the breaches were serious.

Revision as of 15:38, 2 February 2022

CE - 449209
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 55(1) GDPR
Article 56(1) GDPR
Article 5(3) ePrivacy Directive
Article 16 of the Law of 6 January 1978 on data processing, files and freedoms
Article 8 of the Law of 6 January 1978 on data processing, files and freedoms
Article 82 of the Law of 6 January 1978 on data processing, files and freedoms
Decided: 28.01.2022
Published: 28.01.2022
Parties: CNIL
Google LLC and Google Ireland Ltd.
National Case Number/Name: 449209
European Case Law Identifier: ECLI:EN:CECHR:2022:449209.20220128
Appeal from: CNIL (France)
SAN-2020-012
Appeal to: Not appealed
Original Language(s): French
Original Source: Légifrance Lebon Collection (in French)
Initial Contributor: Giel Ritzen

The French DPA (CNIL) rejected Google’s appeal to annul the CNIL’s fine of € 100 million, imposed for three violations of Article 82 of the French Data Protection Act, since the one-stop-shop mechanism did not apply to the CNIL’s obligation to monitor compliance with the act.

English Summary

Facts

On 7 December 2020, the French DPA (CNIL) imposed two fines totaling € 100 million on Google LLC and Google Ireland Ltd for violating Article 82 of the French Data Protection Act (which transposes the ePrivacy Directive). Google (1) had not obtained the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) had lacked to provide information, and (3) had not implemented a mechanism to refuse the cookies.

Google did not agree with the CNIL’s decision and brought the issue before court. First, it claimed that, since there is cross-border processing, the Irish DPA (DPC) is the lead supervisory authority since Google’s main establishment in the EU is in Ireland, and the CNIL therefore did not have competence to rule on this matter according to the one-stop-shop mechanism. Second, it found the fine to be disproportionate. Hence, it requested the Council of State to annul the decision, and to refer two preliminary questions to the CJEU, asking:

(1) whether the one-stop-shop mechanism provided for in Article 56 GDPR is excluded in the context of cross-border processing that falls within the scope of both the ePrivacy Directive and the GDPR, and

(2) whether Article 15a ePrivacy Directive violates the right to data protection because does not provide an obligation, but rather an option, “for the competent national regulatory authorities to adopt measures to ensure effective cross-border cooperation in the enforcement of national laws adopted pursuant to the directive and to create harmonised conditions for the provision of services involving cross-border data flows”.

Holding

The Council of State rejected Google’s appeal.

First, according to the Council, the ePrivacy Directive, implemented in the French Data Protection Act, does not provide for the application of the one-stop-shop mechanism as mentioned in Article 56 GDPR. Although the requirements for consent are regulated by the GDPR the deposit of cookies is regulated by the ePrivacy Directive. Hence, even if cross-border processing takes place, the CNIL is competent to monitor compliance with the objectives of such Directive. The Council then notes that “it follows that, as regards the control of the operations of access and recording of information in the terminals of users in France of an electronic communications service, even if they are the result of cross-border processing, the measures to monitor the application of the provisions transposing the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the Law of 6 January 1978.” The Council stipulated that there is no need to refer preliminary questions to the CJEU, because it had no doubt as to whether the one-stop-shop mechanism should be excluded in the context of cookies.

Second, the Council rejected Google’s argument that their right of defense had been infringed by the CNIL because they did not provide a prior formal notice, since it is not required to provide such a formal notice before imposing a sanction.

Third, on the substance of the matter, the Council confirmed the three violations of Article 82 of the Data Protection Act: (1) not obtaining the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) not providing clear information on the deposit of cookies, and (3) not implementing a mechanism to refuse the cookies.

Lastly, the Council stated that the fines were not disproportionate in light of the financial capacities of the “two” companies. It considered Google’s market share of more than 90% with (an estimated) 47 million users in France and the large profits that follow from the targeted online advertisement. Moreover, it stated that Google did not genuinely cooperated with the CNIL since it did not provide advertising revenues, and the breaches were serious.

