CE - 449212

From GDPRhub
CE - 449212
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 56 GDPR
Article 94 GDPR
Article 12 Directive n° 2002/58/CE
Article 15 Directive n° 2002/58/CE
Article 5(3) Directive n° 2002/58/CE
Article 16 Law Informatique et Libertés
Article 20 Law Informatique et Libertés
Article 3(1) Law Informatique et Libertés
Article 8 Law Informatique et Libertés
Article 82 Law Informatique et Libertés
Article L521-1 Code of Administrative justice
Article L761-1 Code of Administrative justice
Decided: 04.03.2021
Published: 04.03.2021
Parties: Google LLC
Google Ireland Limited
National Case Number/Name: 449212
European Case Law Identifier: ECLI:FR:CEORD:2021:449212.20210304
Appeal from: CNIL (France)
[1]
Appeal to:
Original Language(s): French
Original Source: conseil-etat.fr (in French)
Initial Contributor: Roka

The French highest administrative court (Conseil d'Etat) rejected a request for interim measures made by Google LLC and Google Ireland Limited. The request aimed at removing a sanction imposed by the CNIL on Google to comply with the data processing principle regulation within three months, under a penalty of € 100.000 fine per day of delay.

English Summary

Facts

On December, 7 2020, the French DPA imposed a financial penalty of 60 Million euros fine against Google LLC and a 40 million euros against Google Ireland Limited in accordance with the General Data Protection Regulation (GDPR) and ePrivacy Directive, for lack of transparency, inadequate information and lack of valid consent regarding for violating the regulation on cookies while operating the website google.fr.

The sanction was accompanied by an order to comply with article 82 of the French Law on data protection (Law Informatique et Libertés), under three months on penalty of a €100000 fine per day of delay.

The companies appealed to the Conseil d’État in interim procedure against the CNIL's decision, arguing that the French DPA was not the competent authority because it was not the lead supervisory authority for Google LLC or Google Ireland Limited.

Dispute

Is the CNIL territorially competent to investigate and sanction a company for violating the information principle when depositing cookies if it is not the lead supervisory authority of the company? The CNIL considered that Google does have EU headquarters in Ireland, but that this Irish entity ‘did not have a decision making power’ in relation to the relevant cross-border data processing activities to which the complaints related. For that reason the CNIL decided that the One Stop Shop mechanism did not apply and that the CNIL, like any other European supervisory authority, was therefore competent to make a decision.

Holding

The Conseil d’État rejected the request made by Google and ruled that the French DPA was territorially competent on this matter even though it is not the lead supervisory authority.

The court stated that Article 82 of the Law Informatique et Libertés was a transposition of article 5(3) of the Directive 2002/58/CE into French Law when dealing with cookies and that the CNIL is charged with enforcing this Directive. As such, the one-stop shop mechanism provided for in Article 56 GDPR does not apply in the present case.

Comment

CNIL - SAN-2020-012

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Council of State

N° 449212
ECLI:FR:CEORD:2021:449212.20210304
Unpublished in the Recueil Lebon
Judge of summary proceedings
SCP SPINOSI, lawyers


Reading of Thursday 4 March 2021
FRENCH REPUBLIC

IN THE NAME OF THE FRENCH PEOPLE


Having regard to the following procedure:

By a request, registered on 29 January 2021 at the Secretariat for Litigation of the Council of State, the company Google LLC and the company Google Ireland Limited ask the judge of the Council of State, ruling on the basis of Article L. 521-1 of the administrative justice code, to order the suspension of the execution of the deliberation of the restricted formation of the CNIL of 7 December 2020 concerning them insofar as it pronounced against them "an injunction to bring the processing into conformity with the obligations resulting from Article 82 of the law on "data processing and liberties", in particular: to inform the persons concerned beforehand and in a clear and complete manner, for example on the information banner present on the home page of the site "google. fr" site: - the purposes of all cookies subject to consent, - the means available to them to refuse them" and that it added to this injunction a penalty of 100,000 euros per day of delay "at the end of a period of three months following notification of this decision, with proof of compliance to be sent to the restricted panel within this period".


