CE - 451423

From GDPRhub
CE - 451423
Courts logo1.png
Court: CE (France)
Jurisdiction: France
Relevant Law: Article 55(1) GDPR
Article 56 GDPR
Article 83 GDPR
Article 49 TFEU
Article 50 Charter of Fundamental Rights
Article 56 TFEU
Directive 2002/58/CE
Regulation 2016/679
Code de justice administrative
Décret n° 2019-536 du 29 mai 2019
Loi n° 78-17 du 6 janvier 1978
Decided: 27.06.2022
Published: 27.06.2022
Parties: Amazon Europe Core
CNIL
National Case Number/Name: 451423
European Case Law Identifier: ECLI:FR:CECHR:2022:451423.20220627
Appeal from: CNIL (France)
SAN-2020-013
Appeal to: Not appealed
Original Language(s): French
Original Source: Conseil d'etat Website (in French)
Initial Contributor: Julie Houillon-Leonis

The Conseil d'Etat confirmed a prior sanction by the French DPA. In this prior decision, the French DPA fined Amazon Europe Core €35,000,000 for the unlawful use of cookies on its websites.

English Summary

Facts

The French DPA had received a complaint on 28 May 2018 regarding the lawfulness of processing by Amazon Europe Core ('Provider' or 'The company'). The French DPA had forwarded this complaint to the Luxembourg DPA under the 'one stop shop' mechanism of Article 56 GDPR. The luxembourg DPA started an investigation regarding Amazon's use of cookies and its compliance with the GDPR and the ePrivacy directive. However, the French DPA started its own investigation into Amazon's compliance with Article 82 of the French Data protection act, a national implementation of Article 5(3) of the ePrivacy directive. (directive 2002/58/EC). This investigation regarding Article 82 had resulted in decision SAN-2020-013. In this decision, the French DPA fined Amazon €35,000,000 for the failure to obtain prior consent and the failure to inform users of their rights with regards to the processing of their data, which was mandatory under Article 82 of the Data Protection Act. The DPA found that when a user visited the "Amazon.fr" site, a large number of cookies with advertising purposes were automatically placed on the data subjects computer. Because this type of cookie was not essential to the service provided by the controller, the DPA considered that the controller had not complied with the obligation to obtain the consent of Internet users before depositing the cookies.

Amazon appealed this decision at the Conseil d'Etat, the French Supreme Administrative Court, and requested its annulment. Amazon also asked the Conseil to refer several questions to the CJEU for a preliminary ruling.

Among other arguments, Amazon claimed that the French DPA had made an incorrect interpretation of the law regarding its competence and had disregarded its competence by imposing the contested sanction. The controller also stated that the involvement of the French DPA, when the Luxembourg DPA was already involved, constituted a violation of Article 50 of the Charter of Fundamental Rights. According to this article, the same person may not be prosecuted more than once for the same acts.

Holding

With regard to the application of the "one-stop shop" mechanism and the CNIL's jurisdiction:

The Conseil ruled that the application and enforcement of the ePrivacy directive was the responsibility of national DPAs according to Article 15a of the directive. The "one-stop shop" mechanism did not apply in this case, even when there was a form of a cross-border processing. The Conseil also stated that the absence of a 'one-stop shop' mechanism did not imply any infringement of Article 50 of the Charter of Fundamental Rights, because the DPA only ruled on breaches of national law transposing EU law in the contested decision, and not on GDPR related violations.

The Conseil also assessed the compatibility of Article 3 of the French Data protection Act with the ePrivacy Directive. The Conseil determined that Directive 2002/58/EC did not prevent the French DPA to apply the French data protection Act (including Article 82). The Directive would therefore also not prevent the French DPA from penalising the controller for supposed violations of Article 82 of the French data protection Act. Therefore, the Conseil established that the French DPA could enforce the French data protection act against any person or legal entity responsible for the processing of data who had an establishment in France, irrespective of the location of the principal establishment of the responsible entity. This enforcement by the DPA would also not constitute violations of articles 49 (Freedom of establishment) or 56 (Freedom to provide services) of the TFEU.

With regard to the sanction imposed by the CNIL:

The Conseil deemed that the applicant was sufficiently informed regarding the scope of the DPA's investigations, the facts and the legal grounds on which the sanction was based. Moreover, the Conseil considered that the applicant was given sufficient time to present its defence. The Conseil also ruled that the involvement of the French DPA, while the Luxembourg DPA was the lead supervisory authority, was not enough to constitute a breach of the equality of arms principle. Amazon had argued that the involvement of the French DPA in the procedure had enabled the French DPA to gain access to privileged and confidential information and had used this information as a basis for its own decision. The Conseil determined that Amazon did not provide enough proof for this argument and stated that Amazon was not able to prove that was the procedure contrary to Article 15a(4) of Directive 2002/58/EC.

