CNIL (France) - Deliberation SAN-2022-024 of December 20, 2022

From GDPRhub
Revision as of 11:58, 11 January 2023 by Robertr (talk | contribs)
CNIL - Deliberation SAN-2022-024 of December 20, 2022
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(11) GDPR
Article 5(3) ePrivacy-Directive
Article 82 of the French Data Protection Act
Type: Complaint
Outcome: Upheld
Started:
Decided: 19.12.2022
Published: 22.12.2022
Fine: 60,000,000 EUR
Parties: Microsoft Ireland Operations Limited
National Case Number/Name: Deliberation SAN-2022-024 of December 20, 2022
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: n/a

The French DPA fined Microsoft Ireland Operations Limited €60,000,000 for its website "bing.com" through which it had installed non-essential cookies without valid consent.

English Summary

Facts

On 21 February 2020, the French DPA, the National Commission for Computing and Liberties (CNIL), received a complaint directed at Microsoft Ireland Operations Limited (MIOL) regarding their domain "bing.com", a search engine. The complaint prompted the DPA to launch an investigation into "bing.com" to verify its compliance with the French law implementing the ePrivacy-Directive, the French "Data Protection Act", and the GDPR.

In their investigation, the DPA's commissioned investigator, the "rapporteur", found issues regarding both (1) a lack of compliance with the obligation to acquire users' consent to install non-essential cookies on users' terminals and (2) a shortcoming of the consent that was acquired, since it did not meet the required legal conditions to be considered "valid" consent. The rapporteur presented their findings to be considered by the DPA. MIOL was given the opportunity to reply to the rapporteur's findings.

On the topic of the first issue, the rapporteur reported that upon arrival on the bing.com site, and before any actions by the users were taken, a multi-purpose cookie named "MUID" was placed on the user's terminal. Upon request, MIOL explained that the cookie was used for advertisement purposes if users consented to it. However, if no consent was provided, the cookie was used for the detection of advertising fraud concerning non-targeted advertising.

According to the rapporteur, the "broader purpose of contextual advertising" excluded the cookie from the consent exemptions of Article 82 of the French Data Protection Act (implementing Article 5 of the ePrivacy-Directive), which is only applicable when (i) the cookie's exclusive purpose is to "allow" or "facilitate" communications by electronic means or (ii) the cookie is "strictly necessary for the provision of an online communication service at the express request of a user". MIOL argued in response that fighting advertising fraud is strictly necessary for their service to ensure that the search engine's search results are "relevant, reliable and safe". Moreover, the fight against advertising fraud is in the same line as the prevention of denial of service attacks, cybercrime, load balancing, and session-to-session continuity. Nevertheless, the rapporteur insisted that only the purpose of combating denial of service attacks could be exempt from consent and that other purposes, such as combating advertising fraud, would not be strictly necessary for the provision of a service pursuant to Article 82 Data Protection Act.

Additionally, also related to the first issue, the rapporteur brought the cookie "ABDEF" to the attention of the DPA. The cookie was placed on a user terminal if the user continued to browse without giving consent. It also had an advertising purpose. MIOL responded that the cookie had been incorrectly categorized due to human error, was only placed for a short period, and is now subject to the collection of users' consent. MIOL invoked a "right to error" and argued that it had acted in good faith.

Regarding the second issue, the rapporteur noted that Article 2(f) of the ePrivacy Directive states that its definition of consent is to be understood in light of the consent of data subjects of Directive 95/46/EC (which - by then - had been replaced by the GDPR). Correspondingly, the consent of Article 82 Data Protection Act (implementing the ePrivacy-Directive) is also to be understood within the meaning of consent as defined in Article 4(11) GDPR. As explained by recital 42 GDPR, "[c]onsent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment." The rapporteur also pointed to two recommendations of the DPA (namely, recommendations no. 2020-091 and 2020-092) which state that, to be valid, consent for the activation of cookies must be as easy to refuse or withdraw as it is to give. The principle of freedom of consent would imply a necessity of a "true freedom of choice", which requires consent mechanisms that allow users to express consent by being offered unbiased choices. This would not be fulfilled if, as is often the case, users are forced to go through more click-through levels of a cookie banner to refuse cookies than it takes them to accept cookies. After visiting MIOL's website "bing.com" on 11 May 2021, the rapporteur was confronted with a website allowing cookies to be accepted immediately while no similar means were offered to the user to refuse cookies. The refusal of cookies would require at least two more actions than it would take to accept them. Additionally, the use of the infinitive "Disable" - which would in principle imply a necessity to take action - would be ambiguous and confuse users. Consequently, "bing.com" would be in violation of Article 82 Data Protection Act.

In its defence, MIOL argued that neither the ePrivacy-Directive, nor its transposition, the French Data Protection Act, nor the GDPR provide for a rule requiring that it must be as easy to refuse cookies as it is to accept them. The cited recommendations of the DPA, on the other hand, would be non-binding. MIOL explained that it had relied on a preference management system which relied on explicit consent before placing non-essential cookies on a user's terminal. Non-essential cookies would only be activated after a user had clicked the "Accept" button and not if the user either pressed "save settings" or continued to browse.

Holding

On the first set of issues, the DPA considered that Article 82 of the French Data Protection Act requires consent for the operation of cookies on user terminals, but provides for specific exemptions, such as when a cookie is strictly necessary for the provision of an online communication service which a user requested. However, cookies which fulfil multiple purposes, including both essential and non-essential ones, would not fall under this exemption. In regard to the cookie "MUID", which serves the broader purpose of contextual advertising, MIOL appears to confuse the necessity of the cookie for the distribution of advertising, which a user did not request, with the impact of the cookie on the technical functionality of the search engine. Consequently, since the provision of advertisement was not strictly necessary for provision of the search engine service, the DPA held that the cookie "MUID" did not meet the exemption of Article 82 Data Protection Act.

Regarding the miscategorised cookie "ABDEF", the DPA argued that, even if it was not done intentionally, its placement without prior consent was a result of gross negligence. Moreover, the cookie was only rectified after the DPA's investigation. Therefore, the DPA considered this another violation of Article 82 Data Protection Act.