Comment

It seems that, whereas the CNIL had formulated an extensive doctrine regarding the material and territorial competence, the Council of State mainly looked at the physical location of the terminal of the user, to determine the territorial competence.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Full Text

FRENCH REPUBLIC
IN THE NAME OF THE FRENCH PEOPLE

Given the following procedure:

By a summary request, an additional memorandum, a memorandum in reply and a new memorandum, registered on January 29, April 28 and October 29, 2021 and January 10, 2022 at the litigation secretariat of the Council of State, the companies Google LLC and Google Ireland Limited ask the Council of State:

1°) to cancel deliberation no. SAN-2020-012 of December 7, 2020 of the restricted formation of the National Commission for Computing and Liberties (CNIL) imposing administrative fines against them of a respective amount of 60 and 40 million euros;

2°) in the alternative, to refer the following questions to the Court of Justice of the European Union for a preliminary ruling:

" 1) Should Articles 1st §2 and 15 bis §4 of Directive 2002/58/EC of July 12, 2002 and Article 56 §1 of Regulation (EU) 2016/679 of April 27, 2016 be interpreted in meaning that, in the context of cross-border processing falling within the material scope of Directive 2002/58/EC and Regulation (EU) 2016/679, the "one-stop shop" mechanism provided for in Article 56 § 1 of this regulation is excluded for this cross-border processing '

" 2) Does Article 15 bis of Directive 2002/58/EC of July 12, 2002 violate the right to the protection of personal data enshrined in Article 16 § 1 of the Treaty on the Functioning of the European Union? European Union and Article 8 §1 of the Charter of Fundamental Rights of the European Union as well as the freedom to conduct a business protected by Article 16 of the same Charter, in that it merely provides for an option - and not an obligation - for the competent national regulatory authorities to adopt measures to ensure effective cross-border cooperation in monitoring the application of national laws adopted pursuant to the Directive and to create harmonized conditions for the provision of services involving cross-border data flows' ".

Having regard to the other documents in the file;

Seen :
- the Constitution ;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- the Treaty on the Functioning of the European Union;
- the Charter of Fundamental Rights of the European Union;
- Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002;
- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;
- Law No. 78-17 of January 6, 1978;
- the code of administrative justice;

After having heard in public session:

- the report of Mrs Christelle Thomas, Master of Requests,

- the conclusions of Mr. Laurent Domingo, public rapporteur;

The floor having been given, after the conclusions, to SCP Spinosi, lawyer for Google LLC and Google Ireland Limited;

Having regard to the note under advisement, recorded on January 12, 2022, presented by the National Commission for Computing and Liberties;

Considering the following:

1. The companies Google LLC and Google Ireland Limited request the cancellation of the deliberation of December 7, 2020 by which the restricted formation of the National Commission for Computing and Liberties (CNIL) imposed an administrative fine of an amount, respectively, of 60 million euros for the company Google LLC and 40 million euros for the company Google Ireland Limited, for breach of article 82 of the law of January 6, 1978 relating to data processing, files and freedoms, ordered them to bring the processing into compliance with the resulting obligations, subject to a penalty of 100,000 euros per day of delay at the end of a period of three months following notification of its deliberation, and decided to make its deliberation public, subject to an anonymization procedure at the end of a two-year period.

On the competence of the CNIL:

2. By virtue of the provisions of I of article 8 of the law of January 6, 1978 relating to data processing, files and freedoms, the CNIL, national supervisory authority within the meaning and for the application of the regulation (EU ) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC of 24 October 1995, known as the General Data Protection Regulation (GDPR), is responsible in particular for informing all data subjects and all data controllers of their rights and obligations and for ensuring that the processing of personal data are implemented in accordance with the provisions of the law of January 6, 1978 and the other provisions relating to the protection of personal data provided for by the legislative and regulatory texts, the law of the European Union and the s France's international commitments.

3. In particular, the first paragraph of article 16 of the law of January 6, 1978 provides that the restricted formation of the CNIL "takes measures and pronounces sanctions against data controllers or subcontractors who do not comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 and from this law under the conditions provided for in section 3 of this chapter". Pursuant to article 20 of the same law, the president of the CNIL may seize the restricted committee with a view to the pronouncement, after adversarial procedure, of one or more measures, among which are in particular the injunction to bring the processing with the obligations resulting from the law and the GDPR, which may be accompanied by a penalty payment the amount of which may not exceed 100,000 euros per day of delay, and an administrative fine which may not exceed 10 million euros or, s in the case of a business, 2% of its total worldwide annual turnover.

4. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications) specifically governs the processing of personal data in the electronic communications sector, specifying and supplementing, for this sector and for what it specifically deals with, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 relating to the protection of natural persons with regard to the processing of personal data and the free movement of such data, now replaced by the GDPR, article 94 of which repeals this directive while specifying that references to the repealed directive s understand as made under the GDPR.

5. Under paragraph 3 of Article 5 of Directive 2002/58/EC: "Member States shall ensure that the storage of information, or obtaining access to information already stored, in the terminal equipment of a subscriber or user is permitted only on condition that the subscriber or user has given his consent, after having received, in compliance with Directive 95/46/EC, information clear and complete information, including on the purposes of the processing. to the provider for the provision of an information society service expressly requested by the subscriber or user.

6. Under the terms of article 82 of the law of January 6, 1978 relating to data processing, files and freedoms, which proceeded to the transposition of paragraph 3 of article 5 of directive 2002/58/EC : "Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been informed beforehand, by the controller or his representative: 1° Of the purpose of any action tending to access, by electronic transmission, information already stored in its terminal electronic communications equipment, or to enter information in this equipment; / 2° The means at its disposal to oppose it. / Such access or registrations can only take place on the condition that the subscriber or the user has expressed, after having received this information, his consent which may result from appropriate parameters of his connection device or any other device placed under his control. trolling. / These provisions are not applicable if access to information stored in the user's terminal equipment or the recording of information in the user's terminal equipment: / 1° Either, has the exclusive purpose of enable or facilitate communication by electronic means; / 2° Either, is strictly necessary for the provision of an online communication service at the express request of the user".

7. It follows from the investigation that, pursuant to a decision of March 15, 2020 by the President of the CNIL, the services of this authority carried out, on March 16, an online check intended to verify compliance, on the "google.fr" website, the provisions of the law of January 6, 1978 and, in particular, its article 82. By the contested decision of December 7, 2020, the restricted committee of the CNIL ruled against companies Google LLC and Google Ireland Limited an injunction under penalty to bring the processing into conformity with the obligations resulting from article 82 of the law of January 6, 1978 as well as an administrative fine with regard to each of these companies for breach of the obligations of this article 82.

8. The CNIL Restricted Committee held to the provisions of article 16 of the law of January 6, 1978, cited in point 3, competence to take these measures due to breaches of the obligations resulting from article 82 of this law, transposing the objectives of paragraph 3 of Article 5 of Directive 2002/58/EC.

9. The applicant companies argue, invoking the provisions of Article 56 of the General Data Protection Regulation of April 27, 2016 (GDPR), that the competent authority to act in this case is not the CNIL. but, in the case of cross-border processing, the national supervisory authority of the establishment of the controller, that is to say in this case the Irish authority, which would be competent to act as lead supervisory authority for such cross-border processing.

10. According to paragraph 1 of article 55 of the regulation of 27 April 2016 (GDPR): "Each supervisory authority is competent to exercise the missions and powers vested in it in accordance with this regulation on the territory of the State member to which it belongs". Under the terms of paragraph 1 of Article 56 of the same regulation: "Without prejudice to Article 55, the supervisory authority of the main establishment or of the sole establishment of the controller or processor is competent to act as lead supervisory authority in relation to the cross-border processing carried out by that controller or processor, in accordance with the procedure provided for in Article 60".

11. However, according to Article 15a of Directive 2002/58/EC, relating to the penalties applicable to breaches of the objectives of this directive: "1. Member States shall determine the system of penalties, including criminal penalties if applicable, applicable to breaches of the national provisions adopted pursuant to this Directive and take all necessary measures to ensure that they are implemented.The penalties thus provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if it has subsequently been corrected (...) / 2. Without prejudice to any judicial remedy which may be available, Member States shall ensure that the competent national authority and, where appropriate, other national bodies shall have the power to order the cessation of the infringements referred to in paragraph 1. / 3. Member States shall ensure that the competent national authority and, the c where appropriate, other national bodies shall have the necessary investigative powers and resources, including the power to obtain any relevant information they may need, in order to monitor and control compliance with the national provisions adopted pursuant to this directive. / 4. The competent national regulatory authorities may adopt measures to ensure effective cross-border cooperation in the enforcement of national laws adopted pursuant to this Directive and to create harmonized conditions for the provision of services involving cross-border data flows".

