CNIL (France) - SAN-2021-023

From GDPRhub
Revision as of 15:13, 11 January 2022 by FA (talk | contribs) (Created page with "{{DPAdecisionBOX |Jurisdiction=France |DPA-BG-Color= |DPAlogo=LogoFR.png |DPA_Abbrevation=CNIL (France) |DPA_With_Country=CNIL (France) |Case_Number_Name=SAN-2021-023 |ECLI=...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
CNIL (France) - SAN-2021-023
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 56 GDPR
Article 2(f) Directive 2002/58/EC ('E-Privacy Directive')
Loi "Informatique et Libertés"
Type: Investigation
Outcome: Violation Found
Started:
Decided: 31.12.2021
Published: 06.01.2022
Fine: 150,000,000 EUR
Parties: Google LLC
Google Ireland Limited
National Case Number/Name: SAN-2021-023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: CNIL (in FR)
Initial Contributor: Frederick Antonovics

The French DPA fined Google LLC €90,000,000 and Google Ireland Limited €60,000,000 for failing to comply with Article 82 of the French Data Protection Act, and ordered the companies to modify the websites "google.fr" and "youtube.com" to offer French users a means of refusing to give consent that is as simple as the mechanism provided for their acceptance.

English Summary

Facts

Google LLC is a subsidiary owned wholly by Alphabet Inc. Google Ireland Limited ('GIL')"presents itself" as the headquarters for the Google group's operations in the EEA and Switzerland. In March 2020 the French DPA (CNIL) carried out an online inspection of the website "google.fr" in the context of a previous procedure against Google LLC and GIL. The purpose of this inspection was to verify their compliance with the Loi 'Informatique et Libertés', and in particular Article 82 thereof. This resulted in this decision, https://gdprhub.eu/index.php?title=CNIL_-_SAN-2020-012 that Google appealed. Following this decision, the CNIL received more complaints about the methods of refusing cookies from the website "google.fr". It therefore reopened the case and launched a new investigation.


Holding

A. On the request for a stay of proceedings B. On the complaint alleging breach of the ne bis in idem principle C. On the competence of the CNIL D. On the complaint that the present sanction procedure is unlawful E. The reference for a preliminary ruling F. The determination of the controller G. On the failure to comply with the obligations relating to cookies

Thus, the CNIL: -imposed a fine of €90,000,000 on Google LLC for failing to comply with Article 82 of the French Data Protection Act, -imposed a fine of €60,000,000 on Google Ireland Limited for failing to comply with Article 82 of the French Data Protection Act, -ordered Google LLC and Google Ireland Limited to modify, on the websites "google.fr" and "youtube.com", the methods for obtaining the consent of users located in France to the reading and/or writing of information in their terminal, by offering them a means of refusing these operations that is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent; -attached to the injunction a penalty of 100,000 euros (one hundred thousand euros) per day of delay at the end of a period of three months following notification of this decision, with proof of compliance to be sent to the restricted panel within this period; -made its decision public on the CNIL website and on the Légifrance website, which will no longer identify the companies by name at the end of a two-year period from the date of its publication.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

HomeAbout the lawAuthoritiesIndependent administrative authoritiesDeliberation SAN-2021-023 of December 31, 2021Deliberation SAN-2021-023 of December 31, 2021Carry out a search in: All contentSelect a fund
Codes

Consolidated texts

Official newspaper

Circulars and Instructions

Constitutional case law

Administrative case law

Judicial case law

Financial case law

Branch agreements and collective agreements

Company agreements

CNIL

All contents

    / * <! [CDATA [* /

    var searchConfigs = [];
    


var config = {base: "CODE", value: "code", url: "\ / search \ / code", sort: ["RELEVANCE"], defaultTarget: "ALL", targets: "ALL, TITLE, ARTICLE, TABLE, NUM_ARTICLE "};
searchConfigs.push (config);

var config = {base: "LODA", value: "lawarticledecree", url: "\ / search \ / lois", sort: ["RELEVANCE", "SIGNATURE_DATE_DESC", "SIGNATURE_DATE_ASC", "PUBLICATION_DATE_DESC", "PUBLICATION_DATE_ASC"] , defaultTarget: "ALL", targets: "ALL, TITLE, NUM_ARTICLE, ARTICLE, VISA_NOTICE, NUM, NOR, SIGNATURE"};
searchConfigs.push (config);

var config = {base: "JORF", value: "jorf", url: "\ / search \ / jorf", sort: ["RELEVANCE", "SIGNATURE_DATE_DESC", "SIGNATURE_DATE_ASC", "PUBLICATION_DATE_DESC", "PUBLICATION_DATE_ASC"] , defaultTarget: "ALL", targets: "ALL, TITLE, NOR, NUM, NUM_ARTICLE, ARTICLE, VISA_NOTICE, SIGNATURE"};
searchConfigs.push (config);

var config = {base: "CIRC", value: "circ", url: "\ / search \ / circ", sort: ["RELEVANCE", "SIGNATURE_DATE_DESC", "SIGNATURE_DATE_ASC", "PUBLICATION_DATE_DESC", "PUBLICATION_DATE_ASC"] , defaultTarget: "ALL", targets: "ALL, TITLE, NOR"};
searchConfigs.push (config);

var config = {base: "ACCO", value: "acco", url: "\ / search \ / acco", sort: ["RELEVANCE", "SIGNATURE_DATE_DESC", "SIGNATURE_DATE_ASC"], defaultTarget: "ALL", targets : "ALL, RAISON_SOCIALE, IDCC, TITLE"};
searchConfigs.push (config);

var config = {base: "CONSTIT", value: "constit", url: "\ / search \ / constit", sort: ["RELEVANCE", "DATE_DESC", "DATE_ASC"], defaultTarget: "ALL", targets : "ALL, TITLE, NUM_DEC, TEXTE"};
searchConfigs.push (config);

var config = {base: "CETAT", value: "cetat", url: "\ / search \ / cetat", sort: ["RELEVANCE", "DATE_DESC", "DATE_ASC"], defaultTarget: "ALL", targets : "ALL, TITLE, NUM_DEC, ABSTRATES, TEXTE"};
searchConfigs.push (config);

var config = {base: "JURI", value: "juri", url: "\ / search \ / juri", sort: ["RELEVANCE", "DATE_DESC", "DATE_ASC"], defaultTarget: "ALL", targets : "ALL, TITLE, NUM_AFFAIRE, ABSTRATES, TEXTE"};
searchConfigs.push (config);

var config = {base: "JUFI", value: "jufi", url: "\ / search \ / jufi", sort: ["RELEVANCE", "DATE_DESC", "DATE_ASC"], defaultTarget: "ALL", targets : "ALL, TITLE, NUM_DEC, ABSTRATES, TEXTE"};
searchConfigs.push (config);

var config = {base: "KALI", value: "kali", url: "\ / search \ / kali", sort: ["RELEVANCE"], defaultTarget: "ALL", targets: "ALL, TITLE, ARTICLE, IDCC "};
searchConfigs.push (config);

var config = {base: "CNIL", value: "cnil", url: "\ / search \ / cnil", sort: ["RELEVANCE"], defaultTarget: "ALL", targets: "ALL, TITLE, NOR, NUM_DELIB "};
searchConfigs.push (config);

var config = {base: "ALL", value: "all", url: "\ / search \ / all", sort: ["RELEVANCE"], defaultTarget: "ALL", targets: "ALL, TITLE"};
searchConfigs.push (config);

var typesSearch = [];


var type = {value: "ALL", proximity: true};
typesSearch.push (type);

var type = {value: "EXACT", proximity: false};
typesSearch.push (type);

var type = {value: "ONE", proximity: false};
typesSearch.push (type);

var type = {value: "EXCEPT", proximity: false};
typesSearch.push (type);

var type = {value: "EXACTEXCEPT", proximity: false};
typesSearch.push (type);


var tabTarget = [];


