CNIL (France) - SAN-2024-019
| CNIL - SAN-2024-019 | |
|---|---|
 | |
| Authority: | CNIL (France) |
| Jurisdiction: | France |
| Relevant Law: | Article 82 Loi n° 78-17 L. 34-5 CPCE |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 26.06.2023 |
| Decided: | 14.11.2024 |
| Published: | 10.12.2024 |
| Fine: | 50,000,000 EUR |
| Parties: | Orange |
| National Case Number/Name: | SAN-2024-019 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | French |
| Original Source: | Legifrance (in FR) |
| Initial Contributor: | ao |
The DPA fined the main telecommunications operator in France €50,000,000 for displaying advertisements in users e-mail inboxes and operating cookies on user devices without consent. The controller was ordered to bring their practices into compliance under penalty of further fines.
English Summary
Facts
Among other services, the respondent provides an e-mail service called “Mail Orange” to more than 7,800,000 users and is the leading telecommunications operator in France. In an ex-officio investigation, the French Data Protection Commission (Commission Nationale de l’Informatique et des Libertés – CNIL) found the following:
Between the 7 and 12 June 2023, users were confronted with advertisements which were displayed like regular e-mails in their inboxes. The only recorded difference to regular emails was that the advertisements appeared in a light grey colour, included the word “publicité” and a cross to delete the email instantly. In addition, it was found that the respondent operated cookies on user devices if they had agreed to this.
The respondent's argument
The respondent argued that the CNIL up until now has always placed the responsibility of obtaining data subject’s consent to advertising on the advertiser. It therefore, did not see itself responsible for obtaining consent as it merely transferred the email of the advertiser to the data subject, just like regular emails. It further explained that it used a system which allowed it to disseminate the advertising emails without processing the data subject’s email address.
Operation of cookies
When users withdrew their consent to the placement of cookies on their device, the cookies which had previously been activated continued to function. Here the respondent argued that the data collected through the cookies after consent had been withdrawn was not then further processed by the respondent.
Holding
Requirement of consent
The CNIL based its decision on the CJEU judgment C-102/20 which showed that e-mails which are displayed in a space normally used for private e-mails containing promotional content, constitute direct marketing which in turn requires the data subject’s consent. Therefore, the CNIL concluded that in this case as per Article L. 34-5 Postal and Electronic Communications Code (Code des postes et des communications électroniques – CPCE) which partly transposes the e-privacy Directive into French law, the users consent to these marketing emails was necessary.
Liability of the respondent
The CNIL held that the respondent as the provider of the email service strategically markets spaces in the inbox of its users to advertisers. Since the respondent determines the display of these emails, the respondent is the only one in direct contact with the recipients of the emails. Therefore, it is the only entity, which could have obtained the recipients consent and which made the CNIL declare the respondent as the controller.
Cookies
The CNIL held that the persistent functioning of cookies after user consent had been withdrawn is expressly prohibited by Article 82 of the Informatics and Freedoms Act (Loi Informatique et Libertés - Loi n78-17), a French Act providing for data protection rights. The CNIL stated that it was irrelevant whether the extracted data was then subject to further processing by the respondent. The mere reading of the cookie data fell under the prohibition detailed in Article 82 of Loi n78-17.
Administrative fine
For the breach of Article 82 of Loi n78-17 and Article L. 34-5 CPCE, the CNIL issued a fine of €50,000,000 based on the respondent’s annual turnover. The CNIL further issued an order to cease the unlawful operation of cookies within three months. A penalty of €100,000 per day must be paid by the respondent in case of delay.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
