CNIL (France) - SAN-2021-024
From GDPRhub
CNIL (France) - Délibération SAN-2021-024 | |
---|---|
Authority: | CNIL (France) |
Jurisdiction: | France |
Relevant Law: | Article 82 Loi "Informatique et Libertés" |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 31.12.2021 |
Published: | |
Fine: | 60,000,000 EUR |
Parties: | Facebook Ireland Limited |
National Case Number/Name: | Délibération SAN-2021-024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | Légifrance (in FR) |
Initial Contributor: | Frederick Antonovics |
The French DPA fined Facebook Ireland Limited €60,000,000 for failing to comply with Article 82 of the French Data Protection Act, and ordered the companies to modify the website "facebook.com" to offer French users a means of refusing to give consent that is as simple as the mechanism provided for their acceptance.
English Summary
Facts
-
Holding
-
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
HomeAround the lawAuthoritiesIndependent administrative authoritiesDeliberation SAN-2021-024 of December 31, 2021Deliberation SAN-2021-024 of December 31, 2021Search in: All contentsSelect a fund codes Consolidated texts Official newspaper Circulars and instructions Constitutional case law Administrative case law Judicial case law Financial case law Branch agreements and collective agreements Company agreements CNIL All content /*<![CDATA[*/ let searchConfigs = []; var config = {base:"CODE",value:"code",url:"\/search\/code",sort:["RELEVANCE"],defaultTarget:"ALL",targets:"ALL,TITLE,ARTICLE, TABLE,NUM_ARTICLE"}; searchConfigs.push(config); var config = {base:"LODA",value:"lawarticledecree",url:"\/search\/laws",sort:["RELEVANCE","SIGNATURE_DATE_DESC","SIGNATURE_DATE_ASC","PUBLICATION_DATE_DESC","PUBLICATION_DATE_ASC"] ,defaultTarget:"ALL",targets:"ALL,TITLE,NUM_ARTICLE,ARTICLE,VISA_NOTICE,NUM,NOR,SIGNATURE"}; searchConfigs.push(config); var config = {base:"JORF",value:"jorf",url:"\/search\/jorf",sort:["RELEVANCE","SIGNATURE_DATE_DESC","SIGNATURE_DATE_ASC","PUBLICATION_DATE_DESC","PUBLICATION_DATE_ASC"] ,defaultTarget:"ALL",targets:"ALL,TITLE,NOR,NUM,NUM_ARTICLE,ARTICLE,VISA_NOTICE,SIGNATURE"}; searchConfigs.push(config); var config = {base:"CIRC",value:"circ",url:"\/search\/circ",sort:["RELEVANCE","SIGNATURE_DATE_DESC","SIGNATURE_DATE_ASC","PUBLICATION_DATE_DESC","PUBLICATION_DATE_ASC"] ,defaultTarget:"ALL",targets:"ALL,TITLE,NOR"}; searchConfigs.push(config); var config = {base:"ACCO",value:"acco",url:"\/search\/acco",sort:["RELEVANCE","SIGNATURE_DATE_DESC","SIGNATURE_DATE_ASC"],defaultTarget:"ALL",targets :"ALL,COMPANY_NAME,IDCC,TITLE"}; searchConfigs.push(config); var config = {base:"CONSTIT",value:"constit",url:"\/search\/constit",sort:["RELEVANCE","DATE_DESC","DATE_ASC"],defaultTarget:"ALL",targets :"ALL,TITLE,NUM_DEC,TEXT"}; searchConfigs.push(config); var config = {base:"CETAT",value:"cetat",url:"\/search\/cetat",sort:["RELEVANCE","DATE_DESC","DATE_ASC"],defaultTarget:"ALL",targets :"ALL,TITLE,NUM_DEC,ABSTRATS,TEXTE"}; searchConfigs.push(config); var config = {base:"JURI",value:"juri",url:"\/search\/juri",sort:["RELEVANCE","DATE_DESC","DATE_ASC"],defaultTarget:"ALL",targets :"ALL,TITLE,NUM_AFFAIRE,ABSTRATS,TEXTE"}; searchConfigs.push(config); var config = {base:"JUFI",value:"jufi",url:"\/search\/jufi",sort:["RELEVANCE","DATE_DESC","DATE_ASC"],defaultTarget:"ALL",targets :"ALL,TITLE,NUM_DEC,ABSTRATS,TEXTE"}; searchConfigs.push(config); var config = {base:"KALI",value:"kali",url:"\/search\/kali",sort:["RELEVANCE"],defaultTarget:"ALL",targets:"ALL,TITLE,ARTICLE, IDCC"}; searchConfigs.push(config); var config = {base:"CNIL",value:"cnil",url:"\/search\/cnil",sort:["RELEVANCE"],defaultTarget:"ALL",targets:"ALL,TITLE,NOR, NUM_DELIB"}; searchConfigs.push(config); var config = {base:"ALL",value:"all",url:"\/search\/all",sort:["RELEVANCE"],defaultTarget:"ALL",targets:"ALL,TITLE"}; searchConfigs.push(config); var typesSearch = []; var type = {value:"ALL", proximity:true}; typesSearch.push(type); var type = {value:"EXACT", proximity:false}; typesSearch.push(type); var type = {value:"ONE", proximity:false}; typesSearch.push(type); var type = {value:"EXCEPT", proximity:false}; typesSearch.push(type); var type = {value:"EXACTEXCEPT", proximity:false}; typesSearch.push(type); var tabTarget = []; /*]]>*/ In all fieldsSelect a search fieldIn all fieldsIn titlesIn tables of contentsIn NORIn text numberstarget.type.idIn deliberation numbersIn decision numbersIn article numbersIn article contentIn ministry namesIn visasIn the noticesIn the visas or noticesIn the preparatory worksIn the signaturesIn the notasIn the case numbersIn the abstractsIn the summariesIn the content of the textsIn the ECLIIn the numbers of referred lawsIn the types of decisions renderedIn the internal numbersIn the OJ or BO publication referencesIn the summariesIn the reference textsIn the titles of referred lawsIn the company namesIn the key wordsIn the IDCCEx. : L. 121-1, CGI, 10-15056, fraud, protected adultssearchAdvanced searchPrintCopy the textDeliberation SAN-2021-024 of December 31, 2021Commission Nationale de l'Informatique et des LibertésNature of the deliberation: SanctionLegal status: In force Date of publication on Légifrance: Thursday, January 06, 2022Deliberation of the restricted formation n°SAN-2021-024 of December 31, 2021 concerning the company FACEBOOK IRELAND LIMITEDThe National Commission for Computing and Liberties, meeting in its restricted formation composed of Messrs. -Pierre CABOURDIN, vice-president, Ms Christine MAUGÜE and Anne DEBET and Mr Alain DRU, members; Having regard to regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and to the free movement of such data; Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data of a personal nature and the protection of privacy in the electronic communications sector; Having regard to law no. 78-17 of 6 January 1978 relating to data processing, files and freedoms, in particular its articles 20 and following; no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms; Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the rules of procedure of the National Commission for Computing and Liberties; Having regard to decision no. 2021-044C of April 6, 2021 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to proceed or carry out a mission to verify the processing accessible from the "facebook.com" domain or relating to personal data collected from the latter; Having regard to the decision of the President of the National Commission for Informatics and freedoms appointing a rapporteur before the restricted committee, dated July 26, 2021; Having regard to the report of Mrs. Valérie PEUGEOT, reporting auditor, notified to the company FACEBOOK IRELAND LIMITED on September 1, 2021; Having regard to the written observations submitted by the board of the company FACEBOOK IRELAND LIMITED on October 8, 2021; Having regard to the response of the rapporteur to these observations notified to the company FACEBOOK IRELAND LIMITED on October 28, 2021; Having regard to the new written observations submitted by the board of the company FACEBOOK IRELAND LIMITED, received on November 21, 2021; Having regard to the letter sent by the company FACEBOOK IRELAND LIMITED to the chairman of the Restricted Committee and to the rapporteur on December 6, 2021; Having regard to the oral observations made during the meeting of the Restricted Committee; Having regard to the other documents in the file; Were present, during the session of the restricted committee of December 2, 2021:- Mrs Valérie PEUGEOT, commissioner, heard in her report ;As representatives of the company FACEBOOK IRELAND LIMITED:- […];The company FACEBOOK IRELAND LIMITED having the floor last;The Restricted Committee adopted the following decision:I. Facts and procedure1. Founded in 2004 and headquartered in the United States (Menlo Park, California), FACEBOOK INC., renamed META PLAFORMS INC. since October 28, 2021, has developed a social network (hereinafter "the Facebook social network"), available on the web and on a mobile application, which allows users who have created an account to share their experiences and exchange views. The latter currently has more than 2.5 billion monthly active users worldwide.2. META PLAFORMS INC. has several dozen offices in around thirty countries and has more than 35,000 employees worldwide. It has its own advertising agency and, since its creation, it has notably acquired the Instagram photo sharing service (2012) as well as the WhatsApp instant messaging service (2014). In 2020, it achieved a turnover of nearly 86 billion dollars for a net profit of more than 29 billion dollars. 98% of this turnover is generated by income from advertising implemented as part of its products and services.3. FACEBOOK IRELAND LIMITED (hereafter "FIL"), located at 4 Grand Canal Square, Grand Canal Harbor in Dublin, Ireland, presents itself as the headquarters of the Facebook group for its activities in the European region since 2008. Subsidiary of META PLAFORMS INC. it employs about […] people. In 2019, it achieved a turnover of more than […] euros for a net profit of more than […] euros.4. FACEBOOK FRANCE, located at 6 rue Ménars in Paris (75002), is the establishment of META PLAFORMS INC. in France. A subsidiary of META PLAFORMS INC., it employs […] employees. In 2019, it achieved a turnover of more than […] euros for a net profit […] euros.5. On April 8, 2021, following four referrals recorded between October 2020 and March 2021, a CNIL delegation carried out an online check on the "facebook.com" website in application of decision no. 2021-044C of 6 April 2021 from the President of the National Commission for Computing and Liberties (hereinafter "the CNIL" or "the Commission").6. The purpose of this mission was to verify compliance, by the company, with the provisions of law no. Freedoms "" or "law of January 6, 1978"), in connection with processing consisting of operations of reading and/or writing information in the terminal of users residing in France during their visit to the website " facebook.com".7. On April 16, 2021, the delegation sent two questionnaires to the companies FACEBOOK FRANCE and FIL in order in particular to have them specify the purposes of the reading and/or writing operations carried out from the "facebook.com" website in the terminal of the users residing in France and to have them confirm that FIL was indeed responsible for processing these operations. The companies were also invited to specify their organization, their activities and the links which unite them.8. The latter respectively responded to these questionnaires on May 21 and June 11, 2021, confirming in particular that the company FIL acted as "controller for the processing of personal data implemented in the context of the provision of the service. Facebook to users in the European region, including for cookie writing and reading operations on the “facebook.com” website.9. On July 26, 2021, on the basis of Article 22 of the Law of January 6, 1978, the President of the Commission appointed Mrs Valérie PEUGEOT as rapporteur for the purposes of examining these elements.10. On September 1, 2021, at the end of her investigation, the rapporteur notified FIL of a report detailing the breach of the "Informatique et Libertés" law that she considered constituted in this case with regard to the freedom of consent, the company in particular not making available to users located in France, on the "facebook.com" website, a means of refusing operations to read and/or write information in their terminal presenting the same degree of simplicity than that intended to accept its use. Also attached to the report was a convocation to the restricted committee meeting of December 2, 2021.11. This report proposed that the restricted committee of the Commission impose an administrative fine on the company FIL, as well as an injunction to bring into compliance the processing consisting of operations to read and/or write information carried out from the “facebook.com” website in the terminal of users residing in France with the provisions of article 82 of the “Informatique et Libertés” law, accompanied by a penalty payment. It also proposed that this decision be made public and no longer allow the company to be identified by name after the expiry of a period of two years from its publication.12. By letter dated September 6, 2021, the company requested additional time from the chairman of the restricted committee to produce its observations in response to the rapporteur's report, which was granted to it on the following September 9, on the basis of Article 40, paragraph 4, of decree n° 2019-536 of May 29, 2019 taken for the application of the law “Informatique et Libertés” (hereinafter “the decree of May 19, 2019”).13. On October 8, 2021, the company submitted observations in response to the rapporteur's report.14. On October 18, 2021, the rapporteur asked the chairman of the Restricted Committee for additional time to respond to the company's observations, which was granted to her on the following October 21, of which the company was informed on the same day.15. On October 28, 2021, the rapporteur responded to the company's observations.16. On October 29, 2021, the company asked the chairman of the Restricted Committee for an extension of the deadline for submitting its observations to the rapporteur's response, which was granted on the following November 4.17. On 21 November 2021, the company submitted new observations in response to those of the rapporteur.18. On November 29, 2021, the company made the request that the data expressly identified in its writings as subject to business secrecy not be disclosed to the public during the session of the restricted committee, at which the chairman of the restricted committee made right by letter dated November 30, 2021.19. The company and the rapporteur presented oral observations during the restricted committee meeting of December 2, 2021.20. On December 6, 2021, the company sent the Chairman of the Restricted Committee and the rapporteur additional information reporting on an update being deployed on the "facebook.com" website.II. Reasons for decisionA. On the competence of the CNIL1. On the material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR21. The provisions of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector - as amended by Directive 2006/ 24/EC of March 15, 2006 and by Directive 2009/136/EC of November 25, 2009 (hereinafter the "ePrivacy Directive") - which relate to the storage or access to information already stored in the terminal equipment of a subscriber or user, have been transposed into domestic law in article 82 of the law "Informatique et Libertés", in chapter IV "Rights and obligations specific to processing in the electronic communications sector " of this law.22. Under the terms of article 16 of the law " Computing and Freedoms ", " the restricted formation takes the measures and pronounces the sanctions against the data controllers or the subcontractors who do not respect not the obl igations arising […] from this Act”. According to Article 20, paragraph III, of this same law, "when the data controller or its subcontractor does not comply with the obligations resulting from […] this law, the president of the National Commission for Informatics and freedoms […] can seize the restricted formation ".23. The rapporteur considers that the CNIL is materially competent pursuant to these provisions to control and, if necessary, sanction the operations of access or registration of information carried out by the company in the terminals of users of the Facebook social network residing in France and, more particularly, the fact that the company ignores the freedom of consent of Internet users by not providing them with a means of refusing operations to read and/or write information in their terminal which has the same degree of simplicity than that intended to accept its use.24. The company contests this jurisdiction on the grounds that the breach of which it is accused does not come under the "ePrivacy" directive.25. It argues that, unlike the companies Google and Amazon which were sanctioned by the Restricted Committee in December 2020 for a breach of the ban on placing cookies without having previously obtained the consent of the persons (CNIL decisions, Restricted Committee, December 7, 2020 , SAN-2020-012 and SAN-2020-013), he is only accused, under this procedure, of having violated the rule according to which it must be as simple for users to refuse the deposit of cookies as to consent thereto.26. However, according to the company, this rule would not result as such from any applicable legal or regulatory provision and would be a creation of the CNIL, formalized in the deliberations of September 17, 2020 No. 2020-091 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal (in particular to "cookies and other tracers") and n° 2020-092 on adoption of a recommendation proposing practical methods of compliance in the event of the use of "cookies and other tracers" (hereinafter the guidelines and recommendation of September 17, 2020 ").27. The company considers that assuming that this rule actually exists, it could only materially fall under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation" or the "GDPR"), as would have been elsewhere partially recognized the CNI L in a communication dated April 2, 2021 posted on its website, indicating that "the mere presence of a "Configure" button in addition to the "Accept all" button tends, in practice, to deter refusal and therefore does not allow not to comply with the requirements of the GDPR ".28. The company concludes from this that it would be appropriate to apply the "one-stop shop" mechanism provided for in Chapter VII of these Rules to the present proceedings. Under this mechanism, when the company FIL, which has the status of controller in question, is established in Ireland and its central administration is located in this country, the supervisory authority competent to know the facts which he is accused of not being the CNIL but the Irish data protection authority, the Data Protection Commissioner (hereinafter "the DPC").29. Firstly, the Restricted Committee recalls that a distinction should be made between, on the one hand, the operations consisting in depositing and reading cookies in a user's terminal and, on the other hand, the subsequent use that is made of the data generated by these cookies, for example for profiling purposes, referred to as "subsequent processing" (also called "subsequent").30. It stresses that each of these two successive stages is subject to a different legal regime: while the read and/or write operations are governed by special rules, set out in Article 5(3) of the