CE - 449209
|CE - 449209|
|Relevant Law:||Article 55(1) GDPR|
Article 56(1) GDPR
Article 5(3) ePrivacy Directive
Article 16 of the Law of 6 January 1978 on data processing, files and freedoms
Article 8 of the Law of 6 January 1978 on data processing, files and freedoms
Article 82 of the Law of 6 January 1978 on data processing, files and freedoms
Google LLC and Google Ireland Ltd.
|National Case Number/Name:||449209|
|European Case Law Identifier:||ECLI:EN:CECHR:2022:449209.20220128|
|Appeal from:||CNIL (France)|
|Appeal to:||Not appealed|
|Original Source:||Légifrance Lebon Collection (in French)|
|Initial Contributor:||Giel Ritzen|
The Supreme Administrative Court of France rejected Google’s appeal to annul the CNIL’s fine of € 100 million, imposed for the violation of Article 82 of the French Data Protection Act, since the one-stop-shop mechanism did not apply to the CNIL’s obligation to monitor compliance with the act.
English Summary[edit | edit source]
Facts[edit | edit source]
On 7 December 2020, the French DPA (CNIL) imposed two fines totaling € 100 million on Google LLC and Google Ireland Ltd for violating Article 82 of the French Data Protection Act (which transposes the ePrivacy Directive). Google (1) had not obtained the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) had lacked to provide information, and (3) had not implemented a mechanism to refuse the cookies.
Google did not agree with the CNIL’s decision and brought the issue before court. First, it claimed that, since there is cross-border processing, the Irish DPA (DPC) is the lead supervisory authority since Google’s main establishment in the EU is in Ireland, and the CNIL therefore did not have competence to rule on this matter according to the one-stop-shop mechanism. Second, it found the fine to be disproportionate. Hence, it requested the Council of State to annul the decision, and to refer two preliminary questions to the CJEU, asking:
(1) whether the one-stop-shop mechanism provided for in Article 56 GDPR is excluded in the context of cross-border processing that falls within the scope of both the ePrivacy Directive and the GDPR, and
(2) whether Article 15a ePrivacy Directive violates the right to data protection because does not provide an obligation, but rather an option, “for the competent national regulatory authorities to adopt measures to ensure effective cross-border cooperation in the enforcement of national laws adopted pursuant to the directive and to create harmonised conditions for the provision of services involving cross-border data flows”.
Holding[edit | edit source]
The Council of State rejected Google’s appeal.
First, according to the Council, the ePrivacy Directive, implemented in the French Data Protection Act, does not provide for the application of the one-stop-shop mechanism as mentioned in Article 56 GDPR. Although the requirements for consent are regulated by the GDPR the deposit of cookies is regulated by the ePrivacy Directive. Hence, even if cross-border processing takes place, the CNIL is competent to monitor compliance with the objectives of such Directive. The Council then notes that “it follows that, as regards the control of the operations of access and recording of information in the terminals of users in France of an electronic communications service, even if they are the result of cross-border processing, the measures to monitor the application of the provisions transposing the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the Law of 6 January 1978.” The Council stipulated that there is no need to refer preliminary questions to the CJEU, because it had no doubt as to whether the one-stop-shop mechanism should be excluded in the context of cookies.
Second, the Council rejected Google’s argument that their right of defense had been infringed by the CNIL because they did not provide a prior formal notice, since it is not required to provide such a formal notice before imposing a sanction.
Third, on the substance of the matter, the Council confirmed the three violations of Article 82 of the Data Protection Act: (1) not obtaining the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) not providing clear information on the deposit of cookies, and (3) not implementing a mechanism to refuse the cookies.
Lastly, the Council stated that the fines were not disproportionate in light of the financial capacities of the “two” companies. It considered Google’s market share of more than 90% with (an estimated) 47 million users in France and the large profits that follow from the targeted online advertisement. Moreover, it stated that Google did not genuinely cooperated with the CNIL since it did not provide advertising revenues, and the breaches were serious.
Comment[edit | edit source]
It seems that, whereas the CNIL had formulated an extensive doctrine regarding the material and territorial competence, the Council of State mainly looked at the physical location of the terminal of the user, to determine the territorial competence.
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.