/ *]]> * /
    In all fields Select a search field In all fields In titles In tables of contents In NORD In textetarget.type.id In deliberation numbers In decision numbers In article numbers In article contents In names of ministries In visasIn notices In visas or notices In preparatory work In signatures In notices In case numbers In abstracts In summaries In text content In ECLI In the numbers of referred laws In the types of decisions rendered In internal numbers In the publication references JO or BOD In the summaries In the reference texts In the titles of referred laws In the company names In the keywords In the IDCCEx. : L. 121-1, CGI, 10-15056, fraud, protected adults Légifrance: Thursday January 6, 2022 Deliberation of the restricted formation n ° SAN-2021-023 of December 31, 2021 concerning the companies GOOGLE LLC and GOOGLE IRELAND LIMITED The National Commission of Computing and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN , president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Anne DEBET and Mr. Alain DRU, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of personal data personal data and the free movement of such data; Having regard to Directive 2002/58 / EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data of a personal nature and the protection of privacy in the electronic communications sector; Considering Law No. 78-17 of 6 January 1978 relating to information technology, files and freedoms, in particular Articles 20 and following; Having regard to the decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to computers, files and freedoms; Having regard to deliberation No. 2013-175 of July 4, 2013 adopting the rules of procedure of the National Commission for Informatics and Freedoms; Having regard to decision no 2021-108C of 20 May 2021 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to proceed or have to a verification mission of the processing accessible from the "google.fr" and "youtube.com" domains or relating to personal data collected from them; Considering the decision of the President of the National Commission for inf administration and freedoms appointing a rapporteur before the restricted committee, dated July 28, 2021; Having regard to the report by Ms. Valérie PEUGEOT, rapporteur commissioner, notified to the companies GOOGLE LLC and GOOGLE IRELAND LIMITED on September 2, 2021; Having regard to the observations written by the boards of GOOGLE LLC and GOOGLE IRELAND LIMITED on October 8, 2021; Having regard to the rapporteur's response to these observations notified on 22 October 2021 to the boards of companies; Having regard to the written observations made by the boards of GOOGLE LLC and GOOGLE IRELAND LIMITED received on November 12, 2021; Having regard to the oral observations made during the restricted training session; Having regard to the other documents in the file; The following were present during the restricted training session on November 25, 2021: - Ms. Valérie PEUGEOT , statutory auditor, heard in his report; As representatives of GOOGLE LLC and GOOGLE IRELAND LIMITED: - […]; As interpreter s of the companies GOOGLE LLC and GOOGLE IRELAND LIMITED: - […]; The companies GOOGLE LLC and GOOGLE IRELAND LIMITED having had the last floor; The restricted committee adopted the following decision: I. Facts and procedure 1. GOOGLE LLC is a limited liability company headquartered in the United States. Since its creation in 1998, it has developed many services for individuals and businesses, such as the Google Search search engine, Gmail email, the Google Maps mapping service and even the YouTube video platform. It has more than 70 offices located in around 50 countries and employs more than 135,000 people around the world. Since August 2015, GOOGLE LLC has been a 100% -owned subsidiary of ALPHABET Inc., parent company of the GOOGLE group. 2. In 2020, ALPHABET Inc. had sales of over $ 182 billion, while GOOGLE LLC had sales of $ […]. The Google Search search engine generated more than $ 104 billion in revenue, while advertising through GOOGLE group services generated nearly $ 147 billion in revenue and, through YouTube's services, nearly $ 20 billion. billion. 3. GOOGLE IRELAND LIMITED (hereinafter "GIL") presents itself as the headquarters of the GOOGLE group for its activities in the European Economic Area and in Switzerland. Based in Dublin (Ireland), it employs approximately […] people. It achieved a turnover of […] euros in 2019.4. GOOGLE FRANCE SARL is the French establishment of the GOOGLE group. Subsidiary 100% owned by GOOGLE LLC, its head office is located in Paris. It employs approximately […] people and achieved a turnover of […] euros in 2019.5. On March 16, 2020, within the framework of a previous procedure initiated against the companies GOOGLE LLC and GIL, a delegation of the National Commission for Informatics and Freedoms (hereinafter "the CNIL" or "the Commission ") carried out an online check on the" google.fr "website. The main purpose of this mission was to verify compliance by the companies GOOGLE LLC and GIL with the provisions of Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files and freedoms (hereinafter " the Data Protection Act ") and in particular its article 82.6. Pursuant to article 22 of the "Informatique et Libertés" law, the president of the CNIL appointed a rapporteur on June 8, 2020. By deliberation n ° SAN-2020-012 of December 7, 2020, the restricted committee: - pronounced against the company GOOGLE LLC and GIL administrative fines in the respective amount of 60 million and 40 million euros for breach of article 82 of the law "Informatique et Libertés"; - pronounced against the companies GOOGLE LLC and GIL "an injunction to bring the processing into conformity with the obligations resulting from article 82 of the law" data processing and freedoms ", in particular: o inform the persons concerned in advance and in a clear and complete manner, for example on the information banner on the home page of the" google.fr "site: - of the purposes of all cookies subject to consent, - the means at their disposal to refuse them "; - accompanied by the injunction of a fine of 100,000 euros per day of delay at the end of a period of three months following the notification of the present deliberation; - made public, on the website of the CNIL and on the Légifrance website, its deliberation, which will no longer identify the companies by name after the expiration of a period of two years from its publication. 8. On January 29, 2021, the companies filed a summary appeal with the State Council, requesting the suspension of the injunction. This request was rejected by a decision of March 4, 2021 (CE, summary judge, March 4, 2021, N ° 449212). 9. At the same time, the companies have filed a full legal action against the deliberation of December 7, 2020. The proceedings are still pending before the Council of State. By deliberation n ° SAN-2021-004 of April 30, 2021, the restricted formation considered that the companies had satisfied the injunction within the time limit, insofar as "the people going on the site" google.fr " are now informed, in a clear and complete manner, of all the purposes of cookies subject to consent and of the means made available to them to refuse them, through the information banner displayed on their arrival on the site ".11 . On March 18, March 31, April 2 and April 28, 2021, the CNIL received several complaints denouncing the terms of refusal of cookies from the "google.fr" and "youtube.com" websites made available to users located in France. 12. In application of the decision n ° 2021-108C of May 20, 2021 of the President of the Commission, the services of the CNIL carried out an online check, on June 1, 2021, on the websites "google.fr" and " youtube.com ". 13. The main purpose of this mission was to verify compliance by the companies GOOGLE LLC and GIL (hereinafter the “companies”) with the provisions of the “Data Protection Act” .14. As part of the online check, the delegation made observations when the user went to the "google.fr" and "youtube.com" sites; when he clicks on the "Customize" button; when clicking on the "Privacy Policy" link and when clicking on "Terms of Service". 15. On June 3, 2021, the delegation notified the companies of the report drawn up as part of the online control, asking them to indicate, for each of the cookies mentioned in the said report, its purpose and to provide a volume of the number of daily unique visitors to the "google.fr" and "youtube.com" sites over the last twelve months from France.16. On June 21 and July 9, 2021, the CNIL received two new complaints denouncing the methods of refusing cookies from the "google.fr" website. 17. By letter of July 9, 2021, the company GIL responded to the delegation's request, indicating to provide a response "without prejudice to [its] rights under the GDPR, in particular the one-stop-shop mechanism and the role of chief authority lead by the Irish Data Protection Commission (“DPC”) in investigations ”. It clarified that it acts as the person responsible for processing personal data with regard to cookies deployed on the "google.fr" and "youtube.com" domains for users located within the European economic area and in Switzerland. . It also transmitted the purpose of each of the cookies placed on the users' terminal and identified in the report of findings. However, it refused to provide the volume of the number of unique visitors to these two websites over the last twelve months from France, considering that it was not necessary to provide this information at this stage. For the purposes of examining these elements, the President of the Commission appointed Ms. Valérie PEUGEOT as rapporteur, on July 28, 2021, on the basis of Article 22 of the "Data Protection Act" .19. At the end of her investigation, on September 2, 2021, the rapporteur had the company councils and by e-mail sent to their representatives, a report detailing the breach of article 82 of the "Data processing and information technology" law. Freedoms "which it considered constituted in the present case.20. This report proposed to the restricted formation of the Commission to pronounce an administrative fine against the two companies, as well as an injunction to bring into conformity the processing consisting of operations of reading and / or writing of information in the terminal of users located in France, on the “google.fr” and “youtube.com” websites, with the provisions of article 82 of the “Informatique et Libertés” law, accompanied by a penalty payment. He also proposed that this decision be made public and no longer allow companies to be identified by name after a period of two years from its publication. By letter of September 9, 2021, the companies, through their counsel, requested additional time to provide their comments in response. By letter of September 15, 2021, the president of the restricted party granted them additional time until October 8, 2021. By letter of September 27, 2021 addressed to the president of the restricted formation, the companies, through their advisers, requested the suspension of the procedure pending the decision of the Council of State in the context of the appeal. against deliberation n ° SAN-2020-012 of December 7, 2020. On September 30, 2021, the company councils informed the president of the restricted formation of the creation of a working group by the European Data Protection Committee (hereinafter "the EDPS"), intended to coordinate the response to complaints relating to cookie banners, filed by the None of Your Business association (hereinafter "the NOYB association") with various data protection authorities European. 23. By letter of October 4, 2021, the president of the restricted formation rejected the request for suspension of the procedure made by the companies. 24. On October 8, 2021, the companies filed submissions in response to the sanction report. 25. The rapporteur responded to the companies' comments on 22 October 2021. 26. On October 27, 2021, through their advisers, the companies submitted a request for an extension of the fifteen-day period provided for by article 40 of decree n ° 2019-536 of May 29, 2019 to produce their observations in response. , a request to postpone the session of the restricted formation set for November 25, 2021 and a request that the session be held in camera. 27. On October 29, 2021, the president of the restricted formation granted an additional eight days to the companies to produce their second observations and refused to postpone the date of the meeting of the restricted formation and to hold the said meeting in camera. 28. On 12 November 2021, the companies produced new observations in response to those of the rapporteur. The companies and the rapporteur presented oral observations during the session of the restricted formation. II. Reasons for the decision A. On the request for a stay of proceedings 30. The companies request that the restricted committee stay the decision pending the decision that will be rendered by the Council of State in the context of the appeal filed against deliberation n ° SAN-2020-012 of December 7, 2020. and pending the conclusions of the new EDPS working group mentioned above. They base their request on Article 66 of the CNIL's internal regulations and on the principle of the proper administration of justice. The companies argue in particular that they are asking the Council of State to rule on several means that will have direct and decisive consequences on the present sanctioning procedure. They maintain in particular before the Council of State that the CNIL was not competent to pronounce administrative sanctions against them, whereas in addition the legal framework applicable in the matter of cookies was not yet consolidated and that the sanctions pronounced are manifestly unjustified and disproportionate. 31. First, the restricted formation observes that article 66 of the internal regulations of the CNIL provides that "The sessions of the restricted formation are chaired by its president or, in the event of impediment, by its vice-president. The meeting directs the debates and ensures the police of the meeting. It can order any suspension that it deems useful ". The suspension mentioned in the context of this article does not concern the suspension of the sanctioning procedure, but relates to the suspension of the session of the restricted formation. 