CE - N° 434684

Court: Conseil d'Etat
Jurisdiction: France
Relevant Law: Article 7 GDPR
Decided: 12.06.2020
Published: 19.06.2020
Parties:
National Case Number/Name: N° 434684
European Case Law Identifier:
Appeal from: CNIL
Appeal to: Not appealed
Original Language(s): French
Original Source: Conseil d'Etat (in French)
Initial Contributor: n/a

The French Conseil d'Etat confirmed the July 2019 guidelines of the CNIL on cookies and other online trackers but annulled the part stating a general prohibition on cookie walls.

English Summary

Facts

Several private companies challenged the CNIL's guidelines on cookies on several grounds, including excess of powers.

Dispute

Holding

The Council of State validated most of the interpretations or recommendations provided in the guidelines:

- Individuals should be able to decline to give consent as easily as to give consent;
- Individuals must be able to withdraw their consent as easily as they gave it;
- User consent should be given for each purpose, which implies specific information;
- Individuals must be informed of the identity of the controllers depositing cookies; the list containing the identity of the controllers must be made available to them at the time consent is obtained and must be regularly updated;
- Data controllers must be able to demonstrate to the CNIL that they have obtained valid consent.

However, in its decision of 19 June 2020, the Council of State annulled a paragraph in which the CNIL considered that the Internet user should not suffer major inconvenience in the event of the absence or withdrawal of consent. The CNIL considered in particular that access to a website could never be made conditional on the acceptance of cookies ("cookie walls").

The Council of State considered that by deducing this general prohibition from the GDPR, the CNIL had gone beyond what is legally possible with guidelines, which are an instrument of "soft law".

Comment

Further Resources


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

STATE COUNCIL
ruling
in litigation CR


N° 434684

__________

ASSOCIATION OF COMMUNICATION CONSULTANCY AGENCIES and others
__________

Session of June 12, 2020
Reading of 19 June 2020
__________

FRENCH REPUBLIC
ON BEHALF OF THE FRENCH PEOPLE


The Council of State ruling on contentious cases
(Administrative Jurisdiction Division, 10th and 9th Chambers combined)


On the report of the 10th Chamber
 of the Litigation Section


Having regard to the following procedure:

By summary application, an additional brief and three reply briefs, registered on 18 September and 1 November 2019 and on 29 January, 3 April and 13 May 2020 at the Secretariat for Litigation of the Council of State, the association of communication consultancies, the federation of e-commerce and distance selling, the grouping of online content and service publishers, the Interactive Advertising Bureau France, the Mobile Marketing Association France, the national union for direct communication from data to logistics, the union of internet agencies, the union of media consulting and purchasing companies and the union of brands, are asking the Conseil d'Etat :

1°) principally, to annul for excess of power deliberation No. 2019-093 of 4 July 2019 of the National Commission for Information Technology and Civil Liberties (CNIL) adopting guidelines relating to the application of Article 82 of the Law of 6 January 1978 as amended to reading and writing operations in a user's terminal (in particular to cookies and other tracers);

2°) in the alternative, to stay the proceedings pending the decision of the Court of Justice of the European Union on thirteen questions for a preliminary ruling on the interpretation of the combined provisions of Directive 2002/58/EC of 12 July 2002, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on consent and Directive 2019/2161 amending Directive 2011/83/EU, articulated as follows:
- Question 1: Are Articles 2(f) and 5(3) of Directive 2002/58/EC, read in conjunction with Articles 4(11) and 95 of Regulation (EU) 2016/679 and Article 4(2)(b) of Directive 2019/2161 amending Directive 2011/83/EU, to be interpreted as meaning that offers and contracts for access to digital content and services, under which the consumer undertakes to provide personal data to the trader, are in principle prohibited?
- Question 2: If the answer to the first question is in the negative, are the abovementioned provisions to be interpreted as prohibiting the national supervisory authority from laying down a general prohibition on offers and contracts relating to access to digital content and services under which the consumer provides or undertakes to provide personal data to the trader?
- Question 3: Are Articles 2(f) and 5(3) of Directive 2002/58/EC, read in conjunction with Articles 4(11), 5(1)(b) and 95, and recitals 32 and 42 in the preamble to Regulation 2016/679 to be interpreted as requiring that, in order to be valid, the users' agreement must be expressed by a separate action for each of the distinct purposes brought to their knowledge with a view to the storage of information or access to information already stored in their terminal equipment?
- Question 4: Are Articles 2(f) and 5(3) of Directive 2002/58/EC, read in conjunction with Article 4(11), Article 95 and Recital 4 of Regulation (EU) 2016/679 to be interpreted as requiring, prior to the storage of information or access to information stored in the user's terminal equipment, that the expression of any prior refusal by the user be sought and obtained?