12. It follows from the provisions cited in points 10 and 11, as interpreted by the Court of Justice of the European Union in its judgment of 1 October 2019, Bundesverband der Verbraucherzentralen und Verbraucherverbände Verbraucherzentrale Bundesverband eV/Planet49 GmbH (C-673 /17) and in its judgment of June 15, 2021, Facebook Ireland Ltd and others (C-645/19), only if the conditions for obtaining the user's consent provided for in the regulation of April 27, 2016 are applicable to the operations of reading and writing in a user's terminal, provision has not been made for the application of the so-called "one-stop shop" mechanism applicable to cross-border processing, defined in Article 56 of this regulation, for implementation and monitoring of Directive 2002/58/EC of 12 July 2002, which fall within the competence of the national supervisory authorities by virtue of Article 15a of this directive. It follows that, with regard to the control of operations for accessing and recording information in the terminals of users in France of an electronic communications service, even if proceeding from cross-border processing, the measures of control of the application of the provisions which transposed the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the law of January 6, 1978. Consequently, while in this case the contested decision intended ensure compliance with the sole obligations resulting from Article 82 of the Law of 6 January 1978 transposing the requirements of paragraph 3 of Article 5 of Directive 2002/58/EC, the applicant companies are not justified in maintaining that the CNIL's restricted training body would not have been competent, that it would have applied the disputed provisions incorrectly and made an error of assessment in considering that its competence excluded the application of the so-called "one-stop shop" mechanism. fuck".

13. In the absence of any reasonable doubt as to the correct application of the provisions of European Union law in question, there is no need to refer a matter to the Court of Justice of the European Union for a preliminary ruling. a question relating to the interpretation of the provisions of EU law at issue in this case. In addition, the option provided for in Article 15a of Directive 2002/58/EC of 12 July 2002, allowing national authorities to engage in cross-border cooperation with regard to monitoring the application of the provisions resulting from this directive, is not such as to deprive those authorities of the means to ensure the protection of personal data. It cannot, moreover, be regarded as hindering freedom of enterprise. It follows that, in the absence of any serious difficulty, the challenge by the applicant companies of the validity of Article 15a of Directive 2002/58/EC, with regard to the right to the protection of personal data and freedom of enterprise, can only be set aside, without there being any reason to refer this question of assessment of validity to the Court of Justice.

14. It follows from all of the foregoing that the pleas questioning the competence of the restricted formation of the CNIL to take the contested decision must be rejected.

On the regularity of the sanction procedure:

15. If the applicant companies maintain that the CNIL's restricted formation would have disregarded the rights of the defense and the requirements of the contradiction, in the absence of prior formal notice and taking into account the cooperation they provided during the procedure, it follows from the investigation that following the online check carried out on March 16, 2020 by the CNIL services on the "google.fr" website and the report drawn up in this context and sent to the applicant companies, they produced a response on April 30, 2020, before their hearing at the CNIL premises on July 22, 2020, after which they sent additional information on July 29, 2020. After the applicants were notified of the rapporteur's report on August 12, 2020, written observations were produced by the two companies on September 25, 2020. New observations were produced by them on October 26, 2020 in response to the observations. ion of the rapporteur dated 9 October. The applicant companies made oral observations during the session of the Restricted Committee and again produced written observations after this session, on December 2, 2020. Under these conditions, and while the pronouncement of a sanction is not subject to the prior intervention of a formal notice to the controller or its subcontractor by the president of the CNIL, the means can only be dismissed.

On breaches of cookie obligations:

16. It follows from the investigation that, as part of the online check carried out on March 16, 2020 on the "google.fr" website, it was found that, when a user went to the "google. fr", seven cookies were automatically placed on his terminal, without action on his part, as soon as he arrived on the site. Upon arrival on the "google.fr" page, an information banner was displayed at the bottom of the page, containing the words "Reminder concerning Google's privacy rules", opposite which appeared two buttons entitled " Remind me later” and “Consult now”. By clicking on the "Consult now" button, the user was not informed of the confidentiality rules applicable to cookies, nor of the possibility of refusing that they be installed on his terminal. To reach this information, it was necessary to scroll the content of the whole window, not to click on one of the five thematic hypertext links appearing in the content, and to click on the button "other options".