32. Second, the companies have already made these same arguments to the president of the restricted party in their letter of September 27, 2021, who refused to grant the request for suspension by letter of October 4, considering that the decision it is up to the President of the Commission to initiate a sanction procedure and that it is not within the powers of the President of the restricted formation to order its suspension. The president of the restricted formation also recalled in this letter that in application of article L. 4 of the code of administrative justice, the request for annulment formed against the deliberation of the restricted formation of December 7, 2020 before the Council of State has no suspensive effect and, moreover, the date on which this court will examine this file was not known. Finally, he added that the creation of a working group within the EDPS was not likely, in any event, to justify a suspension of the sanction procedure.33. Third, the decision of the Council of State may not be taken for several months. 34. Lastly, with regard to the creation of the working group by the EDPS concerning cookie banners, the restricted committee notes that the outcome of this work is not known to date. The restricted committee therefore considers that there is no need to stay the proceedings. The complaint alleging violation of the principle non bis in idem 36. The companies maintain that the restricted formation cannot rule again on the same facts as those concerned by deliberations n ° SAN-2020-012 of December 7, 2020 and n ° SAN-2021-004 of April 30, 2021, without violating the principle non bis in idem. They claim that the parties concerned by this procedure and the previous aforementioned deliberations are identical, that the two procedures concern the same facts and that a final decision, deliberation n ° SAN-2021-004 of April 30, 2021, has been taken. 37. In the first place, the restricted formation notes that, in its deliberation n ° SAN-2020-012 of December 7, 2020, it retained a breach of article 82 of the law "Informatique et Libertés" given the lack of information people, the failure to collect consent from people before cookies are placed on their terminal and the partially defective nature of the "opposition" mechanism put in place by Google. It also pronounced against them an injunction "to bring the processing into conformity with the obligations resulting from article 82 of the law" Informatique et Libertés ", in particular: o Inform the persons concerned in advance and in a clear and complete manner , for example on the information banner on the home page of the "google.fr" site: - the purposes of all cookies subject to consent, - the means at their disposal to refuse them ". 38. The restricted committee thus notes that the first procedure leading to the aforementioned deliberation included an injunction relating to the information of users on the purposes of cookies subject to consent and on the means of refusing cookies. The current procedure focuses on the terms of refusal themselves, not just information. Thus, the two procedures do not concern the same facts. 39. Secondly, the companies argue that, under the terms of deliberation n ° SAN-2020-012 of December 7, 2020, the restricted formation ordered them to comply with article 82 of the law "Informatique et Libertés" in all its provisions and to provide, in particular, but not exclusively by virtue of the use of the terms "in particular", information on the purposes of cookies and on the means to oppose them. They add that, by deliberation n ° SAN-2021-004 of April 30, 2021, the restricted formation would have decided that the mechanism of consent and rejection of cookies, in its entirety, complied with article 82 of the law " Informatique et Libertés "and that the companies would have satisfied the injunction within the time limit. 40. The Restricted Committee does not subscribe to this analysis. The sanction report from the previous proceedings only dealt with the information put in place by the companies on the cookie banner, the deposit of cookies without consent and the partial failure of the "opposition" mechanism. There is therefore no doubt that the restricted panel was unable to rule on what was not before it in the adversarial proceedings. Thus, if the words "in particular" can lead to confusion, when the formula is taken in isolation, the restricted panel recalls that this injunction cannot be read in a decorrelated manner from the whole of the corresponding decision. However, in the context of this previous procedure, the restricted panel only ruled on the aforementioned perimeter and the injunction was only issued in connection with the information of individuals. The methods of refusing read and / or write operations, which are the subject of this sanctioning procedure, did not fall within the scope of this injunction. As deliberation n ° SAN-2021-004 of April 30, 2021 must necessarily be read in the light of deliberation n ° SAN-2020-012 of December 7, 2020, it cannot be considered that the injunction pronounced concerned the whole obligations resulting from article 82 of the law "Informatique et Libertés" .41. In this regard, the restricted committee notes that, in two letters of February 17, 2021 addressed to companies, the secretary general of the CNIL recalled that, as emerges from the reasons and the mechanism of deliberation n ° SAN-2020-012 of the December 7, 2020, the expected compliance in the context of the injunction procedure only concerned the information provided to people on the home page of the "google.fr" site. It was also indicated that, as regards the obligation to inform the persons concerned in a clear and complete manner of the means made available to them to refuse cookies, "this question is difficult to separate from the question of the methods of refusal on the first level, by a refuse button or an equivalent solution, which is not in the scope of the injunction ". From a support perspective - and in view of the changes expected under the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the Regulation" or "the RGPD "), enlightened by the recommendation of September 17, 2020, and for which an adaptation period had been left by the CNIL to the actors until April 1, 2021 - the letter included an analysis exceeding the scope of the injunction pronounced by the restricted training, which focused on the elements provided by the companies in response to the injunction, elements which themselves went beyond the perimeter of the deliberation mechanism. In this context, companies were reminded that it must be as easy to give consent as to refuse to give or withdraw it and they were told that it would be up to them to insert a "I refuse" button next to the "I accept" button, while specifying that they could "of course change the titles of these buttons as long as they allow the user to clearly and directly understand the consequences of his choices ". If this letter does not have any imperative value, the restricted formation notes that under a letter that GIL addressed to the president of the restricted formation on March 30, 2021, the company had replied: "we share the analysis of the services of the CNIL according to which Google's consent mechanism does not fall within the scope of the injunction pronounced by the restricted committee in its deliberation of December 7, 2020 ".42. Therefore, companies cannot assert that the restricted committee validated the new cookie banner set up by them following the first sanction procedure, even though they themselves were fully aware that the consent mechanism and rejection of cookies, in its entirety, was not the subject of this previous procedure and that the CNIL has reminded on various occasions that it did not rule on this point in the context of the previous procedure. The restricted committee notes in fact that, in its press release relating to the closure of the injunction of May 4, 2021, the CNIL had also taken care to specify that: "Seizure before the end of the adaptation period left to the actors by the CNIL, the restricted committee did not examine the compliance of the information banner provided on the "google.fr" site with the new rules on cookies, relating in particular to consent, which are informed by the guidelines and the recommendation of September 17, 2020. This closing decision therefore does not prejudge the analysis of the CNIL as to the compliance of google.fr with these requirements, according to which the user must now be able to refuse cookies as easily that it can accept them. The CNIL now reserves the right to control these methods of refusal and, if necessary, to mobilize its entire chain of repression ".44. Lastly, the restricted committee noted that the present procedure targets both the “google.fr” and “youtube.com” websites, while the previous procedure only concerned the “google.fr” site .45. The restricted committee therefore considers that the complaint alleging the violation of the principle non bis in idem must be rejected. On the competence of the CNIL 1. On the material competence of the CNIL and the non-application of the "one-stop-shop" mechanism provided for by the RGPD46. The processing operations subject to due diligence on June 1, 2021 by a CNIL delegation are carried out within the framework of the provision of electronic communications services accessible to the public through a public electronic communications network offered within the Union. European. As such, they fall within the material scope of the "ePrivacy" Directive. 47. Article 5 (3) of that directive, relating to the storage of or access to information already stored in the terminal equipment of a subscriber or user, has been transposed into domestic law in Article 82 of the "Informatique et Libertés" law, within chapter IV of the law relating to the rights and obligations specific to processing in the electronic communications sector. 48. Under the terms of article 16 of the "Informatique et Libertés" law, "the restricted formation takes measures and pronounces sanctions against data controllers or subcontractors who do not comply with the obligations arising from […] of this law ". Under Article 20, paragraph III, of this same law, "when the data controller or his subcontractor does not comply with the obligations resulting from [...] this law, the president of the National Commission for data processing and freedoms […] can apply for the restricted training ”.49. The rapporteur considers that the CNIL is materially competent in application of these provisions to control and sanction the operations of access or registration of information implemented by the companies in the terminals of users of the "google.fr" and "sites". youtube.com "in France.50. The companies contest the jurisdiction of the CNIL and believe that they should be subject to the procedural framework provided for by the GDPR, that is to say the cooperation mechanism between the supervisory authorities, known as the "one-stop-shop" mechanism, provided for in Chapter VII of the Regulations. In application of this mechanism, the supervisory authority competent to hear the facts in question would not be the CNIL but the Irish data protection authority, the Data Protection Commission (hereinafter the "DPC"), which should act as the lead authority with regard to the deployment of cookies, depending on the companies, this authority is competent under both the GDPR and the "ePrivacy" directive .51. To this support, companies invoke in particular the inextricable link between the RGPD and the "ePrivacy" directive, considering that the application of the RGPD cannot be excluded when Article 82 of the "Data Protection Act" applies. They also invoke the principle of lex specialis - lex generalis under which, according to them, the "ePrivacy" directive specifies and supplements the GDPR. Companies consider that the absence of specific rules relating to the determination of the competence of the supervisory authority in the event of cross-border processing falling within the scope of the "ePrivacy" directive should be supplemented by the application of the framework. procedural provided for by the GDPR. They argue that the application of the "one-stop-shop" mechanism is not only in line with the intention of the European legislator, but also with the interpretation of the EDPS, and furthermore corresponds to the position taken by several European authorities. They point out in this regard that the power left to the Member States as regards the choice of the national authority responsible for ensuring compliance with the "ePrivacy" directive does not preclude the application of the "one-stop-shop" mechanism provided for by the GDPR. , insofar as cooperation agreements between these authorities have been concluded in several Member States so that the data protection authorities and the authorities responsible for the application of the "ePrivacy" Directive, in the case of different authorities, can jointly exercise enforcement powers on a matter falling within the scope of the GDPR and the "ePrivacy" directive and thus participate in the one-stop-shop mechanism. 52. The companies also add that the EDPS 'announcement of September 27, 2021 relating to the creation of a working group on cookie banners in response to the large number of complaints recently lodged with the supervisory authorities by the NOYB association constitutes a evidence that the EDPS considers cookie-related breaches to fall directly within the scope of the GDPR and, therefore, of the 'one-stop-shop' mechanism .53. As a preliminary point, the restricted committee underlines the distinction that should be made between, on the one hand, the operations consisting in depositing and reading a cookie on a user's terminal and, on the other hand, the subsequent use made of the data generated by these cookies, for example for profiling purposes, generally referred to as "subsequent processing" (also known as "subsequent"). Each of these two successive stages is subject to a different legal regime: while the read and write operations in a terminal are governed by special rules, fixed by the "ePrivacy" directive - in this case, by its article 5 paragraph 3 -, and transposed into national law, "subsequent processing" is governed by the GDPR and, as such, may be subject to the "one-stop-shop" mechanism in the event that it is cross-border.54 . In the present case, the restricted committee recalls that the present procedure only concerns the reading and writing operations implemented in the terminal of the user located in France going to the Google Search and YouTube search engine, the material findings made by the delegation during the online check of June 1, 2021, which focused only on these operations, without considering the subsequent processing carried out from the data collected via these cookies. 