If the answer to the fourth question is in the affirmative, are the abovementioned provisions to be interpreted as:
- laying down an obligation which is imposed both in respect of purposes for which the user's consent is required and in respect of purposes for which the user's consent is not required (Question 5)?
- requiring that the expression of the user's prior refusal be kept for a certain period of time (Question 6)?

If the answer to the sixth question is in the affirmative, are the abovementioned provisions to be interpreted as:
- leaving it to the national supervisory authority itself to determine the period for which the expression of the user's refusal is to be retained as being subject to determination by prescription by the Member States (Question 7)?
- prohibiting, during the retention period of the expression of refusal, the user's prior consent from being sought again, or as allowing the retention period of the expression of prior refusal to be terminated where, on being sought again, the user expresses prior consent instead of refusal (Question 8)?
- Question 9: Are Articles 2(f) and 5(3) of Directive 2002/58/EC read in conjunction with Articles 4(11), 6(1)(a) and 95 of Regulation (EU) 2016/679 to be interpreted as requiring, as a condition for the validity of the user's consent, that the user be informed of the categories of entities pursuing the purposes brought to his knowledge relating to the operations of recording or reading information stored in his terminal, including where those operations do not constitute the processing of personal data?
- Question 10: Are those same provisions to be interpreted as meaning that, where there is a multiplicity of entities pursuing the purposes brought to the user's knowledge, they require, as a condition for the validity of the user's consent, that the user be informed of the identity of each of the entities likely to be the recipient of information stored in his terminal in the context of the operations of recording and reading that information?
- If the answer to Question 10 is in the affirmative, are those same provisions to be interpreted as meaning that, for a constant purpose for which the user's consent is valid, they require the list of recipient entities to be constantly updated and that that list must be brought to the user's attention in order to seek again the expression of his consent, where new recipient entities had not been listed at the time of the earlier expression of his consent for the same purpose (Question 11)?
- Question 12: Are Articles 2(f) and 5(3) of Directive 2002/58/EC, read in conjunction with Articles 4(11), 7(1)(a), 13, 14 and 95 of Regulation (EU) 2016/679, to be interpreted as requiring that, in order to be valid, the user's agreement must be accompanied by the retention of information provided to the user relating to the identification of each of the recipient entities of the information stored or read in his terminal?
- If the answer to Question 12 is in the affirmative, must the abovementioned provisions be interpreted as requiring that the list of recipient entities, when amended, be updated and renewed and that the information given to the user in that connection be kept, failing which his consent would not be valid even if the purpose to which he consented remains unchanged (Question 13)?

3°) to charge the CNIL with the sum of 15,000 euros under Article L. 761 of the Code of Administrative Justice.

They maintain that:
- the contested deliberation is vitiated by irregularity, inasmuch as there is nothing to ensure compliance with the rules governing the procedure for the adoption of those guidelines;
- the contested decision is vitiated by a lack of competence inasmuch as the CNIL has no legislative or regulatory power to issue guidelines relating to data of a non-personal nature, and by an error of law for having applied the system of protection enjoyed by personal data to data which are not personal data;
- the CNIL vitiated its deliberations with negative incompetence and an error of law by basing its guidelines on those of the European Data Protection Committee, which are devoid of binding legal force;
- the contested decision infringes the applicable legislative and regulatory provisions by prohibiting the use of cookie walls, thereby unduly infringing the freedom to conduct business and the freedom of information;
- the CNIL interpreted the conditions of independence and specificity of consent in breach of the applicable legislative and regulatory provisions, by failing to take into consideration the compatibility of each purpose with the initial purposes of the processing;
- the CNIL has established a right to refuse cookies in breach of the applicable legislative and regulatory provisions;
- the contested decision, in breach of the law, imposed an obligation to identify the controller(s) and to provide exhaustive and regularly updated information to all entities that use cookies;
- the CNIL has set a limited period of validity for audience measurement cookies in breach of the applicable legislative and regulatory provisions;
- the disputed deliberation imposes, in breach of the law, an obligation to inform the user for cookies not subject to prior consent.