Directive " ePrivacy", subsequent processing is subject to the GDPR and, as such, may be subject to the "one-stop shop" mechanism in the event that it is cross-border.31. It recalls that it appears from the provisions cited above that the French legislator has instructed the CNIL to ensure compliance with the provisions of the "ePrivacy" directive transposed into article 82 of the "Informatique et Libertés" law, by entrusting it with in particular the power to penalize any breach of this article. It emphasizes that this competence was recognized in particular by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the deliberation of the CNIL n ° 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal. The Council of State has indeed noted that "article 20 of this law entrusts [to] the president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from regulation (EU) 2016 /279 or of its own provisions, as well as the possibility of seizing the restricted formation with a view to pronouncing the sanctions likely to be pronounced "(CE, June 19, 2020, req. 434684, pt. 3).32. In the present case, the Restricted Committee notes that this procedure only covers the read and/or write operations implemented in the terminal of the user located in France visiting the Facebook social network, the material findings carried out by the delegation during the online check of April 8, 2021 which only related to these operations, without being interested in the subsequent processing implemented from the data collected via these cookies.33. Secondly, the Restricted Committee recalls that under the rules providing for the relationship between the "ePrivacy" directive and the GDPR, Article 1 paragraph 2 of this directive provides that "the provisions of this directive specify and supplement the Directive 95/46/EC" of the European Parliament and of the Council of 24 October 1995 on the protection of personal data [hereinafter "Directive 95/46/EC"]), it being recalled that, since the entry into force of Regulation, references to Directive 95/46/EC should be understood as references to the GDPR, in accordance with Article 94 of the latter.34. Similarly, it appears from recital 173 of the GDPR that this text explicitly provides that it is not applicable to the processing of personal data "subject to specific obligations having the same objective [of protection of fundamental rights and freedoms] set out in the Directive 2002/58/EC of the European Parliament and of the Council, including the obligations incumbent on the controller and the rights of natural persons ".35. The Restricted Committee points out that this articulation was confirmed by the Court of Justice of the European Union (hereinafter "the CJEU") in its Planet49 decision of October 1, 2019 (CJEU, grand chamber, October 1, 2019, Planet49, C -673/17, point 42).36. It also recalls that the "ePrivacy" directive provides, for the specific obligations it includes, its own mechanism for implementing and monitoring its application by leaving to the Member States, through its article 15 bis, the care to specify, within the framework of their national law, the system of sanctions which they wish to implement in order to guarantee its effectiveness.37. It notes in this case that the rule laid down in Article 5(3) of the "ePrivacy" directive, according to which read and/or write operations must systematically be subject to the prior agreement of the user, after information, constitutes a specific obligation since it prohibits an actor from relying on the legal bases mentioned in article 6 of the GDPR to be able to lawfully carry out these read and/or write operations in the terminal . As a result, the violation of this rule falls under the special control and sanction mechanism provided for by the "ePrivacy" directive and not that provided for by the GDPR.38. The Restricted Committee also notes that the EDPS, in his Opinion No. 5/2019 of March 12, 2019 on the interactions between the "Privacy and Electronic Communications" Directive and the GDPR, explicitly excluded the application of the " one-stop shop" to facts materially falling under the "ePrivacy" directive in these terms: "in accordance with Chapter VII of the GDPR, the cooperation and consistency mechanisms available to the data protection authorities under the GDPR concern the control of the application of the provisions of the GDPR. The mechanisms of the GDPR do not apply to the control of the application of the provisions of the "privacy and electronic communications" directive as such" (EDPS, opinion 5/2019, 12 March 2019 , pt. 80).39. It also notes that the CJEU, in a Facebook Belgium judgment delivered on 15 June 2021, took up the aforementioned opinion 5/2019 of the EDPS, while following on this point the conclusions of its Advocate General, Mr BOBEK, who considered that "in order to decide whether a case actually falls within the material scope of the GDPR, a national court, including any referring court, is required to seek the precise source of the legal obligation weighing on an economic operator whose is alleged to have breached it. If the source of this obligation is not the GDPR, the procedures established by this instrument, which are linked to its main purpose, are logically not applicable either" (CJEU, conclusions of Advocate General M. BOBEK, 13 January 2021, Facebook Belgium, C 645/19, points 37 and 38).40. In this case, the Restricted Committee notes that, in the present procedure, the precise source of the legal obligation subject to the control finds its origin only in the specific obligation laid down in Article 5, paragraph 3, of the Directive " ePrivacy", transposed into French law in article 82 of the law "Informatique et Libertés".41. Thirdly, with regard to the scope to be given to this specific obligation, the Restricted Committee recalls that the operations of reading and/or writing in the user's terminal must systematically be the subject of "prior consent" of the user. It points out that under Article 2(f) of the ePrivacy Directive, consent has to be understood within the meaning of "consent of the data subject" as set out in Directive 95/46/EC. However, insofar as, as already mentioned, since the entry into force of the Regulation, the references made to Directive 95/46/EC must be understood as being made to the GDPR, it follows that the "consent" provided for in Article 5, paragraph 3, of the “ePrivacy” directive as transposed in article 82 of the “Informatique et Libertés” law must now be understood within the meaning of the GDPR.42. In this regard, the Restricted Committee notes that consent within the meaning of the GDPR imposes more requirements in this area than what was provided for in Article 2, h) of Directive 95/46/EC. In particular, under these new requirements, article 4, paragraph 11 of the GDPR requires that the consent now be unambiguous, which implies that it be given by a "clear positive act" and recital 42 of the GDPR reinforces its character. freedom, specifying that the person must now have a "genuine freedom of choice" when giving consent.43. With regard to the operations of reading and/or writing information, this reinforcement of the free nature of consent implies that the methods which are offered to the user to express his choice are such that they do not encourage him more about accepting cookies than refusing them.44. The Restricted Committee notes that it is in this sense that the communication from the CNIL of April 2, 2021 published on its website and denounced by the company should be understood. Indeed, by writing that "the mere presence of a "Configure" button in addition to the "Accept all" button tends, in practice, to dissuade refusal and therefore does not allow compliance with the requirements set by the GDPR", the CNIL only wanted to emphasize the strengthening of the requirements relating to the collection of the user's consent before any operation of reading and/or writing information in his terminal generated by the entry into application of the GDPR.45 . The Restricted Committee nevertheless underlines that if the GDPR does support the conditions of consent, compliance with the special provisions resulting from the "ePrivacy" directive which impose this consent, now reinforced, of the user before any reading and/or writing in his terminal continues to come under the adage specialia generalibus derogant, the special rule laid down by article 5, paragraph 3, of the "ePrivacy" directive and, therefore, the special mechanism of control and sanction provided for in Article 15a of that same directive.46. Thus, the simple reference to the GDPR operated by the provisions of the "ePrivacy" directive on the definition of consent is not sufficient to bring with it the applicability of the "one-stop shop" mechanism to the facts of the case.47. Fourthly, the Restricted Committee observes that it would in any event be materially impossible in the current state of the law to apply the "one-stop shop" mechanism to facts covered by the "ePrivacy" directive and that this position is also the subject of a consensus at European level.48. Indeed, the Member States, which are free to determine the national authority competent to hear violations of the national provisions adopted pursuant to the "ePrivacy" directive, may have attributed this competence to an authority other than their national data protection authority. data instituted by the GDPR, in this case to their telecommunications regulatory authority. Consequently, insofar as these latter authorities are not part of the EDPS, while this committee plays an essential role in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the "one-stop shop" to practices likely to be penalized by national supervisory authorities not sitting on this committee.49. The Restricted Committee also points out that other national data protection authorities have also already imposed sanctions relating to breaches relating to the operations of reading and/or writing information in the user's terminal. The Spanish authority has thus issued several sanction decisions against various data controllers in exclusive application of the national provisions transposing the "ePrivacy" directive, in this case article 22, paragraph 2 of Ley 34/2002 de 11 de julio de Servicios de la Sociedad de la Información y de Comercio Electrónico, without implementing the cooperation procedure established by the RGPD.50. Finally, the Restricted Committee notes that the question of a possible future application of the "one-stop shop" mechanism to the processing currently governed by the current "ePrivacy" directive is the subject of numerous discussions in the context of the drafting of the draft "ePrivacy" regulation that has been under negotiation for more than four years at European level. The very existence of these debates confirms that, as it stands, the "one-stop shop" mechanism provided for by the GDPR is not applicable to matters governed by the current "ePrivacy" directive.51. It follows from the foregoing that the "one-stop shop" mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to control and initiate a sanction procedure against the processing implemented by the company. consisting of information reading and/or writing operations carried out from the "facebook.com" website in the terminal of users residing in France falling within the scope of the "ePrivacy" directive, provided that this processing falls within its territorial jurisdiction.2. On the territorial jurisdiction of the CNIL52. The rule of territorial application of the requirements set out in article 82 of the "Informatique et Libertés" law is specified in article 3, paragraph I, of this law, which provides: "without prejudice, with regard to the processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, of the criteria provided for in Article 3 of this regulation, all the provisions of this law apply to the processing of personal data carried out in the framework of the activities of an establishment of a data controller (…) on French territory, whether or not the processing takes place in France”.53. The rapporteur considers that the CNIL has territorial jurisdiction pursuant to these provisions when the processing covered by this procedure, consisting of operations to access and/or register information in the terminal of users residing in France during the use of the Facebook social network, in particular for advertising purposes, is carried out within the "framework of the activities" of the company FACEBOOK FRANCE, which constitutes the "establishment" on French territory of the Facebook group.54. The company maintains that insofar as it would be appropriate to apply the rules of jurisdiction and cooperation procedures defined by the GDPR, the CNIL would not have territorial jurisdiction to hear this case given that the "real seat" of the Facebook group in Europe, i.e. the place of its central administration within the meaning of Article 56 of the GDPR, is located in Ireland.55. The Restricted Committee notes that to determine whether the CNIL has the competence to monitor compliance, by the FIL company, with the requirements provided for in Article 82 of the "Informatique et Libertés" law in the context of the processing in question, it It is appropriate to examine in this case whether the two criteria for territorial application of the "Informatique et Libertés" law, provided for in paragraph I of its article 3, are met: namely, on the one hand, if Facebook has an "establishment on French territory" and if, on the other hand, the processing in question is carried out "in the context of the activities of this establishment".56. The Restricted Committee recalls in this sense that the "ePrivacy" directive does not itself explicitly set the rule of territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it "clarifies and complements Directive 95/46.EC", which provided at the time, in its Article 4, that "each Member State applies the national provisions which it adopts pursuant to this Directive to the processing of personal data when: a) the processing is carried out in the context of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations provided for by the applicable national law". If this rule for determining the national law applicable within the Union is no longer relevant for the application of the rules of the GDPR, which replaced Directive 95/46/EC and applies uniformly to all the territory of the Union, the Restricted Committee notes that the French legislator has maintained these two criteria of territorial application for the specific rules contained in the "Informatique et Libertés" law, in particular those which transpose the "ePrivacy" directive. It follows, as will be developed below, that the case law of the CJEU on the application of Article 4 of Directive 95/46/EC remains relevant to clarify the scope to be given to these two criteria.58. Firstly, on the existence of a Facebook establishment on French territory, the Restricted Committee recalls that the CJEU has consistently considered that the concept "in the context of the activities of an establishment" cannot be accepted a restrictive interpretation in data protection law and, that to know whether a data controller had an "establishment", it was necessary to assess both the degree of stability of the installation and the reality of the exercise of the activities in a Member State, taking into account the specific nature of the economic activities and the provision of services in question (see in particular, CJEU, 1 October 2015, Weltimmo, C 230/14, pts. 25 to 31).59. The Court specified in particular that "the notion of 'establishment', within the meaning of Directive 95/46, extends to any real and effective activity, even minimal, carried out by means of a permanent establishment" (idem, pt . 30), the criterion of stability of the installation being examined with regard to the presence of "human and technical means necessary for the supply of concrete services in question" (idem, pt. 31). The Court further considered that a company, an autonomous legal person, from the same group as the data controller, may constitute an establishment of the data controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C -131/12, pt 48).60. In this case, the company FACEBOOK FRANCE, registered in France since February 3, 2011, is the headquarters of the French subsidiary of the company META PLAFORMS INC. It has premises located in Paris and employs approximately […] people. It is specified in the articles of association of this company, updated and filed with the registry of the Paris Commercial Court on July 9, 2020, that its purpose is "any activity relating, directly or indirectly, to the purchase, the sale or intermediation of advertising space on the Facebook Online Social Networking Platform or any other platform operated by the Facebook group, or any other commercial agreement, in its broadest sense, relating to online advertising space and in particular, without this list being exhaustive, the offer to buy, sell or provide online advertising space, the negotiation of contracts concerning online advertising space, the implementation of marketing strategies relating to offers for the sale of advertising space and any other advertising service that may be provided to advertisers, advertising agencies or any other third party". As regards the links of this company with the company FIL, the Restricted Committee notes that they are both subsidiaries of the group's parent company, the company META PLAFORMS INC., and that they are linked in particular to the to each other by a contract for the resale of advertising space and by a contract for the provision of services, in force since July 1, 2018.62. In this regard, the Restricted Committee notes that if, in its response of May 21, 2021, the company FACEBOOK FRANCE stated that "in principle, FIL is the contracting company for advertisers and partners in France wishing to use the advertising products and services of Facebook "(…) for the creation, submission or distribution of advertisements or any other activity or any other commercial or sponsored content" (…)", it also states very clearly that its role consists of "the provision of support local to advertisers and partners in France and the placing of orders and the invoicing of certain customers ".63. In particular, the Restricted Committee notes that under the service provision contract, the company FACEBOOK FRANCE provides, on a non-exclusive basis, numerous services to the company FIL, including general, administrative, human resources, accounting, legal, political , marketing and partnership management.64. Therefore, with regard to the nature of these services, the Restricted Committee considers