55. First of all, the restricted committee notes that it emerges from the provisions cited above that the French legislator has instructed the CNIL to ensure compliance with the provisions of the "ePrivacy" directive transposed to article 82 of the law " Informatique et Libertés ", in particular by giving it the power to sanction any disregard of this article. It underlines that this competence was recognized in particular by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the deliberation of the CNIL no 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read or write operations in a user's terminal. The Council of State has indeed noted that "article 20 of this law gives [to the] president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from the (EU) 2016 regulation / 279 or its own provisions, as well as the possibility of applying to the restricted committee with a view to the pronouncement of sanctions which may be pronounced "(CE, June 19, 2020, req. 434684, pt. 3) .56. Secondly, the restricted committee considers that when a processing operation can fall both within the material scope of the "ePrivacy" directive and the material scope of the GDPR, it is appropriate to refer to the relevant provisions of the two texts which provide for their articulation. Thus, Article 1, paragraph 2, of the "ePrivacy" directive provides that "the provisions of this directive specify and supplement Directive 95/46 / EC" of the European Parliament and of the Council of 24 October 1995 on the protection of personal data (hereinafter "Directive 95/46 / EC on the protection of personal data"), it being recalled that since the entry into application of the Regulation, the references made to this last directive must be understood as made to the RGPD , in accordance with article 94 thereof. Likewise, it is apparent from recital 173 of the GDPR that this text explicitly provides that it does not apply to the processing of personal data "subject to specific obligations having the same objective [of protecting fundamental rights and freedoms] set out in the directive. 2002/58 / EC of the European Parliament and of the Council, including the obligations of the controller and the rights of natural persons ". This articulation was confirmed by the CJEU in its Planet49 decision of October 1, 2019 (CJEU, October 1, 2019, C 673/17, pt. 42). 57. In this regard, the Restricted Committee notes that, contrary to what companies maintain, the "ePrivacy" directive constitutes a body of special rules, which does indeed provide, for the specific obligations it entails, its own implementation mechanism. and control of its application within its article 15bis. Thus, the first paragraph of this article leaves to the Member States the competence to determine "the system of sanctions, including criminal sanctions where appropriate, applicable to violations of the national provisions adopted pursuant to this Directive and [take ] any measure necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if it has subsequently been corrected ". The rule laid down in 3) of article 5 of the "ePrivacy" directive, according to which read and / or write operations must systematically be the subject of a prior agreement of the user, after information, constitutes a special rule with regard to the GDPR since it prohibits taking advantage of the legal bases mentioned in article 6 of the latter in order to be able to lawfully carry out these read and / or write operations on the terminal. The control of this rule therefore falls under the special control and sanction mechanism provided for by the "ePrivacy" directive, and not by the data protection authorities and the EDPS in application of the GDPR. It is by a specific choice that the legislator in France has entrusted this mission to the CNIL. In addition, the second paragraph of the same article obliges Member States to ensure "that the competent national authority and, where appropriate, other national bodies have the power to order the cessation of the offenses referred to in paragraph I" . 58. In view of the foregoing, the Restricted Panel considers that, in application of the adage specialia generalibus derogant, the specific rules relating to cookies arising from the "ePrivacy" directive prevail over the general rules of the GDPR. Thus, the "one-stop-shop" mechanism provided for by the GDPR cannot be applied to the processing operations covered by the directive, as the companies claim. Thirdly, the Restricted Committee adds that this exclusion is corroborated by the fact that the Member States, which are free to determine the national authority competent to deal with violations of the national provisions adopted in application of the "ePrivacy" directive, may have attributed this competence to an authority other than their national data protection authority established by the GDPR, in this case to their telecommunications regulatory authority. Therefore, insofar as these latter authorities are not part of the EDPS, while this committee plays an essential function in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the "one-stop-shop" for practices liable to be sanctioned by national supervisory authorities not sitting on this committee.60. The restricted formation emphasizes that the cooperation agreements concluded between data protection authorities and telecommunications regulatory authorities in certain Member States, invoked by the company, aim to establish cooperation at national level between the various regulators in order to ensure the consistency of their doctrines on related subjects but do not aim to involve as such the telecommunications regulatory authorities in the "one-stop-shop" mechanism provided for by Chapter VII of the GDPR. 61. Fourthly, the restricted committee notes that the EDPS, in his opinion n ° 5/2019 of 12 March 2019 relating to the interactions between the "privacy and electronic communications" directive and the GDPR, explicitly excluded the application of the "one-stop-shop" for matters materially falling under the "ePrivacy" directive in these terms: "in accordance with chapter VII of the GDPR, the cooperation and consistency mechanisms available to the data protection authorities under the GDPR concern the control of the application of the provisions of the GDPR. The mechanisms of the GDPR do not apply to monitoring the application of the provisions of the "privacy and electronic communications" directive as such "(EDPS, opinion 5/2019, 12 March 2019, pt. 80) 62. Fifth, the restricted committee notes that the CJEU, in a Facebook Belgium judgment delivered on June 15, 2021, took over the aforementioned EDPS opinion 5/2019. The CJEU followed on this point the conclusions of its Advocate General, Mr BOBEK, who considered that "in order to decide whether a case actually falls within the material scope of the GDPR, a national court, including any referring court , is required to seek the precise source of the legal obligation incumbent on an economic operator which it is alleged to have violated. If the source of this obligation is not the GDPR, the procedures established by this instrument, which are linked to its main objective, are logically not applicable either "(CJEU, conclusions of Advocate General M. BOBEK, January 13, 2021, Facebook Belgium, C 645/19, pts. 37 and 38) .63. In this case, the restricted committee notes that, in the present procedure, the precise source of the legal obligation subject to the control finds its origin in Article 5, paragraph 3, of the "ePrivacy" directive, transposed to the article 82 of the "Informatique et Libertés" law, informed by the conditions of consent as provided for by the RGPD, article 2, f), of the "ePrivacy" directive providing that the consent of a user corresponds to the consent of the data subject listed in Directive 95/46 / EC, which has been replaced by the GDPR. 64. The restricted formation also points out that other national data protection authorities have also already pronounced sanctions relating to breaches relating to operations of reading and / or writing information in the users' terminal. The Spanish authority has thus issued several sanction decisions against various data controllers in application exclusively of the national provisions transposing the "ePrivacy" directive, in this case article 22, paragraph 2 of Ley 34/2002 de 11 de julio de Servicios de la Sociedad de la Información y de Comercio Electrónico, without implementing the cooperation procedure established by the GDPR. 65. Sixthly, the restricted committee notes that the possible application of the "one-stop-shop" mechanism to processing governed by the "ePrivacy" directive is the subject of numerous discussions in the context of the preparation of the "ePrivacy" regulation project. "under negotiation for more than four years at European level. The very existence of these debates confirms that as it stands, the one-stop-shop mechanism provided for by the GDPR is not applicable to matters governed by the current "ePrivacy" directive. 66. Finally, according to the restricted party, the creation of a working group on cookie banners in response to the large number of complaints lodged with European supervisory authorities by the NOYB association does not mean, contrary to what is argued , that the EDPS considers that all breaches related to cookies necessarily fall within the scope of the GDPR. The restricted committee also notes that some of the questions raised in these complaints concern subsequent processing which, in turn, falls within the scope of the GDPR. In addition, pursuant to Article 70 (1) (u), the EDPS has, inter alia, the task of promoting cooperation and effective bilateral and multilateral exchange of information and good practice between supervisory authorities. The purpose of the working group is thus to discuss the analysis of the numerous complaints filed by the NOYB association. The creation of this working group does not call into question the position of the EDPS, in his aforementioned opinion 5/2019. 67. Thus, the restricted committee considers that the "one-stop-shop" mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to control and sanction processing consisting of reading and / or reading operations. writing of information in the terminal of users located in France implemented by companies falling within the scope of the "ePrivacy" directive, provided that they fall under its territorial jurisdiction. 2. On the territorial jurisdiction of the CNIL68. The rule of territorial application of the requirements fixed in article 82 of the law "Informatique et Libertés" is fixed in article 3, paragraph I, of the law "Informatique et Libertés" which provides: "without prejudice, in this which concerns the processing within the scope of Regulation (EU) 2016/679 of April 27, 2016, of the criteria provided for by article 3 of this regulation, all the provisions of this law apply to the processing of data to personal character carried out within the framework of the activities of an establishment of a controller […] on French territory, whether or not the processing takes place in France ".69. The rapporteur considers that the CNIL has territorial jurisdiction in application of these provisions when the processing object of this procedure, consisting of operations to access or enter information in the terminal of users residing in France during the he use of the Google Search search engine and of YouTube, in particular for advertising purposes, is carried out within the "framework of the activities" of the company GOOGLE FRANCE, which constitutes the "establishment" on the French territory of the GOOGLE group. 70. The companies refer, for their part, on this point to the observations they had produced in the context of the previous sanctioning procedure and in which they maintained that, in so far as it would be appropriate to apply the rules of jurisdiction and the procedures cooperation defined by the RGPD, the CNIL would not have the territorial competence to hear this case given that the "real seat" of the GOOGLE group in Europe, that is to say the place of its central administration within the meaning of article 56 of the GDPR, is located in Ireland. 71. The restricted committee once again retains that the facts in question are materially covered by the provisions of the "ePrivacy" directive, and not of the GDPR. It follows that it is appropriate to refer to the provisions of article 3, paragraph I, of the law "Informatique et Libertés", determining the scope of the territorial jurisdiction of the CNIL. 72. In this regard, the restricted committee emphasizes that the "ePrivacy" directive does not itself explicitly lay down the rules for the territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it "specifies and supplements Directive 95 / 46.CE", which at the time provided, in Article 4, that "Each Member State shall apply the national provisions which it adopts by virtue of the this Directive to the processing of personal data when: a) the processing is carried out within the framework of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations provided for by the applicable national law ". While this rule for determining the national law applicable within the Union no longer applies for the application of the rules of the GDPR, which replaced Directive 95/46 / EC on the protection of personal data and applies uniformly throughout the territory of the Union, it appears that the French legislator has maintained these criteria of territorial application for the specific rules contained in the law "Informatique et Libertés", and therefore in this case for those which transpose the "ePrivacy" directive. Therefore, the case law of the CJEU on the application of Article 4 of the former Directive 95/46 / EC on the protection of personal data remains relevant to shed light on the scope to be given to these two criteria. First, with regard to the existence of an "establishment of the controller on French territory", the CJEU has consistently considered that the notion of establishment should be assessed in a flexible manner and that this Finally, it was necessary to assess both the degree of stability of the installation and the reality of carrying out activities in another Member State, taking into account the specific nature of the economic activities and the provision of services in question (see , for example, CJEU, Weltimmo, 1 Oct. 2015, C 230/14, pts. 30 and 31). The CJEU further considers that a company, an autonomous legal person, of the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, May 13, 2014, Google Spain, C-131 / 12, pt 48) 74. In this case, the restricted formation notes, first of all, that the company GOOGLE FRANCE is the head office of the French subsidiary of the company GOOGLE LLC, that it has premises located in Paris, that it employs approximately [... ] people and that, according to its statutes filed with the registry of the Paris Commercial Court, its particular object is "the provision of services and / or advice relating to software, the Internet, telematic or online networks, in particular the 'intermediation in the sale of online advertising, the promotion of all forms of online advertising, the direct promotion of products and services and the setting up of data processing