On a possible violation of Article 50 of the Charter of Fundamental Rights:

The Conseil explained, based on the CJEU's case law (Aklagaren v Akerberg Fransson C-617/10, Powszechny Zaklad Ubezpieczen na Zycie SA of C-617/17 and bpost SA v Belgian Competition Authority C-117/20), that the principle invoked by the applicant, that the same person may not be the subject of several proceeding in respect of the same facts, was not violated by the French DPA. The Conseil stated that the principle could only be enforced when criminal proceedings had been definitively terminated. This was in particular the case when a criminal penalty had become final. The Conseil held that Amazon was not found to be the subject of a final sanction issued by the Luxembourg DPA for the facts that had resulted in the €35,000,000 fine in the contested decision. The Conseil rejected the applicant's claim for a reference for a preliminary ruling on the matter.

Regarding the application of French Data Protection Act by the French DPA, Amazon had argued that the legal framework regarding cookies was not stable and unclear at the time when proceedings against Amazon were started. The Conseil concluded that it had published guidelines detailing obligations for entities under the applicable law, and considered that the fact that other national supervisory authorities had taken divergent positions in interpreting the conditions and procedures applicable to the collection of user consent had no bearing on the application of the French Data Protection Act by the French DPA.

On the proportionality of the sanction imposed:

Taking into account the elements assessed by the French DPA to calculate the imposed fine, the Conseil ruled that the DPA had not imposed a disproportionate penalty on the controller.

Consequently, the Conseil rejected the entirety of controller's claims.

Comment

This ruling seems to be in line with the Conseil's decisional practice from earlier in 2022 (See case n° 449209 of 28 January 2022).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Council of StateN° 451423ECLI:FR:CECHR:2022:451423.20220627Mentioned in the tables of the Lebon collection10th - 9th chambers combinedMme Christelle Thomas, rapporteurMme Esther de Moustier, public rapporteurSARL MATUCHANSKY, POUPOT, VALDELIEVRE, lawyersReading for Monday, June 27, 2022REPUBLIQUE FRANCAISEAU NAME OF PEOPLE ENGLISH Having regard to the following procedure: By a summary request, an additional memorandum and a memorandum in reply, registered on April 6 and July 6, 2021 and March 30, 2022 at the litigation secretariat of the Council of State, the company Amazon Europe Core asks the Council of State: 1°) to cancel the deliberation n° SAN-2020-013 of December 7, 2020 by which the restricted formation of the National Commission for Computing and Freedoms pronounced against it a pecuniary penalty of 35 million euros due to breaches noted under Article 82 of Law No. 78-17 of January 6, 1978, accompanied by an injunction to bring its data processing into compliance with years within three months from the notification of its deliberation, subject to a penalty of 100,000 euros per day of delay, and the publication of the sanction, which will no longer identify the company by name at the end of a period two years; 2°) in the alternative, to reform this deliberation by reducing the amount of the fine imposed on it; 3°) if necessary, to refer the matter to the Court of Justice of the European Union for a preliminary ruling following questions: 1) The provisions of Article 15 bis of Directive 2002/58/EC amended of July 12, 2002, combined with recital 173 of Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and the provisions of Article 56 of that regulation should they be interpreted as imposing the application of the one-stop-shop mechanism for monitoring the application of the provisions of Article 5(3) of Directive 2002/58/EC in presence of cross-border processing of personal data’;2) Directive 2002/ 58/EC contain an implicit conflict of law rule, or an implicit criterion, determining the territorial scope of national transposition laws and, if so, what is this rule or what is this criterion? ;3) In the event of a negative answer to question 2), the case law by which the Court of Justice has clarified, on the one hand, the concept of data processing carried out within the framework of the activities of an establishment of the controller , within the meaning and for the application of Article 4 of Directive 95/46/EC, on the other hand, the articulation of the powers of intervention of the national supervisory authorities, pursuant to Article 28 of this same directive, does it also apply to the implementation of the provisions of national law using the same concept to determine the territorial scope of the measures transposing Directive 2002/58/EC and the territorial jurisdiction of the relevant national authority';4) In the event of a positive answer to question 3), within the meaning of Directive 2002/58/EC, a national authority competent to impose penalties for processing carried out in the context of the activities of an establishment of the controller located on the territory of the State to which it belongs, can it exercise the powers conferred on it by this directive only with regard to the establishment located on this territory, or also with regard to the data controller established in a another Member State'; 5) Should Article 56 of the Treaty on the Functioning of the European Union be interpreted as meaning that it prohibits, as constituting an unjustified obstacle, the application to the same operation of reading and registration in the user's terminal, within the meaning of Article 5 (3) of Directive 2002/58/EC, already subject to compliance with the law transposing this directive of the Member State in which the service provider is established, trans law laying down this same directive of the Member State in which the services are provided'; 6) Should Article 49 of the Treaty on the Functioning of the European Union be interpreted as meaning that it prohibits, as constituting an unjustified obstacle, the application to the same operation of reading and writing in the user's terminal, within the meaning of Article 5 (3) of Directive 2002/58/EC, of the law of the Member State , transposing this directive, in which the economic operator is established on a secondary basis, when said data processing is also already subject to the national law transposing this same directive emanating from the Member State in which he is established on a principal basis' ;7) Should Article 50 of the Charter of Fundamental Rights of the European Union be interpreted in the sense that it precludes a supervisory authority of a Member State from prosecuting a person for facts, drawn from the alleged violation of its national legislation transposing the provisions of Directive 2002/58/EC, for which this person is already being prosecuted before a supervisory authority of another Member State'; 8) The provisions of Article 15 bis of Directive 2002/58/EC do they infringe the fundamental right guaranteed by Article 50 of the Charter of Fundamental Rights of the European Union in that they exclude the application of the one-stop-shop mechanism provided for by Articles 56 et seq. of Regulation (EU) 2016/679 of 27 April 2016, for the control of compliance by data controllers with the requirements of Article 5, paragraph 3 of the directive on the occasion of cross-border processing ' "; 4°) to charge the the State the sum of 10,000 euros under article L. 761-1 of the administrative justice code. Considering the other documents in the file;