that the company FACEBOOK FRANCE must be regarded as the establishment in France of the company FIL.65. Secondly, on the existence of processing carried out "in the context of the activities" of the company FACEBOOK FRANCE, the Restricted Committee recalls that in its Wirtschaftsakademie decisions (CJEU, Grand Chamber, June 5, 2018, Wirtschaftsakademie, C-210 /16, pts. 56 to 60) and Facebook Belgium (CJEU, grand chamber, June 15, 2021, Facebook Belgium, C-645/19, pts. 92 to 95), which are in line with the Google Spain case law of 13 May 2014 relating to the activities of the search engine Google in Spain (CJEU, Grand Chamber, 13 May 2014, Google Spain, C-131/12, pt. 55), the Court of Justice considered that the processing consisting of the collection of personal data via cookies placed in the terminals of users visiting, in Germany and Belgium, pages hosted on the Facebook social network was respectively carried out "within the framework of the activities" of the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, German institutions and t of the Facebook group, in so far as those establishments are intended to ensure, in their respective countries, the promotion and sale of the advertising space offered by that social network, which serves to make the service offered by Facebook profitable.66. Thus, in the Facebook Belgium judgment, the Court of Justice noted "on the one hand, a social network such as Facebook generates a substantial part of its income thanks, in particular, to the advertising which is broadcast there and that the activity exercised by the establishment located in Belgium is intended to ensure, in this Member State, even if only incidentally, the promotion and sale of advertising space which serves to make the Facebook services profitable. , the main activity carried out by Facebook Belgium, consisting in maintaining relations with the institutions of the Union and constituting a point of contact with them, aims in particular to establish the policy for the processing of personal data by Facebook Under these conditions, the activities of the establishment of the Facebook group located in Belgium must be considered to be inseparably linked to the processing of personal data at issue in the main proceedings, t Facebook Ireland is responsible for the territory of the Union" (pts. 94-95).67. Even if these three judgments concerned more specifically the subsequent processing implemented from cookies deposited in users' terminals - which justified the application of Directive 95/46/EC for the Google Spain and Wirtschaftsakademie cases and of the GDPR for the Facebook Belgium case – this case law remains relevant to clarify the scope to be given to the notion of processing carried out "in the context of the activities" of an establishment, the French legislator having taken it up, when transposing the directive " ePrivacy", to establish the territorial jurisdiction of the CNIL with regard to the processing covered by this directive.68. In this case, the Restricted Committee notes that the analyzes carried out in Germany and Belgium by the German and Belgian data protection authorities with regard to the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, and confirmed by the CJEU, can be reproduced in France by the CNIL concerning the company FACEBOOK FRANCE.69. Indeed, it appears from the response of the company FACEBOOK FRANCE of May 21, 2021 that its activities consist in providing "advertising support services to advertisers and partners in France on behalf of FIL". More specifically, "it informs advertisers and partners in France about the use they can make of the Facebook advertising services offered by FIL. By way of illustration, FB France provides advice on how to use the tools and features of Facebook products in order to optimize advertising budgets or improve the quality of advertising campaigns”. Finally, "since July 1, 2018, [it] also interacts with certain advertisers and partners in France, with regard to placing their orders and invoicing related to the resale of advertising space for their benefit".70. Consequently, the Restricted Committee considers that the processing in question - consisting of operations to access or register information in the terminal of users residing in France when using the Facebook social network, in particular for advertising purposes – is carried out "as part of the activities of FACEBOOK FRANCE", a company which is "the establishment of Facebook on French territory" and participates, as such, in the promotion and marketing of Facebook products and their advertising solutions in France. Since the two criteria provided for in Article 3, paragraph I, of the "Informatique et Libertés" law are met, the processing is subject to French law.71. The Restricted Committee emphasizes that the application of French law only concerns read and/or write operations carried out on French territory (Article 4 of Directive 95/46/EC moreover specified that the law of the Member State applied only to the activities of the establishment "on the territory of the Member State").72. Finally, it notes that this has been a constant position on its part since the intervention of the Google Spain case law in 2014 (see in particular the CNIL decisions, restricted formation, April 27, 2017, SAN-2017-006; CNIL , restricted training, December 19, 2018, SAN-2018-011; CNIL, restricted training, December 7, 2021, SAN-2020-012 and CNIL, restricted training, December 7, 2021, SAN-2020-013).73. It follows from the foregoing that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of taking a sanction measure concerning the processing in question which falls within the scope of the directive. “ePrivacy”.B. On the complaint alleging the illegality of this sanction procedure74. The company denounces the fact of not having received a prior formal notice, like the sixty players who were the subject of this corrective measure between May and July 2021 for similar facts, and invokes the resulting breach of the principle of equality before the law.75. It maintains that this principle would also be disregarded because of the severity of the corrective measures proposed by the rapporteur in comparison with the recent decisions of the Restricted Committee pronounced against major players for non-compliance with the provisions of Article 82 of the “Informatique et Libertés” law (see CNIL decisions, restricted formation, November 18, 2020, SAN-2020-009, Carrefour Banque; December 7, 2020, SAN-2020-012, Amazon and SAN-2020-013, Google; 27 July 2021, SAN-2021-013, Le Figaro).76. With regard firstly to the lack of prior formal notice, the Restricted Committee notes that under Article 20, paragraph III, of the "Informatique et Libertés" law, the referral of a file to a procedure of sanction belongs to the president of the CNIL alone, so that the restricted committee does not have to decide on the principle of its referral.77. It also recalls that it follows from these provisions that the President of the CNIL is not required to send a formal notice to a data controller before initiating sanction proceedings against him. It adds that the possibility of directly initiating sanction proceedings has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, No. 433311, pt. 3).78. Moreover, the Restricted Committee notes that a prior formal notice was all the less justified in this case as the company has already, following a prior formal notice, been subject to a penalty of the share of restricted training for breaches relating to cookies in 2017. The company therefore had to be both particularly vigilant in terms of compliance with its obligations in terms of cookies and also attentive to changes in the regulations in this area, in particular following the strengthening of the conditions of consent following the entry into force of the GDPR.79. Finally, the Restricted Committee notes that the CNIL has communicated in particular on these developments, in particular by defining an action plan relating to cookies, the terms of which were detailed in 2019 in a press release published on its website on June 28, 2019. The CNIL specified in particular that it would leave a "transitional period" to data controllers so that they have the time necessary to bring their reading and/or writing operations into compliance with the new requirements following the entry into application of the GDPR and which would be enshrined in the new recommendation which was to be drafted. It was already stressing that it would carry out checks on compliance with this future recommendation within six months of its final adoption. Extended once, this adaptation period came to an end on April 1, 2021.80. As regards, next, the amount of the fine proposed by the rapporteur, this has no effect on the legality of the procedure.81. Consequently, the Restricted Committee considers that the complaint based on the illegality of the procedure must be dismissed.C. On the breach of cookie obligations82. Under the terms of article 82 of the "Informatique et Libertés" law, which transposes into French law the provisions of article 5, paragraph 3, of the "ePrivacy" directive, "any subscriber or user of a communications service must be informed in a clear and complete manner, unless he has been informed beforehand, by the data controller or his representative: 1° Of the purpose of any action aimed at accessing, by electronic transmission, information already stored in his electronic communications terminal equipment, or to register information in this equipment; user has expressed, after having received this information, her consent (…)”.83. Under Article 2(f) of the ePrivacy Directive, consent has to be understood within the meaning of "consent of the data subject" as set out in Directive 95/46/EC. According to Article 94 of the GDPR "references to the repealed directive must be understood as references to the [GDPR]".84. Under Article 4, paragraph 11, of the GDPR, to be validly obtained, consent must be a "manifestation of will, free, specific, informed and unambiguous by which the person concerned accepts, by a declaration or by an act clear positive ".85. The scope of this article is informed by recital 42 of the GDPR, according to which "consent should not be considered to have been freely given if the data subject does not have a genuine freedom of choice or is not able to refuse or withdraw consent without prejudice”.86. In this case, the delegation noted in the context of the online check of April 8, 2021 that, when a user goes to the Facebook social network, a pop-up window whose title is "Accept Facebook cookies in this browser " appears and, at the bottom of this window, there are two buttons labeled "Manage data settings" and "Accept all". It was also noted that at this stage no cookie was placed in the user's terminal and that the latter was obliged to click on one of these two buttons in order to be able to continue browsing the social network.87 . Thus, when the user clicks on the "Accept all" button appearing at the bottom of this first window and gives his consent by this action to the reading and/or writing of information in his terminal, the window disappears, this which allows him to continue browsing the social network.88. When the user clicks on the "Manage data settings" button, a new pop-up window appears, including the two main purposes pursued by cookies subject to consent – personalized advertising carried out by Facebook and personalized advertising carried out by third parties – and next to which there are sliding buttons, disabled by default.89. The delegation found that when the user scrolls this second window, leaves the two slider buttons deactivated, and then clicks on the "Accept cookies" button at the bottom of this window, the latter disappears, allowing him to continue his navigation on the social network without advertising cookies having been deposited in his terminal.90. In view of these findings, the rapporteur considers that the company has breached Article 82 of the "Informatique et Libertés" law, as clarified by the reinforced consent requirements laid down by the GDPR, since it does not provide users residing in France, on the "facebook.com" website, with a means of freely consenting by refusing the operations of reading and/or writing information in their terminal presenting the same degree of simplicity than that intended to accept its use. The rapporteur also considers that the information provided to the user does not allow him to clearly understand that he can refuse cookies.91. It also notes by way of clarification that under the terms of its guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, adopted on 4 May 2020, the EDPS recalled that "the adjective "free "implies real choice and control for those affected" (§13).92. Similarly, in the context of its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical procedures for compliance in the event of the use of "cookies and other tracers", the Commission considered, given the aforementioned applicable texts, that "the data controller must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity".93. The company argues that neither the "ePrivacy" directive, nor its transposition into French law in article 82 of the "Informatique et Libertés" law provides the rule that it must be as easy to refuse cookies as to accept them. . She adds that this rule is not provided for by the GDPR either, whose Article 7(3) only introduces an obligation relating to the withdrawal of consent, which does not extend to the initial refusal to consent to cookies.94. It argues that the CNIL's guidelines and recommendation of September 17, 2020 do not have mandatory value and in any case do not refer to any binding provision of the GDPR or the "ePrivacy" directive when they refer to this rule which , in these two CNIL instruments, appears moreover under headings relating to the refusal of consent and not to freedom of consent.95. Finally, it maintains that its information path complies with the applicable rules when it does indeed provide, from the first window, information relating to the setting of cookies and that a distracted user arriving at the second window allowing this setting, who would click on the "Accept cookies" button appearing at the bottom of this second window, would not see any advertising cookies deposited in their terminal.96. Firstly, with regard to the terms of the refusal, the Restricted Committee refers to the provisions recalled in points 41 to 43 and in points 82 and following of this deliberation. It considers that, to guarantee the freedom of consent, it should in this case be as easy to refuse cookies as to accept them. She points out that the EDPS clarifies this point in his guidelines on consent adopted on 4 May 2020 by specifying that "the adjective 'free' implies real choice and control for the data subjects".97. By applying this requirement of freedom of consent to cookies, it considers that making the refusal mechanism more complex than that allowing them to be accepted, for example by relegating the button allowing them to be refused to a second window, generally amounts, in the context of web browsing, in reality altering users' freedom of choice by encouraging them to favor the acceptance of these cookies rather than their refusal.98. She notes that this conclusion is corroborated in particular by an academic study entitled "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence" their influence") conducted in 2020 from different cookie banners offered to a panel of users. In this study, researchers from the universities of Cambridge and MIT in particular demonstrated that 93.1% of Internet users confronted with cookie banners stop at the first level and that only a small minority of them go to the second level to personalize or refuse. This study also showed that relegating the opt-out button to the second level increased the cookie consent rate by an average of 23.1 percentage points.99. It also recalls that, to take into account the changes brought about by the entry into force of the GDPR and in particular to clarify the scope to be given to the contested rule in this procedure, the CNIL has changed its deliberation No. 2013-378 of 5 December 2013 adopting a recommendation on cookies and other trackers (hereinafter "the recommendation of 5 December 2013").100. This change was reflected first in the adoption of deliberation no. 2019-093 of July 4, 2019 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to operations reading and/or writing in a user's terminal (in particular to cookies and other tracers) (hereinafter "the guidelines of July 4, 2019), which already provided in its article 2, "that it must be as easy to refuse or withdraw consent as to give it", then by that of the guidelines and the recommendation of September 17, 2020, which respectively repealed the guidelines of July 4, 2019 and the recommendation of December 5, 2013.101. Restricted Committee emphasizes that the two instruments adopted in 2020 aim to interpret the legislative provisions and to enlighten the actors on the implementation of concrete measures to guarantee compliance with these provisions, so that they implement these measures or measures having equivalent effect, without however providing for new legal obligations. It notes that the guidelines of September 17, 2020 specify that their "main purpose is to recall and explain the law applicable to the operations of reading and/or writing information […] in the terminal equipment of the subscriber's or user's electronic communications, and in particular the use of cookies (hereinafter “cookies”)”.102. She notes that article 2 of the guidelines of September 17, 2020 and article 2.4 of the recommendation of September 17, 2020 are very clear, the latter recalling that "the data controller must offer users both the possibility of accepting and to refuse read and/or write operations with the same degree of simplicity ".103. It underlines that if, for the sake of pedagogy, these details appear in these two instruments under titles which evoke its content rather than the legal source from which it proceeds ("As regards the modalities of the refusal" for the recommendation of September 17, 2020, "On the refusal and withdrawal of consent" for the guidelines of September 17, 2020), it is indeed the requirement of freedom of consent laid down by the GDPR which implies, with regard to the deposit of cookies, that the methods proposed to the user to express this choice are such that they do not encourage him to accept cookies any more than to refuse them.104. The Restricted Committee also notes that the Council of State has already had the opportunity to rule on this issue in its decision Association