centers ". The restricted formation then notes, as it recalled in its deliberation of December 7, 2020, "that the company GOOGLE FRANCE is responsible for ensuring the promotion of online advertising on behalf of the company GIL, which is a co-contractor of advertising contracts concluded with French companies or French subsidiaries of foreign companies "and" that the company GOOGLE FRANCE effectively participates in the promotion of products and services designed and developed by the company GOOGLE LLC, such as Google Search , in France, as well as the advertising activities managed by the company GIL "(deliberation of the restricted party n ° SAN-2020-012 of December 7, 2020 concerning the companies GOOGLE LLC and GOOGLE IRELAND LIMITED, pt. 42). It notes that these findings still appear to be valid on the date of this deliberation.75. Secondly, with regard to the existence of processing carried out "within the framework of the activities" of this establishment, the restricted committee notes that the CJEU, in its Google Spain judgment of 13 May 2014, considered that the processing relating to the search engine Google Search was carried out "within the framework of the activities" of the company GOOGLE SPAIN, establishment of the company GOOGLE INC - since become GOOGLE LLC -, insofar as this company is intended to ensure in Spain the promotion and the sale of advertising space offered by this search engine, which is used to make the service offered by this search engine profitable. The CJEU clarified that "Article 4 (1) (a) of Directive 95/46 does not require that the processing of personal data in question be carried out" by "the establishment concerned itself, but only that it is "within the framework of the activities" of this one "(pt. 52). According to the Court, "Article 4 (1) (a) of Directive 95/46 must be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of responsible for this processing in the territory of a Member State, within the meaning of this provision, when the operator of a search engine creates in a Member State a branch or a subsidiary intended to ensure the promotion and sale of advertising space offered by this engine and whose activity targets the inhabitants of that Member State "(pt. 60) .76. In addition, the restricted panel notes that the CJEU subsequently considered, in its Wirtschaftsakademie and Facebook Belgium decisions, that the processing consisting of the collection of personal data via cookies placed in the terminals of visiting users, in Germany and Belgium, pages hosted on the Facebook social network were respectively made "within the framework of the activities" of the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, German and Belgian establishments of the Facebook group, insofar as these establishments are intended to provide , in their respective country, the promotion and sale of advertising space offered by this social network, which is used to make the service offered by Facebook profitable (CJEU, large chamber, June 5, 2018, Wirtschaftsakademie, C-210/16, pts. 56 to 60; June 15, 2021, Facebook Belgium, C-645/19, pts. 92 to 95). If in the Google Spain judgment, Spanish jurisdiction had been retained for processing for which the effective responsibility fell to companies based in the United States, outside the European Union, in these latter judgments, the CJEU extended its reasoning to cases where the effective responsibility for the processing lies with a company located in another country of the European Union. 77. The restricted committee noted that, even if these three judgments concerned more specifically the "subsequent processing" implemented from cookies placed in users' terminals, which justified the application of Directive 95/46 / EC for business Google Spain and Wirtschaftsakademie and of the RGPD for the Facebook Belgium case, this case law remains relevant to shed light on the scope to be given to the concept of processing carried out "within the framework of the activities" of an establishment, insofar as the French legislator l 'resumed during the transposition of the "ePrivacy" directive to found the territorial jurisdiction of the CNIL with regard to processing covered by this directive.78. In this case, and in addition to the previous developments appearing above in paragraph 74, the restricted committee notes that, according to the information posted on its website, the company GOOGLE FRANCE supports in particular small and medium-sized enterprises in France "through the development of collaboration tools, advertising solutions or to give them the keys to understanding their markets and their consumers ". Then, it has already noted, in its deliberation n ° SAN-2020-012 of December 7, 2020 that, "in its letter of April 30, 2020, the company GIL indicates that" Google France has a sales team dedicated to promoting and the sale of GIL's services to advertisers and publishers based in France, such as Google Ads "" (item n ° 44). This observation still appears to be valid on the date of this deliberation. The limited training finally notes that it is specified on the website "ads.google.com" that "Google Ads allows French companies to promote their products or services on the search engine and on a large advertising network". 79. Thus, the processing consisting of operations of access or registration of information in the terminal of users of the Google Search search engine and of YouTube residing in France, in particular for advertising purposes, is carried out within the framework of the activities of the company GOOGLE FRANCE on French territory, which is in charge of the promotion and marketing of GOOGLE products and their advertising solutions in France. The restricted committee notes that the two criteria provided for in Article 3, paragraph I, of the "Informatique et Libertés" law are therefore met.80. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of imposing sanctions concerning processing operations falling within the scope of the "ePrivacy" directive. On the complaint alleging the illegality of the present sanctioning procedure81. The companies dispute the fact of not having received any formal notice before the president of the CNIL decides to open a sanction procedure, unlike other actors, thus invoking a difference in treatment between GIL and GOOGLE LLC and the sixty companies that the CNIL declared to have put on formal notice for similar acts in its press releases of 25 May and 19 July 2021 posted on its website. First, with regard to the companies' argument according to which the provisions opposed to them by the rapporteur entered into force less than five months before the start of the sanction procedure, the restricted committee recalls that, in the context of of this deliberation, it is based exclusively on the provisions of article 82 of the law "Informatique et Libertés", informed by the reinforced requirements in terms of consent of the GDPR, which came into force in May 2018. Therefore, the framework legal applicable to the facts giving rise to the present sanction proceedings is fully established. 83. The restricted committee also recalls that, from June 2019 and on various occasions thereafter, the CNIL communicated on its action plan which included two main stages: the publication of new guidelines in July 2019 and consultation with professionals. to develop a new recommendation, proposing operational modalities for obtaining consent. The CNIL had specified, in a press release dated June 28, 2019, that it would verify compliance with the recommendation six months after its final adoption. The restricted party noted that the CNIL had been perfectly transparent on the schedule, in order to give the organizations time to comply before carrying out checks.84. Secondly, the restricted committee recalls that, in accordance with article 20 of the law "Informatique et Libertés", the president of the CNIL is not required to send a formal notice to a data controller before sending initiate a sanction procedure against him. It adds that the possibility of directly initiating a sanction procedure has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, req. No. 433311, pt. 3) .85. It further notes that the secretary general of the CNIL reminded companies, in his letters of February 17, 2021, that it must be as easy to give consent as to refuse to give or withdraw it. It also notes that the companies GOOGLE LLC and GIL have already been the subject of a sanction procedure relating to their cookie policy. The companies were fully aware that they were exposed to possible other sanctions since, according to a press release published on May 4, 2021, the CNIL had indicated that the closure of the injunction only concerned the scope of the injunction pronounced by the restricted formation in its deliberation of December 7, 2020. It specified that this closing decision did not prejudge the analysis of the CNIL as to the compliance of "google.fr" with other rules on cookies , relating in particular to consent, which are informed by the guidelines and the recommendation of September 17, 2020, according to which the user should now be able to refuse cookies as easily as he can accept them. The CNIL specified that it reserved the right to control these methods of refusal and, if necessary, to mobilize its entire repressive chain, it being specified that the CNIL had received several complaints on this subject. GOOGLE LLC and GIL were not in the same situation as other organizations subject to formal notices from the CNIL and that the complaint alleging the illegality of the sanctioning procedure must be rejected. . On the request for a preliminary ruling86. In the alternative, the companies ask the restricted formation to refer a preliminary question to the Court of Justice of the European Union (hereinafter the "CJEU") in these terms: "the absence of a" refuse all "button to next to a button "accept all" should it be considered a violation of article 4, paragraph 11 and article 7 of the GDPR, read in conjunction with article 5, paragraph 3 of the e-Privacy directive while the data controller gives the data subject the right to refuse said processing in the second level of the cookies banner and through the browser settings and informs him of this possibility to refuse the processing and the means at his disposal to do it from the first level of the cookies banner? ". The companies consider that the restricted formation is a court within the meaning of Article 267 of the Treaty for the Functioning of the European Union (hereinafter "TFEU") and that it meets the criteria of a court: it is established permanently by the law "Informatique et Libertés"; it has compulsory jurisdiction when the president of the CNIL decides to initiate a sanction procedure; it follows a procedure of an adversarial nature opposing the rapporteur and the respondent; it applies the rules of law and is independent and impartial. 87. The restricted formation recalls that, for a body to be able to address a preliminary question to the CJEU, it must have the quality of "jurisdiction" within the meaning of Article 267 TFEU, an autonomous concept in Union law. To assess this status, the CJEU takes into consideration the following criteria: legal origin of the body, its permanence, its binding nature, adversarial nature of its procedure, application of the rules of law, its independence and the jurisdictional nature of its decisions.88 . The restricted formation notes that it is not classified as a jurisdiction in domestic law: no legislative provision has recognized this quality. If, as the companies point out, the Council of State has already ruled that "having regard to its nature, its composition and its powers", the restricted formation can be qualified as a "tribunal" within the meaning of the article 6-1 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter the "CESDH") (Council of State, summary judge, February 19, 2008, n ° 311974), this decision does not, however, recognize it as a court. 89. The restricted committee considers, contrary to what the companies maintain, that the criteria adopted by the CJEU on the notion of jurisdiction within the meaning of article 267 TFEU, in particular in its recent ANESCO judgment (CJEU, Sept. 16, 2020, Anesco, C-462/19), are not fulfilled by the restricted training. Indeed, in this judgment, the CJEU indicated that, "it must be noted that the decisions that the CNMC [the Spanish competition authority] is led to adopt in cases such as the one at issue in the main proceedings are similar to decisions of an administrative nature, excluding their being adopted in the exercise of judicial functions "(§41). However, the same applies to decisions taken by the restricted body, which are administrative decisions since they are sanction decisions which contribute to the effectiveness of the CNIL's action in its regulatory power. The sanction decision puts an end to the administrative procedure initiated and an administrative litigation appeal may then be initiated against him before the Council of State.90. In addition, the restricted formation notes that the Court of Cassation considered that "it follows from these texts of European Union law, as interpreted by the Court of Justice of the European Union, that the Authority of competition is not a court capable of asking it a preliminary question pursuant to article 267 of the TFEU (CJEU, judgment of September 16, 2020, Anesco, C-462/19, concerning the Comisión Nacional de los Mercados y la Competencia, Spanish competition authority) "(Cass. 2nd civ., September 30, 2021, n ° 20-18.302). However, the Competition Authority, as an independent administrative authority, has great organizational and procedural similarities with the restricted body.91. Therefore, the restricted formation cannot be classified as a court within the meaning of Article 267 TFEU, so that it is not able to ask a preliminary question to the CJEU. On the determination of the controller 92. The restricted committee notes, first of all, that Articles 4, paragraph 7, and 26, paragraph 1, of the GDPR are applicable to this procedure due to the use of the concept of "controller" in Article 82 of the "Informatique et Libertés" law, which is justified by the reference made by article 2 of the "ePrivacy" directive to directive 95/46 / CE on the protection of personal data, which has been replaced by the RGPD. 93. According to article 4, paragraph 7, of the GDPR, the controller is "the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and the means of treatment ". According to Article 26 (1) of the GDPR, "where two or more controllers jointly determine the purposes and means of processing, they are the joint controllers" .94. The rapporteur considers that the companies GIL and GOOGLE LLC are jointly responsible for the processing in question in application of these provisions since the companies both determine the purposes and means of the processing consisting of access or registration operations. information in the terminal of users residing in France when using the Google Search search engine and YouTube. 