- the Constitution ;

- the European Convention for the Protection of Human Rights and Fundamental Freedoms;

- the Treaty on the Functioning of the European Union;

- the Charter of Fundamental Rights of the European Union;

- Directive 95/46/EC of the European Parliament and of the Council of October 24, 1995;

- Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002;

- Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016;

- Law No. 78-17 of January 6, 1978;

- Decree No. 2019-536 of May 29, 2019;

- the code of administrative justice;After having heard in public session:- the report of Mrs. Christelle Thomas, master of requests, - the conclusions of Mrs. A... de Moustier, public rapporteur;The floor having been given, after the conclusions , to SARL Matuchansky, Poupot, Valdelièvre, lawyer for Amazon Europe Core; Considering the following:1. On the one hand, under I of article 8 of the law of January 6, 1978 relating to data processing, files and freedoms, the National Commission for Data Processing and Freedoms (CNIL) is in particular responsible for ensure that the processing of personal data is carried out in accordance with the provisions of this law. The first paragraph of article 16 of the same law provides that the restricted formation of the CNIL "takes measures and pronounces sanctions against data controllers or subcontractors who do not comply with the obligations arising from the regulation. (EU) 2016/679 of 27 April 2016 and of this law under the conditions provided for in section 3 of this chapter". Pursuant to article 20 of the same law, the president of the CNIL may seize the restricted committee with a view to the pronouncement, after adversarial procedure, of one or more measures, among which is the injunction to bring the processing with the obligations resulting from the law and the GDPR, which may be accompanied by a penalty payment the amount of which may not exceed 100,000 euros per day of delay, an administrative fine and the obligation to publish the decision.2. On the other hand, under the terms of Article 82 of the same law, which transposed paragraph 3 of Article 5 of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (known as the "privacy and electronic communications" directive): "Any subscriber or user of an electronic communications service must be clearly informed and complete, unless it has been done beforehand, by the controller or his representative: 1° The purpose of any action aimed at accessing, by electronic transmission, information already stored in his terminal equipment of electronic communications, or to register information in this equipment; / 2° The means at his disposal to oppose it. / These accesses or registrations can only take place on condition that the subscriber or the person a user has expressed, after having received this information, her consent which may result from appropriate parameters of her connection device or any other device placed under her control. / These provisions are not applicable if access to information stored in the user's terminal equipment or the recording of information in the user's terminal equipment: / 1° Either, has the exclusive purpose of enable or facilitate communication by electronic means; / 2° Either, is strictly necessary for the provision of an online communication service at the express request of the user ".3. On the basis of the provisions mentioned in point 1, the restricted formation of the CNIL has adopted the December 7, 2020 a deliberation imposing on the company Amazon Europe Core (AEC) an administrative fine of 35 million euros due to breaches of article 82 of the law of January 6, 1978 with regard to the operations depositing and reading connection tracers on the terminals of users located in France and connecting to the "amazon.fr" site that this company operates, ordered it to bring the processing into compliance with the obligations resulting from the law, under penalty of 100,000 euros per day of delay at the end of a period of three months from the notification of its deliberation, and decided to make its deliberation public, by attaching it to an anonymization procedure at the expiration of a period of two years. The company Amazon Europe Core asks the Council of State to cancel this deliberation. On the competence of the CNIL: Regarding the application of the "one-stop shop" mechanism of article 56 of the regulation of April 27, 2016 :4. According to paragraph 1 of article 55 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on free movement of this data and repealing Directive 95/46/EC of October 24, 1995, known as the General Data Protection Regulation (GDPR): "Each supervisory authority is competent to exercise the missions and powers vested in it in accordance with this settlement in the territory of the Member State to which it belongs". Under paragraph 1 of Article 56 of the same regulation, relating to the "one-stop shop" mechanism: "Without prejudice to Article 55, the supervisory authority of the main establishment or of the single establishment of the responsible controller or processor is competent to act as lead supervisory authority with regard to the cross-border processing carried out by this controller or processor, in accordance with the procedure provided for in Article 60 ".5 . However, Directive 2002/58/EC specifically governs the processing of personal data in the electronic communications sector, specifying and supplementing, for this sector and for what it specifically deals with, Directive 95/46/EC of European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and, henceforth, the GDPR, whose article 94 repeals this directive while specifying that references to the repealed directive are understood as references to the GDPR. According to Article 15a of Directive 2002/58/EC, relating to penalties applicable to breaches of the objectives of