By four defence briefs, registered on 7 January, 21 February, 23 April and 11 May 2020 at the Litigation Secretariat of the Council of State, the National Commission for Information Technology and Civil Liberties concludes that the application is dismissed. It submits that the pleas raised by the applicants are unfounded.


Having regard to the other documents in the file;

Having regard to:
- the Constitution, in particular its Preamble;
- Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002;
- Regulation (EU) No 2016/679 of the European Parliament and of the Council of 27 April 2016;
- Law No. 78-17 of 6 January 1978;
- Decree No. 2019-536 of 29 May 2019;
- the judgment of the Court of Justice of the European Union C-673/17 Bundesverband der Verbraucherzentralen und Verbraucherverbände - Verbraucherzentrale Bundesverband eV v. Planet49 GmbH of 1 October 2019;
- the Code of Administrative Justice and Order No 2020-305 of 25 March 2020 as amended;
        


After hearing in open session:

- the report of Ms Christelle Thomas, Maître des requêtes en service extraordinaire, 
- the conclusions of Mr Alexandre Lallet, public rapporteur;

The floor having been given, before and after the conclusions, to SCP Gatineau, Fattaccini, Rebeyrol, lawyer of the association of Communication Consultancy Agencies, of the federation of E-commerce and distance selling (fevad), of the association of publishers of online content and services (geste), Interactive advertising bureau France (iab France), Mobile Marketing Association France (mma France), National union for direct communication from data to logistics (sncd), Internet agencies union (sri), Union des entreprises de conseil et d'achat média (udecam) and Union des marques;

Having regard to the memorandum under deliberation, registered on 12 June 2020, presented by the CNIL;

 

Considering the following:

1. It appears from the documents in the file that on 4 July 2019, the National Commission for Data Processing and Liberties (CNIL) adopted deliberation no. 2019-093 by which it adopted "guidelines" relating to the application to reading and writing operations in a user's terminal of article 82 of the law of 6 January 1978 relating to data processing, files and liberties. These guidelines are part of an action plan on advertising targeting announced on June 28, 2019, of which they constitute the first stage, and are intended to be completed, following a phase of consultation with professionals in the sector and civil society, by the adoption of a recommendation intended to guide operators with regard to the practical procedures for obtaining the consent provided for in Article 82 of the Act of January 6, 1978 applicable to "cookies" and other connection tracers. This deliberation, on the one hand, provides the CNIL's interpretation of the regulations applicable in this area, recalling that failure to comply with them may result in sanctions on its part, and, on the other hand, sets out recommendations of good practice for the operators concerned.

On the lawfulness of the procedure for adopting the contested decision:

2. Contrary to what is claimed, it is apparent from the endorsements of the decision of 4 July 2019 and from the documents which the CNIL placed on file that that decision was adopted following a procedure which complies with the requirements of the decree of 19 May 2019 implementing Law No 78-17 of 6 January 1978 on information technology, files and freedoms, after the commission's members have been summoned by its chairperson, with the agenda for the meeting, in compliance with the quorum and majority rules required for the adoption of the deliberations and after the Government Commissioner has received the observations of the Government Commissioner.