of Communication Consulting Agencies, in which it examined the guidelines of July 4, 2019. It has thus ruled that: "the CNIL which, by indicating that it should "be as easy to refuse or withdraw consent as to give it", limited itself to characterizing the conditions of the user's refusal, without defining any particular technical methods for expressing such a refusal, did not taint its deliberation with any ignorance of the rules applicable in the matter" (CE, June 19, 2020, no. 434684, T., pt 15).105. It notes that this recital must be read in the light of the conclusions of the public rapporteur on this judgment, which noted: "As indicated by the CNIL, the contested guidelines do not impose any technical procedure for collecting this refusal. They are limit themselves to requiring, generally and rightly, that it should not be more complicated to refuse than to accept" (CE, conclusions of the public rapporteur on judgment no. 434684, p. 17).106. Finally, it emphasizes that in the guidelines and in the recommendation of September 17, 2020, the CNIL does not necessarily require the insertion of a "Refuse all" button, but recalls the importance of setting up a simple alternative allowing the user to refuse cookies as simply as accepting them, giving examples of wording and methods that can be used by organizations so that users' freedom of consent is truly respected.107. Thus, under the recommendation of September 17, 2020, the CNIL proposes: "For example, at the stage of the first level of information, users can have the choice between two buttons presented at the same level and on the same format, on which "accept all" and "refuse all", "allow" and "prohibit", or "consent" and "not consent", or any other equivalent and sufficiently clear wording are written respectively. The Commission considers that this method constitutes a means simple and clear to allow the user to express his refusal as easily as his consent. The expression of the refusal to consent can however result from other types of actions than that consisting in clicking on one of the buttons described here In any event, the Commission recalls that the terms enabling users to consent or refuse must be presented in a clear and understandable manner, in particular when refusal may be be manifested by the simple closing of the consent collection window or by the absence of interaction with it for a certain period of time, this possibility must be clearly indicated to users on this window. Indeed, failing this, the user would be likely not to understand that these actions lead to the fact that no read or write operation subject to consent can legally take place. Appropriate design and information should allow him to fully understand the options available to him". April 2021, when a user residing in France visits the "facebook.com" website, he can accept the deposit of advertising cookies in a single action, by clicking on the button entitled "Accept cookies" appearing on the first 109. It notes that, on the other hand, to refuse these cookies, the user must perform no less than three actions: first click on the button entitled "Manage data settings" located above the "Accept" button cookies " of the first window, scroll through the entire content of the second window, in particular to note that the two sliding buttons controlling the deposit of advertising cookies are deactivated by default, and finally click on the button " Accept all" located at the bottom of this second window.110. In this case and as it has already mentioned, the Restricted Committee considers that the fact, for the company, of making the mechanism for refusing cookies more complex than that consisting in accepting them actually amounts to discouraging users from refusing cookies and to encourage them to favor the ease of the "Accept cookies" button. Indeed, a web user is generally led to consult many sites. Browsing the web is characterized by its speed and fluidity. Having to click on "Manage data settings" and having to understand how the page to refuse cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in this case, the company offers a choice between the acceptance or refusal of cookies, but the methods by which this refusal can be expressed, in the context of web browsing, skews the expression of choice in favor of consent in such a way as to alter the freedom of choice.111. Secondly, with regard to the information provided, the Restricted Committee recalls that under Article 82 of the "Informatique et Libertés" law, the user must in particular be informed, before consenting to cookies, " the means at his disposal to oppose them", that is to say to refuse them, and that the information provided must be "clear and complete". It stresses that these provisions must be read in the light of recital 66 of the amending Directive 2009/136/EC "ePrivacy" which provides that "the methods chosen to provide information and offer the right of refusal should be as user-friendly as possible" .112. It underlines that, in the context of its recommendation of September 17, 2020, the Commission took care to specify that this requirement for "clear and complete" information should be interpreted in such a way that "the information accompanying each actionable element expressing consent or refusal is easily understandable and does not require efforts of concentration or interpretation on the part of the user. Thus, it is particularly recommended to ensure that it is not worded in such a way that a cursory or careless read might suggest that the selected option produces the opposite of what users thought they were choosing".113. In this case, it recalls that it appears from the online check of April 8, 2021 that once arrived on the "facebook.com" website, the user must, to refuse the deposit of advertising cookies, first click on the "Manage Data Settings" button in the first window, scroll through the entire second popup window leaving both sliders disabled to not accept cookies, then click on the "Accept Cookies" button appearing at the bottom of this second window.114. If, as the company argues in defence, the Restricted Committee recognizes that a distracted user who clicks on the "Accept cookies" button appearing at the bottom of the second window would not see any advertising cookies deposited in his terminal as soon as the sliding buttons allowing the deposit of these cookies to be activated are deactivated by default, it notes that it is particularly counter-intuitive to have to click on a button entitled "Accept cookies" in order to refuse their deposit.115. The Restricted Committee considers that these methods rather encourage the user to think that it is ultimately not possible to continue browsing after having refused the deposit of advertising cookies since the entire process of refusing cookies is based on information referring to the acceptance of cookies.116. It notes that this feeling can only be accentuated by the not very explicit nature of the "Manage data settings" button offered within the framework of the first window, which does not clearly mention the existence of means allowing cookies to be refused. 117. It considers that the fact that ultimately cookies are not deposited has no impact on the confusion generated by this contradictory information path which can give the user the feeling that it is not possible to refuse the deposit of cookies. and that it has no means of monitoring in this respect.118. In view of these elements, the Restricted Committee considers that the information provided to users residing in France visiting the "facebook.com" page as well as the procedures for obtaining consent offered to them by the company on this website do not do not comply with the provisions of article 82 of the law "Informatique et Libertés" as clarified by the reinforced requirements in terms of consent laid down by the RGPD.III. On the pronouncement of corrective measures and publicity119. Article 20 of Law No. 78-17 of January 6, 1978 as amended provides that: "when the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or of this law, the president of the National Commission for Computing and Liberties may […] seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: [ …]2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned in order to exercise their rights , which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted body; […]7° With the exception of cases where the processing is implemented by the State, an administrative fine not to exceed 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher retained. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted formation takes into account, in determining the amount of the fine, the criteria specified in the same article 83. "Article 83 of the GDPR, as referred to in article 20, paragraph III, of the law "Informatique and Freedoms", provides for its part that "Each supervisory authority shall ensure that the administrative fines imposed under this article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account to decide whether it is necessary to impose an administrative fine and to decide on the amount of this fine.A. On the imposition of an administrative fine and its amount120 The company first argues that the demonstration by the rapporteur of the seriousness of the breach and the number of people concerned in support of its proposal for a sanction is insufficient.121 It also argues that the developments in the ra information relating to the scope of the breach and the financial benefits perceived as a result of the breach would be inoperative when the sliding buttons appearing on the second window are disabled by default, so that a distracted user who clicks on the "Accept cookies" button " located at the bottom of this second window would not see any cookie deposited in his terminal.122. The Restricted Committee recalls, in general, that Article 20, paragraph III, of the "Informatique et Libertés" law gives it jurisdiction to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the turnover total worldwide annual turnover of the previous financial year achieved by the data controller. The determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR to which this article refers.123. Firstly, with regard to the imposition of an administrative fine, the Restricted Committee considers that it is first necessary to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach taking into account the nature, the scope of the processing and the number of data subjects.124. It notes first of all that by not complying with the requirements of article 82 of the "Informatique et Libertés" law, the company does not allow users residing in France visiting the "facebook.com" web page to refusing cookies as easily as accepting them. By depriving them of this true freedom of choice, the company strongly encourages users to consent to the deposit of advertising cookies.125. The Restricted Committee underlines the scope of the social network Facebook and the essential place it occupies in France, since it dominates the social network market by far, as noted by the Autorité de la concurrence in its opinion no. ° 18-A-03 of March 6, 2018. It also notes the "network effects" generated by this dominant position, highlighted by the German competition authority in a decision of February 6, 2019.126. It insists on the fact that this shortcoming is all the more harmful for the people concerned since, alongside its traditional function of maintaining and developing interpersonal relationships, this social network is also playing an increasing role in areas as diverse as access to information, public debate, even civil security via the "Facebook danger check" (or "safety check") functionality in the event of a natural disaster or an attack, which are of unquestionable importance in a democratic society.127. It also stresses that the tracing of the persons concerned, which begins with the collection of information linked to the user account and which continues throughout the user's browsing on Facebook, for an advertising purpose clearly recognized by the data controller, does not does not stop at the borders of the social network.128. It is not discussed that Facebook makes available to very many third-party sites a set of tracking tools – such as social plugins, connection buttons or the Facebook pixel – which will continue to collect data from users visiting these third party sites to cross them with the data already collected within the framework of the social network and this in order to increase the valuation of this data. A 2019 study revealed the presence of these Facebook tracking tools on 44% of the world's 65,000 most visited websites, so the indirect scope of the processing is considerable.129. Finally, with regard to the number of people affected by the processing in question, the Restricted Committee recalls that, according to the own volumetric data provided by the company, the social network counts approximately […]monthly users in France, which corresponds to […] % of the population.130. Secondly, the Restricted Committee considers that the criterion provided for in subparagraph k) of Article 83(2) of the GDPR relating to the financial benefits obtained as a result of the breach should be applied.131. In this regard, it notes that insofar as Facebook follows a business model known as "targeted content matching", operating simultaneously in the collection of data, their valuation and the operational implementation of the advertisements broadcast in the banners deployed within the social network, the performance of its business model is mainly based on targeting tools and in particular on cookies, which make it possible to single out and reach the identified user with a view to offering him advertising content adapted to his centers of interest and his profile.132. In this case, the Restricted Committee considers that the breach in question provides undeniable financial advantages to the company, since the fact of opting for a process that facilitates the deposit of cookies more than refusal increases the share of users with whom advertising cookies are likely to be deposited and therefore also increases the volume of advertising revenue generated by the profiling in which these cookies participate.133. In this perspective, it appears from the financial elements of the company FACEBOOK INC., communicated by the company FIL, that the first derives nearly 98% of its gross income from the online advertising segment and that it operates a global operating margin around 40% in this segment. Even if all of these revenues are not directly linked to cookies, the Restricted Committee emphasizes that this segment is essentially based on the targeting of Internet users, in which the cookie participates directly by making it possible to single out and reach the identified user with a view to to display him advertising content corresponding to his centers of interest and his profile.134. In this case, if it is not aware of the amount of profit made by the Facebook group from the collection and use of cookies on the French market via the income generated by targeted advertising aimed at French Internet users, the training restricted notes that a proportional approximation based on the figures available to it, in particular the average income generated by a European user for the online advertising segment and the number of users residing in France, would lead to an estimate that France would contribute to the net income of FACEBOOK INC., the parent company of the Facebook group, now called META PLAFORMS INC., for an amount of between 550 and 660 million euros.135. Secondly, with regard to the determination of the amount of the fine, the Restricted Committee recalls that pursuant to the provisions of Article 20, paragraph III, of the "Informatique et Libertés" law, the company FIL incurs financial penalty of a maximum amount of 2% of its turnover, which was EUR […] in 2019.136. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83, paragraph 2, of the Rules mentioned above, the Restricted Committee considers that a fine of 60 million euros against the company appears justified.B. On the issuance of an injunction accompanied by a penalty payment137. In its writings of October 8, 2021, the company indicated that an update of its interface for collecting consent to cookies would be being deployed in the European region, including in France, without however producing any proof. It specified that "this update for the European region does not introduce additional purposes for cookies, nor does it add new cookies" and that it aims to "improve the ergonomics of the interface ".138. On December 6, 2021, the company released screenshots documenting the nature of this update.139. Firstly, the Restricted Committee notes that this update modifies in particular the content of the buttons of the first window "Manage data parameters" and "Accept all", which are now respectively entitled "Other options" and "Allow all cookies" and that in the second window the old single button "Allow cookies" is now called "Allow only essential cookies" and that next to it the company has introduced a second button called "Allow all cookies" .140. The Restricted Committee notes that, in accordance with the explanations already mentioned during the meeting and repeated by the company in the letter accompanying these screenshots, this update only concerns "users connected to the site www.facebook.com ", which informal checks enabled him to ascertain.141. Furthermore, and above all, the Restricted Committee notes that this update still does not put in place the means to refuse cookies as easily as they can accept them.142. Consequently, since the interface resulting from this update still does not comply with the provisions of article 82 of the "Informatique et Libertés" law, as clarified by the reinforced requirements in terms of consent by the GDPR, the Restricted Committee considers it necessary to issue an injunction in order for the company to comply with the applicable obligations in this area.143. Secondly, the Restricted Committee recalls that a daily fine is a financial penalty per day of delay that the data controller will have to pay in the event of non-compliance with the injunction at the expiry of the deadline for execution. Its pronouncement may therefore sometimes prove necessary to ensure compliance of the data controller within a certain period.144. The Restricted Committee adds that in order to keep the penalty payment its comminatory function, its amount must be both proportionate to the seriousness of the breaches committed and adapted to the financial capacities of the data controller. It also notes that, in order to determine this amount, account must also be taken of the fact that the breach concerned by the injunction indirectly contributes to the profits generated by the data controller.145. In view of these elements, the Restricted Committee considers as justified the pronouncement of a penalty payment in the amount of 100,000 euros per day of delay and payable at the end of a period of three months.C. Publicity of the decision146. The company asked the restricted committee not to make its decision public.147. The Restricted Committee considers, on the contrary, that the publication of this Decision is justified in the light of the seriousness of the breach in question, the scope of the processing and the number of persons concerned.148. It also notes that this measure will make it possible to alert users of the social network Facebook residing in France of the characterization of the breach of article 82 of the law "Informatique et Libertés" in its various branches and to inform them of the persistence of the breach. on the day of this deliberation and of the injunction issued against the company to remedy it.149. Finally, it considers that this measure is not disproportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.FOR THESE REASONSThe restricted formation of the CNIL, after having deliberated, decides to:• pronounce an administrative fine against the company FACEBOOK IRELAND LIMITED in the amount of sixty million euros (60,000,000 euros) with regard to the breach of Article 82 of the “Informatique et Libertés” law; • pronounce against the company FACEBOOK IRELAND LIMITED, an injunction to modify, on the “facebook.com” website, the procedures for obtaining the consent of users located in France to information reading and/or writing operations in their terminal, by offering them a means of refusing these operations presenting a simplicity equivalent to the mechanism provided for their acceptance, in order to guarantee the freedom of their consent; nction of a penalty payment of one hundred thousand euros (100,000 euros) per day of delay at the end of a period of three months following the notification of this deliberation, the supporting documents of compliance must be sent to the training restricted within this period; • make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from of its publication; • send its deliberation to the company FACEBOOK FRANCE with a view to its execution. The president Alexandre LINDEN This decision may be the subject of an appeal before the Council of State within a period of four months from its notification. /*<![CDATA[*/ // Creation of a tag with sending in secure mode. var tag = tagAtinternet; // Marking the page with its level 2. tag.page.set({ level2:'54' }); // Send hit. tag. dispatch(); /*]]>*/ Back to topThe National Commission for Computing and Liberties, meeting in its restricted formation composed of Messrs Alexandre LINDEN, president, Philippe-Pierre CABOURDIN, vice-president, Mesdames Christine MAUGÜE and Anne DEBET and Mr Alain DRU, members ;Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data;Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms , in particular articles 20 and following; Considering decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms; tion No. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties; Having regard to Decision No. 2021-044C of April 6, 2021 of the President of the National Commission for Computing and the freedoms to instruct the Secretary General to carry out or have carried out a mission to verify the processing accessible from the "facebook.com" domain or relating to personal data collected from the latter; Having regard to the decision of the President of the National Commission for Computing and Freedoms appointing a rapporteur to the restricted committee, dated July 26, 2021; Having regard to the report of Mrs Valérie PEUGEOT, commissioner rapporteur, notified to the company FACEBOOK IRELAND LIMITED on July 1 September 2021; Having regard to the written observations submitted by the board of the company FACEBOOK IRELAND LIMITED on October 8, 2021; Having regard to the response of the rapporteur to these observations notified to the a the company FACEBOOK IRELAND LIMITED on October 28, 2021; Considering the new written observations submitted by the board of the company FACEBOOK IRELAND LIMITED, received on November 21, 2021; Having regard to the letter sent by the company FACEBOOK IRELAND LIMITED to the chairman of the restricted committee and to the rapporteur on December 6, 2021; Having regard to the oral observations made during the restricted committee meeting; Having regard to the other documents in the file; , heard in its report;As representatives of the company FACEBOOK IRELAND LIMITED:- […];The company FACEBOOK IRELAND LIMITED having the floor last;The Restricted Committee adopted the following decision:I. Facts and procedure1. Founded in 2004 and headquartered in the United States (Menlo Park, California), FACEBOOK INC., renamed META PLAFORMS INC. since October 28, 2021, has developed a social network (hereinafter "the Facebook social network"), available on the web and on a mobile application, which allows users who have created an account to share their experiences and exchange views. The latter currently has more than 2.5 billion monthly active users worldwide.2. META PLAFORMS INC. has several dozen offices in around thirty countries and has more than 35,000 employees worldwide. It has its own advertising agency and, since its creation, it has notably acquired the Instagram photo sharing service (2012) as well as the WhatsApp instant messaging service (2014). In 2020, it achieved a turnover of nearly 86 billion dollars for a net profit of more than 29 billion dollars. 98% of this turnover is generated by income from advertising implemented as part of its products and services.3. FACEBOOK IRELAND LIMITED (hereafter "FIL"), located at 4 Grand Canal Square, Grand Canal Harbor in Dublin, Ireland, presents itself as the headquarters of the Facebook group for its activities in the European region since 2008. Subsidiary of META PLAFORMS INC. it employs about […] people. In 2019, it achieved a turnover of more than […] euros for a net profit of more than […] euros.4. FACEBOOK FRANCE, located at 6 rue Ménars in Paris (75002), is the establishment of META PLAFORMS INC. in France. A subsidiary of META PLAFORMS INC., it employs […] employees. In 2019, it achieved a turnover of more than […] euros for a net profit […] euros.5. On April 8, 2021, following four referrals recorded between October 2020 and March 2021, a CNIL delegation carried out an online check on the "facebook.com" website in application of decision no. 2021-044C of 6 April 2021 from the President of the National Commission for Computing and Liberties (hereinafter "the CNIL" or "the Commission").6. The purpose of this mission was to verify compliance, by the company, with the provisions of law no. Freedoms "" or "law of January 6, 1978"), in connection with processing consisting of operations of reading and/or writing information in the terminal of users residing in France during their visit to the website " facebook.com".7. On April 16, 2021, the delegation sent two questionnaires to the companies FACEBOOK FRANCE and FIL in order in particular to have them specify the purposes of the reading and/or writing operations carried out from the "facebook.com" website in the terminal of the users residing in France and to have them confirm that FIL was indeed responsible for processing these operations. The companies were also invited to specify their organization, their activities and the links which unite them.8. The latter respectively responded to these questionnaires on May 21 and June 11, 2021, confirming in particular that the company FIL acted as "controller for the processing of personal data implemented in the context of the provision of the service. Facebook to users in the European region, including for cookie writing and reading operations on the “facebook.com” website.9. On July 26, 2021, on the basis of Article 22 of the Law of January 6, 1978, the President of the Commission appointed Mrs Valérie PEUGEOT as rapporteur for the purposes of examining these elements.10. On September 1, 2021, at the end of her investigation, the rapporteur notified FIL of a report detailing the breach of the "Informatique et Libertés" law that she considered constituted in this case with regard to the freedom of consent, the company in particular not making available to users located in France, on the "facebook.com" website, a means of refusing operations to read and/or write information in their terminal presenting the same degree of simplicity than that intended to accept its use. Also attached to the report was a convocation to the restricted committee meeting of December 2, 2021.11. This report proposed that the restricted committee of the Commission impose an administrative fine on the company FIL, as well as an injunction to bring into compliance the processing consisting of operations to read and/or write information carried out from the “facebook.com” website in the terminal of users residing in France with the provisions of article 82 of the “Informatique et Libertés” law, accompanied by a penalty payment. It also proposed that this decision be made public and no longer allow the company to be identified by name after the expiry of a period of two years from its publication.12. By letter dated September 6, 2021, the company requested additional time from the chairman of the restricted committee to produce its observations in response to the rapporteur's report, which was granted to it on the following September 9, on the basis of Article 40, paragraph 4, of decree n° 2019-536 of May 29, 2019 taken for the application of the law “Informatique et Libertés” (hereinafter “the decree of May 19, 2019”).13. On October 8, 2021, the company submitted observations in response to the rapporteur's report.14. On October 18, 2021, the rapporteur asked the chairman of the Restricted Committee for additional time to respond to the company's observations, which was granted to her on the following October 21, of which the company was informed on the same day.15. On October 28, 2021, the rapporteur responded to the company's observations.16. On October 29, 2021, the company asked the chairman of the Restricted Committee for an extension of the deadline for submitting its observations to the rapporteur's response, which was granted on the following November 4.17. On 21 November 2021, the company submitted new observations in response to those of the rapporteur.18. On November 29, 2021, the company made the request that the data expressly identified in its writings as subject to business secrecy not be disclosed to the public during the session of the restricted committee, at which the chairman of the restricted committee made right by letter dated November 30, 2021.19. The company and the rapporteur presented oral observations during the restricted committee meeting of December 2, 2021.20. On December 6, 2021, the company sent the Chairman of the Restricted Committee and the rapporteur additional information reporting on an update being deployed on the "facebook.com" website.II. Reasons for decisionA. On the competence of the CNIL1. On the material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR21. The provisions of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector - as amended by Directive 2006/ 24/EC of March 15, 2006 and by Directive 2009/136/EC of November 25, 2009 (hereinafter the "ePrivacy Directive") - which relate to the storage or access to information already stored in the terminal equipment of a subscriber or user, have been transposed into domestic law in article 82 of the law "Informatique et Libertés", in chapter IV "Rights and obligations specific to processing in the electronic communications sector " of this law.22. Under the terms of article 16 of the law " Computing and Freedoms ", " the restricted formation takes the measures and pronounces the sanctions against the data controllers or the subcontractors who do not respect not the obl igations arising […] from this Act”. According to Article 20, paragraph III, of this same law, "when the data controller or its subcontractor does not comply with the obligations resulting from […] this law, the president of the National Commission for Informatics and freedoms […] can seize the restricted formation ".23. The rapporteur considers that the CNIL is materially competent pursuant to these provisions to control and, if necessary, sanction the operations of access or registration of information carried out by the company in the terminals of users of the Facebook social network residing in France and, more particularly, the fact that the company ignores the freedom of consent of Internet users by not providing them with a means of refusing operations to read and/or write information in their terminal which has the same degree of simplicity than that intended to accept its use.24. The company contests this jurisdiction on the grounds that the breach of which it is accused does not come under the "ePrivacy" directive.25. It argues that, unlike the companies Google and Amazon which were sanctioned by the Restricted Committee in December 2020 for a breach of the ban on placing cookies without having previously obtained the consent of the persons (CNIL decisions, Restricted Committee, December 7, 2020 , SAN-2020-012 and SAN-2020-013), he is only accused, under this procedure, of having violated the rule according to which it must be as simple for users to refuse the deposit of cookies as to consent thereto.26. However, according to the company, this rule would not result as such from any applicable legal or regulatory provision and would be a creation of the CNIL, formalized in the deliberations of September 17, 2020 No. 2020-091 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal (in particular to "cookies and other tracers") and n° 2020-092 on adoption of a recommendation proposing practical methods of compliance in the event of the use of "cookies and other tracers" (hereinafter the guidelines and recommendation of September 17, 2020 ").27. The company considers that assuming that this rule actually exists, it could only materially fall under Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter the "Regulation" or the "GDPR"), as would have been elsewhere partially recognized the CNI L in a communication dated April 2, 2021 posted on its website, indicating that "the mere presence of a "Configure" button in addition to the "Accept all" button tends, in practice, to deter refusal and therefore does not allow not to comply with the requirements of the GDPR ".28. The company concludes from this that it would be appropriate to apply the "one-stop shop" mechanism provided for in Chapter VII of these Rules to the present proceedings. Under this mechanism, when the company FIL, which has the status of controller in question, is established in Ireland and its central administration is located in this country, the supervisory authority competent to know the facts which he is accused of not being the CNIL but the Irish data protection authority, the Data Protection Commissioner (hereinafter “the DPC”).29. Firstly, the Restricted Committee recalls that a distinction should be made between, on the one hand, the operations consisting in depositing and reading cookies in a user's terminal and, on the other hand, the subsequent use that is made of the data generated by these cookies, for example for profiling purposes, referred to as "subsequent processing" (also called "subsequent").30. It stresses that each of these two successive stages is subject to a different legal regime: while the read and/or write operations are governed by special rules, set out in Article 5(3) of the Directive " ePrivacy", subsequent processing is subject to the GDPR and, as such, may be subject to the "one-stop shop" mechanism in the event that it is cross-border.31. It recalls that it appears from the provisions cited above that the French legislator has instructed the CNIL to ensure compliance with the provisions of the "ePrivacy" directive transposed into article 82 of the "Informatique et Libertés" law, by entrusting it with in particular the power to penalize any breach of this article. It emphasizes that this competence was recognized in particular by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the deliberation of the CNIL n ° 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in a user's terminal. The Council of State has indeed noted that "article 20 of this law entrusts [to] the president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from regulation (EU) 2016 /279 or of its own provisions, as well as the possibility of seizing the restricted formation with a view to pronouncing the sanctions likely to be pronounced "(CE, June 19, 2020, req. 434684, pt. 3).32. In the present case, the Restricted Committee notes that this procedure only covers the read and/or write operations implemented in the terminal of the user located in France visiting the Facebook social network, the material findings carried out by the delegation during the online check of April 8, 2021 which only related to these operations, without being interested in the subsequent processing implemented from the data collected via these cookies.33. Secondly, the Restricted Committee recalls that under the rules providing for the relationship between the "ePrivacy" directive and the GDPR, Article 1 paragraph 2 of this directive provides that "the provisions of this directive specify and supplement the Directive 95/46/EC" of the European Parliament and of the Council of 24 October 1995 on the protection of personal data [hereinafter "Directive 95/46/EC"]), it being recalled that, since the entry into force of Regulation, references to Directive 95/46/EC should be understood as references to the GDPR, in accordance with Article 94 of the latter.34. Similarly, it appears from recital 173 of the GDPR that this text explicitly provides that it is not applicable to the processing of personal data "subject to specific obligations having the same objective [of protection of fundamental rights and freedoms] set out in the Directive 2002/58/EC of the European Parliament and of the Council, including the obligations incumbent on the controller and the rights of natural persons ".35. The Restricted Committee points out that this articulation was confirmed by the Court of Justice of the European Union (hereinafter "the CJEU") in its Planet49 decision of October 1, 2019 (CJEU, grand chamber, October 1, 2019, Planet49, C -673/17, point 42).36. It also recalls