CE - N° 433069

From GDPRhub
CE - N° 433069
Conseil D'Etat photo.png
Court: CE (France)
Jurisdiction: France
Relevant Law:

Article 4(11) GDPR

Articles 8, 20 and 82 of the French Data Protection Act

ePrivacy Directive 2002/58/EC

Decided: 16. 10. 2019
Published: n/a
Parties: La Quadrature du Net, Caliopen and CNIL
National Case Number: N°433069
European Case Law Identifier: n/a
Appeal from: CNIL (France)
Language: French
Original Source: CONSEIL D'ETAT (in FR)

Council of State (Conseil d'Etat) confirms the CNIL's discretion to initiate consultation process to define new practical arrangements for expressing consent in targeted advertisement and to provide stakeholders with a period of adaptation to comply with it.

English Summary[edit | edit source]

Facts[edit | edit source]

In July 2018 the CNIL adopted a decision clarifying the new rules on consent for targeted advertisement under GDPR. It initiated a consultation process for the first quarter of 2020 to define the practical arrangements for obtaining consent. It determined a six-month adaptation period.

Two associations requested to annul the decision of CNIL on grounds of excess of power and to instruct it to publish both on its website and on the pages of its press releases of 28 June and 18 July, a reference to the decision of the Conseil d'Etat which should indicate that "continued navigation" does not constitute a valid means of expressing consent for cookies and online tracking devices, while every day of delay would imply a penalty of 500 euros.

Dispute[edit | edit source]

The Council has to assess whether the CNIL had the power to initiate such a process.

Holding[edit | edit source]

The Council found that the CNIL is an independent administrative authority with wide discretion in the exercise of its missions. In this sense, the CNIL can initiate such an action plan in order to achieve more effective compliance with the data protection law.

The Council ruled that the six-month period of tolerance which the CNIL provided the stakeholders in order to fully comply with the rules is legal. Finally, the CNIL’s decision does not prevent the Commission from carrying out controls during the mentioned period and imposing sanctions for serious breaches of the new data protection framework.

Comment[edit | edit source]

Share your comment on the decision here!

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the original. Please refer to the French original for more details.

DECISION
N° 433069
THE QUADRATURE OF THE NET
CALIOPEN
Ms. Christelle Thomas
Rapporteur
Mr. Alexandre Lallet
Public Rapporteur
Session held on September 30, 2019
Reading of October 16, 2019

FRENCH REPUBLIC
ON BEHALF OF THE FRENCH PEOPLE

The Council of State adjudicating in litigation (Administrative Jurisdiction Division, 10th and 9th Chambers together)

On the report of the 10th Chamber of the Administrative Jurisdiction Division

Having regard to the following procedure:

By an application and a reply, registered on 29 July and 24 September 2019 with the Secretariat of Litigation of the Council of State, the associations "La Quadrature du net" and "Caliopen" request the Council of State, acting on the basis of Article L. 521-1 of the Code of Administrative Justice:

1°) to annul for excess of power the decision of the National Commission for Information Technology and Liberties (CNIL), revealed by press releases dated 28 June and 18 July 2019;

2°) to instruct the CNIL to publish, both on the home page of its website and on the pages of its press releases of 28 June and 18 July, an insert referring to the decision of the Conseil d'Etat and indicating that "continued navigation" does not constitute a valid means of expressing consent in terms of cookies and online tracking devices, subject to a penalty of 500 euros per day of delay;

3°) to charge the State the sum of 1,024 euros under Article L. 761-1 of the Code of Administrative Justice.

Considering the other documents in the file;

Considered:
- the Constitution, in particular its Preamble;
- the European Convention for the Protection of Human Rights and Fundamental Freedoms;
- the Charter of Fundamental Rights of the European Union;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002;
- Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016;
- Act No. 78-17 of 6 January 1978;
- the code of administrative justice;

After hearing in public session:

- the report of Mrs Christelle Thomas, maître des requêtes en service extraordinaire,  
    
- the conclusions of Mr Alexandre Lallet, Public Rapporteur;

Having regard to the note under advisement, recorded on 3 October 2019, submitted by the associations "La Quadrature du net" and "Caliopen";

Considering the following:

1. It appears from the documents in the file that, by a press release dated 28 June 2019 published on its website, the Commission nationale de l'informatique et des libertés (CNIL) announced that it had drawn up an action plan for 2019-2020 in order to specify the rules applicable to online advertising targeting and to assist stakeholders in bringing them into compliance with these rules. By Resolution No. 2019-093 of 4 July 2019, it adopted guidelines on the application of Article 82 of the amended Act of 6 January 1978 to read or write operations in a user's terminal, in particular cookies and other tracers, and repealed its Recommendation of 5 December 2013 on cookies and other tracers. By a press release also published on its website on 18 July 2019, the Commission specified that this decision constitutes the basis of its action plan and announced that it would initiate a consultation process to adopt, in the first quarter of 2020, a recommendation specifying the practical procedures for collecting consent to the deposit of cookies and connection tracers. Finally, she indicated that an adaptation period, ending six months after the publication of this recommendation, will be given to operators in order to give them time to integrate the new rules, specifying that this period is intended to "ensure compliance with the rules protecting users' privacy according to a robust and sustainable standard set by the regulator".