On the competence of the CNIL to take the contested deliberation:

3. First, in accordance with Article I of Article 8 of the Law of 6 January 1978, the CNIL is the national supervisory authority within the meaning and for the application of Regulation (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC of 24 October 1995, known as the General Regulation on Data Protection (RGPD). In particular, it is responsible for informing all data subjects and data controllers of their rights and obligations. Pursuant to 2° of I of this Article 8, the CNIL ensures that the processing of personal data is carried out in accordance with the provisions of the Act of 6 January 1978 and other provisions relating to the protection of personal data provided for by laws and regulations, European Union law and France's international commitments. In this respect, it may draw up and publish guidelines, recommendations or reference systems intended to facilitate compliance of personal data processing with the applicable texts. The first paragraph of Article 16 of the Act of 6 January 1978 further provides that the CNIL's restricted formation "shall take measures and impose sanctions on controllers or processors who do not comply with the obligations arising from Regulation (EU) 2016/679 of 27 April 2016 and this Act under the conditions provided for in Section 3 of this chapter". Article 20 of this law confers on its President the power to take corrective measures in the event of non-compliance with the obligations arising from Regulation (EU) 2016/279 or from its own provisions, as well as the possibility of referring the matter to the restricted formation for the imposition of the sanctions that may be imposed.

4. On the other hand, under the terms of Article 82 of the Act of 6 January 1978 on Data Processing, Data Files and Individual Liberties: "Any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed by the controller or his representative: 1° Of the purpose of any action tending to access, by electronic transmission, information already stored in his electronic communications terminal equipment, or to enter information in this equipment; / 2° Of the means at his disposal to oppose it. / These accesses or inscriptions may only take place on condition that the subscriber or user has expressed, after receiving this information, his consent, which may result from appropriate parameters of his connection device or any other device under his control. / These provisions shall not apply if access to or the entry of information stored in the user's terminal equipment: / 1° Either, has the exclusive purpose of enabling or facilitating communication by electronic means; / 2° Or, is strictly necessary for the provision of an online communication service at the express request of the user". These provisions ensure the transposition into national law of Article 5(3) of Directive 2002/58/EC of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector. They must therefore be interpreted in the light of the provisions of that Article, which states: 'Member States shall ensure that the storage of information, or gaining access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user has given his consent, after having received, in accordance with Directive 95/46/EC, clear and comprehensive information, inter alia, about the purposes of the processing. 
This shall not prevent any storage or technical access for the sole purpose of carrying out the transmission of a communication over an electronic communications network or as strictly necessary for the provider to provide an information society service explicitly requested by the subscriber or user". Pursuant to Article 94 of Regulation (EU) 2016/679 of 27 April 2016, "references to the repealed Directive shall be construed as references to this Regulation".

5. It follows from the general scheme of the Law of 6 January 1978 and, in particular, from the provisions cited in the previous points, that the CNIL is responsible for ensuring that any data processing falling within its scope, whether or not it involves personal data, complies with its provisions and with the obligations resulting from the Regulation of 27 April 2016. For the performance of its tasks, it has the power to exercise its prerogatives in the manner it considers most appropriate, including through recourse to soft law instruments. It follows that the argument based on the fact that the CNIL was incompetent to adopt "guidelines" generally applicable to "cookies" and other connection tracers must be rejected.

On the regime applicable to cookies and other connection tracers:

6. Firstly, it follows from the provisions cited in point 4 as interpreted by the Court of Justice of the European Union in its judgment C-673/17 of 1 October 2019 that the conditions for obtaining the user's consent provided for by the regulation of 27 April 2016 are applicable to reading and writing operations in a user's terminal. It follows that the CNIL has been able, without error of law, to apply to those data processing operations the regime of consent required for the processing of personal data.

7. Secondly, by referring, in adopting its 'guidelines', to the various works of the European Data Protection Committee (EDPS) which is, under Articles 68 and 70 of the Regulation of 27 April 2016, responsible for ensuring uniform application of the provisions of that regulation between Member States and may issue guidelines to that end, the CNIL, which has not, in so doing, sought to confer on those works a binding value of which they are devoid, did not commit any error of law.

On the prohibition of the use of "cookie walls":

8. Article 2 of the contested deliberation provides, under the heading 'free nature of consent', that 'the Commission considers that consent can be valid only if the person concerned is able to exercise his choice validly and does not suffer major inconvenience in the event of the absence or withdrawal of consent'. / In this respect, the Commission recalls that the EDPS, in his "Statement on the review of the ePrivacy Directive and its impact on privacy and confidentiality of electronic communications", considered that the practice of blocking access to a website or mobile application for those who do not consent to be tracked ("cookie walls") is not in line with the GDPR. Indeed, the EDPS considers that, in such a case, users are not in a position to refuse the use of tracers without suffering negative consequences (in this case the impossibility to access the site consulted)".