that the "ePrivacy" directive provides, for the specific obligations it includes, its own mechanism for implementing and monitoring its application by leaving to the Member States, through its article 15 bis, the care to specify, within the framework of their national law, the system of sanctions which they wish to implement in order to guarantee its effectiveness.37. It notes in this case that the rule laid down in Article 5(3) of the "ePrivacy" directive, according to which read and/or write operations must systematically be subject to the prior agreement of the user, after information, constitutes a specific obligation since it prohibits an actor from relying on the legal bases mentioned in article 6 of the GDPR to be able to lawfully carry out these read and/or write operations in the terminal . As a result, the violation of this rule falls under the special control and sanction mechanism provided for by the "ePrivacy" directive and not that provided for by the GDPR.38. The Restricted Committee also notes that the EDPS, in his Opinion No. 5/2019 of 12 March 2019 relating to the interactions between the "Privacy and Electronic Communications" Directive and the GDPR, explicitly excluded the application of the " one-stop shop" to facts materially falling under the "ePrivacy" directive in these terms: "in accordance with Chapter VII of the GDPR, the cooperation and consistency mechanisms available to the data protection authorities under the GDPR concern the control of the application of the provisions of the GDPR. The mechanisms of the GDPR do not apply to the control of the application of the provisions of the "privacy and electronic communications" directive as such" (EDPS, opinion 5/2019, 12 March 2019 , pt. 80).39. It also notes that the CJEU, in a Facebook Belgium judgment delivered on 15 June 2021, took up the aforementioned opinion 5/2019 of the EDPS, while following on this point the conclusions of its Advocate General, Mr BOBEK, who considered that "in order to decide whether a case actually falls within the material scope of the GDPR, a national court, including any referring court, is required to seek the precise source of the legal obligation weighing on an economic operator whose is alleged to have breached it. If the source of this obligation is not the GDPR, the procedures established by this instrument, which are linked to its main purpose, are logically not applicable either" (CJEU, conclusions of Advocate General M. BOBEK, 13 January 2021, Facebook Belgium, C 645/19, points 37 and 38).40. In this case, the Restricted Committee notes that, in the present procedure, the precise source of the legal obligation subject to the control finds its origin only in the specific obligation laid down in Article 5, paragraph 3, of the Directive " ePrivacy", transposed into French law in article 82 of the law "Informatique et Libertés".41. Thirdly, with regard to the scope to be given to this specific obligation, the Restricted Committee recalls that the operations of reading and/or writing in the user's terminal must systematically be the subject of "prior consent" of the user. It points out that under Article 2(f) of the ePrivacy Directive, consent has to be understood within the meaning of "consent of the data subject" as set out in Directive 95/46/EC. However, insofar as, as already mentioned, since the entry into force of the Regulation, the references made to Directive 95/46/EC must be understood as being made to the GDPR, it follows that the "consent" provided for in Article 5, paragraph 3, of the “ePrivacy” directive as transposed in article 82 of the “Informatique et Libertés” law must now be understood within the meaning of the GDPR.42. In this regard, the Restricted Committee notes that consent within the meaning of the GDPR imposes more requirements in this area than what was provided for in Article 2, h) of Directive 95/46/EC. In particular, under these new requirements, article 4, paragraph 11 of the GDPR requires that the consent now be unambiguous, which implies that it be given by a "clear positive act" and recital 42 of the GDPR reinforces its character. freedom, specifying that the person must now have a "genuine freedom of choice" when giving consent.43. With regard to the operations of reading and/or writing information, this reinforcement of the free nature of consent implies that the methods which are offered to the user to express his choice are such that they do not encourage him more about accepting cookies than refusing them.44. The Restricted Committee notes that it is in this sense that the communication from the CNIL of April 2, 2021 published on its website and denounced by the company should be understood. Indeed, by writing that "the mere presence of a "Configure" button in addition to the "Accept all" button tends, in practice, to dissuade refusal and therefore does not allow compliance with the requirements set by the GDPR", the CNIL only wanted to emphasize the strengthening of the requirements relating to the collection of the user's consent before any operation of reading and/or writing information in his terminal generated by the entry into application of the GDPR.45 . The Restricted Committee nevertheless underlines that if the GDPR does support the conditions of consent, compliance with the special provisions resulting from the "ePrivacy" directive which impose this consent, now reinforced, of the user before any reading and/or writing in his terminal continues to come under the adage specialia generalibus derogant, the special rule laid down by article 5, paragraph 3, of the "ePrivacy" directive and, therefore, the special mechanism of control and sanction provided for in Article 15a of that same directive.46. Thus, the simple reference to the GDPR operated by the provisions of the "ePrivacy" directive on the definition of consent is not sufficient to bring with it the applicability of the "one-stop shop" mechanism to the facts of the case.47. Fourthly, the Restricted Committee observes that it would in any event be materially impossible in the current state of the law to apply the "one-stop shop" mechanism to facts covered by the "ePrivacy" directive and that this position is also the subject of a consensus at European level.48. Indeed, the Member States, which are free to determine the national authority competent to hear violations of the national provisions adopted pursuant to the "ePrivacy" directive, may have attributed this competence to an authority other than their national data protection authority. data instituted by the GDPR, in this case to their telecommunications regulatory authority. Consequently, insofar as these latter authorities are not part of the EDPS, while this committee plays an essential role in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the "one-stop shop" to practices likely to be penalized by national supervisory authorities not sitting on this committee.49. The Restricted Committee also points out that other national data protection authorities have also already imposed sanctions relating to breaches relating to the operations of reading and/or writing information in the user's terminal. The Spanish authority has thus issued several sanction decisions against various data controllers in exclusive application of the national provisions transposing the "ePrivacy" directive, in this case article 22, paragraph 2 of Ley 34/2002 de 11 de julio de Servicios de la Sociedad de la Información y de Comercio Electrónico, without implementing the cooperation procedure established by the RGPD.50. Finally, the Restricted Committee notes that the question of a possible future application of the "one-stop shop" mechanism to the processing currently governed by the current "ePrivacy" directive is the subject of numerous discussions in the context of the drafting of the draft "ePrivacy" regulation that has been under negotiation for more than four years at European level. The very existence of these debates confirms that, as it stands, the "one-stop shop" mechanism provided for by the GDPR is not applicable to matters governed by the current "ePrivacy" directive.51. It follows from the foregoing that the "one-stop shop" mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to control and initiate a sanction procedure against the processing implemented by the company. consisting of information reading and/or writing operations carried out from the "facebook.com" website in the terminal of users residing in France falling within the scope of the "ePrivacy" directive, provided that this processing falls within its territorial jurisdiction.2. On the territorial jurisdiction of the CNIL52. The rule of territorial application of the requirements set out in article 82 of the "Informatique et Libertés" law is specified in article 3, paragraph I, of this law, which provides: "without prejudice, with regard to the processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, of the criteria provided for in Article 3 of this regulation, all the provisions of this law apply to the processing of personal data carried out in the framework of the activities of an establishment of a data controller (…) on French territory, whether or not the processing takes place in France”.53. The rapporteur considers that the CNIL has territorial jurisdiction pursuant to these provisions when the processing covered by this procedure, consisting of operations to access and/or register information in the terminal of users residing in France during the use of the Facebook social network, in particular for advertising purposes, is carried out within the "framework of the activities" of the company FACEBOOK FRANCE, which constitutes the "establishment" on French territory of the Facebook group.54. The company maintains that insofar as it would be appropriate to apply the rules of jurisdiction and cooperation procedures defined by the GDPR, the CNIL would not have territorial jurisdiction to hear this case given that the "real seat" of the Facebook group in Europe, i.e. the place of its central administration within the meaning of Article 56 of the GDPR, is located in Ireland.55. The Restricted Committee notes that to determine whether the CNIL has the competence to monitor compliance, by the FIL company, with the requirements provided for in Article 82 of the "Informatique et Libertés" law in the context of the processing in question, it It is appropriate to examine in this case whether the two criteria for territorial application of the "Informatique et Libertés" law, provided for in paragraph I of its article 3, are met: namely, on the one hand, if Facebook has an "establishment on French territory" and if, on the other hand, the processing in question is carried out "in the context of the activities of this establishment".56. The Restricted Committee recalls in this sense that the "ePrivacy" directive does not itself explicitly set the rule of territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it "clarifies and completes Directive 95/46.EC", which provided at the time, in its Article 4, that "each Member State shall apply the national provisions which it adopts pursuant to this Directive to the processing of personal data when: a) the processing is carried out in the context of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations provided for by the applicable national law". If this rule for determining the national law applicable within the Union is no longer relevant for the application of the rules of the GDPR, which replaced Directive 95/46/EC and applies uniformly to all the territory of the Union, the Restricted Committee notes that the French legislator has maintained these two criteria of territorial application for the specific rules contained in the "Informatique et Libertés" law, in particular those which transpose the "ePrivacy" directive. It follows, as will be developed below, that the case law of the CJEU on the application of Article 4 of Directive 95/46/EC remains relevant to clarify the scope to be given to these two criteria.58. Firstly, on the existence of a Facebook establishment on French territory, the Restricted Committee recalls that the CJEU has consistently considered that the concept "in the context of the activities of an establishment" cannot be accepted a restrictive interpretation in data protection law and, that to know whether a data controller had an "establishment", it was necessary to assess both the degree of stability of the installation and the reality of the exercise of the activities in a Member State, taking into account the specific nature of the economic activities and the provision of services in question (see in particular, CJEU, 1 October 2015, Weltimmo, C 230/14, pts. 25 to 31).59. The Court specified in particular that "the notion of 'establishment', within the meaning of Directive 95/46, extends to any real and effective activity, even minimal, carried out by means of a permanent establishment" (idem, pt . 30), the criterion of stability of the installation being examined with regard to the presence of "human and technical means necessary for the supply of concrete services in question" (idem, pt. 31). The Court further considered that a company, an autonomous legal person, from the same group as the data controller, may constitute an establishment of the data controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C -131/12, pt 48).60. In this case, the company FACEBOOK FRANCE, registered in France since February 3, 2011, is the headquarters of the French subsidiary of the company META PLAFORMS INC. It has premises located in Paris and employs approximately […] people. It is specified in the articles of association of this company, updated and filed with the registry of the Paris Commercial Court on July 9, 2020, that its purpose is "any activity relating, directly or indirectly, to the purchase, the sale or intermediation of advertising space on the Facebook Online Social Networking Platform or any other platform operated by the Facebook group, or any other commercial agreement, in its broadest sense, relating to online advertising space and in particular, without this list being exhaustive, the offer to buy, sell or provide online advertising space, the negotiation of contracts concerning online advertising space, the implementation of marketing strategies relating to offers for the sale of advertising space and any other advertising service that may be provided to advertisers, advertising agencies or any other third party". As regards the links of this company with the company FIL, the Restricted Committee notes that they are both subsidiaries of the group's parent company, the company META PLAFORMS INC., and that they are linked in particular to the to each other by a contract for the resale of advertising space and by a contract for the provision of services, in force since July 1, 2018.62. In this regard, the Restricted Committee notes that if, in its response of May 21, 2021, the company FACEBOOK FRANCE stated that "in principle, FIL is the contracting company for advertisers and partners in France wishing to use the advertising products and services of Facebook "(…) for the creation, submission or distribution of advertisements or any other activity or any other commercial or sponsored content" (…)", it also states very clearly that its role consists of "the provision of support local to advertisers and partners in France and the placing of orders and the invoicing of certain customers ".63. In particular, the Restricted Committee notes that under the service provision contract, the company FACEBOOK FRANCE provides, on a non-exclusive basis, numerous services to the company FIL, including general, administrative, human resources, accounting, legal, political , marketing and partnership management.64. Therefore, with regard to the nature of these services, the Restricted Committee considers that the company FACEBOOK FRANCE must be regarded as the establishment in France of the company FIL.65. Secondly, on the existence of processing carried out "in the context of the activities" of the company FACEBOOK FRANCE, the Restricted Committee recalls that in its Wirtschaftsakademie decisions (CJEU, Grand Chamber, June 5, 2018, Wirtschaftsakademie, C-210 /16, pts. 56 to 60) and Facebook Belgium (CJEU, grand chamber, June 15, 2021, Facebook Belgium, C-645/19, pts. 92 to 95), which are in line with the Google Spain case law of 13 May 2014 relating to the activities of the search engine Google in Spain (CJEU, Grand Chamber, 13 May 2014, Google Spain, C-131/12, pt. 55), the Court of Justice considered that the processing consisting of the collection of personal data via cookies placed in the terminals of users visiting, in Germany and Belgium, pages hosted on the Facebook social network was respectively carried out "within the framework of the activities" of the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, German institutions and t of the Facebook group, in so far as those establishments are intended to ensure, in their respective countries, the promotion and sale of the advertising space offered by that social network, which serves to make the service offered by Facebook profitable.66. Thus, in the Facebook Belgium judgment, the Court of Justice noted "on the one hand, a social network such as Facebook generates a substantial part of its income thanks, in particular, to the advertising which is broadcast there and that the activity exercised by the establishment located in Belgium is intended to ensure, in this Member State, even if only incidentally, the promotion and sale of advertising space which serves to make the Facebook services profitable. , the main activity carried out by Facebook Belgium, consisting in maintaining relations with the institutions of the Union and constituting a point of contact with them, aims in particular to establish the policy for the processing of personal data by Facebook Under these conditions, the activities of the establishment of the Facebook group located in Belgium must be considered to be inseparably linked to the processing of personal data at issue in the main proceedings, t Facebook Ireland is responsible for the territory of the Union" (pts. 94-95).67. Even if these three judgments concerned more specifically the subsequent processing implemented from cookies deposited in users' terminals - which justified the application of Directive 95/46/EC for the Google Spain and Wirtschaftsakademie cases and of the GDPR for the Facebook Belgium case – this case law remains relevant to clarify the scope to be given to the notion of processing carried out "in the context of the activities" of an establishment, the French legislator having taken it up, when