95. The companies respond that the company GIL would be solely responsible for the processing of personal data of users located in the European Economic Area and in Switzerland. 96. The restricted panel recalls that the CJEU has ruled on several occasions on the concept of joint responsibility for processing, in particular in its Jehovah's Witnesses judgment. According to the latter, it considered that, according to the provisions of Article 2 (d) of Directive 95/46 on the protection of personal data, "the concept of" controller "refers to the person natural or legal person which, "alone or jointly with others", determines the purposes and means of the processing of personal data. This concept does not, therefore, necessarily refer to a single natural or legal person and may concern several actors participating in this processing, each of them then having to be subject to the applicable data protection provisions […]. The objective of this provision is to ensure, by a broad definition of the concept of "responsible" , effective and complete protection of the persons concerned, the existence of joint liability does not necessarily translate into equivalent liability, for the same processing of personal data, for differences ts actors. On the contrary, these actors may be involved at different stages of this processing and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all the relevant circumstances of the case at hand " (CJEU, July 10, 2018, C 25/17, pts. 65 and 66) .97. The restricted committee considers that these developments make it possible to usefully shed light on the concept of joint processing responsibility invoked by the rapporteur with regard to the GOOGLE LLC and GIL companies concerned by the processing operations in question.98. The restricted committee underlines, finally, that if the present procedure does not relate to the same facts as those mentioned in the framework of deliberation n ° SAN-2020-012 of December 7, 2020 for the reasons developed above, it still concerns the reading and writing operations implemented in the user's terminal located in France by the companies GOOGLE LLC and GIL, for which the role of the two companies has already been examined by the restricted committee in the deliberation mentioned above above.99. The restricted committee also recalls that it, in this same deliberation of December 7, 2020, considered that the companies GOOGLE LLC and GIL jointly determine the purposes and means of the processing consisting of operations of access or registration of information. in the terminal of users residing in France when using the Google Search search engine (pts. 47 to 66 of the deliberation). It considers that this observation is still valid on the date of this deliberation and can be extended to the cookies used on the "youtube.com" site, as demonstrated by the elements developed below.1. On the responsibility of the company GIL100. The companies claim that GIL is acting as the data controller in question, which the rapporteur also considers. 101. The small group shares this analysis. 102. In the first place, it notes that it retained in its deliberation n ° SAN-2020-012, that "the representatives of the companies declared that the company GIL" participates in the development and the supervision of the internal policies which guide the products and their design, the setting up of parameters, the determination of confidentiality rules and all the verifications carried out before the launch of the products, in application of the principle of “privacy by design”. ”103 Secondly, she recalls that 'she also pointed out that, "with regard to cookies in particular, the representatives stated [...] that" GIL applies, for example, shorter cookie retention periods "compared to other regions of the world and that it "limits the scope of processing related to the personalization of advertising in Europe compared to the rest of the world. For example, GIL does not use certain categories of data to carry out personalized advertising such as than the assumed household resources. The company GIL does not set up personalized advertising for children whom it assumes are minors within the meaning of the RGPD. "104. The restricted committee concluded that" the company GIL is, at least in part, responsible for the controlled processing consisting of operations to access or register information in the terminal of users residing in France when using the Google Search search engine. ”105 The restricted committee considers that no modification of the role of GIL does not appear to have taken place since this recent finding, which therefore remains valid. , accessible both via the "google.fr" and "youtube.com" sites, it is identically indicated that: "In the European Economic Area (EEA) and in Switzerland, Google services are provided to you by the company below with which you are concluding a c ontrat: Google Ireland Limited ". 106. Thus, the company GIL is, at least in part, responsible for processing consisting of operations to access or register information in the terminal of users residing in France when using the Google Search search engine and YouTube. 2. On the responsibility of GOOGLE LLC107. The companies dispute the rapporteur's analysis that the company GOOGLE LLC shares the responsibility for the processing operations in question with the company GIL.108. The restricted formation has already taken a position on this subject, in its deliberation n ° SAN-2020-012 of December 7, 2020.109. First, it noted that, during the hearing on July 22, 2020, the representatives of the companies had affirmed that the company GOOGLE LLC "designs and builds the technology of Google products and that with regard to the cookies deposited and read when using the Google Search search engine, there is no difference in technology between the cookies placed from the different versions of the search engine. Similarly, companies, in the information they offer to French users in the rules of use accessible from "google.fr", make no distinction in their presentation of the cookies used by the GOOGLE group when they indicate using "different types of cookies for products associated with advertisements and Google "" websites, which also includes the "youtube.com" site according to the restricted formation. 110. It notes that even today, there is no difference in the presentation of the cookies used by Google (information provided to French users from the "Technologies" tab, "how Google uses cookies", after clicking on the "terms of use" button, accessible both on "google.fr" and on "youtube.com"). The company "describes the types of cookies used by Google", specifying that "some or all of the cookies described below may be stored in your browser". The restricted committee also notes that the confidentiality rules accessible both from "google.fr" and from "youtube.com" confirm this point when it is indicated that "These confidentiality rules apply to all the services offered by Google LLC and its affiliates, including YouTube and Android, as well as services offered on third-party sites, such as advertising services. "111. Thus, in the information they provide to French users, the GOOGLE LLC and GIL companies still make no distinction in their presentation of the cookies used by the GOOGLE group. 112. Secondly, the restricted committee also noted, in its aforementioned deliberation, that "despite the undisputed participation of the company GIL in the various stages and bodies related to the definition of the methods of implementation of cookies placed on Google Search, the The matrix organization described by the companies […] has shown that the company GOOGLE LLC is also represented in the bodies adopting decisions relating to the deployment of products within the EEA and in Switzerland and to the processing of personal data of the users residing there and that it exercises a significant influence there "or that" the data protection officer appointed by the company GIL […] as well as its deputy DPOs are based in California as employees of the company GOOGLE LLC ". 113. Thirdly, the restricted committee considered that, "although by virtue of a formal reading of the subcontracting contract of December 11, 2018, the company GOOGLE LLC would act as a subcontractor of the company GIL in the processing of European user data collected via cookies, the real involvement of the company GOOGLE LLC in the processing in question goes far beyond that of a subcontractor who would simply carry out processing operations for the account of the company GIL and on its instructions only. "114. In view of the elements in the file, the restricted panel maintains that the company GOOGLE LLC plays a fundamental role in the entire decision-making process relating to the treatments in question. It also determines the means of processing given that, as mentioned above, it is it who designs and builds the technology for cookies placed on the terminals of European users. The restricted committee notes that, although it only ruled with regard to the Google Search search engine in its deliberation n ° SAN-2020-012 of 7 December 2020, it considers that the same reasoning is applicable, on the basis of these same elements, for YouTube, in particular insofar as, when the user clicks on "Confidentiality rules" and "terms of use" from "youtube.com", it is referred to the confidentiality rules and GOOGLE group terms of use. 115. It follows from all of the foregoing that the GOOGLE LLC and GIL companies jointly determine the purposes and means of processing consisting of operations to access or register information in the terminal of users residing in France during the use of the Google Search search engine and of YouTube G. On the breach of obligations regarding cookies 116. Under the terms of article 82 of the law "Informatique et Libertés", "any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed by the controller or his representative: 1 ° The purpose of any action aimed at accessing, by electronic transmission, information already stored in his terminal electronic communications equipment, or entering information in this equipment; 2 ° means at his disposal to oppose this access or registration can only take place if the subscriber or user has expressed, after receiving this information, his consent which may result from appropriate parameters of his device connection or any other device under its control. […] ". 117. The" ePrivacy "directive provides in its article 2, f), that the consent of a user or a subscriber corresponds to the consent of the data subject set out in directive 95/46 / EC, which has been replaced by the RGPD.118 Thus, since the entry into application of the RGPD, the "consent" provided for in the aforementioned article 82 must be understood within the meaning of article 4, paragraph 11 , of the GDPR, that is to say that it must be given in a free, specific, informed and unambiguous manner and be manifested by a clear positive act.119 In this regard, recital 42 of this Regulation provides that: “Consent should not be considered to have been freely given if the person concerned does not have a genuine freedom of choice or is not in a position to withhold or withdraw consent without suffering prejudice.” 120. the case, as part of the online control of June 1, 2021, the delegation noted that, in order to give its consent to the reading re and / or writing information in his terminal, the user going to the home page of the "google.fr" and "youtube.com" sites must only click on the "I accept" button of the pop-up window, which makes this window disappear and allows it to continue browsing. On the other hand, the user going to these same home pages and wishing to refuse cookies must click on the "Personalize" button of this first window, which gives him access, both on the "google.fr" sites. and "youtube.com", to an interface offering him to choose to activate or deactivate cookies, on which he has the possibility of performing various actions.121. The rapporteur notes, for clarification, that under his guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, adopted on 4 May 2020, the EDPS recalled that "the adjective "free" implies real choice and control for those concerned "(§13) .122. Likewise, in the context of its deliberation n ° 2020-092 of September 17, 2020 adopting a recommendation proposing practical modalities of compliance in the event of recourse to "cookies and other tracers", the Commission considered, taking into account the aforementioned applicable texts, that "the data controller must offer users both the possibility of accepting and refusing read and / or write operations with the same degree of simplicity" .123. On the basis of the findings made in the context of the online control, the rapporteur thus observes that, if the banner displayed on the "google.fr" and "youtube.com" sites contains a button allowing immediate acceptance of cookies, no Similar means are not offered to the user to be able to refuse, as easily, the deposit of these cookies. To refuse cookies, they must perform at least five actions (the first click on the "Customize" button, then click on each of the three buttons to select "Disabled" - each button corresponding to "personalization of the search", l '"YouTube history" and "ad personalization" - and finally a click on "Confirm"), for a single action to accept them. According to the rapporteur, such a mechanism does not therefore present the same facility as that allowing to express consent, in disregard of the legal requirements of freedom of consent, which imply not to encourage the Internet user to accept cookies rather than to refuse them. It therefore considers that making the mechanism for refusing cookies more complex than accepting them actually amounts to discouraging users from refusing cookies and encouraging them to use the facility of the "I accept" button. The rapporteur concludes that the methods of refusing cookies implemented by the companies GOOGLE LLC and GIL on the sites "google.fr" and "youtube.com" do not comply with the provisions of article 82 of the law " Informatique et Libertés "as informed by the reinforced requirements in terms of consent posed by the GDPR. 124. The companies consider that neither the “ePrivacy” directive, nor the GDPR, nor article 82 of the “Informatique et Libertés” law provide that the action of refusing cookies should be as simple as accepting them. They add that, for many years, the CNIL itself had not deduced this principle even though the regulations in question had remained unchanged since the entry into force of the GDPR. They note that the CNIL cannot, through its guidelines and recommendations, introduce new requirements relating to the refusal of consent and consider that it is up to each data controller to choose the most appropriate method of obtaining consent. In this, the companies consider that the mechanism for collecting consent set up on the "google.fr" and "youtube.com" sites already complies with the provisions of article 82 of the "Informatique et Libertés" law. ". The companies consider that the fact of not offering, at the first level of information, a button "refuse all" is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the "Customize" button. 