this directive: "1. Member States shall determine the system of penalties, including criminal penalties where appropriate , applicable to breaches of the national provisions adopted pursuant to this Directive and take all necessary measures to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of infringement, even if it has subsequently been corrected (...) / 2. Without prejudice to any judicial remedy which may be available, Member States shall ensure that the competent national authority and, where where appropriate, other national bodies shall have the power to order the cessation of the infringements referred to in paragraph 1. / 3. Member States shall ensure that the competent national authority and, where appropriate, of other national bodies shall have the necessary investigative powers and resources, and in particular the power to obtain any relevant information they may need, in order to monitor and control compliance with the national provisions adopted pursuant to this Directive. / 4. The competent national regulatory authorities may adopt measures to ensure effective cross-border cooperation in the enforcement of national laws adopted pursuant to this Directive and to create harmonized conditions for the provision of services involving cross-border data flows".6. On the one hand, it follows from the provisions cited in points 4 and 5, as interpreted by the Court of Justice of the European Union in its judgment of 1 October 2019, Bundesverband der Verbraucherzentralen und Verbraucherverbände Verbraucherzentrale Bundesverband eV/Planet49 GmbH (C-673/17) and in its judgment of June 15, 2021, Facebook Ireland Ltd and others (C-645/19), that, if the conditions for obtaining the user's consent provided for by the RGPD are applicable to the operations of reading and writing in the terminal of a user, it was not provided for the application of the mechanism of the "single window" defined i in Article 56 of this Regulation, to cross-border processing, for the measures for the implementation and monitoring of Directive 2002/58/EC of 12 July 2002, which fall within the competence of the national supervisory authorities pursuant to Article 15a of this directive. It follows that, with regard to the control, with regard to the provisions having transposed the objectives of Directive 2002/58/EC, of the operations of access and registration of information in the terminals of users in France d For an electronic communications service, even when processing cross-border, the "one-stop shop" mechanism does not apply. 7. On the other hand, Article 50 of the Charter of Fundamental Rights of the European Union provides that "no one may be prosecuted or punished under criminal law for an offense for which he has already been acquitted or convicted in the 'Union by a final criminal judgment in accordance with the law ". Contrary to what is maintained, the absence of implementation of a one-stop-shop mechanism does not imply an infringement of this Article 50, which is binding in any case on the national supervisory authorities brought to prosecute and penalize breaches of national legislation transposing Directive 2002/58/EC. In the absence of any reasonable doubt as to the correct application of the provisions of European Union law in question, there is no need to refer a case to the Court of Justice of the European Union for a preliminary ruling. question relating to the interpretation of the provisions of Union law mentioned above.8. The object of the contested decision being to sanction breaches of the obligations resulting solely from Article 82 of the law of 6 January 1978 transposing the requirements of paragraph 3 of Article 5 of Directive 2002/58/EC, and not a violation of the provisions of the GDPR, the applicant company is therefore not justified in maintaining either that the CNIL's restricted formation tainted this decision with material inaccuracy of the facts by mistaking the scope of the transactions subject to its control, or that it should have implemented the "one-stop shop" mechanism provided for by the GDPR. With regard to article 3 of the law of January 6, 1978: As to the scope of this article 3:9. According to I of article 3 of the law of January 6, 1978, all the provisions of this law apply "to the processing of personal data carried out within the framework of the activities of an establishment of a person in charge of the processing or of a subcontractor on French territory, whether or not the processing takes place in France ", without prejudice, with regard to processing falling within the scope of the GDPR, of the criteria provided for in paragraphs 2 and 3 of article 3 of this regulation.10. Paragraph 1 of Article 4 of Directive 95/46/EC provided that: "Each Member State shall apply the national provisions which it adopts pursuant to this Directive to the processing of personal data where: / a) the processing is carried out in the context of the activities of an establishment of the controller in the territory of the Member State (...)". It follows from the case law of the Court of Justice of the European Union, in particular from its judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16), that in view of of the objective pursued by this directive, consisting in ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the right to the protection of private life and the protection of personal data, the processing of personal data can be regarded as carried out "in the context of the activities" of a national establishment not only if this establishment itself intervenes in the implementation of this processing, but also in the case where the latter is limited to ensure, on the territory of a Member State, the promotion and sale of advertising space making it possible to make profitable the services offered by the person responsible for processing consisting of coll ect