transposing the directive " ePrivacy", to establish the territorial jurisdiction of the CNIL with regard to the processing covered by this directive.68. In this case, the Restricted Committee notes that the analyzes carried out in Germany and Belgium by the German and Belgian data protection authorities with regard to the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, and confirmed by the CJEU, can be reproduced in France by the CNIL concerning the company FACEBOOK FRANCE.69. Indeed, it appears from the response of the company FACEBOOK FRANCE of May 21, 2021 that its activities consist in providing "advertising support services to advertisers and partners in France on behalf of FIL". More specifically, "it informs advertisers and partners in France about the use they can make of the Facebook advertising services offered by FIL. By way of illustration, FB France provides advice on how to use the tools and features of Facebook products in order to optimize advertising budgets or improve the quality of advertising campaigns”. Finally, "since July 1, 2018, [it] also interacts with certain advertisers and partners in France, with regard to placing their orders and invoicing related to the resale of advertising space for their benefit".70. Consequently, the Restricted Committee considers that the processing in question - consisting of operations to access or register information in the terminal of users residing in France when using the Facebook social network, in particular for advertising purposes – is carried out "as part of the activities of FACEBOOK FRANCE", a company which is "the establishment of Facebook on French territory" and participates, as such, in the promotion and marketing of Facebook products and their advertising solutions in France. Since the two criteria provided for in Article 3, paragraph I, of the "Informatique et Libertés" law are met, the processing is subject to French law.71. The Restricted Committee emphasizes that the application of French law only concerns read and/or write operations carried out on French territory (Article 4 of Directive 95/46/EC moreover specified that the law of the Member State applied only to the activities of the establishment "on the territory of the Member State").72. Finally, it notes that this has been a constant position on its part since the intervention of the Google Spain case law in 2014 (see in particular the CNIL decisions, restricted formation, April 27, 2017, SAN-2017-006; CNIL , restricted training, December 19, 2018, SAN-2018-011; CNIL, restricted training, December 7, 2021, SAN-2020-012 and CNIL, restricted training, December 7, 2021, SAN-2020-013).73. It follows from the foregoing that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of taking a sanction measure concerning the processing in question which falls within the scope of the directive. “ePrivacy”.B. On the complaint alleging the illegality of this sanction procedure74. The company denounces the fact of not having received a prior formal notice, like the sixty players who were the subject of this corrective measure between May and July 2021 for similar facts, and invokes the resulting breach of the principle of equality before the law.75. It maintains that this principle would also be disregarded because of the severity of the corrective measures proposed by the rapporteur in comparison with the recent decisions of the Restricted Committee pronounced against major players for non-compliance with the provisions of Article 82 of the “Informatique et Libertés” law (see CNIL decisions, restricted formation, November 18, 2020, SAN-2020-009, Carrefour Banque; December 7, 2020, SAN-2020-012, Amazon and SAN-2020-013, Google; 27 July 2021, SAN-2021-013, Le Figaro).76. With regard firstly to the lack of prior formal notice, the Restricted Committee notes that under Article 20, paragraph III, of the "Informatique et Libertés" law, the referral of a file to a procedure of sanction belongs to the president of the CNIL alone, so that the restricted committee does not have to decide on the principle of its referral.77. It also recalls that it follows from these provisions that the President of the CNIL is not required to send a formal notice to a data controller before initiating sanction proceedings against him. It adds that the possibility of directly initiating sanction proceedings has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, No. 433311, pt. 3).78. Moreover, the Restricted Committee notes that a prior formal notice was all the less justified in this case as the company has already, following a prior formal notice, been subject to a penalty of the share of restricted training for breaches relating to cookies in 2017. The company therefore had to be both particularly vigilant in terms of compliance with its obligations in terms of cookies and also attentive to changes in the regulations in this area, in particular following the strengthening of the conditions of consent following the entry into force of the GDPR.79. Finally, the Restricted Committee notes that the CNIL has communicated in particular on these developments, in particular by defining an action plan relating to cookies, the terms of which were detailed in 2019 in a press release published on its website on June 28, 2019. The CNIL specified in particular that it would leave a "transitional period" to data controllers so that they have the time necessary to bring their reading and/or writing operations into compliance with the new requirements following the entry into application of the GDPR and which would be enshrined in the new recommendation which was to be drafted. It was already stressing that it would carry out checks on compliance with this future recommendation within six months of its final adoption. Extended once, this adaptation period came to an end on April 1, 2021.80. As regards, next, the amount of the fine proposed by the rapporteur, this has no effect on the legality of the procedure.81. Consequently, the Restricted Committee considers that the complaint based on the illegality of the procedure must be dismissed.C. On the breach of cookie obligations82. Under the terms of article 82 of the "Informatique et Libertés" law, which transposes into French law the provisions of article 5, paragraph 3, of the "ePrivacy" directive, "any subscriber or user of a communications service must be informed in a clear and complete manner, unless he has been informed beforehand, by the data controller or his representative: 1° Of the purpose of any action aimed at accessing, by electronic transmission, information already stored in his electronic communications terminal equipment, or to register information in this equipment; user has expressed, after having received this information, her consent (…)”.83. Under Article 2(f) of the ePrivacy Directive, consent has to be understood within the meaning of "consent of the data subject" as set out in Directive 95/46/EC. According to Article 94 of the GDPR "references to the repealed directive must be understood as references to the [GDPR]".84. Under Article 4, paragraph 11, of the GDPR, to be validly obtained, consent must be a "manifestation of will, free, specific, informed and unambiguous by which the person concerned accepts, by a declaration or by an act clear positive ".85. The scope of this article is informed by recital 42 of the GDPR, according to which "consent should not be considered to have been given freely if the data subject does not have a genuine freedom of choice or is not able to refuse or withdraw consent without prejudice”.86. In this case, the delegation noted in the context of the online check of April 8, 2021 that, when a user goes to the Facebook social network, a pop-up window whose title is "Accept Facebook cookies in this browser " appears and, at the bottom of this window, there are two buttons labeled "Manage data settings" and "Accept all". It was also noted that at this stage no cookie was placed in the user's terminal and that the latter was obliged to click on one of these two buttons in order to be able to continue browsing the social network.87 . Thus, when the user clicks on the "Accept all" button appearing at the bottom of this first window and gives his consent by this action to the reading and/or writing of information in his terminal, the window disappears, this which allows him to continue browsing the social network.88. When the user clicks on the "Manage data settings" button, a new pop-up window appears, including the two main purposes pursued by cookies subject to consent – personalized advertising carried out by Facebook and personalized advertising carried out by third parties – and next to which there are sliding buttons, disabled by default.89. The delegation found that when the user scrolls this second window, leaves the two slider buttons deactivated, and then clicks on the "Accept cookies" button at the bottom of this window, the latter disappears, allowing him to continue his navigation on the social network without advertising cookies having been deposited in his terminal.90. In view of these findings, the rapporteur considers that the company has breached Article 82 of the "Informatique et Libertés" law, as clarified by the reinforced consent requirements laid down by the GDPR, since it does not provide users residing in France, on the "facebook.com" website, with a means of freely consenting by refusing the operations of reading and/or writing information in their terminal presenting the same degree of simplicity than that intended to accept its use. The rapporteur also considers that the information provided to the user does not allow him to clearly understand that he can refuse cookies.91. It also notes by way of clarification that under the terms of its guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, adopted on 4 May 2020, the EDPS recalled that "the adjective "free "implies real choice and control for those affected" (§13).92. Similarly, in the context of its deliberation no. 2020-092 of September 17, 2020 adopting a recommendation proposing practical procedures for compliance in the event of the use of "cookies and other tracers", the Commission considered, given the aforementioned applicable texts, that "the data controller must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity".93. The company argues that neither the "ePrivacy" directive, nor its transposition into French law in article 82 of the "Informatique et Libertés" law provides the rule that it must be as easy to refuse cookies as to accept them. . She adds that this rule is not provided for by the GDPR either, whose Article 7(3) only introduces an obligation relating to the withdrawal of consent, which does not extend to the initial refusal to consent to cookies.94. It argues that the CNIL's guidelines and recommendation of September 17, 2020 do not have mandatory value and in any case do not refer to any binding provision of the GDPR or the "ePrivacy" directive when they refer to this rule which , in these two CNIL instruments, appears moreover under headings relating to the refusal of consent and not to freedom of consent.95. Finally, it maintains that its information path complies with the applicable rules when it does indeed provide, from the first window, information relating to the setting of cookies and that a distracted user arriving at the second window allowing this setting, who would click on the "Accept cookies" button appearing at the bottom of this second window, would not see any advertising cookies deposited in their terminal.96. Firstly, with regard to the terms of the refusal, the Restricted Committee refers to the provisions recalled in points 41 to 43 and in points 82 and following of this deliberation. It considers that, to guarantee the freedom of consent, it should in this case be as easy to refuse cookies as to accept them. She points out that the EDPS clarifies this point in his guidelines on consent adopted on 4 May 2020 by specifying that "the adjective 'free' implies real choice and control for the data subjects".97. By applying this requirement of freedom of consent to cookies, it considers that making the refusal mechanism more complex than that allowing them to be accepted, for example by relegating the button allowing them to be refused to a second window, generally amounts, in the context of web browsing, in reality altering users' freedom of choice by encouraging them to favor the acceptance of these cookies rather than their refusal.98. She notes that this conclusion is corroborated in particular by an academic study entitled "Dark Patterns after the GDPR: Scraping Consent Pop-ups and Demonstrating their Influence" their influence") conducted in 2020 from different cookie banners offered to a panel of users. In this study, researchers from the universities of Cambridge and MIT in particular demonstrated that 93.1% of Internet users confronted with cookie banners stop at the first level and that only a small minority of them go to the second level to personalize or refuse. This study also showed that relegating the opt-out button to the second level increased the cookie consent rate by an average of 23.1 percentage points.99. It also recalls that, to take into account the changes brought about by the entry into force of the GDPR and in particular to clarify the scope to be given to the contested rule in this procedure, the CNIL has changed its deliberation No. 2013-378 of 5 December 2013 adopting a recommendation on cookies and other trackers (hereinafter "the recommendation of 5 December 2013").100. This change was reflected first in the adoption of deliberation no. 2019-093 of July 4, 2019 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to transactions reading and/or writing in a user's terminal (in particular to cookies and other tracers) (hereinafter "the guidelines of July 4, 2019), which already provided in its article 2, "that it must be as easy to refuse or withdraw consent as to give it", then by that of the guidelines and the recommendation of September 17, 2020, which respectively repealed the guidelines of July 4, 2019 and the recommendation of December 5, 2013.101. Restricted Committee emphasizes that the two instruments adopted in 2020 aim to interpret the legislative provisions and to enlighten the actors on the implementation of concrete measures to guarantee compliance with these provisions, so that they implement these measures or measures having equivalent effect, without however providing for new legal obligations. It notes that the guidelines of September 17, 2020 specify that their "main purpose is to recall and explain the law applicable to the operations of reading and/or writing information […] in the terminal equipment of the subscriber's or user's electronic communications, and in particular the use of cookies (hereinafter “cookies”)”.102. She notes that article 2 of the guidelines of September 17, 2020 and article 2.4 of the recommendation of September 17, 2020 are very clear, the latter recalling that "the data controller must offer users both the possibility of accepting and to refuse read and/or write operations with the same degree of simplicity ".103. It underlines that if, for the sake of pedagogy, these details appear in these two instruments under titles which evoke its content rather than the legal source from which it proceeds ("As regards the modalities of the refusal" for the recommendation of September 17, 2020, "On the refusal and withdrawal of consent" for the guidelines of September 17, 2020), it is indeed the requirement of freedom of consent laid down by the GDPR which implies, with regard to the deposit of cookies, that the methods proposed to the user to express this choice are such that they do not encourage him to accept cookies any more than to refuse them.104. The Restricted Committee also notes that the Council of State has already had the opportunity to rule on this issue in its decision Association of Communication Consulting Agencies, in which it examined the guidelines of July 4, 2019. It has thus ruled that: "the CNIL which, by indicating that it should "be as easy to refuse or withdraw consent as to give it", limited itself to characterizing the conditions of the user's refusal, without defining any particular technical methods for expressing such a refusal, did not taint its deliberation with any ignorance of the rules applicable in the matter" (CE, June 19, 2020, no. 434684, T., pt 15).105. It notes that this recital must be read in the light of the conclusions of the public rapporteur on this judgment, which noted: "As indicated by the CNIL, the contested guidelines do not impose any technical procedure for collecting this refusal. They are limit themselves to requiring, generally and rightly, that it should not be more complicated to refuse than to accept" (CE, conclusions of the public rapporteur on judgment no. 434684, p. 17).106. Finally, it emphasizes that in the guidelines and in the recommendation of September 17, 2020, the CNIL does not necessarily require the insertion of a "Refuse all" button, but recalls the importance of setting up a simple alternative allowing the user to refuse cookies as simply as accepting them, giving examples of wording and methods that can be used by organizations so that users' freedom of consent is truly respected.107. Thus, under the recommendation of September 17, 2020, the CNIL proposes: "For example, at the stage of the first level of information, users can have the choice between two buttons presented at the same level and on the same format, on which "accept all" and "refuse all", "allow" and "prohibit", or "consent" and "not consent", or any other equivalent and sufficiently clear wording are written respectively. The Commission considers that this method constitutes a means simple and clear to allow the user to express his refusal as easily as his consent. The expression of the refusal to consent can however result from other types of actions than that consisting in clicking on one of the buttons described here In any event, the Commission recalls that the terms enabling users to consent or refuse must be presented in a clear and understandable manner, in particular when refusal may be be manifested by the simple closing of the consent collection window or by the absence of interaction with it for a certain period of time, this possibility must be clearly indicated to users on this window. Indeed, failing this, the user would be likely not to understand that these actions lead to the fact that no read or write operation subject to consent can legally take place. Appropriate design and information should allow him to fully understand the options available to him". April 