2. The applicant associations request the Conseil d'Etat to annul the decision, revealed by the two press releases of 28 June and 18 July 2019, by which the Commission considered it acceptable, for a transitional period of approximately twelve months, to continue browsing as an expression of consent to the deposit of cookies and waived its right to use the powers at its disposal to punish, during that period, breaches of the rules applicable in this field.

On the dismissal of the CNIL:

3. Opinions, recommendations, warnings and positions adopted by regulatory authorities in the performance of their duties may be referred to the judge of excess of power when they are of a general and mandatory nature or when they set out individual requirements of which these authorities may subsequently censure ignorance. Such acts may also be the subject of such an action, brought by an applicant having a direct and certain interest in their annulment, where they are likely to produce significant effects, in particular of an economic nature, or are intended to have a significant influence on the conduct of the persons to whom they are addressed.

4. The act revealed by the press releases of 28 June and 18 July 2019, which present the action plan drawn up by the CNIL in the field of online advertising targeting, constitutes a public statement by the commission on the use of its powers, in particular in law enforcement matters, to ensure compliance with the rules applicable to the collection of consent to the deposit of cookies and other tracers. It must be regarded as intended to influence the behaviour of the operators to whom it is addressed and as likely to have a significant impact on both those operators and on users and subscribers of electronic services. In view of their corporate purpose, which is to defend freedoms on the Internet and protect the confidentiality of personal data, it complains to the applicant associations which are entitled to request its cancellation. The non-receipt end opposed by the CNIL must therefore be ruled out.

On the legality of the contested act:

5. First, Article 8(I) of the Act of 6 January 1978 on data processing, files and freedoms provides that the CNIL "1° (...) informs all data subjects and all data controllers of their rights and obligations (...)"; / 2° (...) ensures that the processing of personal data is carried out in accordance with the provisions of this Act and other provisions relating to the protection of personal data laid down by legislative and regulatory texts, European Union law and France's international commitments. / In this respect: / (...) b) It shall establish and publish guidelines, recommendations or reference systems to facilitate the compliance of the processing of personal data with the texts relating to the protection of personal data (...); (d) It shall deal with complaints, petitions and complaints lodged by a person concerned or by a body, organisation or association, examine or investigate the subject matter of the complaint, to the extent necessary, and inform the complainant of the progress and outcome of the investigation within a reasonable time, in particular if further investigation or coordination with another supervisory authority is necessary (...). II- For the accomplishment of its missions, the commission may proceed by recommendation and take individual or regulatory decisions in the cases provided for by this law". Under Article 20 of the same law, in the event of non-compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or the law of 6 January 1978, the CNIL may issue a formal notice to the controller or his processor to bring the processing operations into compliance with the applicable provisions within the time limit it sets. It may also, where appropriate, in addition to a formal notice, impose one or more corrective measures or penalties on the controller, in particular a reminder, an injunction to bring the processing operation into conformity, if necessary under penalty payment, a temporary or permanent limitation of the processing operation, which may extend to its prohibition, and a fine.

6. For the application of these provisions, the Commission nationale de l'informatique et des libertés has, with regard to the use of the prerogatives conferred on it for the performance of its tasks, a wide discretionary power, in particular with regard to the exercise of its power of sanction, whether to assess the advisability of instituting proceedings on its own initiative or to decide on the follow-up to be given to complaints it may receive. In this respect, the Commission may take into account the seriousness of the breaches in question with regard to the legislation or regulations it is responsible for enforcing, the date on which they were committed, the context in which they were committed and, more generally, all the general interests for which it is responsible. In this field, as in any other field within its remit, it may publish the guidelines it has adopted for the exercise of its powers. It follows that, contrary to what is claimed, the Commission has not misunderstood the extent of its competence by drawing up an action plan for online advertising targeting and by making public the position it has taken on the use of its powers, including sanctions, to achieve the objectives it has defined.

7. Secondly, on the one hand, Article 4 (11) of the Regulation of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data ("General Data Protection Regulation") defines the "consent" of the data subject as "any free, specific, informed and unambiguous expression of will by which the data subject accepts, by a clear declaration or positive act, that personal data relating to him/her are being processed".