The companies argue that
- the condition of urgency is satisfied, given the very short period of time in which to execute the injunction, the impossibility of complying with the injunction given the inability to implement it within such a short period of time and its imprecise nature, and the very high amount of the penalty payment, which reaches the legal maximum, i.e. EUR 100,000 per day of delay;
- there is a serious doubt as to the legality of the contested decision;
- the CNIL was not competent to issue this injunction even though the one-stop shop mechanism provided for in Chapter VI of the General Data Protection Regulation should have been implemented;
- the decision is vitiated by an error of law and an error of legal characterisation of the facts in that the CNIL considered that its territorial jurisdiction on the basis of Article 3(1) of the Data Protection Act would necessarily exclude the application of the one-stop shop mechanism of the General Data Protection Regulation, even though the processing operations at issue are cross-border in nature, fall within the scope of the General Data Protection Regulation, and Google Ireland Limited is Google's principal place of business in Europe

In a statement of defence, registered on 8 February 2021, the CNIL argued that the application should be rejected. It argued that the condition of urgency had not been met and that none of the pleas put forward was such as to raise serious doubts as to the legality of the decision.

Having regard to the brief, registered on 17 February 2021, submitted by the CNIL et des libertés ;

Having regard to the brief, registered on 23 February 2021, submitted by Google LLC and Google Ireland Limited;


Having regard to the other documents in the file;

Having regard to :
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002;
- Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016; Having regard to
- Law no. 78-17 of 6 January 1978;
- Decree no. 2019-536 of 29 May 2019;
- the judgment of the Court of Justice of the European Union C-673/17 Bundesverband der Verbraucherzentralen un Verbraucherverbände - Verbraucherzentrale Bundesverband eV v Planet49 GmbH of 1 October 2019;
- the Code of Administrative Justice;


After having summoned to a public hearing, on the one hand, the companies Google LLC and Google Ireland Limited, and on the other hand, the CNIL et des libertés;

The following were heard at the public hearing on 11 February 2021, at 2.30 pm:

- Mr Spinosi, lawyer at the Conseil d'Etat and the Cour de cassation, lawyer for Google LLC and Google Ireland Limited;

- the representatives of Google LLC and Google Ireland Limited

- the representatives of the Commission Nationale de l'Informatique et des Libertés (CNIL);

at the end of which the interim relief judge postponed the closure of the investigation to 23 February at 12 noon.


Considering the following:

1. Under the terms of the first paragraph of Article L. 521-1 of the Code of Administrative Justice: "When an administrative decision, even a rejection decision, is the subject of an application for annulment or reversal, the interim relief judge, seized of a request to this effect, may order the suspension of the execution of this decision, or of some of its effects, when this is justified by the urgency of the matter and when a plea is made which, in the state of the investigation, is likely to create a serious doubt as to the lawfulness of the decision.

2. The companies Google LLC and Google Ireland Limited asked the interim relief judge of the Conseil d'Etat, ruling on the basis of Article L. 521-1 of the Code of Administrative Justice, to order the suspension of the execution of the deliberation of the restricted formation of the CNIL et des libertés (CNIL) of 7 December 2020 concerning them insofar as it pronounced against them an injunction to bring into conformity the processing of personal data consisting of operations access or registration of information in the terminals of users residing in France when using the Google Search engine with the obligations resulting from Article 82 of the "Data Protection" law and in particular to inform the persons concerned in advance and in a clear and complete manner, for example on the information banner on the home page of the site "google. fr" of the purposes of all cookies subject to consent and the means available to refuse them.

3. In accordance with Article 8(I) of the Act of 6 January 1978, the CNIL is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC of 24 October 1995, known as the General Data Protection Regulation (GDPR). In particular, it is responsible for informing all data subjects and data controllers of their rights and obligations. Pursuant to Article 8(I)(2), the CNIL ensures that personal data processing is carried out in accordance with the provisions of the Act of 6 January 1978 and other provisions relating to the protection of personal data set out in legislative and regulatory texts, European Union law and France's international commitments. In this respect, it may draw up and publish guidelines, recommendations or benchmarks intended to facilitate the compliance of personal data processing with the applicable texts. The first paragraph of Article 16 of the Act of 6 January 1978 also provides that the CNIL's restricted panel "shall take measures and impose penalties on data controllers or processors who fail to comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 and this Act under the conditions set out in section 3 of this chapter". Article 20 of this law entrusts its president with the possibility of referring the matter to the restricted panel with a view to issuing an injunction to bring the processing operation into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this law, which may be accompanied, except in cases where the processing operation is implemented by the State, by a penalty payment, the amount of which may not exceed 100,000 euros for each day of delay as from the date set by the restricted panel.