9. On the one hand, with regard to "cookie walls", a practice which consists in blocking access to a website or a mobile application for those who do not consent to the deposit or reading of connection traces on their terminal, it is clear from the terms of Article 2 above that the CNIL has merely pointed out that the EDPS considers that it does not comply with the requirements arising from the RGPD. In reiterating the EDPS's position on this point, without endorsing it, the CNIL, which did not misunderstand the scope of the committee's recommendations, did not intend to give them binding force.

10. Furthermore, in the same Article 2, the CNIL states that the validity of consent is subject to the condition that the data subject should not suffer any major inconvenience in the event of the absence or withdrawal of his or her consent, such a major inconvenience being, in its view, the impossibility of accessing an Internet site because of the practice of "cookie walls". By deducing such a general and absolute prohibition from the sole requirement of free consent, laid down by the regulation of 27 April 2016, the CNIL has exceeded what it can legally do, in the context of a soft law instrument, enacted on the basis of 2° of I of Article 8 of the Law of 6 January 1978 cited in point 3. It follows that the contested decision is, to that extent, tainted with illegality.

On the independence, specificity and informed nature of consent:

11. It follows from the provisions of Article 5(3) of Directive 2002/58/EC of 12 July 2002, cited in point 4, that the reading and writing operations in the terminal of a subscriber or user must give rise to clear and complete information for the latter, in compliance with the requirements of the GDPR, in particular as regards the purposes of the processing.

12. In the first place, according to Article 13 of the GDPR, the clear and complete information to be provided to the individual prior to the collection of his consent includes "(a) the identity and contact details of the controller and, where applicable, of the representative of the controller; (...) / (e) the recipients or categories of recipients of personal data, if any (...)". It follows from the provisions of Article 82 of the Law of 8 January 1978 cited above, informed by the respective provisions of Directive 2002/58/EC as interpreted by the Court of Justice of the European Union in its judgment C-673/17 of 1 October 2019 and the Regulation of 27 April 2016 cited above, that for prior consent to be considered as informed, the user must be able to have the identity of the controller(s) and the list of the recipients or categories of recipients of his data. In particular, if the publisher of a site that deposits "cookies" must be considered as a data controller, including when it subcontracts to third parties the management of "cookies" set up on its own behalf, third parties that deposit cookies when visiting the site of a publisher must also be considered as data controllers, provided that they are acting on their own behalf. It follows that the CNIL has legally been able, on the one hand, to point out that among the information that must be brought to the user's attention is, in particular and at the very least, "the identity of the data controller(s)", and, on the other hand, to specify that the user "must be able to identify all the entities that use cookies before being able to consent to them" insofar as these entities, which do not include data recipients, appear to be responsible or co-responsible for data processing.

13. In the second place, Article 7(1) of the Regulation of 27 April 2016 provides that "where processing is based on consent, the controller must be able to demonstrate that the data subject has given his or her consent to the processing of personal data relating to him or her". It is clear from these provisions that the controller must be able at any time to provide evidence of the valid collection of the user's consent. As a result, the CNIL was legally able to remind that an exhaustive and regularly updated list of entities using tracers as defined in the previous point must be made available to the user directly when his consent is obtained.

14. Thirdly, it follows from the above-mentioned provisions of Article 82 of the Act of 8 January 1978 that the user's consent must relate to each of the purposes pursued by the data processing and that any new subsequent purpose, compatible with the initial purpose or purposes, assigned to the data processing is subject to the collection of its own consent. Compliance with such a requirement implies at least, in the event that consent is given globally, that it is preceded by information specific to each of the purposes. It follows that by recalling that "the person concerned must be able to give his or her consent independently and specifically for each distinct purpose", the CNIL, which, in so doing, has not defined the concrete modalities according to which consent must be obtained, has not disregarded the provisions applicable in this area.