8. On the other hand, Article 82 of the Law of 6 January 1978 on data processing, files and freedoms provides that: "Any subscriber or user of an electronic communications service must be informed clearly and completely, unless he has been informed in advance, by the controller or his representative: 1° The purpose of any action tending to access, by electronic transmission, information already stored in his terminal equipment for electronic communications, or to enter information in that equipment; / 2° The means at his disposal to oppose it. / Such access or registration may only take place if the subscriber or user person has expressed, after having received this information, his consent, which may result from appropriate parameters of his connection device or any other device under his control (...)".

9. In order to ensure, within the framework of the mission entrusted to it by 2° du I of article 8 of the law of 6 January 1978, that the procedures for collecting consent to the deposit of cookies and other tracers comply with the provisions cited in points 7 and 8, the Commission nationale de l'informatique et des libertés repealed its deliberation n° 2013-378 of 5 December 2013 adopting the "cookies and other tracers recommendation" and set new guidelines by a deliberation n° 2019-093 of 4 July 2019.

10. By Article 2 of this decision of 4 July 2019, the Commission states that: "In accordance with the Data Protection Act, the DGPS and the guidelines of the European Data Protection Committee on consent, tracers requiring a collection of consent may not be used in writing or reading unless the user has first expressed his or her intention to do so, in a free, specific, informed and unambiguous manner by a declaration or a clear positive act". It also emphasizes that "consent must be manifested through positive action by the person who has been informed in advance of the consequences of his or her choice and has the means to exercise it". It further specifies that "the fact of continuing to browse a website, using a mobile application or scrolling the page of a website or a mobile application do not constitute clear positive actions amounting to valid consent" and that "the use of pre-checked boxes, as well as the overall acceptance of general conditions of use, cannot be considered as a clear positive act aimed at giving consent".

11. By the press release of 18 July 2019, the CNIL indicated that it was initiating consultations with professionals and civil society with a view to the publication, in the first quarter of 2020, of the sectoral recommendation specifying the practical arrangements for obtaining consent announced in the deliberations of 4 July 2019.

12. While it is true that the CNIL has left operators, within the framework of this action plan, an adaptation period, ending six months after the publication of this recommendation, during which it announces that the continuation of navigation as an expression of consent will not entail the setting in motion of its repressive power, it appears from the documents in the file that the purpose of fixing such a period is to enable all operators, at the latest at its end, to effectively comply with the requirements resulting from the provisions referred to in points 7 and 8. It appears from the documents in the file that such a choice allows the regulatory authority to support the actors concerned, faced with the need to define new practical arrangements for obtaining consent that are likely to provide, at the technical level, the guarantees required by the state of the law in force, in order to achieve the objective of complete compliance by all actors by summer 2020. In addition, as the CNIL pointed out in the contested position paper, it will continue to monitor, during this period, compliance with the rules relating to the prior nature of consent, the possibility of access to the service even in the event of refusal and the availability of a device for withdrawing consent that is easy to access and use. Under these circumstances and in view of all the circumstances of the case, the Commission nationale de l'informatique et libertés cannot be regarded as having committed a manifest error of assessment in adopting such guidelines for the exercise of its powers.

13. Third, if it is argued that, in so doing, the Commission infringed the right to privacy protected by Article 7 of the Charter of Fundamental Rights of the European Union and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, the right to the protection of personal data guaranteed by Article 8 of the Charter of Fundamental Rights and the requirement of predictability under Article 7 of the European Convention for the Protection of Human Rights and Fundamental Freedoms, the contested act, which does not exclude that the Commission may in any event exercise its power of repression in the event of a particularly serious breach of those same principles, contributes to remedying practices which do not comply with the requirements laid down by the provisions referred to in points 7 and 8, by imposing on all operators, within a reasonable time limit, an obligation to comply, which the exercise of the power of sanction would not in any event be likely to result in more rapid compliance. In those circumstances, the plea that the Commission's choice not to make immediate use of its power to impose sanctions would excessively infringe the right to respect for private life and the right to the protection of personal data and disregard the requirement of foreseeability must be rejected.

14. It follows from the foregoing that the applicant associations are not entitled to seek the annulment of the decision they are challenging. Their application must therefore be dismissed, including the submissions made for an injunction and under Article L. 761-1 of the Code of Administrative Justice.

D E C I D E D:

Article 1: The request of the associations "La Quadrature du Net" and "Caliopen" is rejected.

Article 2: This decision shall be notified to the associations "La Quadrature du net" and "Caliopen" and to the Commission nationale de l'informatique et des libertés.