personal data through connection tracers installed on the terminals of visitors to a site. It follows from the judgment of the Court of Justice, Facebook Ireland Ltd and Others, mentioned in point 6, that paragraph 1 of Article 3 of the GDPR, which provides that this Regulation applies to the processing of personal data " carried out within the framework of the activities of an establishment of a data controller or a processor on the territory of the Union", must be interpreted in the same way. 11. By referring, in I of article 3 of the law of January 6, 1978, to all processing of personal data carried out "in the context of the activities of an establishment of a data controller or a sub-contractor on French territory, whether or not the processing takes place in France", the legislator used the terms appearing both in paragraph 1 of Article 4 of Directive 95/46/EC and, henceforth, in paragraph 1 of article 3 of the GDPR and intended to define the scope of the law of January 6, 1978, including its article 82 - and, consequently, the scope of competence of the CNIL to sanction breaches of these provisions -, with reference to the interpretation, recalled in the previous point, that the Court of Justice of the European Union has given to Directive 95/46/EC and, henceforth, to the GDPR. As for the compatibility of article 3 of the law of January 6, 1978 thus interpreted with the law of the Union:12. Firstly, Article 1 of Directive 2002/58/EC provides that the purpose of this directive is in particular to harmonize the provisions of the Member States necessary to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular of the right to privacy and confidentiality, with regard to the processing of personal data in the electronic communications sector. This same article states that its provisions "clarify and supplement" the GDPR, which applies, as stated in point 10, to the processing of personal data "carried out in the context of the activities of an establishment of 'a data controller or a processor on the territory of the Union'. Article 3 of the same directive provides that it applies "to the processing of personal data in the context of the provision of electronic communications services available to the public on public communications networks" in the Union. Pursuant to Article 95 of the GDPR, this Regulation does not impose additional obligations on natural or legal persons with regard to processing in the context of the provision of electronic communications services available to the public on public communications networks in the Union with regard to the aspects for which they are subject to specific obligations having the same objective set out in Directive 2002/58/EC, which is confirmed by recital 10 of that directive according to which, in the electronic communications sector, the GDPR is applicable in particular to all aspects of the protection of fundamental rights and freedoms which do not expressly fall within the scope of this directive, including the obligations to which the person responsible for processing personal data is subject and individual rights . Finally, according to Article 15a of this directive, cited in point 5, it is up to the Member States to determine the system of penalties applicable to breaches of the national provisions adopted pursuant to it and to take "any measure necessary to ensure the implementation of these". 13. It clearly follows from the provisions referred to in point 12 that, contrary to what is maintained by the applicant company, Directive 2002/58/EC does not prevent, in the same way as the provisions of the GDPR that it supplements, article 82 of the law of January 6, 1978 applies to the operations of access and registration of information in the terminals of the users of an electronic communications service in France when the person in charge of this processing has an establishment and that this processing is carried out within the framework of the activities of this establishment, within the meaning specified in point 10. It does not therefore prevent the CNIL, the competent national authority in France, from sanctioning this person in charge in the event of breaches of the provisions of this article 82 committed to the detriment of these users. 14. Secondly, if the person responsible for such processing who has an establishment in France within the framework of the activities of which this processing is carried out is required to comply with the provisions of article 82 of the law of January 6, 1978 and is exposed, in the event of a breach, to the imposition by the CNIL of the sanctions provided for by this law, such an obligation, which aims to guarantee the effectiveness of the provisions of Directive 2002/58/EC and ensure effective protection of the freedoms and of the fundamental rights of users of the terminals concerned in France, and which applies regardless of the location of the principal establishment of this manager, cannot in any case constitute an obstacle to the freedom to provide services prohibited by the Article 56 of the Treaty on the Functioning of the European Union, any more than an obstacle to the freedom of establishment prohibited by Article 49 of the same Treaty. The provisions of Directive 2002/58/EC, insofar as they do not prevent such legislation, are not likely to constitute such an obstacle either. As to the application in this case of Article 3 of the law of January 6, 1978:15. It follows from the investigation that, on the date of the contested decision, the company Amazon Online France, which it is not disputed constitutes an establishment of the company Amazon Europe Core in France, carried out a promotion and marketing of advertising tools controlled and operated by the company Amazon Europe Core, operating in particular thanks to the data collected by means of the connection tracers deposited on the