On the second issue, the DPA recalled its guidelines, which state that if a user's consent to cookies ought to be deduced from the user's silence, it is only on condition that the user is fully informed. Otherwise, there would be an imbalance between the methods of giving and denying consent. The DPA held that this imbalance was the case in the present circumstances. Users would not be aware that a lack of action would equally be a rejection of cookies as the pressing of a reject button would be. A user wishing to refuse cookies was given the impression that they would have to click on the "More options" button in order to find the reject option, while they were presented with an "Accept" button on the first level of the cookie banner. Additionally, the non-explicit nature of the "More options" button and the ambiguity of the infinitive "Disable" used on the rejection button further caused confusion for data subjects. Moreover, the DPA noted that several studies had proven that a "Refuse all" button on the first level of a cookie banner significantly reduced the rate of consent. More complex cookie acceptance mechanisms unjustifiably bias users towards accepting rather than refusing cookies. As a result, the DPA considered the foregoing considerations another violation of Article 82 Data Protection Act.

Even though "bing.com" was, as argued by MIOL, in a fragile position in a search engine market dominated by a single player, the DPA considered the massive nature of the illegal processing of data, affecting 11 million unique visitors in September 2020, the position of "bing.com" as second strongest player in the search engine market, its default use for queries made with Windows machines, and the financial benefits obtained by MIOL through the breach when assessing the height of its fine.

The DPA fined MIOL EUR 60,000,000 and issued an injunction to rectify its cookie implementation under the threat of a penalty payment of EUR 60,000 per day of delay beyond the DPA's given deadline.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation SAN-2022-023 of December 19, 2022
National Commission for Computing and Liberties

    Nature of the deliberation: Sanction
    Legal status: In force

    Date of publication on Légifrance: Thursday, December 22, 2022

Deliberation of the restricted formation n°SAN-2022-023 of December 19, 2022 concerning the company MICROSOFT IRELAND OPERATIONS LIMITED

The National Commission for Computing and Liberties, meeting in its restricted formation composed of Mr. Alexandre LINDEN, President, Mr. Philippe-Pierre CABOURDIN, Vice-President, Mrs. Christine MAUGÜÉ, Mr. Alain DRU and Mr. Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data;

Having regard to law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties;

Having regard to decision n° 2020-128C of September 8, 2020 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or to have carried out a verification mission of any processing accessible from the domain "bing.com" or relating to personal data collected from the latter, from any organization likely to be concerned by their implementation;

Having regard to decision n° 2020-253C of September 8, 2020 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the processing implemented by the company MICROSOFT FRANCE or on its behalf, in any place likely to be affected by their implementation;

Having regard to the decision of the President of the National Commission for Computing and Liberties appointing a rapporteur before the restricted formation, dated December 23, 2021;

Considering the report of Mr. François PELLEGRINI, commissioner rapporteur, notified to the company MICROSOFT IRELAND OPERATIONS LIMITED on July 13, 2022;

Having regard to the written observations submitted by MICROSOFT IRELAND OPERATIONS LIMITED on September 9, 2022;

Having regard to the rapporteur's response to these observations notified on October 10, 2022 to the company's board;

Having regard to the written observations of MICROSOFT IRELAND OPERATIONS LIMITED received on November 15, 2022;

Having regard to the other documents in the file;

Were present at the restricted committee session of December 1, 2022:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of MICROSOFT IRELAND OPERATIONS LIMITED:

- […]

MICROSOFT IRELAND OPERATIONS LIMITED having the last word;

The Restricted Committee adopted the following decision:

I. Facts and procedure

1. MICROSOFT CORPORATION, a multinational company created in 1976 whose head office is located in the United States, has as its main activity the development and sale of operating systems, application software, hardware and derived services. It also has a consulting and support activity for all MICROSOFT products. Its turnover was $143 billion in 2020 and $168 billion in 2021. In 2020, it employed nearly 148,000 people in 120 countries.

2. MICROSOFT IRELAND OPERATIONS LIMITED (hereafter "MIOL"), is a subsidiary of MICROSOFT CORPORATION whose registered office is located at 1, Microsoft Place, South County Business Park, Leopardstown in Dublin. Its main activity is the marketing and sales of software for the Europe and Asia-Pacific region. Its turnover amounted, in 2020, to […] for an annual profit of […] and to […] for an annual profit of […] in 2021.

3. MIOL operates and develops the Bing search engine in the European Economic Area. The "bing.com" domain accessible from France had 10,801,000 unique users residing in France in September 2020 and the turnover attributable to the "bing.com" domain in France amounted to […] in 2020 and to […] in 2021.

4. MICROSOFT FRANCE, a subsidiary of MICROSOFT CORPORATION and sister company of MIOL, is a simplified joint-stock company, registered with the Nanterre Trade and Companies Register under number 327733184, whose registered office is located at 37/45, quay of President Roosevelt, Issy-les-Moulineaux (92130). It specializes in the distribution, promotion and sale of computer products and services. In 2020, it achieved a turnover of 2.2 billion euros, for a net result of 77.9 million euros and, in 2021, of 2.6 billion euros for a net result of 92.4 million euros.

5. Following a referral registered on 21 February 2020 in which the complainant denounced the conditions for obtaining his consent to the deposit of tracers ("cookies") from the domain "bing.com", a delegation from the Commission Nationale de l'Informatique et des Libertés (hereinafter "the CNIL" or "the Commission") carried out an online check on the "bing.com" website on September 29, 2020, pursuant to Decisions No. 2020-128C and 2020-253C of September 8, 2020 from the President of the CNIL. The purpose of this control was to verify the compliance of any processing accessible from the "bing.com" domain from a terminal located in France with the amended law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms (hereinafter "the Data Protection Act") and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the GDPR" or "the Regulation").

6. The online report of findings no. 2020-128-1, drawn up following the inspection and notified to the companies MICROSOFT CORPORATION, MIOL and MICROSOFT FRANCE on October 15, 2020, invited the companies to answer several questions relating in particular to the identification of the entity which determines the purposes and methods of implementation of the processing of personal data relating to targeted advertising on the various domains visited during the control and accessible from the domain "bing.com", as well as the purpose of each of the cookies mentioned in the minutes.

7. On November 13, 2020, MICROSOFT FRANCE sent response elements to the CNIL.

8. On February 4, 2021, the company MICROSOFT FRANCE was heard and provided answers to the questions posed by the delegation, relating in particular to the relations between the companies MICROSOFT FRANCE, MICROSOFT CORPORATION and MIOL, to the organization of personal data protection within MICROSOFT and to the responsibility for the processing of targeted advertising linked to the Bing search engine. On February 16, 2021, MICROSOFT FRANCE sent additional response elements.

9. On May 11, 2021, a second online check was carried out by a delegation from the CNIL. During this check, the delegation followed the following path in order to identify whether cookies are placed on the user's equipment:

- the delegation visited the "bing.com" domain;

- then, without clicking on any of the buttons or links that appear on the cookie management banner (entitled "Accept" or "More options" or "Privacy statement"), they continued browsing the search engine before being blocked by a pop-up window;

- finally, the delegation clicked on the "Privacy statement" and "More options" links located on the pop-up window. From the "more options" link, the delegation authorized the deposit of cookies on its terminal by clicking on the "Allow all" button.

10. The delegation of control asked the companies MICROSOFT FRANCE, MICROSOFT CORPORATION and MIOL, as part of the online report of findings drawn up at the end of the control, for additional details on the purposes of each of the cookies mentioned in said minutes and explanations as to the triggering of the advertising purpose of the "MUID" cookie.

11. On July 12 and August 31, 2021, on the basis of information provided by MIOL, MICROSOFT FRANCE provided additional response elements to the requests made by the delegation.

12. For the purpose of examining these elements, the President of the Commission, on December 23, 2021, appointed Mr François PELLEGRINI as rapporteur on the basis of Article 39 of Decree No. 2019-536 of May 29, 2019.

13. On March 30, 2022, the board of the company MIOL communicated to the CNIL a bailiff's report of March 29, 2022 noting the update of the banner relating to cookies.

14. On July 13, 2022, the rapporteur notified MIOL of a report detailing the breach of Article 82 of the Data Protection Act that he considered constituted in this case. This report proposed that the Restricted Committee impose an administrative fine on the company, as well as an injunction, accompanied by a penalty, to stop depositing the "MUID" cookie subject to the collection of the consent of persons residing in France when they arrive on the "bing.com" website, even before they have had the opportunity to make a choice as to the operations for accessing or entering information in their terminal. It also proposed that the sanction decision be made public, but that it would no longer be possible to identify the company by name after the expiry of a period of two years from its publication.

15. On September 9, 2022, the company filed its observations in response to the sanction report.

16. On September 22, 2022, the board of the company MIOL sent a letter to the CNIL, demonstrating the update of the preference management center of the cookie banner of the "bing.com" website.

17. The rapporteur responded to the company's observations on October 10, 2022.

18. On November 15, 2022, the company produced new observations in response to those of the rapporteur.

19. By letter dated November 16, 2022, the rapporteur informed the company's board that the investigation was closed, pursuant to Article 40, III, of amended decree no. 2019-536 of May 29, 2019.

20. By letter dated November 16, 2022, the company was informed that the file was on the agenda of the restricted meeting of December 1, 2022.

21. The rapporteur and the company presented oral observations during the session of the Restricted Committee.

II. Reasons for decision

A. On the processing in question and the competence of the CNIL

1. On the material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR

22. The processing covered by this procedure, relating to the deposit of cookies and tracers on the terminal of users residing in France when using the Bing search engine, is carried out in the context of the provision of accessible electronic communications services to the public through a public electronic communications network offered within the European Union. As such, they fall within the material scope of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications, as amended by Directive 2006/24/EC of March 15, 2006 and by Directive 2009/136/EC of November 25, 2009 (hereinafter the “ePrivacy” Directive).

23. Article 5(3) of that directive, relating to the storage of or access to information already stored in the terminal equipment of a subscriber or user, was transposed into national law in Article 82 of the Data Protection Act, within Chapter IV of the law relating to the Rights and obligations specific to processing in the electronic communications sector.

24. Under the terms of Article 16 of the Data Protection Act, "the restricted committee takes measures and pronounces sanctions against data controllers or subcontractors who do not comply with the obligations arising […] of this law". Under Article 20, paragraph III, of this same law, "when the data controller or its subcontractor does not comply with the obligations resulting from […] this law, the president of the National Commission for Computing and Liberties […] can refer the matter to the restricted committee".

25. The rapporteur considers that the CNIL is materially competent to control and sanction the operations of access or registration of information implemented by the company in the terminals of users of the "bing.com" domain residing in France.

26. In defence, the company did not comment on the jurisdiction of the CNIL.

27. The Restricted Committee recalls that the Council of State, in its decision Société GOOGLE LLC and société GOOGLE IRELAND LIMITED of January 28, 2022, confirmed that the control of operations for accessing or registering information in the terminals of users in France of an electronic communications service, even if proceeding from cross-border processing, falls within the jurisdiction of the CNIL and that the one-stop-shop system provided for by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the GDPR") is not applicable: "it has not been provided for the application of the so-called "one-stop shop" mechanism applicable to cross-border processing, defined in article 56 of this regulation, for the measures for the implementation and monitoring of Directive 2002/58/EC of 12 July 2002, which fall within the competence of the national supervisory authorities by virtue of Article 15a of this directive. It follows that, with regard to the control operations for accessing and recording information in the terminals of users in France of an electronic communications service, even if proceeding from cross-border processing, the measures for monitoring the application of the provisions having transposed the objectives of directive 2002/58/EC fall within the competence conferred on the CNIL by the law of January 6, 1978 […]" (CE, 10th and 9th chambers combined, January 28, 2022, company GOOGLE LLC and company GOOGLE IRELAND LIMITED, no. 449209, pt. 12). The Council of State very recently reaffirmed this position in a judgment of June 27, 2022 (CE, 10th and 9th chambers combined, June 27, 2022, company AMAZON EUROPE CORE, n° 451423).

28. Therefore, the Restricted Committee considers that the CNIL is competent to initiate a sanction procedure concerning the processing implemented by the company falling within the scope of the "ePrivacy" Directive, provided that the processing relates to its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

29. The rule of territorial application of the requirements set out in Article 82 of the Data Protection Act is specified in Article 3, paragraph I, of the same law which provides: "without prejudice, with regard to the processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, of the criteria provided for in Article 3 of this regulation, all the provisions of this law apply to the processing of personal data carried out in the framework of the activities of an establishment of a data controller […] on French territory, whether or not the processing takes place in France”.

30. The rapporteur considers that the CNIL has territorial jurisdiction pursuant to these provisions since the processing, subject of this procedure, consisting of operations to access or register information in the terminal of users residing in France, when browsing the "bing.com" website, is carried out within the "framework of the activities" of the company MICROSOFT FRANCE, which constitutes the "establishment" on French territory of the company MIOL.

31. In defence, the company made no observations on this point.

32. Firstly, with regard to the existence of an establishment of the data controller on French territory, the Restricted Committee recalls that the Court of Justice of the European Union (hereinafter the "CJEU") has consistently considered that the concept of establishment should be assessed in a flexible manner and that to this end, it was necessary to assess both the degree of stability of the installation and the reality of the exercise of activities in another Member State, taking into account the specific nature of the economic activities and the provision of services in question (see, for example, CJEU, Weltimmo, 1 Oct. 2015, C-230/14, pts. 30 and 31). The CJEU also considers that a company, an autonomous legal person, from the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/12, point 48).

33. In this case, the Restricted Committee notes, first of all, that MICROSOFT FRANCE is the headquarters of the French subsidiary of MICROSOFT CORPORATION. It notes the existence of a program entitled "Resident Guest Employee", allowing a person working in an entity other than MICROSOFT CORPORATION to be contractually employed by the local entity but dependent, hierarchically and in the tasks it performs, from another entity of the MICROSOFT group. MICROSOFT FRANCE specified that in this case, several people in the team responsible for managing advertising for the Bing search engine, namely the Microsoft Advertising team which reports to MIOL, are employees of MICROSOFT FRANCE and deal with the French market.

34. Secondly, with regard to the existence of processing carried out "in the context of the activities" of this establishment, the Restricted Committee notes that, in its AMAZON EUROPE CORE decision of June 27, 2022, the Council of State recalled that "it follows from the case law of the Court of Justice of the European Union, in particular from its judgment of 5 June 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16), that in view of the objective pursued by this directive [the "e-Privacy" directive], consisting in ensuring effective and complete protection of the fundamental rights and freedoms of natural persons, in particular the right to protection of privacy and the protection of personal data, processing of personal data may be regarded as carried out "in the context of the activities" of a national establishment not only if this establishment itself intervenes in the implementation of this processing, but also in the case where the latter is limited to ensuring, on the territory of a Member State, the promotion and sale of advertising space making it possible to make profitable the services offered by the person responsible for a processing consisting in collecting personal data through connection tracers installed on the terminals of visitors to a site" (CE, 10th and 9th chambers combined, June 27, 2022, company AMAZON EUROPE CORE, n° 451423, pt. 10). The Council of State considered in this same decision that this was the case when the activities of the establishment of the data controller consist of the promotion and marketing of advertising tools controlled and operated by the data controller operating in particular thanks to the data collected through connection tracers deposited on the terminals of users of the site operated by the data controller (pt. 15 of the aforementioned decision).

35. In the present case, the Restricted Committee notes that the operations of accessing or entering information in the terminal of users located in France, when using the Bing search engine, are intrinsically linked to the activities of the company MICROSOFT FRANCE. Indeed, the company MIOL operates and develops in the European Economic Area (EEA) the Bing search engine, on which advertising space is purchased by advertisers, the promotion of these advertising tools being ensured, for the French market, by part of the Microsoft Advertising team.

36. Thus, the processing consisting of operations of access or registration of information in the terminal of users residing in France, when using the Bing search engine, is indeed carried out "within the framework of the activities" of the company MICROSOFT FRANCE. The Restricted Committee notes that the two criteria provided for in Article 3, paragraph I, of the Data Protection Act are therefore met.

37. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of imposing sanctions concerning processing falling within the scope of the "ePrivacy" directive.

B. On the determination of the controller

38. The Restricted Committee notes, first of all, that Article 4, paragraph 7, of the GDPR is applicable to this procedure because of the use of the concept of "data controller" in Article 82 of the Data Protection Act, which is justified by the reference made by article 2 of the "ePrivacy" directive to directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR.

39. According to Article 4(7) of the GDPR, the controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing".

40. The rapporteur considers that the company MIOL acts as controller of the processing in question, in that it determines the purposes and means of the processing consisting of operations of access or registration of information in the terminal of the users residing in France when using the Bing search engine.

41. The company did not submit any observations on this point.

42. The Restricted Committee points out that, in its letter of November 13, 2020, the company MICROSOFT FRANCE, which communicates "on the basis of the information which [it] was communicated by Microsoft Ireland Operations Limited", mentioned the role of MIOL as controller of the data processing carried out from the "bing.com" domain for users in the EEA, the United Kingdom and Switzerland and specified that MIOL exercised a decisive influence on the purposes and methods of implementation of processing and in particular processing relating to targeted advertising. Finally, the Restricted Committee notes that these comments were confirmed by MICROSOFT FRANCE during the hearing of February 4, 2021.

43. It follows from the foregoing that the company MIOL determines the purposes and means of the processing consisting of operations of access or registration of information in the terminal of users residing in France when using the Bing search engine, and therefore acts as the controller of the processing in question.

C. On the breach of cookie obligations

44. Under the terms of article 82 of the Data Protection Act, transposing article 5, paragraph 3, of the "ePrivacy" directive, "any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless this has been done beforehand, by the controller or his representative, of:

1° The purpose of any action seeking to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment;

2° The means at his disposal to oppose it.

This access or registration can only take place on condition that the subscriber or user has expressed, after having received this information, his consent which may result from appropriate parameters of his connection device or any other device placed under his control.

These provisions are not applicable if the access to information stored in the user's terminal equipment or the registration of information in the user's terminal equipment:

1° Either has the exclusive purpose of allowing or facilitating communication by electronic means;

2° Or is strictly necessary for the provision of an online communication service at the express request of the user".

1. On the obligation to obtain the user's consent to the deposit and reading of cookies

a. Regarding the deposit of a cookie on the user's terminal before any action on his part, without obtaining his consent

45. In his report, the rapporteur notes that the checks carried out revealed that upon arrival on the bing.com site, before any action on the part of the user, the "MUID" cookie was placed on the terminal of the user. According to the information communicated by MIOL within the framework of the control procedure, this is a multi-purpose cookie used to ensure the security of the service, to measure the use of the website and for the presentation of advertisements. The company indicated that a mechanism for collecting consent made it possible to trigger the advertising purposes of this cookie. The company nevertheless specified that when the advertising purpose of this cookie was not activated, it was used for the detection and filtering of advertising fraud concerning non-targeted advertising. The rapporteur notes that cookies relating to the detection and filtering of advertising fraud are part of the broader purpose of contextual advertising, which covers all advertising techniques consisting in offering advertising content according to the context in which the individual exposed to the message is located. He considers that these cookies are therefore not exclusively intended to allow or facilitate communication by electronic means and cannot be regarded as strictly necessary for the provision of an online communication service at the express request of the user. The rapporteur thus considers that the company MIOL disregards the obligations of article 82 of the law "Informatique et Libertés" by depositing this cookie without the consent of the user.

46. In defense, the company explains that the "MUID" cookie is a multi-purpose cookie, used for essential and non-essential purposes to avoid using several cookies each for one purpose, in order to reduce the number of reads and writes of information between the user's terminal and "bing.com". The company indicates that only essential purposes are activated before the user gives consent. The company asserts that it considers as purposes essential to the functionality of "bing.com": the purposes of combating fraud, including advertising fraud, security purposes such as the prevention of denial of service attacks, malware detection and countering misinformation. The company maintains that these inseparable purposes are strictly necessary for the provision of "bing.com" services as requested by the user. The company specifies that in the absence of user consent, the only advertising purpose for which the "MUID" cookie is used is non-targeted advertising as part of the fight against advertising fraud.

47. In his answer, the rapporteur recalls that, when the advertising purpose of the "MUID" cookie was not activated, this cookie was nevertheless used for the detection and filtering of advertising fraud concerning non-targeted advertising. It therefore considers that the deposit of this cookie requires the prior consent of the user for this purpose. In addition, the rapporteur specifies, in response to the company's argument considering the purpose of combating fraud in the broad sense as an essential purpose exempt from consent, that only the purpose of combating denial of service attacks could be exempt from consent. The rapporteur notes that the other purposes mentioned do not fall within the scope of the exemptions provided for in Article 82 of the Data Protection Act since they are not intended to facilitate electronic communication and are not strictly necessary for the provision of a service expressly requested by the user.

48. The company, in its final submissions, argues that the purposes of detecting malware and combating misinformation and advertising fraud are strictly necessary for the provision of the "bing.com" service, a service which produces relevant, reliable and safe search results. The company maintains that the term service should be interpreted with reference to a user's legitimate expectations, as well as the provider's legal obligations, regarding integrity, quality and security. It maintains that in any case, once the "MUID" cookie is placed on the user's terminal for an essential purpose, article 82 of the Data Protection Act does not apply to subsequent uses by the company of the personal data stored in the cookie. In this sense, the company concludes that the fight against misinformation, fraud, spam and abuse is compatible with the prevention of denial of service attacks, cybercrime, load balancing and session-to-session continuity, in accordance with Article 6(4) of the GDPR. The company also argues that in this case, compliance with GDPR requirements would then be overseen by the Data Protection Commission, Ireland's data protection authority, under the GDPR's one-stop shop, not the CNIL.

49. Firstly, with regard to cookies and other multi-purpose trackers, the Restricted Committee recalls that Article 82 of the Data Protection Act requires consent to the operations of reading and writing information in the terminal of a user but provides for specific cases in which certain tracers benefit from an exemption to consent: either when the tracer has the exclusive purpose of allowing or facilitating communication by electronic means or when it is strictly necessary for the provision of an online communication service at the express request of the user. The Restricted Committee notes by way of illustration that the Commission specifies, in its guidelines of September 17, 2020, that "the use of the same tracer for several purposes, some of which do not fall within the scope of these exemptions, requires obtaining the prior consent of the persons concerned, under the conditions set out in these guidelines. For example, in the case of a service offered via a platform requiring user authentication ("logged-in universe"), the publisher of the service may use a cookie to authenticate users without asking for their consent (because this cookie is strictly necessary for the provision of the online communication service). On the other hand, it may not use this same cookie for advertising purposes unless the latter have actually consented beforehand to this specific purpose".

50. The Restricted Committee thus considers that, if a multi-purpose cookie can be deposited without consent for an essential purpose which falls under one of the two exemptions provided for in Article 82 of the Data Protection Act, the company can use this cookie for non-essential purposes only if the user has actually consented to these specific purposes prior to its registration in their terminal, contrary to what the company maintains. Indeed, the Restricted Committee notes that depositing a multi-purpose cookie on the user's terminal for essential purposes exempt from obtaining consent under the exemptions provided for in Article 82 of the Data Protection Act, then having the subsequent processing carried out for non-essential purposes of said cookie fall under the GDPR, would amount to circumventing the provisions of the Data Protection Act since the user's consent would never again be requested prior to the deposit of cookies.

With regard to the inseparability of the purposes invoked by the company, the Restricted Committee recalls that the use of a multi-purpose tracker is a flexibility left to the data controller so as not to overload the user's terminal with a multitude of tracers each corresponding to a particular purpose.

51. Secondly, the Restricted Committee considers that in order to determine whether the registration of a multi-purpose cookie, such as the "MUID" cookie, on the user's terminal requires the prior collection of their consent, it is necessary to determine whether among the purposes announced by the company, at least one of them requires the prior collection of consent.

52. In the present case, the Restricted Committee notes that the purpose of the "MUID" cookie is in particular to fight against advertising fraud, understood as all third-party practices aimed at manipulating the distribution and advertising measurement operated by the company MIOL, whether this fraud is carried out to the detriment of the MIOL company or its advertising partners. It considers that this purpose is part of the broader purpose of contextual advertising, which covers all advertising techniques consisting of offering advertising content according to the context in which the individual exposed to the message is located. The Restricted Committee considers that this purpose concerns the distribution of advertising, for the benefit of MIOL and its advertiser clients, but does not impact the provision of the search engine service to users. It notes that the company is confusing the dissemination of malicious content by the search engine's advertising services, which is part of the company's internal management, and the detection of fraud operated by bots, which makes it possible to fight against the artificial creation of clicks on advertising content or affiliate links in order to prevent robots from artificially increasing the number of views of an advertisement, and which is referred to as the fight against advertising fraud.

53. The Restricted Committee considers that cookies for this purpose do not meet any of the conditions set out for the two aforementioned exceptions, particularly since advertising is not the service requested by the user, and require the user's consent. The Restricted Committee recalls that this position is not new since it has been supported by the CNIL since March 18, 2021 in the FAQ "Questions and answers on the amending guidelines and the "cookie and other tracers" recommendation" published on its site. The Restricted Committee recalls that this soft law instrument specifically indicates that cookies to combat advertising fraud are not intended to facilitate electronic communication and are not strictly necessary for the provision of a service expressly requested by the user.

54. Given these elements and without there being any need to comment on the other purposes invoked by the company, the Restricted Committee considers that the deposit and reading of a multi-purpose cookie such as the "MUID" cookie on the user's terminal, at least for the purpose of combating advertising fraud as defined in paragraphs 52 and 53, requires the user to give his prior consent, under the conditions provided for in article 82 of the Data Protection Act, as clarified by Article 4, paragraph 11, of the GDPR.

55. The Restricted Committee thus considers that by allowing, on the day of the online check of May 11, 2021, the deposit and reading of this cookie on the user's terminal when he arrives on the "bing.com" site without first obtaining its consent, the company MIOL has disregarded the obligations of article 82 of the Data Protection Act.

b. Regarding the deposit of a cookie on the user's terminal after navigation without obtaining his consent

56. The rapporteur notes that the online check of 11 May 2021 revealed that the "ABDEF" cookie was placed on the user's terminal after continuing to browse, without the user's consent having been collected. According to the information provided by the company as part of the control procedure, the "ABDEF" cookie has an advertising purpose. The rapporteur therefore considered that the MIOL company disregarded the obligations of article 82 of the "Informatique et Libertés" law by depositing this cookie, without the consent of the user, whereas cookies and other tracers for advertising purposes are not part of the cookies exempt from consent under the aforementioned article. In addition, the rapporteur noted that, after the online check, the company indicated that this cookie had been added inadvertently and that it would rectify this error before July 30, 2021 by placing it only after having obtained the user's consent.

57. In defense, the company indicates that it had incorrectly categorized the "ABDEF" cookie due to simple human inadvertence and that the latter was only placed for a short period since, since July 30, 2021, this cookie is now subject to the collection of user consent. The company invokes a "right to error" and explains that it acted in perfect good faith since it would have itself indicated its error to the CNIL by declaring in complete transparency, by letter dated July 12, 2021, that this cookie had been inadvertently added to the site.

58. The Restricted Committee notes that the letter of July 12, 2021 in which the company admitted having incorrectly categorized the "ABDEF" cookie is a response to the question posed by the delegation of control in the context of the minutes drawn up following the online check of May 11, 2021, "Specify the purposes of the cookies whose deposit could be noted in the PV n° 2020-128/3 of May 11, 2021". The Restricted Committee considers that, if the deposit of the "ABDEF" cookie without obtaining the consent of the user was not intentional, it nevertheless resulted from a gross error on the part of the company which did not dispute the advertising purpose of said cookie. In addition, it was only following the check carried out by the Commission that MIOL noticed its error and put an end to it.

59. The Restricted Committee considers that by allowing, on the day of the online check of May 11, 2021, the deposit and reading of the "ABDEF" cookie on the user's terminal after browsing the "bing.com" site without obtaining his consent beforehand, the company MIOL has disregarded the obligations of article 82 of the law "Informatique et Libertés", since cookies and other tracers for advertising purposes are not part of the cookies exempt from consent under the aforementioned article.

2. On the conditions for obtaining consent

60. In law, the "ePrivacy" directive provides in its article 2, f), that the consent of a user or subscriber corresponds to the consent of the data subject set out in Directive 95/46/EC, which has been replaced by the GDPR.

61. Thus, since the entry into force of the GDPR, the "consent" provided for in the aforementioned Article 82 must be understood within the meaning of Article 4, paragraph 11, of the GDPR, that is to say that it must be given in a free, specific, informed and unequivocal manner and manifest itself in a clear positive act.

62. In this respect, recital 42 of this Regulation provides that "consent should not be considered to have been given freely if the data subject does not have a real freedom of choice or is not in a position to refuse or to withdraw consent without prejudice".

63. The CNIL considers that it follows from these combined provisions, as it interpreted them in its deliberation no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of Article 82 of the law of 6 January 1978 amended to read and/or write operations in a user's terminal (in particular to "cookies and other tracers") and n° 2020-092 adopting a recommendation proposing practical methods of compliance in the event of the use of "cookies and other tracers", that it must be as easy to refuse or withdraw consent to tracers as to give it. The Restricted Committee recalls that although these instruments are certainly not mandatory, they aim to interpret the applicable legislative provisions and to enlighten the players on the implementation of concrete measures to guarantee compliance with the legal provisions, so that they implement these measures or measures having equivalent effect. In this sense, it is specified in the guidelines that the main purpose of these "is to recall and explain the law applicable to the operations of reading and/or writing information […] in the terminal equipment electronic communications of the subscriber or user, and in particular the use of cookies". Therefore, the Restricted Committee recalls that it retains a breach of the obligations arising from Article 82 of the Data Protection Act and not the non-compliance with the recommendations, which constitute relevant insight to shed light on the obligations provided for by European and French legislators, in particular by drawing all the consequences of the principle of freedom of consent as defined in Article 4, paragraph 11, of the GDPR, and by applying them to the assumptions of acceptance and refusal by the user to the deposit of cookies on his terminal.
Indeed, this principle of freedom of consent implies that the user benefits from a "true freedom of choice", as underlined in recital 42 of the GDPR, and therefore that the methods offered to him to express this choice are not biased in favor of consent.

64. With regard to the possible refusal procedures, in this same recommendation, the Commission "strongly recommended that the mechanism making it possible to express a refusal to consent to read and/or write operations be accessible on the same screen and with the same ease as the mechanism allowing consent to be expressed. Indeed, it considers that consent collection interfaces which require a single click to consent to tracking while several actions are necessary to "parameterize" a refusal to consent present, in most cases, the risk of biasing the choice of the user, who wishes to be able to view the site or use the application quickly.

For example, at the stage of the first level of information, users can have the choice between two buttons presented at the same level and in the same format, on which are written respectively "accept all" and "reject all", "authorize" and "prohibit", or "consent" and "not consent", or any other equivalent and sufficiently clear wording. The Commission considers that this modality constitutes a simple and clear way to allow the user to express his refusal as easily as his consent".

65. The rapporteur noted that on the day of the online check of 11 May 2021, while the banner displayed on the "bing.com" website contained a button allowing cookies to be accepted immediately, no similar means were offered to the user to be able to refuse, easily and with a single click, the deposit of these cookies. He had to perform at least two actions (perform a first click on "More options", leave the sliding buttons pre-checked on "Disable" by default, then perform a click on "Save settings") to refuse cookies against a single action to accept them. Such a mechanism therefore did not offer, according to the rapporteur, the same ease as that allowing consent to be expressed, in disregard of the legal requirements of freedom of consent, which imply not encouraging the Internet user to accept cookies rather than to refuse them. The rapporteur also notes that before the modification of the terms in the preference management center made on September 22, 2022, the presentation of the window allowing the user to refuse cookies could be ambiguous due to the use of the infinitive – "Disable" – which in principle implies that an action must be taken. The rapporteur therefore considered that the conditions for obtaining consent implemented by the company MIOL on the "bing.com" website did not comply with the provisions of article 82 of the Data Protection Act as explained by article 4, paragraph 11, of the GDPR on the freedom of consent, at the time of the online control from May 11, 2021 and until March 29, 2022, the date on which the company implemented a "Reject all" button.

66. In defence, the company argues that neither the "ePrivacy" directive, nor its transposition into French law in article 82 of the "Informatique et Libertés" law, nor the GDPR, provide for the rule according to which it must be as easy to refuse cookies as it is to accept them. It argues that the CNIL's recommendation of September 17, 2020 is not binding. The company considers in this respect that the CNIL accepts the presentation of a less easily accessible or less visible button to refuse the registration of cookies. The company maintains that the length of the implementation times, the tests and the technical and commercial consequences on the activity of its search engine justified it waiting for the final decision of the Council of State to avoid yet another modification of his cookie banner.

67. The company also explains that before the implementation of this "Refuse all" button, it relied on a preference management center and explicit consent from its users for the use of non-essential cookies and that no non-essential cookies were placed on users' terminals before they clicked the "Accept" button. It thus considers that the user refused to consent to non-essential cookies when he refrained from clicking on the "Accept" button and continued browsing or by clicking on "Save settings" after visiting the preference center by clicking on "More options", and that it was thus as easy to refuse as to consent to read and/or write operations. MIOL therefore considers that the user could accept or refuse the deposit of cookies in a very simple way and each time according to two methods, thus ensuring a free choice.

68. Firstly, the Restricted Committee notes that, if the company MIOL today argues that the lack of choice expressed by the user had the effect of not registering any non-essential cookies on his terminal, the information banner displayed to the user did not contain any such information.

69. The Restricted Committee considers, as the Commission recalled in its aforementioned guidelines, that if the user's refusal to consent to cookies can be deduced from his silence, it is on condition that the user be fully informed. Otherwise, the balance between the terms of acceptance and refusal is not respected. However, this was not the case in this case: by viewing the banner, the user was not informed of the means at his disposal to simply not consent to cookies.

70. The Restricted Committee considers, on the contrary, that it was not intuitive for the user to consider that by continuing to browse without performing any action on the cookie banner, no cookie would be deposited. It also notes that, if such navigation without action on the banner was indeed possible, as the delegation of control noted during the online check carried out on May 11, 2021, a choice was imposed concerning the deposit of cookies after three searches from the search engine, through a pop-up window with an "Accept" button and a "More options" button. Therefore, the simplest choice for an Internet user was to accept cookies via the "Accept" button. Thus, the Restricted Committee considers that in the absence of information on the consequences of his inaction, the user wishing to refuse cookies was strongly encouraged to click on the "More options" button and then to perform the two actions described above.

71. In addition, the Restricted Committee notes the inexplicit nature of the "More options" button offered in the context of the first window, which did not clearly mention the existence of means for refusing cookies, as well as the ambiguity of the use of the infinitive "Disable" in the context of the second window, which could lead the user to believe that cookies were by default authorized. It considers that the fact that the cookies were not deposited has no impact on the confusion generated by the information path, which could give the user the feeling that it was not possible to refuse the deposit of cookies and that he did not have any control methods in this regard, or lead him to be mistaken when deactivating these cookies.

72. Secondly, the Restricted Committee notes that it appears from several studies that the organizations which have set up a "Refuse all" button on the consent collection interface at the first level have seen the rate of consent relating to the acceptance of cookies decrease. Thus, according to the "Privacy barometer - 2021 edition" published by the company COMMANDERS ACT, the rate of consent on computers fell from 70% to 55% in April-May 2021, since the collection of consent is explicit. Similarly, according to a 366-Kantar study, it appears that 41% of Internet users in France refused, systematically or partially, the deposit of cookies in June 2021.

73. The Restricted Committee also considers that making the mechanism for refusing cookies more complex than that consisting in accepting them amounts in reality to discouraging users from refusing cookies and encouraging them to favor the ease of the "Accept" button. Indeed, an Internet user is generally led to consult many sites. Internet browsing is characterized by its speed and fluidity. Having to click on "More options" and having to understand how the page to refuse cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in this case, the company offered a choice between accepting or refusing cookies before the insertion of the "Refuse all" button, but the methods by which this refusal could be expressed, in the context of Internet browsing, biased the expression of choice in favor of consent in such a way as to alter the freedom of choice.

74. In view of the foregoing, the Restricted Committee considers that a breach of the provisions of Article 82 of the Data Protection Act, interpreted in the light of the GDPR, is constituted, insofar as, from the time of the online check of May 11, 2021 and until the implementation of a "Deny all" button on March 29, 2022, the user did not have the possibility to refuse read and/or write operations with the same degree of simplicity that he had in accepting them.

III. On corrective measures and their publicity

75. Under the terms of article 20, III, of the amended law of January 6, 1978, "When the data controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or of this law, the president of the National Commission for Computing and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, seize the restricted formation of the committee with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: […]

2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned with a view to exercising their rights, which may be accompanied, except in cases where the processing is implemented by the State, with a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted body; […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total annual worldwide turnover for the previous year, whichever is higher. […] The Restricted Committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83".

76. Article 83 of the GDPR provides that "each supervisory authority shall ensure that administrative fines imposed under this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account to decide whether to impose an administrative fine and to decide on the amount of this fine.

A. On the pronouncement of an administrative fine and its amount

77. The company considers that the proposed administrative fine is disproportionate to the alleged breaches and its conduct, to the fragile position of "bing.com" in the search engine market dominated by a single player, to the essential role that "bing.com" plays by offering an alternative to French users and the small proportion by which "bing.com" contributes to its financial results.

78. The Restricted Committee recalls that Article 20, paragraph III, of the Data Protection Act gives it jurisdiction to impose various sanctions, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the total annual worldwide turnover of the previous financial year achieved by the data controller or 10 million euros. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR.

79. Firstly, the Restricted Committee stresses that it is appropriate, in this case, to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach, taking into account the scope of the processing and the number of data subjects.

80. The Restricted Committee notes that by not complying with the requirements of Article 82 of the Data Protection Act, the company deprives users of the "bing.com" search engine residing in France of the possibility of choosing methods preserving the confidentiality of their data and methods allowing better personalization of the service offered to them, thus reducing their informational autonomy. Furthermore, the absence of prior consent to the deposit of cookies upon the arrival of users residing in France on the "bing.com" website and during their navigation on the latter, constitutes a substantial infringement of the right to respect for the privacy of the persons concerned. Finally, the imbalance between the methods offered to the user to accept or refuse the deposit of cookies on his terminal does not allow him to benefit from a real freedom of choice.

81. The Restricted Committee also notes the massive nature of the processing. It recalls that the company indicated that the Bing search engine had nearly 11 million unique visitors in France for the month of September 2020, i.e. one sixth of the French population. The number of people affected by the processing in question is therefore significant on the scale of the French population.

82. In addition, the Restricted Committee notes that it appears from publicly available information that the Bing search engine is the leading competitor to that offered by Google, although it represents only 5% of the market share in average monthly number of queries. The Restricted Committee also notes that the "bing.com" search engine is used by default for queries made within Windows operating systems. The Restricted Committee notes that, in fact, the search engine's user base thus extends beyond the single segment of web browsing software.

83. Secondly, the Restricted Committee considers that it is appropriate to apply the criterion provided for in subparagraph k) of Article 83, paragraph 2, of the Regulation relating to the financial benefits obtained as a result of the breach and any other circumstance.

84. The Restricted Committee recalls that the deposit of the "MUID" cookie on the terminal of users in France, before any action on their part and without their consent for the purposes of combating advertising fraud is contextual advertising. The Restricted Committee also notes that the deposit of the "ABDEF" cookie on the terminal of users in France, after navigation and without their consent, as well as the absence of a means of refusing cookies similar to that of accepting them, have direct consequences on the use of cookies for non-essential purposes relating to personalized advertising.

85. In this respect, the Restricted Committee notes that the clients of the Microsoft Advertising team for the French public, such as […] buy advertising space on the Bing search engine and collaborate with the Microsoft Advertising team in order to target local audiences and thus offer the most relevant advertisements. The Restricted Committee notes that the display of personalized advertisements to an Internet user is only possible if the navigation of the latter could be traced using a tracer, in order to determine which content would be the most relevant to display. In addition, the Restricted Committee points out that it emerges from the studies mentioned above that the companies which have set up a "Refuse all" button on the consent collection interface have seen the consent rate relating to the acceptance of cookies decrease, since a large proportion of Internet users completely or partially refuse cookies and other tracers, which necessarily has an impact in terms of revenue linked to online advertising. Thus, the Restricted Committee considers that the processing in question carried out by the company MIOL – consisting of operations to access or register information in the terminal of users residing in France when using the Bing search engine, without implementing a mechanism for refusing consent as easy as that of accepting cookies until March 2022 – participates in this respect in generating advertising revenue in France, for the benefit of the company's activity.

86. Although the placement of cookies for advertising purposes is not the main source of income for the company, which indicates that it derives most of its profits from the resale of equipment, marketing and licensing and distribution software, the Restricted Committee notes that invoiced advertising revenue relating to the "bing.com" domain and generated in France, which rose from […] in 2020 to […] in 2021, shows an increase of [...] %.

87. The Restricted Committee also notes that the accounts of Microsoft Corporation and its subsidiaries which are publicly available show that advertising constitutes one of the major economic models of the Microsoft group. The group's 2021 annual report thus mentions that its gross margin increased by 10% in 2021 thanks, in particular, to the advertising sector.

88. In addition, the Restricted Committee recalls the context in which the MIOL company chose not to offer its users, on the "bing.com" search engine, the option of easily refusing cookies until March 2022. Indeed, the CNIL has implemented a compliance plan on the issue of cookies spread over several years. The CNIL has communicated publicly on its website, on several occasions, on the fact that it must be as easy for the Internet user to refuse cookies as to accept them. This was the case in particular on October 1, 2020, when the aforementioned guidelines and recommendation of September 17, 2020 were published. Compliance was to take place by April 1, 2021. Hundreds of thousands of players, from the smallest sites to the largest, have complied and introduced a "Refuse" or "Continue without accepting" button.

89. The Restricted Committee also notes that before the online check of May 11, 2021, a first online check had been carried out by the delegation on September 29, 2020, and that a hearing of the company MICROSOFT FRANCE had been organized on 4 February 2021 with the delegation. In this sense, the Restricted Committee notes that MIOL was warned that the search engine was expected to be brought into compliance by the CNIL, that cookies were deposited when consent was necessary and that it had the necessary time in particular to set up a compliant means of obtaining the consent of users.

90. The Restricted Committee notes, however, that it was not until March 29, 2022 that the company chose to insert a "Refuse all" button, following the appointment of a rapporteur by the President of the Commission.

91. Finally, the Restricted Committee recalls that pursuant to the provisions of Article 20, paragraph III, of the Data Protection Act, the company MIOL incurs a financial penalty of a maximum amount of 2% of its turnover or €10 million, whichever is greater. Given the company's turnover amounting to […] in 2021, the maximum amount of the fine incurred in the present case therefore amounts to more than […].

92. Therefore, with regard to the liability of the company, its financial capacity and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the Restricted Committee considers that a fine of sixty million euros against MICROSOFT IRELAND OPERATIONS LIMITED appears justified.

B. On the issuance of an injunction

93. The rapporteur proposed to the Restricted Committee, in its initial report, to issue a compliance injunction relating to the conditions under which the "MUID" cookie is placed on the user's terminal, accompanied by a penalty payment in the amount of sixty thousand euros per day of delay and payable at the end of a period of three months.

94. The company submits that the issuance of an injunction is not necessary.

95. Firstly, the Restricted Committee notes that the company MIOL continues to deposit on the terminal of the user residing in France, before any action, the multi-purpose cookie "MUID" which requires the collection of consent, as it serves the purpose of combating advertising fraud. It therefore considers it necessary to issue an injunction so that the company complies with the applicable obligations in this area.

96. Secondly, the Restricted Committee recalls that the amount of the penalty payment must be both proportionate to the seriousness of the breaches committed and adapted to the financial capacities of the controller.

97. In view of these elements, the Restricted Committee considers as justified the issuance of an injunction accompanied by a penalty payment in the amount of sixty thousand euros per day of delay and liquidable at the end of a period of three months.

C. On publicity

98. The company disputes the rapporteur's proposal to make this decision public. It considers that the publication of the sanction would have significant and disproportionate consequences in terms of image and reputation. To justify this request for publicity, the rapporteur invokes in particular the number of people concerned and the nature of the breach established in this case.

99. The Restricted Committee considers that the publication of this decision is justified in view of the seriousness of the breaches in question, the scope of the processing and the number of persons concerned.

100. The Restricted Committee notes that this measure will make it possible to alert French users of the Bing search engine of the characterization of the breach of Article 82 of the Data Protection Act in its various branches and of the delivery of an injunction to remedy.

101. Finally, the measure is proportionate since the decision no longer identifies the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

• pronounce against the company MICROSOFT IRELAND OPERATIONS LIMITED an administrative fine of sixty million euros (€60,000,000), with regard to the breach of Article 82 of the Data Protection Act;

• pronounce against the company MICROSOFT IRELAND OPERATIONS LIMITED an injunction to obtain the consent of users when they arrive on the "bing.com" website before any operation of reading and writing information on the terminal of resident users in France for the purpose of combating advertising fraud;

• accompany the injunction with a penalty payment of sixty thousand euros (€60,000) per day of delay at the end of a period of three months following the notification of this deliberation, the supporting documents for compliance must be sent to the Restricted Committee within this period;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication.

President

Alexander LINDEN

This decision may be appealed to the Council of State within four months of its notification.