2021, when a user residing in France visits the "facebook.com" website, he can accept the deposit of advertising cookies in a single action, by clicking on the button entitled "Accept cookies" appearing on the first 109. It notes that, on the other hand, to refuse these cookies, the user must perform no less than three actions: first click on the button entitled "Manage data settings" located above the "Accept" button cookies " of the first window, scroll through the entire content of the second window, in particular to note that the two sliding buttons controlling the deposit of advertising cookies are deactivated by default, and finally click on the button " Accept all" located at the bottom of this second window.110. In this case and as it has already mentioned, the Restricted Committee considers that the fact, for the company, of making the mechanism for refusing cookies more complex than that consisting in accepting them actually amounts to discouraging users from refusing cookies and to encourage them to favor the ease of the "Accept cookies" button. Indeed, a web user is generally led to consult many sites. Browsing the web is characterized by its speed and fluidity. Having to click on "Manage data settings" and having to understand how the page to refuse cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in this case, the company offers a choice between the acceptance or refusal of cookies, but the methods by which this refusal can be expressed, in the context of web browsing, skews the expression of choice in favor of consent in such a way as to alter the freedom of choice.111. Secondly, with regard to the information provided, the Restricted Committee recalls that under Article 82 of the "Informatique et Libertés" law, the user must in particular be informed, before consenting to cookies, " the means at his disposal to oppose them", that is to say to refuse them, and that the information provided must be "clear and complete". It stresses that these provisions must be read in the light of recital 66 of the amending Directive 2009/136/EC "ePrivacy" which provides that "the methods chosen to provide information and offer the right of refusal should be as user-friendly as possible" .112. It underlines that, in the context of its recommendation of September 17, 2020, the Commission took care to specify that this requirement for "clear and complete" information should be interpreted in such a way that "the information accompanying each actionable element expressing consent or refusal is easily understandable and does not require efforts of concentration or interpretation on the part of the user. Thus, it is particularly recommended to ensure that it is not worded in such a way that a cursory or careless read might suggest that the selected option produces the opposite of what users thought they were choosing".113. In this case, it recalls that it appears from the online check of April 8, 2021 that once arrived on the "facebook.com" website, the user must, to refuse the deposit of advertising cookies, first click on the "Manage Data Settings" button in the first window, scroll through the entire second popup window leaving both sliders disabled to not accept cookies, then click on the "Accept Cookies" button appearing at the bottom of this second window.114. If, as the company argues in defence, the Restricted Committee recognizes that a distracted user who clicks on the "Accept cookies" button appearing at the bottom of the second window would not see any advertising cookies deposited in his terminal as soon as the sliding buttons allowing the deposit of these cookies to be activated are deactivated by default, it notes that it is particularly counter-intuitive to have to click on a button entitled "Accept cookies" in order to refuse their deposit.115. The Restricted Committee considers that these methods rather encourage the user to think that it is ultimately not possible to continue browsing after having refused the deposit of advertising cookies since the entire process of refusing cookies is based on information referring to the acceptance of cookies.116. It notes that this feeling can only be accentuated by the not very explicit nature of the "Manage data settings" button offered within the framework of the first window, which does not clearly mention the existence of means allowing cookies to be refused. 117. It considers that the fact that ultimately cookies are not deposited has no impact on the confusion generated by this contradictory information path which can give the user the feeling that it is not possible to refuse the deposit of cookies. and that it has no means of monitoring in this respect.118. In view of these elements, the Restricted Committee considers that the information provided to users residing in France visiting the "facebook.com" page as well as the procedures for obtaining consent offered to them by the company on this website do not do not comply with the provisions of article 82 of the law "Informatique et Libertés" as clarified by the reinforced requirements in terms of consent laid down by the RGPD.III. On the pronouncement of corrective measures and publicity119. Article 20 of Law No. 78-17 of January 6, 1978 as amended provides that: "when the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or of this law, the president of the National Commission for Computing and Liberties may […] seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: [ …]2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned in order to exercise their rights , which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted body; […]7° With the exception of cases where the processing is implemented by the State, an administrative fine not to exceed 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover of the previous financial year, whichever is higher retained. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted formation takes into account, in determining the amount of the fine, the criteria specified in the same article 83. "Article 83 of the GDPR, as referred to in article 20, paragraph III, of the law "Informatique and Freedoms", provides for its part that "Each supervisory authority shall ensure that the administrative fines imposed under this article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account to decide whether it is necessary to impose an administrative fine and to decide on the amount of this fine.A. On the imposition of an administrative fine and its amount120 The company first argues that the demonstration by the rapporteur of the seriousness of the breach and the number of people concerned in support of its proposal for a sanction is insufficient.121 It also argues that the developments in the ra information relating to the scope of the breach and the financial benefits perceived as a result of the breach would be inoperative when the sliding buttons appearing on the second window are disabled by default, so that a distracted user who clicks on the "Accept cookies" button " located at the bottom of this second window would not see any cookie deposited in his terminal.122. The Restricted Committee recalls, in general, that Article 20, paragraph III, of the "Informatique et Libertés" law gives it jurisdiction to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the turnover total worldwide annual turnover of the previous financial year achieved by the data controller. The determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR to which this article refers.123. Firstly, with regard to the imposition of an administrative fine, the Restricted Committee considers that it is first necessary to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach taking into account the nature, the scope of the processing and the number of data subjects.124. It notes first of all that by not complying with the requirements of article 82 of the "Informatique et Libertés" law, the company does not allow users residing in France visiting the "facebook.com" web page to refusing cookies as easily as accepting them. By depriving them of this true freedom of choice, the company strongly encourages users to consent to the deposit of advertising cookies.125. The Restricted Committee underlines the scope of the social network Facebook and the essential place it occupies in France, since it dominates the social network market by far, as noted by the Autorité de la concurrence in its opinion no. ° 18-A-03 of March 6, 2018. It also notes the "network effects" generated by this dominant position, highlighted by the German competition authority in a decision of February 6, 2019.126. It insists on the fact that this shortcoming is all the more harmful for the people concerned since, alongside its traditional function of maintaining and developing interpersonal relationships, this social network is also playing an increasing role in areas as diverse as access to information, public debate, even civil security via the "Facebook danger check" (or "safety check") functionality in the event of a natural disaster or an attack, which are of unquestionable importance in a democratic society.127. It also stresses that the tracing of the persons concerned, which begins with the collection of information linked to the user account and which continues throughout the user's browsing on Facebook, for an advertising purpose clearly recognized by the data controller, does not does not stop at the borders of the social network.128. It is not discussed that Facebook makes available to very many third-party sites a set of tracking tools – such as social plugins, connection buttons or the Facebook pixel – which will continue to collect data from users visiting these third party sites to cross them with the data already collected within the framework of the social network and this in order to increase the valuation of this data. A 2019 study revealed the presence of these Facebook tracking tools on 44% of the world's 65,000 most visited websites, so the indirect scope of the processing is considerable.129. Finally, with regard to the number of people affected by the processing in question, the Restricted Committee recalls that, according to the own volumetric data provided by the company, the social network counts approximately […]monthly users in France, which corresponds to […] % of the population.130. Secondly, the Restricted Committee considers that the criterion provided for in subparagraph k) of Article 83(2) of the GDPR relating to the financial benefits obtained as a result of the breach should be applied.131. In this regard, it notes that insofar as Facebook follows a business model known as "targeted content matching", operating simultaneously in the collection of data, their valuation and the operational implementation of the advertisements broadcast in the banners deployed within the social network, the performance of its business model is mainly based on targeting tools and in particular on cookies, which make it possible to single out and reach the identified user with a view to offering him advertising content adapted to his centers of interest and his profile.132. In this case, the Restricted Committee considers that the breach in question provides undeniable financial advantages to the company, since the fact of opting for a process that facilitates the deposit of cookies more than refusal increases the share of users with whom advertising cookies are likely to be deposited and therefore also increases the volume of advertising revenue generated by the profiling in which these cookies participate.133. In this perspective, it appears from the financial elements of the company FACEBOOK INC., communicated by the company FIL, that the first derives nearly 98% of its gross income from the online advertising segment and that it operates a global operating margin around 40% in this segment. Even if all of these revenues are not directly linked to cookies, the Restricted Committee emphasizes that this segment is essentially based on the targeting of Internet users, in which the cookie participates directly by making it possible to single out and reach the identified user with a view to to display him advertising content corresponding to his centers of interest and his profile.134. In this case, if it is not aware of the amount of profit made by the Facebook group from the collection and use of cookies on the French market via the income generated by targeted advertising aimed at French Internet users, the training restricted notes that a proportional approximation based on the figures available to it, in particular the average income generated by a European user for the online advertising segment and the number of users residing in France, would lead to an estimate that France would contribute to the net income of FACEBOOK INC., the parent company of the Facebook group, now called META PLAFORMS INC., for an amount of between 550 and 660 million euros.135. Secondly, with regard to the determination of the amount of the fine, the Restricted Committee recalls that pursuant to the provisions of Article 20, paragraph III, of the "Informatique et Libertés" law, the company FIL incurs financial penalty of a maximum amount of 2% of its turnover, which was EUR […] in 2019.136. Therefore, with regard to the liability of the company, its financial capacities and the relevant criteria of Article 83, paragraph 2, of the Rules mentioned above, the Restricted Committee considers that a fine of 60 million euros against the company appears justified.B. On the issuance of an injunction accompanied by a penalty payment137. In its writings of October 8, 2021, the company indicated that an update of its interface for collecting consent to cookies would be being deployed in the European region, including in France, without however producing any proof. It specified that "this update for the European region does not introduce additional purposes for cookies, nor does it add new cookies" and that it aims to "improve the ergonomics of the interface ".138. On December 6, 2021, the company released screenshots documenting the nature of this update.139. Firstly, the Restricted Committee notes that this update modifies in particular the content of the buttons of the first window "Manage data parameters" and "Accept all", which are now respectively entitled "Other options" and "Allow all cookies" and that in the second window the old single button "Allow cookies" is now called "Allow only essential cookies" and that next to it the company has introduced a second button called "Allow all cookies" .140. The Restricted Committee notes that, in accordance with the explanations already mentioned during the meeting and repeated by the company in the letter accompanying these screenshots, this update only concerns "users connected to the site www.facebook.com ", which informal checks enabled him to ascertain.141. Furthermore, and above all, the Restricted Committee notes that this update still does not put in place the means to refuse cookies as easily as they can accept them.142. Consequently, since the interface resulting from this update still does not comply with the provisions of article 82 of the "Informatique et Libertés" law, as clarified by the reinforced requirements in terms of consent by the GDPR, the Restricted Committee considers it necessary to issue an injunction in order for the company to comply with the applicable obligations in this area.143. Secondly, the Restricted Committee recalls that a daily fine is a financial penalty per day of delay that the data controller will have to pay in the event of non-compliance with the injunction at the expiry of the deadline for execution. Its pronouncement may therefore sometimes prove necessary to ensure compliance of the data controller within a certain period.144. The Restricted Committee adds that in order to keep the penalty payment its comminatory function, its amount must be both proportionate to the seriousness of the breaches committed and adapted to the financial capacities of the data controller. It also notes that, in order to determine this amount, account must also be taken of the fact that the breach concerned by the injunction indirectly contributes to the profits generated by the data controller.145. In view of these elements, the Restricted Committee considers as justified the pronouncement of a penalty payment in the amount of 100,000 euros per day of delay and payable at the end of a period of three months.C. Publicity of the decision146. The company asked the restricted committee not to make its decision public.147. The Restricted Committee considers, on the contrary, that the publication of this Decision is justified in the light of the seriousness of the breach in question, the scope of the processing and the number of persons concerned.148. It also notes that this measure will make it possible to alert users of the social network Facebook residing in France of the characterization of the breach of article 82 of the law "Informatique et Libertés" in its various branches and to inform them of the persistence of the breach. on the day of this deliberation and of the injunction issued against the company to remedy it.149. Finally, it considers that this measure is not disproportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.FOR THESE REASONSThe restricted formation of the CNIL, after having deliberated, decides to:• pronounce an administrative fine against the company FACEBOOK IRELAND LIMITED in the amount of sixty million euros (60,000,000 euros) with regard to the breach of Article 82 of the “Informatique et Libertés” law; • pronounce against the company FACEBOOK IRELAND LIMITED, an injunction to modify, on the “facebook.com” website, the procedures for obtaining the consent of users located in France to information reading and/or writing operations in their terminal, by offering them a means of refusing these operations presenting a simplicity equivalent to the mechanism provided for their acceptance, in order to guarantee the freedom of their consent; nction of a penalty payment of one hundred thousand euros (100,000 euros) per day of delay at the end of a period of three months following the notification of this deliberation, the supporting documents of compliance must be sent to the training restricted within this period; • make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from of its publication; • send its deliberation to the company FACEBOOK FRANCE with a view to its execution. The president Alexandre LINDEN This decision may be the subject of an appeal before the Council of State within a period of four months from its notification.Deliberation SAN-2021-024 of December 31, 2021Deliberation SAN-2021-024 of December 31, 2021