terminals of the users of the site "amazon.fr" in France. It follows from what was said in points 10 and 11 that by deducing from these elements that the data processing implemented by the company Amazon Europe Core was carried out within the framework of the activities of its Amazon Online France establishment located in France , within the meaning of article 3 of the law of January 6, 1978, the restricted formation of the CNIL, which did not have to justify its own competence in the reasons for its deliberation and therefore did not, contrary to what is supported, insufficiently justified its decision on this point, has made an exact application of the provisions of this article 3.16. It follows from all the foregoing that, without there being any reason, in the absence of any reasonable doubt on the interpretation of Directive 2002/58/EC and of Articles 49 and 56 of the Treaty on the functioning of the European Union, as well as on the validity of this directive with regard to these last articles, to seize the Court of Justice of the European Union for a preliminary ruling, the company Amazon Europe Core is not justified in maintaining that the restricted formation of the CNIL would have made an inaccurate interpretation or an inaccurate application of the texts governing its competence and would have disregarded its field of competence by imposing the contested sanction on it. On the regularity of the sanction procedure: 17. Firstly, it appears from the decision of the President of the CNIL of November 29, 2019, instructing the Secretary General of the Commission to carry out or to have carried out a verification mission, that this concerned the compliance of the all the processing accessible from the "amazon.fr" domain in accordance with the provisions of the law of January 6, 1978. It results from the investigation and, in particular, from all the reports of the controls carried out by the CNIL at the following the launch of this verification mission and the notification of grievances which was sent to the company Amazon Europe Core, that these checks concerned in particular the conditions under which connection tracers were deposited on the terminals of users of the site "amazon.fr" with regard to the obligations of information and collection of consent provided for by article 82 of the law of January 6, 1978. It follows that the applicant company cannot seriously support, on the one hand, that it was not sufficiently informed of the scope of the checks carried out and of the facts on which the sanction was based and, on the other hand, that the mention of the GDPR in these documents would have misled it, especially since the required consent by article 82 of the law of January 6, 1978 is defined by the GDPR, in accordance with the provisions of f) of article 2 of directive 2002/58/EC. 18. Secondly, it follows from the investigation that if the applicant company was only informed on May 13, 2020 that a rapporteur had been appointed on March 23, 2020 for the purpose of examining the results of the due diligence against it, it had, after the rapporteur's report was sent to it on July 17, 2020, a period of two months to present its observations. It produced observations on September 15, 2020, then presented new observations on November 2, 2020 in response to those of the rapporteur, made on October 9, 2020. Under these conditions, and while the obligation in which it found itself to respond to a request for information from the CNIL services on a date on which a rapporteur had been appointed, without it being yet informed, cannot characterize a violation of its right not to incriminate itself, the applicant company, which was given a total of six months to present its defence, is not justified in maintaining that the proceedings were irregular on that account.19. Thirdly, by virtue of Article 8 I, 2° g) of the law of January 6, 1978, the CNIL may "by special decision, instruct one or more of its members or the Secretary General, under the conditions provided for in article 19 of this law, to carry out or to have carried out by the agents of its services, verifications relating to all processing and, if necessary, to obtain copies of all documents or useful information media to his duties". It follows from article 39 of the decree of May 29, 2019 taken for the application of the law of January 6, 1978 that, when a sanction is likely to be pronounced against a data controller, the president of the CNIL appoints a rapporteur who does not belong to the restricted training and that the CNIL may, at the request of this rapporteur, decide to carry out additional checks, under the conditions provided for in g) of 2° of I of article 8 of this law. In the present case, it follows from the investigation and appears from the mentions of the contested decision that the online check carried out by the services of the CNIL on May 19, 2020 was requested by the rapporteur appointed by the presidency of the CNIL to investigate the case. Consequently, the applicant company is not justified in maintaining, even though the report of this inspection does not mention that it was requested by the rapporteur, that the procedure was conducted in violation of Article 39 of the decree of May 29, 2019.20. Fourthly, if the applicant company maintains that the participation of the CNIL, as the authority concerned, in the procedure carried out by the National Commission for the Protection of Data in Luxembourg (CNPD), which is the Luxembourg supervisory authority for the application of the GDPR and the laws of this country regarding the protection of personal data, in its capacity as lead authority, would constitute a breach of the equality of arms since it would have allowed the first to have privileged and confidential information and to use it to establish the penalty it imposed, it does not accompany this assertion