On the other obligations formulated by the contested decision:

15. In the first place, Article 4(11) of the GDPR defines the data subject's consent as 'any freely given specific, informed and unambiguous indication of his or her wishes by which the data subject signifies his or her agreement, by means of a declaration or a clear positive act, to personal data relating to him or her being processed'. According to Article 7(3) of the same Regulation: "The data subject shall have the right to withdraw his or her consent at any time". It clearly follows from these provisions combined with those of Article 82 of the Law of 6 January 1978 cited in point 3 that, on the one hand, in the absence of consent expressed by a clear positive act, the user must be considered as having refused access to his terminal or the entry of information in it, and that, on the other hand, he may withdraw his consent at any time. It follows that the CNIL, which, by stating that it should "be as easy to refuse or withdraw consent as to give it", limited itself to characterizing the conditions of the user's refusal without defining any particular technical modalities for expressing such a refusal, did not vitiate its deliberation with any ignorance of the applicable rules in this area.

16. Secondly, it follows from the aforementioned provisions of Article 82 of the Law of 6 January 1978 that the operations of reading or writing information stored in a user's terminal that are strictly necessary for the technical operation of the site or that correspond to the provision of an online communication service at the express request of the user are exempt from the collection of consent. It is apparent from the documents in the file that the CNIL, in Article 5 of the contested decision, listed the conditions which must be satisfied by the audience measurement tracers in order to benefit from such an exemption from the requirement to obtain consent, indicating in particular that the tracers used by such processing, which fall within one of the two categories referred to in that same Article 82, must not have a life span exceeding 13 months and that the information collected by means of those tracers must not be kept for more than 25 months. In defining such indicative durations for the use of tracers and for the conservation of information collected through them, the CNIL, which could not legally set a time limit for the validity of audience measurement cookies, limited itself to recommending, through non-binding guidelines, durations for the use of these cookies of such a nature as to allow the periodic re-examination of their necessity in the light of the derogations to the rule of consent provided for in the last two paragraphs of Article 82. It follows that, contrary to what is submitted, the contested decision is not vitiated by illegality on that point.

17. Finally, it is apparent from the very terms of the contested decision that the CNIL stated, in Article 6, that, in order to ensure the objective of full and complete transparency with regard to cookies and other tracers not subject to prior consent, users must be informed of their existence and purpose, for example by means of a statement in the privacy policy of the organisations using them. In setting such a transparency objective, after recalling that the law does not subject such cookies to any obligation to obtain the prior consent of the user, nor does it impose any obligation to offer the possibility of objecting to the use of such tracers, the CNIL did not intend to impose a new obligation of information not provided for by law, but simply to promote the dissemination of good practices for the user of tracers not subject to prior consent, as it can legally do in application of 2° of I of article 8 of the law of 6 January 1978 cited in point 3. It follows that, contrary to what is submitted, the contested deliberation is not further vitiated by illegality on that point.

18. It follows from all of the foregoing, without the need to refer questions to the Court of Justice of the European Union for a preliminary ruling, that the applicants are entitled to seek annulment only of the fourth paragraph of Article 2 of the contested decision. In the circumstances of the present case, the CNIL should be charged with the total sum of EUR 3 000 to be paid to the applicant associations under Article L. 761-1 of the Code of Administrative Justice.


D E C I D E :
--------------

Article 1: The fourth paragraph of Article 2 of the CNIL's deliberation of 4 July 2019 is annulled.

Article 2: The CNIL will pay the applicant associations a total sum of 3,000 euros under Article L. 761-1 of the Code of Administrative Justice.

Article 3: The remainder of the conclusions of the claim of the Association of Communication Consultancy Agencies and Others is rejected.

Article 4: This decision shall be notified to the Association of Communication Consultancy Agencies, the Federation of E-Commerce and Distance Selling, the Association of Publishers of Online Content and Services, the Interactive Advertising Bureau France, the Mobile Marketing Association France, the National Union of Direct Communication from Data to Logistics, the Union of Internet Service Providers, the Union of Media Consultancy and Purchasing Companies, the Union of Brands and the National Commission for Information Technology and Civil Liberties.