17. After the initiation of the penalty procedure, the applicant companies updated their system, from August 17, 2020, so that, since September 10, 2020, the user arriving on the "google .fr" now sees displaying, in the middle of its screen before being able to access the search engine, a pop-up window entitled "Before continuing", which contains preliminary information on the use of cookies by Google and includes two buttons titled "More information" and "I accept". However, the indications thus provided do not directly and explicitly inform the user about the purposes of cookies and the means of opposing them.

18. Furthermore, it also follows from the instruction that, of the seven cookies automatically placed on the user's terminal during the inspection of March 16, 2020, four pursued an advertising purpose and thus did not have the exclusive purpose of allow or facilitate communication by electronic means or were strictly necessary for the provision of an online communication service at the express request of the user. Following the update made from August 17, 2020, after the initiation of the sanction procedure, advertising cookies are no longer automatically deposited as soon as the user arrives on the page. " Google FR ". Despite the deactivation of the personalization of ads by the user, at least one cookie not falling under the category of so-called "opposition" cookies remained stored on the user's terminal. Google Ireland Limited, which itself acknowledged during the sanction procedure that this cookie had an advertising purpose, has not provided any convincing evidence to establish that in practice it would have had the exclusive purpose of allowing or to facilitate communication by electronic means or would have been necessary for the provision of the service at the request of the user.

19. It follows from the provisions of article 82 of the law of January 6, 1978 cited in point 6 that any operation to collect or deposit information stored in a user's terminal must be the subject of information prior, clear and complete relating to the purpose of cookies or other tracers and the means available to users to oppose them. It is with good reason that, by a sufficiently reasoned decision on this point and not vitiated by an error of assessment, the Restricted Committee of the CNIL held that the facts set out in the previous points characterized a lack of clear and complete information users, a lack of prior collection of their consent and a faulty mechanism for opposing cookies, as provided for by article 82 of the law of January 6, 1978.

20. Although the applicant companies invoke the principle of legality of offenses and penalties and the principles of legal certainty and legitimate expectations, arguing that the legal framework applicable to cookies was not consolidated on the date of the contested decision, it results from the investigation that after the entry into force, on May 25, 2018, of the regulation of April 27, 2016 (GDPR), the CNIL, by a deliberation dated July 4, 2019, adopted guidelines relating to the the application of article 82 of the law of January 6, 1978 to read or write operations in a user's terminal and repealed its previous recommendation of December 5, 2013. In order to allow players to integrate these new lines guidelines, the CNIL, in two press releases published on its website on June 28 and July 18, 2019, announced the establishment of an adaptation period during which it would refrain from prosecuting and sanctioning those responsible for ment under the new regulations applicable to cookies and other tracers, which was due to end six months after the adoption of its new deliberation relating to the operational procedures for obtaining consent in this area. However, these new guidelines of July 4, 2019, intended to adapt the reference framework for consent taking into account the modification of the law of January 6, 1978 by the ordinance of December 12, 2018 as a result of the GDPR, have not in question the pre-existing regime, provided for in II of article 32 of this same law, which already laid down the principle of prior consent to the deposit of cookies, that of clear and complete information for the user, as well as a right of opposition. It follows, since the procedure initiated by the CNIL against the two companies only related to rules prior to the GDPR and supervised by the CNIL from 2013, that the restricted formation of the CNIL was able, without disregarding the principle of the legality of offenses and penalties, nor, in any event, the principles of legal certainty and legitimate expectation, to initiate a procedure of control and sanction as to the respect, by the applicant companies, of the obligations provided for in Article Article 82 of the law of January 6, 1978, the scope of which has not been modified in this respect by bringing the law of January 6, 1978 into compliance with the GDPR, in particular with regard to the prior nature of consent.