4. Under the terms of Article 82 of the Act of 6 January 1978 relating to data processing, files and freedoms: "Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he or she has been informed beforehand, by the controller or his or her representative: 1° Of the purpose of any action tending to access, by electronic transmission, information already stored in his or her electronic communications terminal equipment, or to enter information in this equipment; / 2° Of the means available to him or her to oppose it. / These accesses or entries may only take place on condition that the subscriber or user has expressed, after having received this information, his or her consent, which may result from the appropriate parameters of his or her connection device or any other device under his or her control. / These provisions are not applicable if access to information stored in the user's terminal equipment or the recording of information in the user's terminal equipment: / 1° Either for the sole purpose of enabling or facilitating communication by electronic means; / 2° Or, is strictly necessary for the provision of an online communication service at the express request of the user. These provisions transpose into national law Article 5(3) of Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. They must therefore be interpreted in the light of the provisions of that article, according to which: "Member States shall ensure that the storage of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is permitted only with the consent of the subscriber or user, after having received, in accordance with Directive 95/46/EC, clear and comprehensive information, inter alia, on the purposes of the processing. This shall not prevent storage or technical access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provider to supply an information society service explicitly requested by the subscriber or user. According to Article 15a of the same Directive: "1. Member States shall lay down the rules on penalties, including criminal penalties where appropriate, applicable to infringements of the national provisions adopted pursuant to this Directive and shall take all measures necessary to ensure that they are implemented. The penalties thus provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if the infringement has subsequently been rectified. Member States shall notify those provisions to the Commission by 25 May 2011 at the latest and shall notify it without delay of any subsequent amendment affecting them. / 2. Without prejudice to any judicial remedy that may be available, Member States shall ensure that the competent national authority and, where appropriate, other national bodies have the power to order the cessation of the infringements referred to in paragraph 1. / Member States shall ensure that the competent national authority and, where appropriate, other national bodies have the necessary investigative powers and resources, including the power to obtain any relevant information they may require, to monitor and enforce compliance with the national provisions adopted pursuant to this Directive. / 4. Competent national regulatory authorities may adopt measures to ensure effective cross-border cooperation in monitoring the application of national laws adopted pursuant to this Directive and to create harmonised conditions for the provision of services involving cross-border data flows. According to Article 94 of the Regulation of 27 April 2016, "references to the repealed Directive shall be construed as references to this Regulation".

5. It follows from the general scheme of the Act of 6 January 1978 that the CNIL is responsible for ensuring that any data processing falling within its scope, whether or not it involves personal data, complies with its provisions and with the obligations resulting from the Regulation of 27 April 2016. In order to carry out its tasks, it has the power to implement its prerogatives in the way it deems most appropriate, including by issuing an injunction to bring into conformity a processing operation that does not comply with the obligations applicable to "cookies" and other connection tracers arising from Article 5, paragraph 3, of Directive 2002/58/EC of 12 July 2002.

6. As indicated at the hearing, the applicant companies do not dispute that the contested injunction concerns compliance with the obligations applicable to cookies under Article 5(3) of Directive 2002/58/EC of 12 July 2002. But they argue that the CNIL would be incompetent to issue such an injunction, as this competence belongs to the supervisory authority of the main processing establishment pursuant to the so-called one-stop-shop mechanism provided for in Article 56 of the Regulation of 27 April 2016, according to which: "Without prejudice to Article 55, the supervisory authority of the principal or sole establishment of the controller or processor shall be competent to act as lead supervisory authority in relation to cross-border processing carried out by that controller or processor; in accordance with the procedure laid down in Article 60". Under these provisions, they consider that the competent supervisory authority should be the Irish authority, Google Ireland Limited being Google's principal place of business in Europe

7. It follows from the provisions cited in point 4 as interpreted by the Court of Justice of the European Union in its judgment C-673/17 of 1 October 2019, that the conditions for obtaining the user's consent provided for in the Regulation of 27 April 2016 are applicable to read and write operations on a user's terminal. These provisions do not, however, provide for the application of the "one-stop shop" mechanism provided for in Article 56 of this Regulation to the measures for the implementation and control of Directive 2002/58/EC of 12 July 2002, which fall within the competence of the Member States pursuant to the provisions of Article 15a of that Directive. The existence of those specific provisions prevents the provisions of the regulation of 27 April 2016 on the one-stop shop mechanism from applying. Consequently, the pleas alleging that the CNIL was not competent to issue the contested injunction and that it made an error of law and an error of legal characterisation of the facts in considering that its competence would exclude the application of the one-stop shop mechanism do not appear, in the light of the investigation, to be capable of creating a serious doubt as to the legality of the contested decision.

8. It follows from the above, without the need to rule on the condition of urgency, that the application can only be rejected, including the conclusions presented pursuant to Article L. 761-1 of the Administrative Justice Code.


O R D O N E :
------------------

Article 1: The application of the companies Google LLC and Google Ireland Limited is rejected.
Article 2: This order shall be notified to the companies Google LLC and Google Ireland Limited and to the CNIL et des libertés.