125. In the first place, the restricted formation recalls that in application of article 8 I, 2 °, b) of the law "Informatique et Libertés", the CNIL "establishes and publishes guidelines, recommendations or standards intended to facilitate the compliance of the processing of personal data with the texts relating to the protection of personal data […] ".126. It is in this context that the CNIL took deliberation n ° 2019-093 of July 4, 2019 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to reading operations or writing in a user's terminal (in particular cookies and other tracers), which provided in article 2, "that it must be as easy to refuse or withdraw consent as to give it"; then decisions n ° 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read and / or write operations in the terminal of a user (in particular to "cookies and other tracers") and n ° 2020-092 adopting a recommendation proposing practical methods of compliance in the event of recourse to "cookies and other tracers". These instruments aim to interpret the applicable legislative provisions and to inform stakeholders on the implementation of concrete measures to ensure compliance with these provisions, so that they implement these measures or measures of equivalent effect. In this sense, it is specified in the guidelines that these "have as their main purpose to recall and clarify the law applicable to the operations of reading and / or writing of information […] in the terminal equipment. electronic communications of the subscriber or user, and in particular for the use of cookies ".127. As indicated above, the Commission considered, in the context of its recommendation of September 17, 2020, that "the data controller must offer users both the possibility of accepting and refusing read and / or read operations. writing with the same degree of simplicity. "128. As regards the possible methods of refusal, in this same recommendation, the Commission strongly recommended "that the mechanism for expressing a refusal to consent to read and / or write operations be accessible on the same screen and with the same facility as the mechanism allowing to express a consent. Indeed, it considers that the interfaces of collection of the consent which require a single click to consent to the tracing while several actions are necessary to "configure" a refusal to consent present, in in most cases, the risk of biasing the choice of the user, who wants to be able to view the site or use the application quickly.For example, at the stage of the first level of information, users may have the choice between two buttons presented at the same level and in the same format, on which are respectively written "accept all" and "refuse all", "authorize" and "prohibit", or "consent" e t "do not consent", or any equivalent and sufficiently clear wording. The Commission considers that this modality constitutes a simple and clear means of allowing the user to express his refusal as easily as his consent. "129 The restricted committee considers that the CNIL confined itself, in its recommendation mentioned above. above, to clarify the obligations provided for by French and European legislators, in particular by drawing all the consequences of the principle of freedom of consent as defined in Article 4, paragraph 11, of the GDPR, and by applying them to the assumptions of the acceptance and refusal by the user to deposit cookies on his terminal. Indeed, this principle of freedom of consent now implies that the user benefits from a "real freedom of choice", as underlined in recital 42 of the GDPR, and therefore that the modalities offered to him for manifesting this choice are not biased in favor of consent. As the EDPS recalled in his guidelines on consent, adopted on May 4, 2020, the adjective "free" implies real choice and control for those affected. 130. It thus appears that the CNIL in its recommendation did not create new obligations for the actors but confined itself to illustrating concretely how article 82 of the law should be applied.131. Second, the restricted committee notes that the CNIL's position on this point, according to which it must be as simple for users to refuse cookies as to consent to them, already appeared in article 2 of the guidelines of 4 July 2019 - repealed by those of September 17, 2020 - and that it was ratified by the Council of State. Indeed, seized of an appeal for excess of power brought against these first guidelines, the Council of State ruled, in its decision Association of communication consulting agencies, that "the CNIL which, by indicating that it had to "to be as easy to refuse or withdraw consent as to give it", has confined itself to characterizing the conditions of the user's refusal, without defining any particular technical modalities of expression of such a refusal, has marred its deliberation by any disregard of the applicable rules "(CE, June 19, 2020, n ° 434684, T., pt 15) .132. The restricted committee considers that this reading is all the more necessary in view of the conclusions of the public rapporteur on this judgment, which noted: "As indicated by the CNIL, the contested guidelines do not impose any technical modality for the collection of this refusal. They limit themselves to demanding, in a general way and rightly, that it is no more complicated to refuse than to accept "(EC, conclusions of the public rapporteur on judgment n ° 434684, p. 17) .133. Thirdly, the training notes that in this case, users residing in France going to the Google Search search engine and / or to YouTube must perform a single action to accept cookies, whereas they must do so. five to refuse them. It is therefore not as easy to refuse cookies as it is to accept them.134. However, several recent studies show that organizations that have set up a "refuse all" button on the first-level consent collection interface have seen the consent rate relating to the acceptance of cookies decrease. Thus, according to the "Privacy barometer - 2021 edition" published by the COMMANDERS ACT company, the computer consent rate rose from 70% to 55% in April-May 2021, since the collection of consent is explicit. Likewise, according to a 366-Kantar study, it appears that 41% of Internet users in France refused, systematically or partially, the deposit of cookies in June 2021. 135. The restricted party therefore considers that making the mechanism for refusing cookies more complex than that consisting in accepting them actually amounts to discouraging users from refusing cookies and encouraging them to favor the facility of the "Accept all" button. Indeed, an Internet user is generally led to consult many sites. Internet browsing is characterized by its speed and fluidity. The fact of having to click on "Personalize" and of having to understand the way in which the page allowing to refuse cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in the present case, the companies offer a choice between the acceptance or the refusal of cookies, but the modalities by which this refusal can be expressed, in the context of internet browsing, bias the 'expression of choice in favor of consent so as to impair freedom of choice.136. In view of the foregoing, the restricted committee considers that a breach of the provisions of article 82 of the law "Informatique et Libertés", interpreted in the light of the RGPD, is constituted, insofar as the companies do not put available to users located in France, on the "google.fr" and "youtube.com" websites, a means of refusing operations for reading and / or writing information in their terminal, which presents the same degree of simplicity than that intended to accept its use. III. On corrective measures and publicity137. Article 20, paragraph III, of the "Informatique et Libertés" law provides: "When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 cited above or of this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to '' a formal notice provided for in II, seize the restricted formation of the committee with a view to pronouncing, after adversarial proceedings, one or more of the following measures: […] 2 ° An injunction to bring the processing into conformity with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law or to meet the requests made by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, a fine the amount of which may not exceed 100,000 € per day of delay from the date set by the restricted group; […] 7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the turnover. total worldwide annual business for the previous fiscal year, whichever is greater. […] The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83 ".138. Article 83 of the GDPR, as referred to in article 20, paragraph III, of the "Informatique et Libertés" law, provides that "Each supervisory authority ensures that the administrative fines imposed by virtue of this article for violations of this regulation referred to in paragraphs 4, 5 and 6 are, in each cases, effective, proportionate and dissuasive ", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of this fine.A. On the imposition of fines administrative authorities and their amount.139 The companies argue that the amount of the fines proposed by the rapporteur is unpredictable, disproportionate and unjustified. They dispute the fact that, unlike other French or European administrative authorities, n having the power to sanction, the CNIL has not provided guidelines for calculating its fines. The companies also add that the rapporteur does not explain the distribution of the amount of the fine between GOOGLE LLC and GIL.140. In addition, the companies maintain that by refusing to engage in discussions with them, the rapporteur deprived them of the possibility of cooperating with the CNIL, and, therefore, of invoking the mitigating circumstance of article 83-2. f) of the GDPR to reduce the amount of the fine. 141. The restricted committee recalls, in general terms, that article 20, paragraph III, of the law "Informatique et Libertés" gives it competence to pronounce various sanctions, in particular administrative fines of which the maximum amount can be, in this case, equivalent to 2% of the total worldwide annual turnover for the previous financial year made by the data controller. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR. 142. The restricted party notes that the rapporteur is not required to specify how the fines she proposes to the restricted party are calculated. The Council of State has also ruled that the restricted formation was not subject to this obligation (CE, 10th / 9th, June 19, 2020, req. No. 430810). The restricted committee notes that the European courts share this position, since they have already ruled that "it is not incumbent on the Commission, under the obligation to state reasons, to indicate the quantified elements in its decision. relating to the method of calculating fines "(judgment of the Court of 16 November 2000, Stora Kopparbergs Bergslags v Commission, C ‑ 286/98 P, ECR I ‑ 9925, paragraph 66). The case-law only requires that the sanctioning panel show "in a clear and detailed manner the reasoning which it followed, thus enabling the applicant to know the elements of assessment taken into account in order to measure the seriousness of the offense for the purposes of of the calculation of the amount of the fine and for the General Court to exercise its control "(judgment of the Court of First Instance, Third Chamber, July 8, 2008, BPB plc v Commission of the European Communities, judgment ECLI: EU: T: 2008: 254 , paragraph 337, case law 008 II-01333). This position is justified, on the one hand, by the fact that "fines constitute an instrument of the policy" of an institution "which must be able to enjoy a margin of appreciation in fixing their amount in order to guide the behavior of undertakings in the sense of compliance with the rules "and, on the other hand, because" it is important to prevent fines from being easily foreseeable by economic operators. Indeed, if the Commission had the obligation to indicate in its decision the figures relating to the method of calculating the amount of the fines, the deterrent effect thereof would be undermined. If the amount of the fine were the result of a calculation obeying a simple arithmetic formula, companies would have the possibility of foreseeing the possible sanction and of comparing it with the profits which they would derive from the infringement of the rules of law ".143. Firstly, the restricted panel emphasizes that it is appropriate, in this case, to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach, taking into account the nature and scope of the processing and the number of people concerned by it. 144. The restricted committee notes that, if the companies GIL and GOOGLE LLC have refused to communicate the volume of the number of unique visitors from the “google.fr” and “youtube.com” sites over the past twelve months from France, it The figures available on the internet show that in June 2020, Google had more than 51 million unique visitors residing in France per month and YouTube more than 46 million (press release of August 24, 2020 published on the Médiamétrie website). The number of people affected by the treatments in question is therefore extremely large for the French population. 145. As the restricted formation recalled in its deliberation n ° SAN-2020-012 of December 7, 2020, the Competition Authority noted that, on the French market for online search-related advertising, Google has a a dominant position which in many respects exhibits "extraordinary" characteristics. Its search engine now accounts for more than 90% of searches carried out in France and its market share in the online search advertising market is probably over 90% (ADLC, Dec. 19, 2019, Dec. N ° 19-D-26). The Google Search search engine therefore has considerable reach in France. 146. Secondly, the restricted panel considers that it is appropriate to apply the criterion provided for in subparagraph b) of Article 83 paragraph 2 of the GDPR, relating to the fact that the violation was committed deliberately. 