On the proportionate nature of the sanction and corrective measures imposed:

21. On the one hand, under the terms of III of article 20 of the law of January 6, 1978: "When the data controller or its subcontractor does not comply with the obligations of Regulation (EU) 2016/679 of 27 April 2016 or of this law, the president of the National Commission for Computing and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: / 1° A call to order; / 2° An injunction to to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned with a view to exercising their rights, which may be accompanied, except in cases where the processing is implemented by the State, to a penalty payment, the amount of which may not exceed €100,000 per day of delay from the date set by the restricted committee; / (...) 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual revenue for the previous financial year, whichever is greater. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83. / The draft measure is, if necessary, submitted to the other supervisory authorities concerned according to the procedures defined in Article 60 of the same regulation".

22. On the other hand, pursuant to Article 83 of the General Data Protection Regulation of 27 April 2016, to which now refers, taking into account Article 94 of the Regulation, paragraph 2 of Article 15 of Directive 2002/58/EC, the administrative fines imposed by the supervisory authorities of the Member States must, in each case, be "effective, proportionate and dissuasive". To set the amount of the fine, the following must, in particular, be taken into account: "a) the nature, gravity and duration of the violation, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of harm they have suffered; (...) / c) any action taken by the controller or processor to mitigate the harm suffered by data subjects; (...) / f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating its possible negative effects; (...) / k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, as a result of the breach".

23. First, it follows from the investigation that, to set the amount of the penalty imposed on the applicants, the CNIL's restricted panel took into account the market share of more than 90% represented by the search engine of Google, with an estimated 47 million users in France, as well as particularly significant profits produced by the online targeted advertising segment enabled by the data collected through the use of cookies. It considered that the updates made following the initiation of the sanction procedure could not be regarded as genuine cooperation with the supervisory authority in the persistent absence, in particular, of communication to the latter of advertising revenues from Google companies in France. It did not retain an amount of penalty exceeding the ceiling set by article 20 of the law of January 6, 1978. Given the seriousness of the breaches noted and all the circumstances of the case, the restricted committee of the CNIL did not impose a sanction of a disproportionate amount on the companies Google LLC and Google Ireland Limited, the respective amounts of 60,000,000 euros and 40,000,000 euros retained for each of these companies not being disproportionate with regard to of the respective financial capacities of these two companies.

24. Secondly, if the restricted formation of the CNIL accompanied the injunction that it issued with regard to the applicant companies with a penalty payment of 100,000 euros per day of delay, this amount does not exceed the limit set by article 20 of the law of January 6, 1978 and cannot, in the circumstances of the case and having regard to the purpose of a penalty payment, be regarded as excessive. Moreover, this penalty was lifted by a new deliberation of the Restricted Committee on April 30, 2021, to take into account the changes proposed by the applicant companies to comply with the operative part of the contested deliberation.

25. Thirdly, by deciding, given the seriousness of the breach in question and the large number of users concerned, to make its deliberation public and to proceed with its anonymization at the end of a two-year period, the restricted formation of the CNIL did not taint its deliberation with an error of assessment.

26. It follows that the applicant companies are not justified in maintaining that the disputed deliberation, which is sufficiently reasoned, is vitiated by illegality because of the disproportionate nature of the measures which it pronounced.

27. It follows from all of the foregoing, without there being any need to refer the matter to the Court of Justice of the European Union for a preliminary ruling, that the applicant companies are not justified in requesting the annulment of the deliberation of the restricted formation of the CNIL that they are attacking.

D E C I D E :
--------------

Article 1: The request of the companies Google LLC and Google Ireland Limited is rejected.
Article 2: This decision will be notified to the companies Google LLC and Google Ireland Limited and to the Commission Nationale de l'Informatique et des Libertés.

Deliberated at the end of the meeting of January 12, 2022, attended by: Mr. Jacques-Henri Stahl, deputy president of the presiding litigation section; Mr. G... F..., Mr. Frédéric Aladjidi, Presidents of Chambers; Ms. J... C..., Ms. A... K..., MI.. B..., MD.. E..., Mr. Arno Klarsfeld, State Councilors and Ms. Christelle Thomas, master of requests-rapporteur.

Delivered on January 28, 2022.

President :
Signed: Mr. Jacques-Henri Stahl

The reporter:
Signed: Mrs. Christelle Thomas

The Secretary :
Signed: Mrs. H... L...

ECLI:EN:CECHR:2022:449209.20220128