with any details as to the information in question, nor with any element likely to establish that such participation would be contrary to the cross-border cooperation framework mentioned in paragraph 4 of Article 15a of Directive 2002/58/EC. 21. It follows from the foregoing that the company Amazon Europe Core is not justified in maintaining that the contested deliberation was taken at the end of an irregular procedure and contrary to Article 6 of the European Convention for the Protection of Rights rights and fundamental freedoms or, in any event, that the CNIL has, for all of these reasons, breached a general obligation of loyalty. On the alleged disregard of Article 50 of the Charter of fundamental rights of the European Union: 22. It follows from the investigation that a complaint was filed with the CNIL on May 28, 2018, questioning compliance, by the company Amazon Europe Core, with the provisions of the GDPR setting the conditions of lawfulness of the processing of personal data. As part of the "one-stop shop" mechanism of Article 56 of this regulation, the CNIL forwarded this complaint to the Luxembourg National Commission for Data Protection (CNPD). In parallel with the control procedure implemented by the CNIL concerning the respect, by the company Amazon Europe Core, of article 82 of the law of January 6, 1978 with regard to operations of access and registration of information on user terminals in France, the CNPD conducted an investigation into the compliance of the processing of personal data by the company Amazon Europe Core with the provisions of the GDPR, with those of Luxembourg law on the protection of personal data staff and those of the Luxembourg law transposing paragraph 3 of Article 5 of Directive 2002/58/EC and notified this company, on June 25, 2020, of the objections relating to the "lawfulness basis" and to " the use of cookies" in connection with the data processing activities carried out by Amazon for the purposes of behavioral advertising. 23. The applicant maintains that by initiating a procedure of control and sanction relating to the implementation of processing of personal data which were already the subject of proceedings by the Luxembourg data protection authority at reason of the same facts, the restricted formation of the CNIL disregarded the principle, as guaranteed by article 50 of the charter of fundamental rights of the European Union, according to which the same person cannot be the subject of several prosecutions on the same facts. 24. According to Article 50 of the Charter of Fundamental Rights of the European Union, as interpreted by the Court of Justice of the European Union in its Aklagaren v. Akerberg Fransson judgments of 26 February 2013 (C-617/ 10), Powszechny Zaklad Ubezpieczen na Zycie SA of April 3, 2019 (C-617/17) and bpost SA v/ Belgian Competition Authority of March 22, 2022 (C-117/20), it is only when a proceedings of a criminal nature, within the meaning of these provisions, are definitively closed, in particular when a criminal sanction has become final, which supposes that a decision has been rendered following an assessment relating to the merits of the case and is no longer subject to appeal, that these provisions preclude criminal proceedings for the same offense from being subsequently instituted against the same person and, where applicable, a criminal sanction being pronounced. 25. It does not follow from the investigation, and it is not maintained, that, on the date of this decision, the company Amazon Europe Core would have been the subject of a sanction that has become definitive, imposed by the CNPD on because of the facts which justified the contested sanction, relating to users of the "amazon.fr" site in France, that the proceedings initiated by this authority for these facts would have been definitively abandoned or that a sanction in this respect would have been definitively cancelled. Consequently, and without there being any reason, in the absence of reasonable doubt as to the scope of Article 50 of the Charter of Fundamental Rights of the European Union, to seize the Court of Justice of the European Union European Union of a preliminary question, the applicant company cannot rely on disregard of these provisions. On the characterization of the breach of article 82 of the law of January 6, 1978:26. To characterize Amazon Europe Core's failure to comply with the provisions of article 82 of the law of January 6, 1978, the CNIL noted, on the one hand, that, regardless of the user's journey - that this if he goes directly to the "amazon.fr" site or whether he goes to a "product" page of the site via an advertisement -, more than forty "cookies" pursuing an advertising purpose were deposited on the user's terminal prior to any action on its part and that, on the other hand, the information provided by the company concerning the operations of access or registration of "cookies" was either incomplete or non-existent. 27. If the applicant company maintains that the legal framework applicable to connection tracers was not clear and stabilized at the time of the initiation of proceedings against the company, due to the legal uncertainty surrounding the conditions and the procedures for obtaining consent and significant differences in interpretation between the various competent national authorities, in the context of cross-border processing, it follows from the instruction that after the entry into force, on May 25, 2018, of the GDPR, the CNIL, through a deliberation dated July 4, 2019, adopted guidelines relating to the application of article 82 of the law of January 6, 1978 to read or write operations in the terminal of a user and repealed its previous recommendation of December 5, 2013. In order to allow players to integrate these new guidelines, the CNIL, through two press releases published on its website on June 28 and July 18 and 2019, announced the implementation of an adaptation period during which it would refrain from prosecuting and sanctioning data controllers under the new regulations applicable to "cookies" and other tracers, which was to end six months after the adoption of its new deliberation relating to the operational procedures for obtaining consent in this matter. However, these new guidelines of July 4, 2019, intended to adapt the reference framework for consent taking into account the modification of the law of January 6, 1978 by the ordinance of December 12, 2018 as a result of the GDPR, have not in question the pre-existing regime, provided for in II of article 32 of this same law, which already laid down the principle of prior consent to the deposit of "cookies", that of clear and complete information for the user, as well as than a right of opposition. In addition, the fact that other national supervisory authorities have taken divergent positions in interpreting the terms and conditions applicable to the collection of the user's consent has no impact on the application by the CNIL of the provisions of the law of 6 January 1978. It follows from this that the plea alleging breach of the principle of legality of offenses and penalties can only be rejected.On the proportionality of the sanction imposed:28. On the one hand, under the terms of III of article 20 of the law of January 6, 1978: "When the data controller or its subcontractor does not comply with the obligations of Regulation (EU) 2016/679 of April 27, 2016 or of this law, the president of the National Commission for Computing and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a remains provided for in II, seize the restricted formation of the committee with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: / 1° A call to order; / 2° An injunction to put in compliance the processing with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned with a view to exercising their rights, which may be accompanied, except in case where the processing is implemented by the State, of a penalty payment, the amount of which cannot exceed 100,000? per day late from the date set by the restricted committee; / (...) 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual revenue for the previous financial year, whichever is greater. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83. / The draft measure is, if necessary, submitted to the other supervisory authorities concerned according to the procedures defined in article 60 of the same regulation". 2 of Article 15 of Directive 2002/58/EC, the administrative fines imposed by the supervisory authorities of the Member States must, in each case, be "effective, proportionate and dissuasive". , must, in particular, be taken into account: "a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they have t suffered; (...) / f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating its possible negative effects; (g) the categories of personal data affected by the breach; (...) / k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial benefits obtained or the losses avoided, directly or indirectly, as a result of the violation ".30. It follows from the investigation that, to set the amount of the penalty imposed on the company Amazon Europe Core, the CNIL's restricted committee took into account the seriousness of the violation found, due to the automatic deposit of "advertising cookies" as soon as the arrival of the user on the website and in the absence of any information from the interested parties when this arrival is from a third party site, the extent of the processing carried out by the company thanks to the deposit of these tracers and the potentially sensitive nature of the data collected thereby, the significant financial benefit to the company from the use of this data by the personalization of ads, as well as the company's worldwide annual turnover Amazon Europe Core on which the CNIL relied, estimated at 7.7 billion euros.31. In view of the particular seriousness of the breaches committed, which is due to the nature of the unknown requirements and their effects on users located in France, to the financial advantages that the company has been able to derive from the collection of data resulting from the use of tracers of connection illegally deposited on the terminals of these users, to the ceilings provided for by 4 of article 83 of the RGPD and to the financial situation of the company, the restricted formation of the CNIL, which sufficiently justified its decision and had not not to rule on all the criteria provided for in Article 83 of the GDPR, has not, by retaining a fine of 35 million euros, imposed on the company Amazon Europe Core a sanction of a disproportionate amount. 32. It follows from all of the foregoing that the applicant company is not justified in requesting the annulment of the deliberation of the restricted formation of the CNIL which it is attacking. The conclusions that they present under article L. 761-1 of the code of administrative justice can therefore only be rejected.D E C I D E :

--------------

Article 1: Amazon Europe Core's request is rejected.

Article 2: This decision will be notified to Amazon Europe Core and to the National Commission for Computing and Liberties.

Deliberated at the end of the meeting of June 10, 2022, attended by: Mr. Jacques-Henri Stahl, deputy president of the litigation section, presiding; Mr. Bertrand Dacosta, Mr. Frédéric Aladjidi, chamber presidents; Mrs. Nathalie Escaut, Mrs. Anne Egerszegi, Mr. Alain Seban, Mr. Thomas Andrieu, Mr. Alexandre Lallet, State Councilors and Mrs. Christelle Thomas, master of requests-rapporteur. Delivered on June 27, 2022. The President:

Signed: Mr. Jacques-Henri StahlThe rapporteur:

Signed: Mrs. Christelle Thomas The secretary:

Signed: Mrs. Claudine Ramalahanoharana