147. The restricted committee recalls that the companies were the object of a recent sanction relating to breaches of article 82 of the law "Informatique et Libertés" concerning the information and the collection of the consent of the persons before the deposit of cookies on their terminal. If this sanction is not final since it is the subject of an appeal before the Council of State, the restricted formation notes however that the attention of the companies had been explicitly drawn by the services of the CNIL on the modalities refusal of cookies. As part of the follow-up to the injunction pronounced by the restricted formation, the companies, on December 18, 2020, through their advisers, sent the CNIL a document in which they presented the changes that GOOGLE intended to deploy on the "google.fr" web page to respond to the injunction pronounced. On February 17, 2021, the Secretary General of the CNIL sent GOOGLE LLC and GIL a response constituting assistance for the companies in order to comply. Said letter went "beyond the scope of the injunction" and also referred to "the terms of refusal of cookies". The secretary general of the CNIL reminded companies that it must be as easy to give consent as to refuse to give or withdraw it and indicated that it would be up to them to insert an "I refuse" button next to the button "I accept", while specifying that they could "of course change the titles of these buttons as long as they allow the user to clearly and directly understand the consequences of his choices". It was also specified that: "If different ways of respecting the legal requirements are possible, it appears to me that the proposal appearing in your mail, where only one button" I accept "and a button" Configure "appear, which you have to click to then understand how it is possible to refuse cookies, does not comply with the legal requirements of freedom of consent ". The secretary general of the CNIL had therefore indicated to the companies, as early as February 2021, the actions expected with a view to bringing them into conformity at the end of the adaptation period left by the CNIL to the players and which ended on April 1, 2021.148. In addition, the restricted training recalls the more general context in which the GOOGLE LLC and GIL companies have chosen not to offer their users, on the "google.fr" and "youtube.com" sites, the ability to easily refuse them. Cookies. Indeed, the CNIL has implemented a compliance plan on the issue of cookies spread over several years and has communicated publicly on its website, on several occasions, on the fact that it must be so easy for the Internet user to refuse cookies than to accept them, in particular on October 1, 2020 on the occasion of the publication of the aforementioned guidelines and recommendation of September 17, 2020. The adaptation period left to the actors ended on April 1, 2021. Hundreds of thousands of actors, from the smallest to the largest sites, have complied and have introduced a button on their consent collection interface " refuse "or" continue without accepting ". 149. In this context, the restricted party considers that the fact that the companies GOOGLE LLC and GIL, appearing among the major and unavoidable global players of the internet and managing some of the most visited sites, refuse to set up an easy refusal system cookies at the very moment when they were the subject of an injunction follow-up procedure clearly alerting them on the same subject, reveals a marked desire of these companies not to modify their practices. It considers that the companies have intended not to bring into conformity the processing consisting of operations of access or registration of information in the terminal of users residing in France when using the sites "google.fr" and " youtube.com ", nor use the recommendations of the CNIL to do so. 150. Third, the restricted party considers that companies cannot claim exemplary cooperation with the CNIL, even though they have never communicated the volume of the number of unique daily visitors to the "google.fr" and "youtube.com" over the past twelve months from France, elements however requested by the CNIL control delegation. The restricted committee notes that it appears from article 18 of the law "Informatique et Libertés" that the data controllers "cannot oppose the action of the Commission" and that they must take "all useful measures in order to facilitate its task ". Cooperation with the supervisory authority is thus first of all an obligation provided for by law. Thus, the obligation to cooperate is far from being fully satisfied in the present case, so that there is no need to apply a mitigating circumstance under subparagraph (f) of paragraph 2 of the 'article 83 of the GDPR. 151. Fourth, the Panel considers that it is appropriate to apply the test provided for in subparagraph k) of Article 83, paragraph 2, of the Regulations on financial advantages obtained as a result of the breach. 152. In this regard, the restricted committee notes that the reading and writing operations, allowing the collection of user data for the purposes of targeted advertising via the “google.fr” and “youtube.com” sites, allow companies to obtain a considerable financial benefit. While it admits that all of the companies' revenues are not directly linked to cookies, the restricted party stresses that online advertising is based essentially on targeting Internet users, in which the cookie directly participates by making it possible to identify and reach the target. 'identified user with a view to displaying advertising content corresponding to their areas of interest and profile. 153. It recalls that, as it noted in its deliberation n ° SAN-2020-012 of 7 December 2020 mentioned above, the GOOGLE group realizes most of its profits in the two main segments of the online advertising market that constitute Display Advertising and Contextual Advertising (Search Advertising), in which cookies play an undeniable, albeit different, role. 154. First, in the display advertising segment, the object of which is to display content in a specific area of a website and in which cookies and trackers are used to identify users during their navigation, in order to offer them the most personalized content, it is established that the GOOGLE group offers products at all levels of the value chain in this segment and that its products are systematically dominant on these different levels. In this regard, the GOOGLE group indicates, on one of its websites, that it offers for advertising an ecosystem accessible from its tools and services capable of reaching more than 2 million sites, videos and applications and more than 90 % of Internet users worldwide 155. Then, the segment of contextual advertising, the object of which is to display sponsored results based on the keywords typed by users in a search engine, also requires the use of cookies in its practical implementation, for example example to be able to determine the geographical location of users and, thereby, adapt the advertisements offered according to this location. In this regard, it emerges from the annual report of the company ALPHABET for the year 2019 that this segment alone, through in particular the Google Ads service - formerly AdWords -, 61% of the turnover of the GOOGLE group. 156 . If, within the framework of the procedure which gave rise to the aforementioned deliberation, the restricted committee was not aware of the amount of profit derived by the GOOGLE group from the collection and use of cookies on the French market via income generated by advertising targeted at French Internet users, she noted "that a proportional approximation based on publicly available figures would lead to an estimate that France would contribute between 680 and 755 million dollars to the annual net income of ALPHABET, the parent company of the GOOGLE group, that is, at the current exchange rate, between 580 and 640 million euros. "157. In addition, the restricted formation again underlines that it emerges from the studies mentioned above that the companies which have set up a "refuse all" button on the interface for collecting consent have seen the rate of consent relating to the 'acceptance of cookies decrease. Indeed, when a button appearing at the first level allows them to refuse cookies, a large part of Internet users completely or partially refuse cookies and other tracers, which necessarily has an impact in terms of income related to online advertising. . These elements therefore confirm the undeniable financial advantage derived from the breach committed by the companies GOOGLE LLC and GIL by not setting up a mechanism for refusing consent as easy as that of accepting cookies. 158. Lastly, the restricted committee reminds that in application of the provisions of article 20 paragraph III of the law "Informatique et Libertés", the companies GOOGLE LLC and GIL incur a financial penalty of a maximum amount of 2% of their turnover, which was respectively […] dollars in 2020 for GOOGLE LLC and more than […] euros in 2019 for GIL.159. In its deliberation n ° SAN-2020-012 of December 7, 2020, the restricted committee demonstrated the greater involvement of the company GOOGLE LLC in determining the purposes and means of cookies used on the "google.fr" site. compared to the company GIL. Indeed, it is the company GOOGLE LLC that designs and builds the technology of GOOGLE products. In addition, GOOGLE LLC exercises significant influence in the bodies deciding on the deployment of GOOGLE products in Europe and the processing of personal data of European users. 160. The restricted party emphasizes that due to the massive use of the Google Search search engine and of YouTube in France, the number of people affected by the alleged infringement is considerable. It also notes the considerable profits derived by companies, through advertising revenues indirectly generated by the data collected by these cookies. 161. Therefore, having regard to the respective responsibilities of the companies, their financial capacities and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted committee considers that a fine of 90 million euros to the against the company GOOGLE LLC and a fine of 60 million euros against the company GIL appear justified. On the issuance of an injunction 162. The companies argue that the rapporteur's request for an injunction is unnecessary, considering that there was no need to initiate sanction proceedings.163. They also dispute the amount of the daily penalty payment proposed in addition to the injunction since the rapporteur does not demonstrate the need for this penalty or the proportionality of its amount, which is the maximum amount provided for by the law "Informatique et Libertés" .164. Finally, they dispute the deadline proposed by the rapporteur after which the penalty payment could be liquidated, considering that the modification of the mechanism for obtaining consent requires complex and substantial computer programming work. They indicate that GIL would need at least six months to comply with the terms of the injunction. 165. In the first place, the restricted committee notes that in the current state of the cookies banner on the “google.fr” and “youtube.com” sites, users still do not have a means of refusing the operations of reading and / or writing information in their terminal having the same degree of simplicity as that provided to accept its use. It therefore considers it necessary to issue an injunction in order for companies to comply with the applicable obligations in this area.166. Secondly, the restricted committee recalls that in order to keep its comminatory function on call, its amount must be both proportional to the seriousness of the breaches committed but also adapted to the financial capacities of the data controller. It notes, moreover, that in determining this amount, account must also be taken of the fact that the breach concerned by the injunction indirectly contributes to the profits generated by the controller.167. Third, with regard to the time that would be necessary to execute the injunction, the restricted panel takes note of the arguments put forward by the companies while taking into account the technical and human resources at their disposal.168. In view of these elements, the restricted committee considers as justified the pronouncement of an injunction accompanied by a fine in the amount of 100,000 euros per day of delay and which can be liquidated at the end of a period of three months. . On advertising169. The restricted committee considers that the publicity of this decision is justified in view of the number of people concerned and the seriousness of the breach. 170. The restricted formation notes that this measure will make it possible to alert the users residing in France of the sites "google.fr" and "youtube.com" of the characterization of the violation of article 82 of the law "Informatique et Libertés" and to them inform of the persistence of the breach on the date of this deliberation and of the injunction issued against the companies to remedy it. 171. Finally, the measure is not disproportionate since the decision will no longer identify the companies by name after the expiration of a period of two years from its publication. deliberated, decides to: • pronounce against the company GOOGLE LLC an administrative fine in the amount of 90,000,000 euros (ninety million euros) for breach of article 82 of the law " Informatique et Libertés ", • pronounce against the company GOOGLE IRELAND LIMITED an administrative fine in the amount of 60,000,000 euros (sixty million euros) for breach of article 82 of the law" Informatique et Libertés , • issue against the companies GOOGLE LLC and GOOGLE IRELAND LIMITED an injunction to modify, on the “google.fr” and “youtube.com” websites, the methods of obtaining the consent of users located in France to the operations of reading and / or writing of information in their end al, by offering them a means of refusing these transactions, which is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent; • attach a fine of 100,000 euros (one hundred thousand euros) to the injunction by day of delay at the end of a period of three months following the notification of this deliberation, the proof of compliance must be sent to the restricted body within this period; • send this decision to the company GOOGLE FRANCE in view of its execution; • make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the companies by name after the expiration of a period of two years from its publication. President Alexandre Linden This decision may be appealed against to the Council of State within four months of its notification.
/ * <! [CDATA [* /
// Creation of a tag with sending in secure mode.
var tag = tagAtinternet;
// Marking the page with its level 2.
tag.page.set ({
level2: '54 '
});
// Send the hit.
tag.dispatch ();
/ *]]> * /
Return to the top of the page The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, