CNIL (France) - SAN-2021-023

From GDPRhub
CNIL (France) - SAN-2021-023
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 56 GDPR
Article 2(f) Directive 2002/58/EC ('E-Privacy Directive')
Loi "Informatique et Libertés"
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.12.2021
Published: 06.01.2022
Fine: 150,000,000 EUR
Parties: Google LLC
Google Ireland Limited
National Case Number/Name: SAN-2021-023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: Frederick Antonovics

The French DPA fined Google LLC €90,000,000 and Google Ireland Limited €60,000,000 for failing to comply with Article 82 of the French Data Protection Act, and ordered the companies to modify the websites "google.fr" and "youtube.com" to offer French users a means of refusing to give consent that is as simple as the mechanism provided for their acceptance.

English Summary

Facts

Google LLC is a subsidiary owned wholly by Alphabet Inc. Google Ireland Limited ('GIL') "presents itself" as the headquarters for the Google group's operations in the EEA and Switzerland.

In March 2020 the French DPA (CNIL) carried out an online inspection of the website "google.fr" in the context of a previous procedure against Google LLC and GIL. The purpose of this inspection was to verify their compliance with the Loi 'Informatique et Libertés', and in particular with Article 82 thereof. This resulted in this decision, that Google appealed.

Following this decision, the CNIL received more complaints about the methods of refusing cookies from the website "google.fr". It therefore reopened the case and launched a new investigation.

Holding

On the request for a stay of proceedings

First, the companies requested that per Article 66 of the CNIL's rules of procedure, the CNIL stay these proceedings pending the decision to be handed down by the Council of State in the appeal against its first decision against Google and pending the conclusions of the new EDPB working group on cookies.

The CNIL rejected this request, as it considered that there were no acceptable grounds for staying the proceedings.

On the complaint alleging breach of the ne bis in idem principle

Second, the companies argued that the restricted formation cannot rule again on the same facts as those concerned by deliberations No. SAN-2020-012 and No. SAN-2021-004, without violating the ne bis in idem principle, as it considered the parties and material facts in those case to be identical.

The CNIL responded that the two procedures do not concern the same facts, as these cases included an injunction relating to the information of users on the purposes of cookies subject to consent and on the means available to refuse cookies, whereas the one at hand concerned the refusal methods themselves, and not only the information. It also highlighted that this procedure concerned both the websites "google.fr" and "youtube.com", whereas the previous procedure concerned only the website "google.fr".

As such, the CNIL rejected the complaint based on the violation of the ne bis in idem principle.

On the competence of the CNIL

The material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR

The processing operations investigated by the CNIL in this case were carried out in the context of the provision of publicly available electronic communications services via a public electronic communications network offered within the European Union. As such, it considered they fell within the material scope of the ePrivacy Directive. Article 5(3) of that directive was transposed into domestic law through Article 82 of the French Data Protection Act. The CNIL therefore considered itself materially competent under these provisions to monitor and sanction the access or registration of information by companies in the terminals of users of the "google.fr" and "youtube.com" websites in France.

The companies contested the jurisdiction of the CNIL. They argued they should be subject to the procedural framework provided for by the GDPR, or the 'one-stop shop' mechanism, under which the Irish DPA (DPC) would be the lead supervisory authority (LSA). They considered that the absence of specific rules on determining the competence of the supervisory authority in the case of cross-border processing operations falling within the scope of the ePrivacy Directive should be replaced by the application of the procedural framework provided for by the GDPR. Interestingly, the companies further argued that the EDPB's announcement regarding the creation of a working group on cookie banners in response to the significant number of complaints recently filed with supervisory authorities by noyb was evidence that the EDPB considers that cookie-related breaches fall directly within the scope of the GDPR and, therefore, the 'one-stop shop' mechanism.

First, the CNIL responded that a distinction should be made between, on the one hand, the operations consisting in depositing and reading a cookie on a user's terminal and, on the other hand, the subsequent use that is made of the data generated by these cookies ("subsequent/further processing"). The former are governed by special rules, set by the ePrivacy Directive - in this case, by its Article 5(3) - and transposed into national law, the latter is governed by the GDPR and, as such, may be subject to the "one-stop-shop" mechanism in the event that they are cross-border. This case only concerned the read and write operations carried out on the terminal of the user located in France visiting the Google Search and YouTube search engines.

Second, it held that where a processing operation may fall within both the material scope of the ePrivacy Directive and the material scope of the GDPR, reference should be made to the relevant provisions of the two texts which provide for their articulation. The rule laid down in Article 5(3) of the ePrivacy Directive, according to which reading and/or writing operations must systematically be subject to the prior consent of the user, after having been informed, constitutes a special rule with regard to the GDPR, since it prohibits the legal bases mentioned in Article 6 GDPR from being invoked in order to be able to lawfully carry them out. The control of this rule is therefore a matter for the special control and sanction mechanism provided for by the ePrivacy Directive, and not for the data protection authorities and the EDPB under the GDPR. It stated that the French legislator entrusted this task to the CNIL. Thus, the "one-stop shop" mechanism provided for by the GDPR could not be applied to the processing operations covered by the Directive, as the companies claimed.

Third, the CNIL confirmed that the 'one-stop-shop' mechanism is not applicable to facts that are materially covered by the ePrivacy Directive, by referring to the Opinion No 5/2019 of the EDPB and the CJEU decision C-645/19 (Facebook Belgium) upholding this opinion.

Finally, the CNIL stated that the creation of a working group on cookies in response to the large number of complaints filed by noyb did not mean that the EDPB considered that all violations related to cookies necessarily fall within the scope of the GDPR. Furthermore, pursuant to Article 70(1)(u) GDPR, one of the EDPS's tasks is to promote cooperation and the effective bilateral and multilateral exchange of information and best practices between supervisory authorities. The purpose of the working party was thus only to exchange views on the analysis of the numerous complaints lodged by noyb.

Thus, the CNIL held that the "one-stop shop" mechanism provided for by the GDPR was not applicable to the present procedure and that it was competent to control and sanction processing operations consisting of reading and/or writing information in the terminal of users located in France implemented by companies falling within the scope of the "ePrivacy" Directive, provided that they fall within its territorial jurisdiction.

On the territorial jurisdiction of the CNIL

The CNIL considered it was territorially competent under Article 3 GDPR since the processing that was the subject of the present procedure, namely consisting of accessing or recording information on the terminals of users residing in France when using the Google Search engine and YouTube, in particular for advertising purposes, was carried out within the "framework of the activities" of the company Google France, which constituted the "establishment" of the Google group in France. In response, Google argued that its establishment in the EU was located in Ireland. The CNIL considered a range of CJEU case law (included but not limited to Google Spain C-131/12, Weltimmo C-230/14) and its findings in the previous decision SAN-2020-012, which pointed towards a broad interpretation of 'establishment' and 'in the context of the activities' and rejected this argument. As such, it held that French law was applicable and that it was materially and territorially competent to exercise its powers, including the power to impose sanctions on processing operations falling within the scope of the ePrivacy Directive.

The determination of the controller

The CNIL held that Google LLC and Google Ireland Limited jointly determined the purposes and means of the processing consisting of accessing or recording information in the terminal of users residing in France when using the Google Search engine and YouTube.

On the failure to comply with the obligations relating to cookies

The CNIL finally assessed whether the companies had complied with Article 82 of the French Data Protection Act.

It noted that, in order to give consent to the reading and/or writing of information on their terminal, users visiting the home page of the sites "google.fr" and "youtube.com" only had to click on the "I accept" button on the pop-up window, which made the window disappear and allowed them to continue browsing. On the other hand, the users going to these same home pages and wishing to refuse cookies had to click on the "Personalise" button of this first window, which took them to an interface on both the "google.fr" and "youtube.com" sites, offering them the choice of activating or deactivating cookies, on which they had the possibility of carrying out various actions.

The investigator for the CNIL considered that making the mechanism for refusing cookies more complex than the one for accepting them amounted to discouraging users from refusing cookies and encouraging them to opt for the "I accept" button. This led to their conclusion that the methods of refusing cookies implemented by the companies on the sites "google.fr" and "youtube.com" did not comply with the provisions of Article 82 of the French Data Protection Act, as clarified by the enhanced consent requirements set out in the GDPR.

In response, the companies argued that neither the ePrivacy Directive, nor the RGPD, nor Article 82 of the Data Protection Act provided that the action of refusing cookies should be as simple as accepting them. "They [also added] that, for many years, the CNIL itself had not deduced this principle even though the regulations in question had remained unchanged since the RGPD came into force. They point out that the CNIL cannot, through its guidelines and recommendations, introduce new requirements relating to the refusal of consent and consider that it is up to each data controller to choose the most appropriate method of obtaining consent."

The CNIL rejected this, restating its powers, which include drawing up and publishing guidelines, recommendations or benchmarks intended to facilitate the compliance of personal data processing with the texts relating to the protection of personal data. It was in this context the DPA had issued its previous deliberations which provided guidance to stakeholders on the implementation of concrete measures to ensure compliance with these provisions, so that they implemented these measures or measures of equivalent effect. Indeed, the guidelines' main purpose "is to recall and clarify the law applicable to the reading and/or writing of information [...] in the subscriber's or user's electronic communications terminal equipment, and in particular to the use of cookies".

It thus considered that it had not created any new obligations for the actors in its recommendation, but has limited itself to illustrating in concrete terms how Article 82 of the law should be applied. The position according to which it must be as simple for users to refuse cookies as to consent to them was even endorsed by the French Council of State in CE, 19 June 2020, No. 434684, pt 15.

Further, the CNIL highlighted that users residing in France who visit the Google Search engine and/or YouTube had to perform a single action to accept cookies, whereas they had to perform five to refuse them. It was therefore not as simple to refuse cookies as to accept them. It referred to studies that showed that having a "refuse all" button on the first-level consent interface led to a decrease in the rate of consent to accept cookies. It therefore considered that making the mechanism for refusing cookies more complex than the one for accepting them actually discourages users from refusing cookies and encourages them to prefer the ease of the "accept all" button.

"In view of the above, the [CNIL held] that there [had] been a breach of the provisions of Article 82 of the [French] Data Protection Act, interpreted in the light of the GDPR, insofar as the companies [did] not provide users located in France, on the websites "google.fr" and "youtube.com", with a means of refusing to read and/or write information to their terminal that is as simple as the one provided for accepting its use.

Thus, the CNIL:

  • imposed a fine of €90,000,000 on Google LLC for failing to comply with Article 82 of the French Data Protection Act,
  • imposed a fine of €60,000,000 on Google Ireland Limited for failing to comply with Article 82 of the French Data Protection Act,
  • ordered Google LLC and Google Ireland Limited to modify, on the websites "google.fr" and "youtube.com", the methods for obtaining the consent of users located in France to the reading and/or writing of information in their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent;
  • attached to the injunction a penalty of 100,000 euros (one hundred thousand euros) per day of delay at the end of a period of three months following notification of this decision, with proof of compliance to be sent to the restricted panel within this period;
  • made its decision public on the CNIL website and on the Légifrance website, which will no longer identify the companies by name at the end of a two-year period from the date of its publication.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation n°SAN-2021-023 of December 31, 2021 concerning the companies GOOGLE LLC and GOOGLE IRELAND LIMITED

The National Commission for Computing and Liberties, meeting in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Anne DEBET and Mr. Alain DRU, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Considering the law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties;

Having regard to decision no. 2021-108C of May 20, 2021 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the processing accessible from the "google. fr" and "youtube.com" or relating to personal data collected from them;

Having regard to the decision of the President of the National Commission for Computing and Freedoms appointing a rapporteur before the restricted formation, dated July 28, 2021;

Having regard to the report of Mrs Valérie PEUGEOT, reporting auditor, notified to the companies GOOGLE LLC and GOOGLE IRELAND LIMITED on September 2, 2021;

Having regard to the written observations submitted by the counsel for GOOGLE LLC and GOOGLE IRELAND LIMITED on October 8, 2021;

Having regard to the rapporteur's response to these observations notified on October 22, 2021 to the company boards;

Considering the written observations submitted by the counsels of GOOGLE LLC and GOOGLE IRELAND LIMITED received on November 12, 2021;

Having regard to the oral observations made during the session of the Restricted Committee;

Having regard to the other documents in the file;

Were present at the restricted training session of November 25, 2021:

- Mrs. Valérie PEUGEOT, commissioner, heard in her report;

As representatives of GOOGLE LLC and GOOGLE IRELAND LIMITED:

- […];

As interpreters for GOOGLE LLC and GOOGLE IRELAND LIMITED:

- […];

The companies GOOGLE LLC and GOOGLE IRELAND LIMITED having the floor last;

The Restricted Committee adopted the following decision:

I. Facts and procedure

1. GOOGLE LLC is a limited liability company headquartered in the United States. Since its creation in 1998, it has developed numerous services for individuals and businesses, such as the Google Search search engine, Gmail email, the Google Maps mapping service and the YouTube video platform. It has more than 70 offices in some fifty countries and employs more than 135,000 people around the world. Since August 2015, GOOGLE LLC has been a wholly-owned subsidiary of ALPHABET Inc., parent company of the GOOGLE group.

2. In 2020, ALPHABET Inc. had revenue of over $182 billion, while GOOGLE LLC had revenue of $182 billion. The Google Search search engine generated more than $104 billion in revenue, while advertising through GOOGLE Group services generated nearly $147 billion in revenue, and through YouTube services nearly $20 billion. billion.

3. GOOGLE IRELAND LIMITED (hereinafter "GIL") presents itself as the headquarters of the GOOGLE group for its activities in the European Economic Area and in Switzerland. Based in Dublin (Ireland), it employs approximately […] people. It achieved a turnover of […] euros in 2019.

4. GOOGLE FRANCE SARL is the French establishment of the GOOGLE group. A wholly-owned subsidiary of GOOGLE LLC, its head office is located in Paris. It employs approximately […] employees and achieved a turnover of […] euros in 2019.

5. On March 16, 2020, as part of a previous procedure brought against the companies GOOGLE LLC and GIL, a delegation from the National Commission for Computing and Liberties (hereinafter "the CNIL" or " the Commission") carried out an online check on the "google.fr" website. The purpose of this mission was in particular to verify compliance, by the companies GOOGLE LLC and GIL, with the provisions of Law No. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter " the Data Protection Act ") and in particular its article 82.

6. Pursuant to Article 22 of the "Informatique et Libertés" law, the President of the CNIL appointed a rapporteur on June 8, 2020.

7. By deliberation no. SAN-2020-012 of December 7, 2020, the Restricted Committee:

- imposed administrative fines on GOOGLE LLC and GIL in the respective amounts of 60 million and 40 million euros for breach of Article 82 of the "Informatique et Libertés" law;

- pronounced against the companies GOOGLE LLC and GIL "an injunction to bring the processing into compliance with the obligations resulting from article 82 of the law "computing and freedoms", in particular:

o inform the persons concerned beforehand in a clear and complete manner, for example on the information banner on the home page of the "google.fr" site:

- the purposes of all cookies subject to consent,

- the means at their disposal to refuse them”;

- accompanied by the injunction of a penalty payment of 100,000 euros per day of delay at the end of a period of three months following the notification of this deliberation;

- made public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the companies by name at the end of a period of two years from its publication.

8. On January 29, 2021, the companies filed a summary appeal before the Council of State, requesting the suspension of the injunction. This request was rejected by a decision of March 4, 2021 (CE, judge in chambers, March 4, 2021, No. 449212).

9. At the same time, the companies filed a full litigation appeal against the deliberation of December 7, 2020. The procedure is still pending before the Council of State.

10. By deliberation no. SAN-2021-004 of April 30, 2021, the Restricted Committee considered that the companies had complied with the injunction within the time limit, insofar as "people visiting the site" google. fr "are now informed, in a clear and complete manner, of all the purposes of cookies subject to consent and the means available to them to refuse them, through the information banner displayed when they arrive on the site" .

11. On March 18, March 31, April 2 and April 28, 2021, the CNIL received several complaints denouncing the procedures for refusing cookies from the "google.fr" and "youtube.com" websites made available to users located in France.

12. Pursuant to Decision No. 2021-108C of May 20, 2021 of the President of the Commission, the CNIL services carried out an online check, on June 1, 2021, on the "google.fr" websites and "youtube.com".

13. The purpose of this mission was in particular to verify compliance, by the companies GOOGLE LLC and GIL (hereinafter the "companies"), with the provisions of the "Informatique et Libertés" law.

14. In the context of online monitoring, the delegation made observations when the user visits the "google.fr" and "youtube.com" sites; when he clicks on the "Customize" button; when he clicks on the "Privacy Policy" link and when he clicks on "Terms of Use".

15. On June 3, 2021, the delegation notified the companies of the report drawn up as part of the online control, asking them to indicate, for each of the cookies mentioned in the said report, its purpose and to provide a volume of the number of unique daily visitors for the “google.fr” and “youtube.com” sites over the last twelve months from France.

16. On June 21 and July 9, 2021, the CNIL received two new complaints denouncing the procedures for refusing cookies from the "google.fr" website.

17. By letter dated July 9, 2021, the company GIL responded to the delegation's request, indicating that it was providing an answer "without prejudice to [its] rights under the GDPR, in particular the one-stop-shop mechanism and the role of lead authority of the Irish Data Protection Commission (“DPC“) in investigations”. She specified that she acted as the person responsible for processing personal data with regard to the cookies deployed on the "google.fr" and "youtube.com" domains for users located within the European Economic Area and in Switzerland. . It also transmitted the purpose of each of the cookies placed on the user's terminal and identified in the report of findings. On the other hand, it refused to provide the volume of the number of unique visitors to these two websites over the past twelve months from France, considering that it was not necessary to provide this information at this stage.

18. For the purposes of examining these elements, the President of the Commission appointed Mrs Valérie PEUGEOT as rapporteur, on July 28, 2021, on the basis of Article 22 of the "Informatique et Libertés" law.

19. At the end of her investigation, the rapporteur served by hand, on September 2, 2021, on the companies' councils and by e-mail on their representatives, a report detailing the breach of Article 82 of the law " Informatique et Libertés" which it considered constituted in this case.

20. This report proposed that the restricted committee of the Commission impose an administrative fine on the two companies, as well as an injunction to bring into compliance the processing consisting of operations of reading and/or writing of information in the terminal of users located in France, on the “google.fr” and “youtube.com” websites, with the provisions of article 82 of the “Informatique et Libertés” law, accompanied by a penalty payment. It also proposed that this decision be made public and no longer allow companies to be identified by name after the expiry of a period of two years from its publication.

21. By letter dated September 9, 2021, the companies, through their counsel, requested additional time to provide their observations in response. By letter dated September 15, 2021, the chairman of the Restricted Committee granted them additional time until October 8, 2021.

22. By letter dated September 27, 2021 addressed to the Chairman of the Restricted Committee, the companies, through their counsel, requested the suspension of the procedure pending the decision of the Council of State within the framework of the appeal brought against deliberation no. SAN-2020-012 of December 7, 2020. On September 30, 2021, the company boards informed the chairman of the restricted formation of the creation of a working group by the European Protection Committee (hereinafter "the EDPS"), intended to coordinate the response to complaints relating to cookie banners, filed by the None of Your Business association (hereinafter "the NOYB association") with various protection authorities European data.

23. By letter dated October 4, 2021, the chairman of the Restricted Committee rejected the companies' request for a stay of proceedings.

24. On October 8, 2021, the companies filed submissions in response to the sanction report.

25. The rapporteur replied to the companies' observations on 22 October 2021.

26. On October 27, 2021, through their advisers, the companies requested an extension of the fifteen-day period provided for in Article 40 of Decree No. 2019-536 of May 29, 2019 to file their observations. in response, a request to postpone the restricted committee meeting set for November 25, 2021 and a request for the meeting to be held behind closed doors.

27. On October 29, 2021, the chairman of the Restricted Committee granted an additional period of eight days to the companies to produce their second observations and refused to postpone the date of the Restricted Committee meeting and to hold the said meeting in camera .

28. On November 12, 2021, the companies submitted new observations in response to those of the rapporteur.

29. The companies and the rapporteur presented oral observations during the session of the Restricted Committee.

II. Reasons for decision

A. On the request for a stay of proceedings

30. The companies request that the restricted committee stay its ruling pending the decision to be rendered by the Council of State in the context of the appeal lodged against deliberation no. SAN-2020-012 of 7 December 2020 and pending the conclusions of the new EDPS working group mentioned above. They base their request on Article 66 of the CNIL's internal regulations and on the principle of the proper administration of justice. The companies argue in particular that they are asking the Council of State to rule on several pleas which will have direct and decisive consequences on the present sanction procedure. They argue in particular before the Council of State that the CNIL was not competent to pronounce administrative sanctions against them, whereas moreover the legal framework applicable to cookies was not yet consolidated and that the sanctions imposed are manifestly unjustified and disproportionate.

31. Firstly, the Restricted Committee observes that Article 66 of the CNIL's internal regulations provides that "The meetings of the Restricted Committee are chaired by its chairman or, in the event of impediment, by its vice-chairman. chairman of the meeting directs the debates and ensures the policing of the meeting. He can order any suspension that he deems useful". The suspension referred to in the context of this article does not concern the suspension of the sanction procedure, but concerns the suspension of the session of the Restricted Committee.

32. Secondly, the companies have already put forward these same arguments to the chairman of the Restricted Committee in their letter of September 27, 2021, who refused to grant the request for suspension by letter of October 4, considering that the decision to initiate a sanction procedure belongs to the President of the Commission and that it does not fall within the powers of the President of the Restricted Committee to order its suspension. The president of the restricted training also recalled in this letter that in application of article L. 4 of the code of administrative justice, the request for annulment filed against the deliberation of the restricted training of December 7, 2020 before the Council of State has no suspensive effect and, moreover, the date on which this court will examine this file was not known. Finally, he added that the creation of a working group within the EDPS was not, in any event, such as to justify a suspension of the sanction procedure.

33. Thirdly, the Council of State's decision may not be taken for several months.

34. Finally, with regard to the creation of the working group by the EDPS on cookie banners, the Restricted Committee notes that the outcome of this work is not known to date.

35. The Restricted Committee therefore considers that there is no need to stay proceedings.

B. Complaint alleging breach of the non bis in idem principle

36. The companies argue that the Restricted Committee cannot rule again on the same facts as those concerned by deliberations no. SAN-2020-012 of December 7, 2020 and no. SAN-2021-004 of April 30, 2021, without violating the non bis in idem principle. They argue that the parties concerned by this procedure and the previous deliberations mentioned above are identical, that the two procedures concern the same facts and that a final decision, deliberation no. SAN-2021-004 of April 30, 2021, has been reached.

37. Firstly, the Restricted Committee notes that, in its deliberation No. SAN-2020-012 of December 7, 2020, it found a breach of Article 82 of the "Informatique et Libertés" law given the lack of informing people, the failure to collect people's consent before the cookies are placed on their terminal and the partially defective nature of the "opposition" mechanism put in place by Google. It also issued an injunction against them "to bring the processing into conformity with the obligations resulting from article 82 of the law" data processing and freedoms ", in particular:

o Inform the persons concerned beforehand in a clear and complete manner, for example on the information banner on the home page of the "google.fr" site:

- the purposes of all cookies subject to consent,

- the means at their disposal to refuse them".

38. The Restricted Committee thus notes that the first procedure that led to the aforementioned deliberation included an injunction relating to the information of users on the purposes of cookies subject to consent and on the means of refusing cookies. The current procedure concerns the refusal procedures themselves, and not only the information. Thus, the two procedures do not concern the same facts.

39. Secondly, the companies argue that, under the terms of deliberation no. SAN-2020-012 of December 7, 2020, the restricted committee ordered them to comply with article 82 of the law "Informatique et Libertés " in all its provisions and to provide in particular, but not exclusively because of the use of the terms " in particular ", information on the purposes of cookies and on the means of opposing them. They add that, by deliberation no. SAN-2021-004 of April 30, 2021, the restricted committee would have decided that the mechanism for consenting and rejecting cookies, in its entirety, complied with article 82 of the law. Informatique et Libertés" and that the companies would have complied with the injunction within the time limit.

40. The Restricted Committee does not subscribe to this analysis. The sanction report of the previous procedure only related to the information put in place by the companies on the cookie banner, on the deposit of cookies without consent and on the partial failure of the "opposition" mechanism. There is therefore no doubt that the Restricted Committee was unable to rule on what was not before it in the context of the adversarial procedure. Thus, if the words "in particular" can cause confusion, when the formula is taken in isolation, the Restricted Committee recalls that this injunction cannot be read in a manner unrelated to the whole of the corresponding decision. However, in the context of this previous procedure, the Restricted Committee only ruled on the aforementioned scope and the injunction was only issued in connection with the information of persons. The procedures for refusing read and/or write operations, which are the subject of this sanction procedure, did not fall within the scope of this injunction. Since deliberation no. SAN-2021-004 of April 30, 2021 must necessarily be read in the light of deliberation no. SAN-2020-012 of December 7, 2020, it cannot be considered that the injunction issued related to all obligations resulting from article 82 of the law "Informatique et Libertés".

41. In this respect, the Restricted Committee notes that, in two letters dated February 17, 2021 addressed to the companies, the Secretary General of the CNIL recalled that, as is apparent from the reasons and the operative part of deliberation No. SAN-2020- 012 of December 7, 2020, the compliance expected in the context of the injunction procedure related only to the information provided to people on the home page of the "google.fr" site. It was also stated that, with regard to the obligation to inform the persons concerned in a clear and complete manner of the means available to them to refuse cookies, "this question is difficult to separate from the question of the methods of refusal on the first level, by a refuse button or an equivalent solution, which is not within the scope of the injunction". From a support perspective – and in view of the developments expected under the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the Regulation” or “the GDPR "), informed by the recommendation of September 17, 2020, and for which an adaptation period had been left by the CNIL to the actors until April 1, 2021 - the letter included an analysis exceeding the scope of the injunction issued by the restricted committee, which focused on the elements provided by the companies in response to the injunction, elements which themselves went beyond the scope of the deliberation mechanism. In this context, the companies were reminded that it must be as easy to give their consent as to refuse to give or withdraw it and they were told that it would be up to them to insert on the information banner a "I refuse" button next to the "I accept" button, while specifying that they could "of course change the titles of these buttons as long as they allow the user to understand clearly and directly the consequences of their choices ". If this letter has no binding value, the Restricted Committee notes that under the terms of a letter that GIL sent to the Chairman of the Restricted Committee on March 30, 2021, the company had replied: "we share the analysis of the services of the CNIL that Google's consent mechanism does not fall within the scope of the injunction issued by the Restricted Committee in its deliberation of December 7, 2020".

42. Consequently, the companies cannot affirm that the Restricted Committee validated the new cookie banner put in place by them following the first sanction procedure, even though they themselves were fully aware that the mechanism of consent and rejection of cookies, in its entirety, was not the subject of this previous procedure and that the CNIL recalled on various occasions that it did not rule on this point within the framework of the previous procedure.

43. The Restricted Committee notes that, in its press release relating to the closure of the injunction of May 4, 2021, the CNIL had also taken care to specify that: "Seizure before the end of the adaptation period left to actors by the CNIL, the Restricted Committee did not examine the compliance of the information banner provided on the "google.fr" site with the new rules on cookies, relating in particular to consent, which are highlighted by the lines guidelines and the recommendation of September 17, 2020. This closing decision therefore does not prejudge the CNIL's analysis of google.fr's compliance with these requirements, according to which the user must now be able to refuse cookies. as easily as he can accept them. The CNIL now reserves the right to control these refusal procedures and, if necessary, to mobilize its entire repressive chain".

44. Lastly, the Restricted Committee notes that the present procedure concerns both the "google.fr" and "youtube.com" websites, whereas the previous procedure only concerned the "google.fr" website.

45. The Restricted Committee therefore considers that the complaint alleging breach of the non bis in idem principle must be dismissed.

C. On the competence of the CNIL

1. On the material competence of the CNIL and the non-application of the "one-stop shop" mechanism provided for by the GDPR

46. The processing operations subject to the control carried out on June 1, 2021 by a delegation from the CNIL are carried out in the context of the provision of electronic communications services accessible to the public through a public electronic communications network offered within the 'European Union. As such, they fall within the material scope of the "ePrivacy" directive.

47. Article 5(3) of that directive, relating to the storage of or access to information already stored in the terminal equipment of a subscriber or user, was transposed into national law at the article 82 of the law "Informatique et Libertés", within chapter IV of the law relating to the Rights and obligations specific to processing in the electronic communications sector.

48. Under the terms of article 16 of the "Informatique et Libertés" law, "the restricted committee takes measures and pronounces sanctions against data controllers or subcontractors who do not comply with the obligations arising [ …] of this law". Under Article 20, paragraph III, of this same law, "when the data controller or its subcontractor does not comply with the obligations resulting from […] this law, the president of the National Commission for Computing and freedoms […] can seize the restricted formation ".

49. The rapporteur considers that the CNIL is materially competent pursuant to these provisions to control and sanction the operations of access or registration of information implemented by companies in the terminals of users of the "google.fr" sites. and "youtube.com" in France.

50. The companies contest the competence of the CNIL and believe that they should be subject to the procedural framework provided for by the GDPR, i.e. the mechanism for cooperation between the supervisory authorities, known as the "one-stop shop" mechanism ", provided for in Chapter VII of the Regulations. Pursuant to this mechanism, the supervisory authority competent to know the facts in question would not be the CNIL but the Irish data protection authority, the Data Protection Commissioner (hereinafter the "DPC"), which would have to act as the lead authority with regard to the deployment of cookies, which is competent according to the companies both under the GDPR and the "ePrivacy" directive.

51. In this support, the companies invoke in particular the inextricable link between the GDPR and the “ePrivacy” directive, considering that the application of the GDPR cannot be excluded when article 82 of the “Informatique et Libertés” law applies. . They also invoke the principle of lex specialis – lex generalis under which, in their view, the "ePrivacy" directive clarifies and complements the GDPR. The companies consider that the absence of specific rules relating to the determination of the jurisdiction of the supervisory authority in the event of cross-border processing falling within the scope of the "ePrivacy" directive should be supplemented by the application of the framework procedural under the GDPR. They argue that the application of the "one-stop-shop" mechanism is not only in line with the intention of the European legislator, but also with the interpretation of the EDPS, and moreover corresponds to the position adopted by several European authorities. They point out in this respect that the power left to the Member States as to the choice of the national authority responsible for ensuring compliance with the "ePrivacy" directive does not preclude the application of the "one-stop shop" mechanism provided for by the GDPR. , to the extent that cooperation agreements between these authorities have been concluded in several Member States so that the data protection authorities and the authorities responsible for the application of the "ePrivacy" Directive, if it concerns different authorities, can jointly exercise enforcement powers on a matter falling within the scope of the GDPR and the "ePrivacy" directive and thus participate in the one-stop-shop mechanism.

52. The companies further add that the EDPS announcement of 27 September 2021 relating to the creation of a working group on cookie banners in response to the significant number of complaints recently lodged with the supervisory authorities by the association NOYB constitutes evidence that the EDPS considers that cookie-related breaches fall directly within the scope of the GDPR and, therefore, within the "one-stop-shop" mechanism.

53. As a preliminary point, the Restricted Committee emphasizes the distinction that should be made between, on the one hand, the operations consisting in depositing and reading a cookie on a user's terminal and, on the other hand, the subsequent use that is made of the data generated by these cookies, for example for profiling purposes, generally referred to as "subsequent processing" (also called "subsequent"). Each of these two successive stages is subject to a different legal regime: while the operations of reading and writing in a terminal are governed by special rules, set by the "ePrivacy" directive - in this case, by its article 5 paragraph 3 -, and transposed into national law, "subsequent processing" is governed by the GDPR and, as such, may be subject to the "one-stop shop" mechanism in the event that it is cross-border.

54. In the present case, the Restricted Committee recalls that this procedure only covers the read and write operations implemented in the terminal of the user located in France visiting the search engine Google Search and YouTube , the material findings made by the delegation during the online check of June 1, 2021 having focused only on these operations, without being interested in the subsequent processing implemented from the data collected via these cookies.

55. Firstly, the Restricted Committee notes that it is clear from the provisions cited above that the French legislator has instructed the CNIL to ensure compliance with the provisions of the "ePrivacy" directive transposed into Article 82 of the law " Computing and Freedoms ", in particular by entrusting it with the power to sanction any ignorance of this article. It emphasizes that this competence was recognized in particular by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the deliberation of the CNIL no 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read or write operations in a user's terminal. The Council of State has indeed noted that "article 20 of this law entrusts [to] the president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from regulation (EU) 2016 /279 or of its own provisions, as well as the possibility of seizing the restricted formation with a view to imposing the sanctions likely to be pronounced "(CE, June 19, 2020, req. 434684, pt. 3).

56. Secondly, the Restricted Committee considers that when processing may fall within both the material scope of the "ePrivacy" Directive and the material scope of the GDPR, reference should be made to the relevant provisions of the two texts which provide for their articulation. Thus, article 1, paragraph 2, of the "ePrivacy" directive provides that "the provisions of this directive specify and supplement Directive 95/46/EC" of the European Parliament and of the Council of 24 October 1995 on the protection of personal data (hereinafter "Directive 95/46/EC on the protection of personal data"), it being recalled that since the entry into force of the Regulation, references made to the latter directive must be understood as made to the GDPR , in accordance with Article 94 of the latter. Similarly, it appears from recital 173 of the GDPR that this text explicitly provides that it is not applicable to the processing of personal data "subject to specific obligations having the same objective [of protection of fundamental rights and freedoms] set out in the Directive 2002/58/EC of the European Parliament and of the Council, including the obligations of the controller and the rights of natural persons". This articulation was confirmed by the CJEU in its Planet49 decision of October 1, 2019 (CJEU, October 1, 2019, C 673/17, pt. 42).

57. In this respect, the Restricted Committee notes that, contrary to what the companies maintain, the "ePrivacy" directive constitutes a body of special rules, which does provide, for the specific obligations it entails, its own mechanism for implementation and control of its application within its article 15bis. Thus, the first paragraph of this article leaves the Member States the power to determine "the system of penalties, including criminal penalties where appropriate, applicable to breaches of the national provisions adopted pursuant to this Directive and [to take ] any measure necessary to ensure their implementation. The penalties thus provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if it has subsequently been corrected". The rule laid down in 3) of article 5 of the "ePrivacy" directive, according to which the read and/or write operations must systematically be the subject of the prior agreement of the user, after information, constitutes a special rule with regard to the GDPR since it prohibits relying on the legal bases mentioned in Article 6 of the latter in order to be able to lawfully carry out these read and/or write operations on the terminal. The control of this rule therefore falls under the special control and sanction mechanism provided for by the "ePrivacy" directive, and not the data protection authorities and the EDPS in application of the GDPR. It is by a specific choice that the legislator in France entrusted this mission to the CNIL. In addition, the second paragraph of the same article obliges Member States to ensure "that the competent national authority and, where appropriate, other national bodies have the power to order the cessation of the infringements referred to in paragraph I" .

58. In view of the foregoing, the Restricted Committee considers that, in application of the adage specialia generalibus derogant, the specific rules relating to cookies resulting from the "ePrivacy" directive prevail over the general rules of the GDPR. Thus, the "one-stop-shop" mechanism provided for by the GDPR cannot be applied to the processing covered by the directive, as the companies claim.

59. Thirdly, the Restricted Committee adds that this exclusion is corroborated by the fact that the Member States, which are free to determine the national authority competent to hear violations of the national provisions adopted pursuant to the "ePrivacy" Directive, may have assigned this competence to an authority other than their national data protection authority established by the GDPR, in this case to their telecommunications regulatory authority. Consequently, insofar as these latter authorities are not part of the EDPS, while this committee plays an essential role in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the "one-stop shop" to practices likely to be penalized by national supervisory authorities not sitting on this committee.

60. The Restricted Committee points out that the cooperation agreements entered into between data protection authorities and telecommunications regulatory authorities in certain Member States, relied on by the company, are intended to establish cooperation at national level between the various regulators in order to to ensure the consistency of their doctrines on related subjects but do not aim to involve the telecommunications regulatory authorities as such in the "one-stop shop" mechanism provided for in Chapter VII of the GDPR.

61. Fourthly, the Restricted Committee notes that the EDPS, in his Opinion No. 5/2019 of 12 March 2019 on the interactions between the "privacy and electronic communications" directive and the GDPR, explicitly excluded "one-stop shop" mechanism to matters materially falling under the "ePrivacy" directive in these terms: "in accordance with Chapter VII of the GDPR, the cooperation and consistency mechanisms available to data protection authorities under the GDPR concern the monitoring the application of the provisions of the GDPR.The mechanisms of the GDPR do not apply to monitoring the application of the provisions of the "privacy and electronic communications" directive as such" (EDPS, opinion 5/2019, March 12, 2019, pt. 80).

62. Fifthly, the Restricted Committee notes that the CJEU, in a Facebook Belgium judgment delivered on June 15, 2021, took up the aforementioned Opinion 5/2019 of the EDPS. The CJEU followed on this point the conclusions of its Advocate General, Mr BOBEK, who considered that "in order to decide whether a case actually falls within the material scope of the GDPR, a national court, including any referring court , is obliged to seek the precise source of the legal obligation weighing on an economic operator which he is alleged to have breached. If the source of this obligation is not the GDPR, the procedures established by this instrument, which are linked to its main objective, are logically not applicable either” (CJEU, conclusions of Advocate General M. BOBEK, 13 January 2021, Facebook Belgium, C 645/19, pts. 37 and 38).

63. In this case, the Restricted Committee notes that, in the present proceedings, the precise source of the legal obligation subject of the control originates in Article 5, paragraph 3, of the "ePrivacy" Directive, transposed to Article 82 of the "Informatique et Libertés" law, informed by the conditions of consent as provided for by the GDPR, Article 2, f), of the "ePrivacy" directive providing that the consent of a user corresponds to the consent of the data subject contained in Directive 95/46/EC, which has been replaced by the GDPR.

64. The Restricted Committee also points out that other national data protection authorities have also already imposed sanctions relating to breaches relating to the operations of reading and/or writing information in the user's terminal. The Spanish authority has thus issued several sanction decisions against various data controllers in exclusive application of the national provisions transposing the "ePrivacy" directive, in this case article 22, paragraph 2 of Ley 34/2002 of July 11 of Servicios de la Sociedad de la Información y de Comercio Electrónico, without implementing the cooperation procedure established by the GDPR.

65. Sixthly, the Restricted Committee notes that the possible application of the "one-stop shop" mechanism to processing governed by the "ePrivacy" directive is the subject of numerous discussions in the context of the draft regulation "ePrivacy" under negotiation for more than four years at European level. The very existence of these debates confirms that, as it stands, the one-stop-shop mechanism provided for by the GDPR is not applicable to matters governed by the current "ePrivacy" directive.

66. Lastly, according to the Restricted Committee, the creation of a working group on cookie banners in response to the large number of complaints lodged with the European supervisory authorities by the NOYB association does not mean, contrary to what is argued, that the EDPS considers that all cookie-related breaches necessarily fall within the scope of the GDPR. The Restricted Committee also notes that some of the issues raised in these complaints relate to subsequent processing, which falls under the GDPR. In addition, pursuant to Article 70(1)(u), the EDPS has the task, inter alia, of promoting cooperation and the effective bilateral and multilateral exchange of information and best practices between supervisory authorities. The purpose of the working group is thus to discuss the analysis of the numerous complaints filed by the NOYB association. The creation of this working group does not call into question the position of the EDPS, in his opinion 5/2019 mentioned above.

67. Thus, the Restricted Committee considers that the "one-stop shop" mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to control and sanction processing operations consisting of reading and/or write information in the terminal of users located in France implemented by companies falling within the scope of the "ePrivacy" directive, provided that they relate to its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

68. The rule of territorial application of the requirements set out in article 82 of the "Informatique et Libertés" law is set out in article 3, paragraph I, of the "Informatique et Libertés" law which provides: "without prejudice, with regard to the processing falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, of the criteria provided for in Article 3 of this regulation, all the provisions of this law apply to the processing of personal data carried out within the framework of the activities of an establishment of a data controller […] on French territory, whether or not the processing takes place in France”.

69. The rapporteur considers that the CNIL has territorial jurisdiction pursuant to these provisions when the processing covered by this procedure, consisting of operations to access or register information in the terminal of users residing in France during the use of the Google Search search engine and YouTube, in particular for advertising purposes, is carried out within the "framework of the activities" of the company GOOGLE FRANCE, which constitutes the "establishment" on French territory of the GOOGLE group.

70. The companies, for their part, refer on this point to the observations they had produced in the context of the previous sanction procedure and in which they maintained that, insofar as it would be appropriate to apply the rules of jurisdiction and of the cooperation procedures defined by the GDPR, the CNIL would not have territorial jurisdiction to hear this case given that the "real headquarters" of the GOOGLE group in Europe, i.e. the place of its central administration within the meaning of Article 56 GDPR, is located in Ireland.

71. The Restricted Committee again holds that the facts in question fall materially under the provisions of the "ePrivacy" directive, and not the GDPR. As a result, reference should be made to the provisions of Article 3, paragraph I, of the "Informatique et Libertés" law, determining the scope of the territorial jurisdiction of the CNIL.

72. In this respect, the Restricted Committee points out that the "ePrivacy" Directive does not itself explicitly set the rule of territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it "clarifies and completes Directive 95/46.EC", which provided at the time, in its Article 4, that "Each Member State shall apply the national provisions which it adopts pursuant to this Directive to the processing of personal data when: (a) the processing is carried out in the context of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations provided for by the applicable national law". If this rule for determining the national law applicable within the Union is no longer relevant for the application of the rules of the GDPR, which replaced Directive 95/46/EC on the protection of personal data and applies uniformly throughout the territory of the Union, it appears that the French legislator has maintained these criteria of territorial application for the specific rules contained in the "Informatique et Libertés" law, and therefore in this case for those which transpose the "ePrivacy" directive. Therefore, the case law of the CJEU on the application of Article 4 of the former Directive 95/46/EC on the protection of personal data remains relevant to clarify the scope to be given to these two criteria.

73. Firstly, with regard to the existence of an "establishment of the controller on French territory", the CJEU has consistently held that the concept of establishment should be assessed in a flexible manner and that to this end, it was necessary to assess both the degree of stability of the installation and the reality of the pursuit of activities in another Member State, taking into account the specific nature of the economic activities and the provision of services in question (see, for example, CJEU, Weltimmo, 1 Oct. 2015, C 230/14, pts. 30 and 31). The CJEU also considers that a company, an autonomous legal person, from the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/ 12, point 48).

74. In this case, the Restricted Committee notes, first of all, that the company GOOGLE FRANCE is the headquarters of the French subsidiary of the company GOOGLE LLC, that it has premises located in Paris, that it employs approximately […] persons and that, according to its articles of association filed with the Registry of the Paris Commercial Court, its purpose is in particular “the provision of services and/or advice relating to software, the Internet network, telematic or online networks, including intermediation in the sale of online advertising, the promotion in all its forms of online advertising, the direct promotion of products and services and the implementation of information processing centers". The Restricted Committee then notes, as it recalled in its deliberation of December 7, 2020, "that the company GOOGLE FRANCE is responsible for ensuring the promotion of online advertising on behalf of the company GIL, which is co-contractor of the advertising contracts concluded with French companies or French subsidiaries of foreign companies "and" that the company GOOGLE FRANCE participates effectively in the promotion of products and services designed and developed by the company GOOGLE LLC, such as Google Search , in France, as well as to the advertising activities managed by the company GIL "(deliberation of the restricted formation n°SAN-2020-012 of December 7, 2020 concerning the companies GOOGLE LLC and GOOGLE IRELAND LIMITED, pt. 42). It notes that these findings still appear valid at the date of this deliberation.

75. Secondly, with regard to the existence of processing carried out "in the context of the activities" of this establishment, the Restricted Committee notes that the CJEU, in its Google Spain judgment of 13 May 2014, considered that the processing relating to the Google Search search engine was carried out "within the framework of the activities" of the company GOOGLE SPAIN, an establishment of the company GOOGLE INC - which has since become GOOGLE LLC -, insofar as this company is intended to ensure in Spain the promotion and sale of advertising space offered by this search engine, which serve to make the service offered by this search engine profitable. The CJEU clarified that "Article 4(1)(a) of Directive 95/46 does not require that the processing of personal data in question be carried out" by "the establishment concerned itself, but only that it is “within the framework of the activities” of this one” (pt. 52). According to the Court, "Article 4(1)(a) of Directive 95/46 must be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment in the responsible for this processing on the territory of a Member State, within the meaning of this provision, when the operator of a search engine creates in a Member State a branch or a subsidiary intended to ensure the promotion and sale of advertising space offered by this engine and whose activity is aimed at the inhabitants of this Member State" (pt. 60).

76. In addition, the Restricted Committee notes that the CJEU subsequently considered, in its Wirtschaftsakademie and Facebook Belgium decisions, that the processing consisting of the collection of personal data by means of cookies placed in users' terminals visiting, in Germany and Belgium, pages hosted on the Facebook social network was respectively carried out "within the framework of the activities" of the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, German and Belgian establishments of the Facebook group, insofar as these establishments are intended to ensure, in their respective countries, the promotion and sale of the advertising space offered by this social network, which serves to make the service offered by Facebook profitable (CJEU, Grand Chamber, 5 June 2018, Wirtschaftsakademie, C-210/16, pts 56 to 60; 15 June 2021, Facebook Belgium, C-645/19, pts. 92 to 95). If in the Google Spain judgment, Spanish jurisdiction had been retained for processing for which the effective responsibility fell to companies based in the United States, outside the European Union, in these latter judgments, the CJEU extended its reasoning to case where the actual responsibility for the processing lies with a company established in another country of the European Union.

77. The Restricted Committee notes that, even if these three judgments concerned more specifically "subsequent processing" implemented from cookies deposited in users' terminals, which justified the application of Directive 95/46/EC for the Google Spain and Wirtschaftsakademie cases and of the GDPR for the Facebook Belgium case, this case law remains relevant to clarify the scope to be given to the notion of processing carried out "in the context of the activities" of an establishment, insofar as the legislator French took it up during the transposition of the "ePrivacy" directive to establish the territorial jurisdiction of the CNIL with regard to the processing covered by this directive.

78. In the present case, and in addition to the previous developments appearing above in paragraph74, the Restricted Committee notes that, according to the information posted on its website, the company GOOGLE FRANCE supports in particular small and medium-sized enterprises in France " through the development of collaboration tools, advertising solutions or to give them the keys to understanding their markets and their consumers". Then, it has already recorded, in its deliberation n ° SAN-2020-012 of December 7, 2020 that, "in its letter of April 30, 2020 the company GIL indicates that "Google France has a sales team dedicated to the promotion and the sale of GIL's services to advertisers and publishers based in France, such as Google Ads " " (point no. 44). This finding still appears to be valid as of the date of this deliberation. Finally, the Restricted Committee notes that it is specified on the "ads.google.com" website that "Google Ads allows French companies to promote their products or services on the search engine and on a large advertising network".

79. Thus, the processing consisting of information access or registration operations in the terminal of users of the Google Search search engine and YouTube residing in France, in particular for advertising purposes, is carried out within the framework of the activities of the company GOOGLE FRANCE on French territory, which is in charge of the promotion and marketing of GOOGLE products and their advertising solutions in France. The Restricted Committee notes that the two criteria provided for in Article 3, paragraph I, of the "Informatique et Libertés" law are therefore met.

80. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of imposing sanctions concerning processing falling within the scope of the "ePrivacy" directive.

D. On the complaint alleging the illegality of this sanction procedure

81. The companies contest the fact that they did not receive any formal notice before the president of the CNIL decided to open a sanction procedure, unlike other actors, thus invoking a difference in treatment between GIL and GOOGLE LLC and the sixty companies that the CNIL declared to have given formal notice for similar acts in its press releases of May 25 and July 19, 2021 published on its website.

82. Firstly, with regard to the companies' argument that the provisions opposed to them by the rapporteur entered into force less than five months before the start of the sanction procedure, the Restricted Committee recalls that, in within the framework of this deliberation, it is based exclusively on the provisions of article 82 of the law "Informatique et Libertés", enlightened by the reinforced requirements in terms of consent of the GDPR, which came into force in May 2018. Therefore, the legal framework applicable to the facts giving rise to this sanction procedure is fully established.

83. The Restricted Committee also recalls that, from June 2019 and on various occasions thereafter, the CNIL communicated on its action plan which comprised two main stages: the publication of new guidelines in July 2019 and consultation with professionals to draw up a new recommendation, proposing operational methods for obtaining consent. The CNIL had specified, in a press release of June 28, 2019, that it would carry out verifications of compliance with the recommendation six months after its final adoption. The Restricted Committee notes that the CNIL had been perfectly transparent on the timetable, in order to allow organizations time to bring themselves into compliance before carrying out checks.

84. Secondly, the Restricted Committee recalls that, in accordance with Article 20 of the "Informatique et Libertés" law, the President of the CNIL is not required to send a formal notice to a data controller before to initiate sanction proceedings against him. It adds that the possibility of directly initiating sanction proceedings has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, application no. 433311, pt. 3).

85. It also notes that the Secretary General of the CNIL had reminded companies, in his letters of February 17, 2021, that it must be as easy to give consent as to refuse to give it or to withdraw it. It also notes that GOOGLE LLC and GIL have already been the subject of sanction proceedings relating to their cookie policy. The companies were well aware that they were exposing themselves to possible other sanctions since, according to a press release published on May 4, 2021, the CNIL had indicated that the closure of the injunction only related to the perimeter of the injunction issued by the Restricted Committee in its deliberation of December 7, 2020. It specified that this closing decision did not prejudge the CNIL's analysis of the compliance of "google.fr" with other rules on cookies , relating in particular to consent, which are informed by the guidelines and the recommendation of September 17, 2020, according to which the user must now be able to refuse cookies as easily as he can accept them. The CNIL specified that it reserved the possibility of controlling these refusal procedures and, if necessary, of mobilizing its entire repressive chain, it being specified that the CNIL had received several complaints on this subject.

Thus, the Restricted Committee considers that the companies GOOGLE LLC and GIL were not in the same situation as other organizations that were the subject of formal notices from the CNIL and that the grievance based on the illegality of the sanction procedure must be dismissed.

E. On the request for a preliminary ruling

86. In the alternative, the companies ask the Restricted Committee to refer a preliminary question to the Court of Justice of the European Union (hereinafter the "CJEU") in these terms: "the absence of a "refuse all" button "next to an "accept all" button be considered a breach of GDPR Article 4(11) and Article 7, read in conjunction with GDPR Article 5(3) -Privacy while the data controller gives the data subject the right to refuse said processing in the second level of the cookie banner and through the browser settings and informs him of this possibility of refusing the processing and the means by which he has to do it from the first level of the cookie banner? ". The companies believe that the restricted formation is a jurisdiction within the meaning of Article 267 of the Treaty on the Functioning of the European Union (hereinafter "TFEU") and that it meets the criteria of a jurisdiction: it is established permanently by the law "Informatique et Libertés"; it has compulsory jurisdiction when the president of the CNIL decides to initiate a sanction procedure; it follows a procedure of an adversarial nature between the rapporteur and the respondent; it applies the rules of law and is independent and impartial.

87. The Restricted Committee recalls that, for a body to be able to address a question for a preliminary ruling to the CJEU, it must enjoy the status of "court" within the meaning of Article 267 TFEU, an autonomous concept in Union law. To assess this quality, the CJEU takes into consideration the following criteria: legal origin of the body, its permanence, its mandatory nature, adversarial nature of its procedure, application of the rules of law, its independence and judicial nature of its decisions.

88. The Restricted Committee notes that it is not qualified as a court in domestic law: no legislative provision has recognized it as such. If, as noted by the companies, the Council of State has already ruled that "in view of its nature, composition and powers", the restricted body may be qualified as a "court" within the meaning of Article 6-1 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter the "CESDH") (Council of State, judge in chambers, February 19, 2008, No. 311974), this decision does not, however, recognize the quality of jurisdiction.

89. The Restricted Committee considers, contrary to what the companies maintain, that the criteria adopted by the CJEU on the notion of jurisdiction within the meaning of Article 267 TFEU, in particular in its recent ANESCO judgment (CJEU, 16 Sept. 2020, Anesco, C-462/19), are not met by the Restricted Committee. Indeed, in this judgment, the CJEU stated that, "it must be noted that the decisions that the CNMC [the Spanish competition authority] is called upon to adopt in cases such as that at issue in the main proceedings are similar to decisions of an administrative nature, excluding their adoption in the exercise of judicial functions" (§41). However, the same applies to the decisions taken by the restricted committee, which are decisions of an administrative nature since they are sanction decisions which contribute to the effectiveness of the action of the CNIL in its regulatory power. The sanction decision puts an end to the administrative procedure initiated and an administrative contentious appeal can then be brought against it before the Council of State.

90. In addition, the Restricted Committee notes that the Court of Cassation considered that "it follows from these texts of European Union law, as interpreted by the Court of Justice of the European Union, that the Autorité de la concurrence is not a competent court to ask it a preliminary question pursuant to Article 267 of the TFEU (CJEU, judgment of September 16, 2020, Anesco, C-462/19, concerning the Comisión Nacional de los Mercados y la Competencia, Spanish competition authority)" (Cass. 2nd civ., September 30, 2021, n° 20-18.302). However, the Autorité de la concurrence, as an independent administrative authority, has major organizational and procedural similarities with the restricted formation.

91. Consequently, the Restricted Committee cannot be classified as a court within the meaning of Article 267 TFEU, so that it is not able to refer a question to the CJEU for a preliminary ruling.

F. On the determination of the controller

92. The Restricted Committee notes, first of all, that Articles 4, paragraph 7, and 26, paragraph 1, of the GDPR are applicable to this procedure because of the use of the concept of "data controller" in the article 82 of the "Informatique et Libertés" law, which is justified by the reference made by article 2 of the "ePrivacy" directive to directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR.

93. According to Article 4(7) of the GDPR, the controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing". According to Article 26(1) of the GDPR, "where two or more controllers jointly determine the purposes and means of the processing, they are the joint controllers".

94. The rapporteur considers that the companies GIL and GOOGLE LLC are joint controllers of the processing in question pursuant to these provisions since the companies both determine the purposes and means of the processing consisting of access or registration of information in the terminal of users residing in France when using the Google Search search engine and YouTube.

95. The companies respond that the company GIL would be solely responsible for the processing of personal data of users located in the European Economic Area and in Switzerland.

96. The Restricted Committee recalls that the CJEU has ruled on several occasions on the notion of joint responsibility for processing, in particular in its Jehovah's Witnesses judgment. In its terms, it considered that, according to the provisions of Article 2(d) of Directive 95/46 on the protection of personal data, "the concept of 'controller' refers to the person natural or legal person who, "alone or jointly with others", determines the purposes and means of the processing of personal data. This notion therefore does not necessarily refer to a single natural or legal person and may concern several actors taking part in this processing, each of them must then be subject to the applicable data protection provisions […] The objective of this provision being to ensure, by a broad definition of the notion of "responsible" , effective and complete protection of the persons concerned, the existence of joint responsibility does not necessarily translate into equivalent responsibility, for the same processing of personal data, of the different all actors. On the contrary, these actors may be involved at different stages of this processing and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all the relevant circumstances of the case. (CJEU, July 10, 2018, C 25/17, pts. 65 and 66).

97. The Restricted Committee considers that these developments make it possible to usefully shed light on the notion of joint processing responsibility invoked by the rapporteur with regard to the companies GOOGLE LLC and GIL concerned by the processing in question.

98. The Restricted Committee points out, finally, that if the present procedure does not relate to the same facts as those mentioned in the context of deliberation no. SAN-2020-012 of December 7, 2020 for the reasons developed above, it still concerns the read and write operations implemented in the user's terminal located in France by the companies GOOGLE LLC and GIL, for which the role of the two companies has already been examined by the restricted committee in the deliberation mentioned above.

99. The Restricted Committee also recalls that, in this same deliberation of December 7, 2020, it considered that the companies GOOGLE LLC and GIL jointly determine the purposes and means of the processing consisting of access or registration operations. information in the terminal of users residing in France when using the Google Search search engine (pts. 47 to 66 of the deliberation). It considers that this observation is still valid on the date of this deliberation and can be extended to the cookies used on the "youtube.com" site, as demonstrated by the elements developed below.

1. On the responsibility of the company GIL

100. The companies maintain that the company GIL acts as controller of the processing in question, which the rapporteur also considers.

101. The Restricted Committee agrees with this analysis.

102. Firstly, it notes that it retained in its deliberation no. SAN-2020-012, that "the representatives of the companies declared that the company GIL" participates in the development and supervision of the internal policies which guide the products and their design, the implementation of parameters, the determination of confidentiality rules and all the checks carried out before the launch of the products, in application of the "privacy by design" principle.

103. Secondly, it recalls that it has also pointed out that, "with regard more particularly to cookies, the representatives stated […] that "GIL applies, for example, shorter retention periods for cookies" by compared to other regions of the world and that it "limits the extent of processing related to the personalization of advertising in Europe compared to the rest of the world. For example, GIL does not use certain categories of data to perform personalized advertising such as assumed household resources. GIL does not set up personalized advertising for children whom it assumes are minors within the meaning of the GDPR".

104. The Restricted Committee concluded that "the company GIL is, at least in part, responsible for the controlled processing consisting of operations of access or registration of information in the terminal of users residing in France during the use of the search engine Google Search".

105. The Restricted Committee considers that no change in the role of GIL appears to have taken place since this recent observation, which therefore remains valid. It considers that the same applies to the "youtube.com" site since, in Google's terms of use, accessible both via the "google.fr" and "youtube.com" sites , it is identically stated that: "In the European Economic Area (EEA) and Switzerland, Google services are provided to you by the company below with which you are contracting: Google Ireland Limited".

106. Thus, the company GIL is, at least in part, responsible for the processing consisting of operations of access or registration of information in the terminal of users residing in France when using the search engine Google Search and YouTube.

2. On the liability of GOOGLE LLC

107. The companies dispute the rapporteur's analysis that GOOGLE LLC shares responsibility for the processing in question with GIL.

108. The Restricted Committee has already taken a position on this subject, in its deliberation no. SAN-2020-012 of December 7, 2020.

109. Firstly, it had noted that, during the hearing of July 22, 2020, the representatives of the companies had affirmed that the company GOOGLE LLC "designs and builds the technology of Google products and that with regard to cookies deposited and read when using the Google Search search engine, there is no difference in technology between the cookies deposited from the different versions of the search engine. offer French users in the rules of use accessible from "google.fr", make no distinction in their presentation of the cookies used by the GOOGLE group when they indicate that they use "different types of cookies for products associated with advertisements and websites of Google " ", which also includes the site " youtube.com " according to the restricted formation.

110. It notes that even today, there is still no difference in the presentation of the cookies used by Google (information provided to French users from the "Technologies" tab, "how Google uses cookies", after having clicked on the "terms of use" button, accessible both on "google.fr" and on "youtube.com"). The company "describes the types of cookies used by Google", stating that "some or all of the cookies described below may be stored in your browser". The Restricted Committee also notes that the privacy rules accessible both from "google.fr" and from "youtube.com" confirm this point when it is stated that "These Privacy Rules apply to all the services offered by Google LLC and its affiliates, including YouTube and Android, as well as services offered on third-party sites, such as advertising services".

111. Thus, in the information they provide to French users, the companies GOOGLE LLC and GIL still make no distinction in their presentation of the cookies used by the GOOGLE group.

112. Secondly, the Restricted Committee had also noted, in its aforementioned deliberation, that "despite the unquestionable participation of the company GIL in the various stages and bodies related to the definition of the methods of implementation of the cookies deposited on Google Search , the matrix organization described by the companies […] has shown that the company GOOGLE LLC is also represented in the bodies adopting the decisions relating to the deployment of the products within the EEA and in Switzerland and to the processing of data to personal character of the users residing there and that it exercises a significant influence there" or that "the data protection officer appointed by the company GIL […] as well as its assistant DPOs are based in California as employees of the company GOOGLE LLC".

113. Thirdly, the Restricted Committee had considered that, "although under a formal reading of the subcontracting contract of December 11, 2018, the company GOOGLE LLC would act as a subcontractor of the company GIL in the processing of European user data collected via cookies, the actual involvement of GOOGLE LLC in the processing in question goes far beyond that of a subcontractor who would simply carry out processing operations on behalf of the company GIL and on its sole instructions".

114. In view of the evidence in the file, the Restricted Committee maintains that GOOGLE LLC plays a fundamental role in the entire decision-making process relating to the processing in question. It also determines the means of processing given that, as mentioned above, it is the company that designs and builds the cookie technology placed on the terminals of European users. The Restricted Committee notes that, if it had only ruled on the Google Search search engine in its deliberation No. SAN-2020-012 of December 7, 2020, it considers that the same reasoning is applicable, on the basis of these same elements, for YouTube, in particular insofar as, when the user clicks on "Privacy policy" and "Terms of use" from "youtube.com", he is referred to the privacy policy and GOOGLE Group Terms of Service.

115. It follows from all of the foregoing that the companies GOOGLE LLC and GIL jointly determine the purposes and means of the processing consisting of operations to access or register information in the terminal of users residing in France. when using the Google Search search engine and YouTube.

G. On the breach of cookie obligations

116. Under the terms of article 82 of the "Informatique et Libertés" law, "any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been informed beforehand, by the controller or his representative:

1° The purpose of any action seeking to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment;

2° The means at his disposal to oppose it.

This access or registration can only take place on condition that the subscriber or user has expressed, after having received this information, his consent which may result from appropriate parameters of his connection device or any other device placed under his control. […] ".

117. The "ePrivacy" directive provides for its part in its article 2, f), that the consent of a user or subscriber corresponds to the consent of the person concerned appearing in Directive 95/46/EC, to which replaced the GDPR.

118. Thus, since the entry into force of the GDPR, the "consent" provided for in the aforementioned Article 82 must be understood within the meaning of Article 4, paragraph 11, of the GDPR, i.e. 'it must be given in a free, specific, enlightened and unequivocal manner and manifest itself in a clear positive act.

119. In this respect, recital 42 of this Regulation provides that: "consent should not be considered to have been freely given if the data subject does not have a real freedom of choice or is not able to refuse or withdraw consent without prejudice".

120. In the present case, in the context of the online check of June 1, 2021, the delegation noted that, to give their consent to the reading and/or writing of information in their terminal, the user going to the home page of the sites "google.fr" and "youtube.com" must only click on the "I accept" button of the pop-up window, which makes this window disappear and allows him to continue browsing. On the other hand, the user visiting these same home pages and wishing to refuse cookies must click on the "Personalise" button of this first window, which gives him access to both the "google.fr" sites. and "youtube.com", to an interface offering him to choose to activate or deactivate cookies, on which he has the possibility of carrying out various actions.

121. The rapporteur notes, by way of clarification, that under the terms of his guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, adopted on 4 May 2020, the EDPS recalled that "the "free" implies real choice and control for the persons concerned" (§13).

122. Similarly, in the context of its deliberation No. 2020-092 of September 17, 2020 adopting a recommendation proposing practical methods of compliance in the event of the use of "cookies and other tracers", the Commission considered , taking into account the aforementioned applicable texts, that "the controller must offer users both the possibility of accepting and refusing read and/or write operations with the same degree of simplicity".

123. On the basis of the findings made in the context of the online check, the rapporteur observes that, if the banner displayed on the "google.fr" and "youtube.com" sites contains a button allowing immediate acceptance of cookies , no similar means are offered to the user to be able to refuse, so easily, the deposit of these cookies. To refuse cookies, he must perform at least five actions (the first click on the "Customize" button, then a click on each of the three buttons to select "Disabled" - each button corresponding to "search personalization", the 'YouTube history' and 'Ads personalization' - and finally a click on 'Confirm'), against a single action to accept them. Such a mechanism therefore does not, according to the rapporteur, offer the same facility as that allowing consent to be expressed, in disregard of the legal requirements of freedom of consent, which imply not encouraging the Internet user to accept cookies rather than to refuse them. It thus considers that making the mechanism for refusing cookies more complex than that consisting in accepting them, in reality amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the "I accept" button. The rapporteur concludes that the procedures for refusing cookies implemented by the companies GOOGLE LLC and GIL on the "google.fr" and "youtube.com" sites do not comply with the provisions of article 82 of the law " Computing and Liberties” as informed by the reinforced consent requirements laid down by the GDPR.

124. The companies consider that neither the "ePrivacy" directive, nor the GDPR, nor article 82 of the "Informatique et Libertés" law provide that the action of refusing cookies must be as simple as accepting them. They add that, for many years, the CNIL itself had not deduced this principle even though the regulations in question had remained unchanged since the entry into force of the GDPR. They note that the CNIL cannot, through its guidelines and recommendations, introduce new requirements relating to the refusal of consent and consider that it is up to each data controller to choose the most appropriate method of obtaining consent. In this, the companies consider that the consent collection mechanism set up on the "google.fr" and "youtube.com" sites already complies with the provisions of article 82 of the "Informatique et Libertés" law. ". The companies consider that the fact of not offering, at the first level of information, a "Refuse all" button is not contrary to the principle of freedom of consent insofar as users do have the possibility of refusing cookies by clicking on the "Customize" button.

125. Firstly, the Restricted Committee recalls that pursuant to Article 8 I, 2°, b) of the "Data Processing and Liberties" law, the CNIL "establishes and publishes guidelines, recommendations or reference systems intended to facilitate the compliance of the processing of personal data with the texts relating to the protection of personal data […]”.

126. It is within this framework that the CNIL took deliberation no. reading or writing in a user's terminal (in particular to cookies and other tracers), which provided in its article 2, "that it must be as easy to refuse or withdraw consent as to give it"; then deliberations no. 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 as amended to read and/or write operations in the terminal of a user (in particular to "cookies and other tracers") and No. 2020-092 adopting a recommendation proposing practical methods of compliance in the event of the use of "cookies and other tracers". These instruments aim to interpret the applicable legislative provisions and to inform the players on the implementation of concrete measures to guarantee compliance with these provisions, so that they implement these measures or measures with equivalent effect. In this sense, it is specified in the guidelines that the main purpose of these "is to recall and explain the law applicable to the operations of reading and/or writing information […] in the terminal equipment electronic communications of the subscriber or user, and in particular the use of cookies".

127. As indicated above, the Commission considered, in the context of its recommendation of September 17, 2020, that "the data controller must offer users both the possibility of accepting and of refusing read operations and/or of writing with the same degree of simplicity".

128. With regard to the possible refusal procedures, in this same recommendation, the Commission "strongly recommended that the mechanism making it possible to express a refusal to consent to read and/or write operations be accessible on the same screen and with the same ease as the mechanism for expressing consent. Indeed, it considers that consent collection interfaces that require a single click to consent to tracking while several actions are necessary to "parameterize" a refusal to consent present , in most cases, the risk of biasing the choice of the user, who wishes to be able to view the site or use the application quickly.

For example, at the stage of the first level of information, users can have the choice between two buttons presented at the same level and in the same format, on which are written respectively "accept all" and "reject all", "authorize" and "prohibit", or "consent" and "not consent", or any other equivalent and sufficiently clear wording. The Commission considers that this modality constitutes a simple and clear way to allow the user to express his refusal as easily as his consent".

129. The Restricted Committee considers that the CNIL limited itself, in its recommendation mentioned above, to clarifying the obligations provided for by French and European legislators, drawing in particular all the consequences of the principle of freedom of consent as defined in article 4, paragraph 11, of the GDPR, and by applying them to the hypotheses of acceptance and refusal by the user of the deposit of cookies on his terminal. Indeed, this principle of freedom of consent now implies that the user benefits from a "genuine freedom of choice", as underlined in recital 42 of the GDPR, and therefore that the methods offered to him to express this choice are not biased in favor of consent. As the EDPS recalled in its guidelines on consent, adopted on 4 May 2020, the adjective "free" implies real choice and control for the data subjects.

130. It thus appears that the CNIL did not create new obligations for the actors in its recommendation but limited itself to illustrating in concrete terms how Article 82 of the law should be applied.

131. Secondly, the Restricted Committee notes that the position of the CNIL on this point, according to which it must be as simple for users to refuse cookies as to consent to them, already appeared in Article 2 of the guidelines of July 4, 2019 - abrogated by those of September 17, 2020 - and that it has been ratified by the Council of State. Indeed, seized of an appeal for excess of power brought against these first guidelines, the Council of State ruled, in its decision Association of communication consulting agencies, that "the CNIL which, by indicating that it had to "to be as easy to refuse or withdraw consent as to give it", was limited to characterizing the conditions of the user's refusal, without defining the specific technical methods for expressing such a refusal, has tainted its deliberation with any ignorance of the rules applicable in the matter" (CE, June 19, 2020, n° 434684, T., pt 15).

132. The Restricted Committee considers that this reading is all the more necessary in view of the conclusions of the public rapporteur on this judgment, which noted: "As indicated by the CNIL, the contested guidelines do not impose any technical method of collection of this refusal. They confine themselves to requiring, generally and rightly, that it should not be more complicated to refuse than to accept" (CE, conclusions of the public rapporteur on judgment no. 434684, p. 17).

133. Thirdly, the panel notes that in this case, users residing in France visiting the Google Search search engine and/or YouTube must perform a single action to accept cookies, whereas they must perform five to refuse them. It is therefore not as simple to refuse cookies as to accept them.

134. However, it appears from several recent studies that organizations that have set up a "refuse all" button on the consent collection interface at the first level have seen the consent rate relating to the acceptance of cookies decrease. Thus, according to the "Privacy barometer - 2021 edition" published by the company COMMANDERS ACT, the rate of consent on computers fell from 70% to 55% in April-May 2021, since the collection of consent is explicit. Similarly, according to a 366-Kantar study, it appears that 41% of Internet users in France refused, systematically or partially, the deposit of cookies in June 2021.

135. The Restricted Committee thus considers that making the mechanism for refusing cookies more complex than that consisting in accepting them actually amounts to discouraging users from refusing cookies and encouraging them to favor the ease of the "Accept all" button. ". Indeed, an Internet user is generally led to consult many sites. Internet browsing is characterized by its speed and fluidity. The fact of having to click on "Customize" and having to understand the way in which the page allowing the refusal of cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in this case, the companies offer a choice between the acceptance or the refusal of cookies, but the methods by which this refusal can be expressed, in the context of Internet browsing, skews the expression of choice in favor of consent in such a way as to alter the freedom of choice.

136. In view of the foregoing, the Restricted Committee considers that a breach of the provisions of Article 82 of the "Informatique et Libertés" law, interpreted in the light of the GDPR, is constituted, insofar as the companies do not do not make available to users located in France, on the "google.fr" and "youtube.com" websites, a means of refusing operations to read and/or write information in their terminal presenting the same degree of simplicity than that intended to accept its use.

III. On corrective measures and publicity

137. Article 20, paragraph III, of the "Informatique et Libertés" law provides: "When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 mentioned above or of this law, the president of the National Commission for Data Processing and Liberties may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to a formal notice provided for in II, seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures: […]

2° An injunction to bring the processing into compliance with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this law or to satisfy the requests presented by the person concerned with a view to exercising their rights, which may be accompanied, except in cases where the processing is implemented by the State, with a penalty payment the amount of which may not exceed €100,000 per day of delay from the date set by the restricted committee; […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the annual worldwide turnover total for the previous year, whichever is higher. […] The Restricted Committee takes into account, in determining the amount of the fine, the criteria specified in the same Article 83”.

138. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the "Informatique et Libertés" law, provides that "Each supervisory authority shall ensure that the administrative fines imposed pursuant to of this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and to decide on the amount of this fine.

A. On the imposition of administrative fines and their amount

139. The companies claim that the amount of the fines proposed by the rapporteur is unpredictable, disproportionate and unjustified. They contest the fact that, unlike other French or European administrative authorities with sanctioning powers, the CNIL has not provided guidelines for calculating its fines. The companies also add that the rapporteur does not explain the distribution of the amount of the fine between GOOGLE LLC and GIL.

140. In addition, the companies maintain that by refusing to enter into discussions with them, the rapporteur deprived them of the possibility of cooperating with the CNIL, and, therefore, of availing themselves of the mitigating circumstance of article 83 -2 f) of the GDPR to reduce the amount of the fine.

141. The Restricted Committee recalls, in general terms, that Article 20, paragraph III, of the "Informatique et Libertés" law gives it jurisdiction to impose various sanctions, in particular administrative fines the maximum amount of which may be, in cash, equivalent to 2% of the total worldwide annual turnover of the previous financial year achieved by the data controller. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR.

142. The Restricted Committee notes that the rapporteur is not required to specify how the fines he proposes to the Restricted Committee are calculated. The Council of State has also ruled that the restricted training was not subject to this obligation (CE, 10th/9th, June 19, 2020, req. no. 430810). The Restricted Committee notes that the European courts share this position, since they have already ruled that "it is not incumbent on the Commission under the obligation to state reasons, to indicate in its decision the figures relating to the method of calculating fines" (judgment of the Court of 16 November 2000, Stora Kopparbergs Bergslags v Commission, C‑286/98 P, ECR I‑9925, paragraph 66). Jurisprudence only requires that the penalty panel "show in a clear and detailed manner the reasoning it followed, thus allowing the applicant to know the elements of assessment taken into account to measure the seriousness of the offense for the purposes calculation of the amount of the fine and for the Court to exercise its control" (judgment of the Court of First Instance, Third Chamber, 8 July 2008, BPB plc v Commission of the European Communities, judgment ECLI:EU:T:2008:254 , paragraph 337, collection of case law 008 II-01333). This position is justified, on the one hand, by the fact that "fines constitute an instrument of the policy" of an institution "which must be able to have a margin of appreciation in fixing their amount in order to direct the behavior of undertakings in the sense of compliance with the rules" and, secondly, because "it is important to prevent fines from being easily foreseeable by economic operators. Indeed, if the Commission had the obligation to indicate in its decision the figures relating to the method of calculating the amount of the fines, their deterrent effect would be undermined.If the amount of the fine were the result of a calculation following a simple arithmetic formula, companies would have the possibility of foreseeing the possible sanction and of comparing it with the profits which they would derive from the infringement of the rules of law”.

143. Firstly, the Restricted Committee stresses that it is appropriate, in this case, to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach. taking into account the nature, the scope of the processing and the number of data subjects.

144. The Restricted Committee notes that, if the companies GIL and GOOGLE LLC refused to communicate the volume of the number of unique visitors from the "google.fr" and "youtube.com" sites during the last twelve months from France , it appears from the figures available on the internet that in June 2020, Google had more than 51 million unique visitors residing in France per month and YouTube more than 46 million (press release of August 24, 2020 published on the Médiamétrie website) . The number of people affected by the processing in question is therefore extremely large on the scale of the French population.

145. As the Restricted Committee recalled in its deliberation no. SAN-2020-012 of December 7, 2020, the Competition Authority noted that, on the French online search advertising market, Google holds a dominant position which has, in many respects, "extraordinary" characteristics. Its search engine now accounts for more than 90% of searches carried out in France and its market share in the online search advertising market is probably over 90% (ADLC, 19 Dec. 2019, Dec. N °19-D-26). The search engine Google Search therefore has a considerable reach in France.

146. Secondly, the Restricted Committee considers that it is appropriate to apply the criterion provided for in subparagraph b) of Article 83(2) of the GDPR, relating to the fact that the violation was committed deliberately.

147. The Restricted Committee recalls that the companies have been the subject of a recent sanction relating to breaches of Article 82 of the "Informatique et Libertés" law with regard to information and the collection of the consent of persons before the deposit of cookies on their terminal. Although this sanction is not definitive since it is the subject of an appeal before the Council of State, the Restricted Committee notes however that the attention of the companies had been explicitly called by the CNIL services to the terms refusal of cookies. As part of the follow-up to the injunction issued by the restricted committee, the companies, on December 18, 2020, through their advisers, sent the CNIL a document in which they presented the changes that GOOGLE intended to deploy on the "google.fr" web page to respond to the injunction. On February 17, 2021, the Secretary General of the CNIL sent the companies GOOGLE LLC and GIL a response constituting assistance for the companies in order to comply. Said letter went "beyond the scope of the injunction" and also mentioned "the procedures for refusing cookies". The secretary general of the CNIL reminded companies that it must be as easy to give their consent as to refuse to give it or to withdraw it and indicated that it would be up to them to insert a button "I refuse" next to the button "I accept", while specifying that they could "of course change the titles of these buttons as long as they allow the user to clearly and directly understand the consequences of their choices". It was also specified there that: "While different ways of complying with the legal requirements are possible, it seems to me that the proposal appearing in your letter, where there is only an "I accept" button and a "Configure" button, which must be clicked to then understand how it is possible to refuse cookies, does not comply with the legal requirements of freedom of consent". The secretary general of the CNIL had therefore indicated to the companies, from February 2021, the actions expected with a view to bringing them into compliance at the end of the adaptation period left by the CNIL to the actors and which ended on April 1, 2021.

148. In addition, the restricted training recalls the more general context in which the companies GOOGLE LLC and GIL have chosen not to offer their users, on the "google.fr" and "youtube.com" sites, the option of refusing cookies easily. Indeed, the CNIL has implemented a compliance plan on the issue of cookies spread over several years and has communicated publicly on its website, on several occasions, on the fact that it must be as easy for the Internet user to refuse cookies than to accept them, in particular on October 1, 2020 on the occasion of the publication of the aforementioned guidelines and recommendation of September 17, 2020. The adaptation period left to the players ended on April 1, 2021. Hundreds of thousands of players, from the smallest sites to the largest, have complied and introduced a button " refuse" or "continue without accepting".

149. In this context, the Restricted Committee considers that the fact that the companies GOOGLE LLC and GIL, which are among the major and essential global players on the Internet and manage some of the most visited sites, refuse to set up a system of easy refusal of cookies at the very moment when they were the subject of an injunction follow-up procedure clearly alerting them on this same subject, reveals a clear desire on the part of these companies not to modify their practices. It considers that the companies have intended not to bring into compliance the processing consisting of operations of access or registration of information in the terminal of users residing in France when using the sites "google.fr" and " youtube.com", nor rely on the recommendations of the CNIL to do this.

150. Thirdly, the Restricted Committee considers that the companies cannot claim exemplary cooperation with the CNIL, even though they have never communicated the volume of the number of unique daily visitors for the "google.fr" sites. " and " youtube.com " during the last twelve months from France, elements nevertheless requested by the CNIL control delegation. The Restricted Committee notes that it follows from Article 18 of the "Informatique et Libertés" law that data controllers "cannot oppose the action of the Commission" and that they must take "all useful measures in order to facilitate his task". Cooperation with the supervisory authority is thus first and foremost an obligation provided for by law. Thus, the obligation to cooperate is far from being fully satisfied in this case, so that there is no need to apply a mitigating circumstance under subparagraph (f) of paragraph 2 of the 83 GDPR.

151. Fourthly, the Restricted Committee considers that it is appropriate to apply the criterion provided for in subparagraph k) of Article 83, paragraph 2, of the Rules relating to the financial advantages obtained as a result of the breach.

152. In this respect, the Restricted Committee notes that the read and write operations, allowing the collection of user data for the purposes of targeted advertising via the "google.fr" and "youtube.com" sites, allow companies to derive considerable financial benefit. Although it admits that not all of the companies' income is directly linked to cookies, the Restricted Committee emphasizes that online advertising is essentially based on the targeting of Internet users, in which the cookie participates directly by making it possible to single out and reach the identified user with a view to displaying advertising content corresponding to his centers of interest and his profile.

153. It recalls that, as it noted in its aforementioned deliberation no. SAN-2020-012 of December 7, 2020, the GOOGLE group makes most of its profits in the two main segments of the online advertising market that constitute display advertising (Display Advertising) and contextual advertising (Search Advertising), in which cookies play an undeniable, albeit different, role.

154. Firstly, in the segment of display advertising, the purpose of which is to display content in a specific area of a website and in which cookies and trackers are used to identify users during of their navigation, for the purpose of offering them the most personalized content, it is established that the GOOGLE group offers products at all levels of the value chain of this segment and that its products are systematically dominant at these different levels. In this respect, the GOOGLE group indicates, on one of its websites, that it offers an advertising ecosystem accessible from its tools and services capable of reaching more than 2 million sites, videos and applications and more than 90 % of Internet users in the world.

155. Next, the segment of contextual advertising, the object of which is to display sponsored results according to the keywords typed by users into a search engine, also requires the use of cookies in its practical implementation. , for example to be able to determine the geographical location of users and, thereby, adapt the advertisements offered according to this location. In this respect, it appears from ALPHABET's annual report for the year 2019 that this segment alone constitutes, through in particular the Google Ads service - formerly AdWords -, 61% of the turnover of the GOOGLE group.

156. If, in the context of the procedure that gave rise to the aforementioned deliberation, the Restricted Committee was unaware of the amount of profit derived by the GOOGLE group from the collection and use of cookies on the French market via income generated by advertising targeted at French Internet users, it noted "that a proportional approximation based on publicly available figures would lead to an estimate that France would contribute between $680 and $755 million to ALPHABET's annual net income , the parent company of the GOOGLE group, i.e., at the current exchange rate, between 580 and 640 million euros".

157. In addition, the Restricted Committee emphasizes once again that it emerges from the studies mentioned above that the companies which have set up a "refuse all" button on the consent collection interface have seen the relative consent rate to the acceptance of cookies decrease. Indeed, when a button appearing at the first level allows them to refuse cookies, a large proportion of Internet users completely or partially refuse cookies and other tracers, which necessarily has an impact in terms of income related to online advertising. . These elements therefore confirm the undeniable financial advantage derived from the breach committed by the companies GOOGLE LLC and GIL by not setting up a mechanism for refusing consent as easy as that of accepting cookies.

158. Finally, the Restricted Committee recalls that pursuant to the provisions of Article 20 paragraph III of the "Informatique et Libertés" law, the companies GOOGLE LLC and GIL incur a financial penalty of a maximum amount of 2% their turnover, which was respectively […] dollars in 2020 in the case of GOOGLE LLC and more than […]euros in 2019 in the case of GIL.

159. In its deliberation no. SAN-2020-012 of December 7, 2020, the Restricted Committee demonstrated the greater involvement of the company GOOGLE LLC in determining the purposes and means of the cookies implemented on the "google. fr " compared to the company GIL. Indeed, it is the company GOOGLE LLC that designs and builds the technology of GOOGLE products. In addition, GOOGLE LLC exercises significant influence in the bodies deciding on the deployment of GOOGLE products in Europe and the processing of personal data of European users.

160. The Restricted Committee points out that due to the massive use of the Google Search search engine and of YouTube in France, the number of people concerned by the breach found is considerable. It also notes the considerable profits made by companies, through the advertising revenue indirectly generated by the data collected by these cookies.

161. Therefore, with regard to the respective responsibilities of the companies, their financial capacities and the relevant criteria of Article 83, paragraph 2, of the Rules mentioned above, the Restricted Committee considers that a fine of 90 million euros to against the company GOOGLE LLC and a fine of 60 million euros against the company GIL appear justified.

B. On the issuance of an injunction

162. The companies maintain that the request for an injunction formulated by the rapporteur is useless, considering that it was not necessary to open a sanction procedure.

163. They also dispute the amount of the daily penalty payment proposed in addition to the injunction since the rapporteur does not demonstrate the need for this penalty payment or the proportionality of its amount, which is the maximum amount provided for by the law "Informatique et Libertés".

164. Finally, they challenge the deadline proposed by the rapporteur after which the penalty payment could be liquidated, considering that the modification of the consent collection mechanism requires complex and substantial computer programming work. They indicate that GIL would need at least six months to comply with the terms of the injunction.

165. Firstly, the Restricted Committee notes that in the current state of the cookie banner on the "google.fr" and "youtube.com" sites, users still do not have a means of refusing the operations of reading and/or writing information in their terminal having the same degree of simplicity as that provided for accepting its use. It therefore considers it necessary to issue an injunction so that the companies comply with the applicable obligations in this area.

166. Secondly, the Restricted Committee recalls that in order to keep the penalty payment its comminatory function, its amount must be both proportionate to the seriousness of the breaches committed but also adapted to the financial capacities of the controller. It notes, moreover, that for the determination of this amount, it must also be taken into account that the breach concerned by the injunction indirectly contributes to the profits generated by the controller.

167. Thirdly, with regard to the time that would be necessary to execute the injunction, the Restricted Committee takes note of the arguments put forward by the companies while taking into account the technical and human resources at their disposal.

168. In view of these elements, the Restricted Committee considers as justified the issuance of an injunction accompanied by a penalty payment in the amount of 100,000 euros per day of delay and liquidable at the end of a period of three months. .

C. On advertising

169. The Restricted Committee considers that the publication of this decision is justified in view of the number of people concerned and the seriousness of the breach.

170. The Restricted Committee notes that this measure will make it possible to alert users residing in France of the "google.fr" and "youtube.com" sites of the characterization of the breach of Article 82 of the "Informatique et Libertés" law and to inform them of the persistence of the breach on the day of this deliberation and of the injunction issued against the companies to remedy it.

171. Finally, the measure is not disproportionate since the decision will no longer identify the companies by name at the end of a period of two years from its publication.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

• impose an administrative fine on GOOGLE LLC in the amount of 90,000,000 euros (ninety million euros) for breach of article 82 of the "Informatique et Libertés" law,

• pronounce against the company GOOGLE IRELAND LIMITED an administrative fine of 60,000,000 euros (sixty million euros) for breach of article 82 of the law "Informatique et Libertés,

• pronounce against the companies GOOGLE LLC and GOOGLE IRELAND LIMITED an injunction to modify, on the websites "google.fr" and "youtube.com", the procedures for obtaining the consent of users located in France to the reading operations and/or write information in their terminal, by offering them a means of refusing these operations presenting a simplicity equivalent to the mechanism provided for their acceptance, in order to guarantee the freedom of their consent;

• attach to the injunction a penalty payment of 100,000 euros (one hundred thousand euros) per day of delay at the end of a period of three months following the notification of this deliberation, the proof of compliance must be sent to the restricted training within this period;

• send this decision to the company GOOGLE FRANCE for its execution;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the companies by name at the end of a period of two years from its publication.

President

Alexander LINDEN

This decision may be appealed to the Council of State within four months of its notification.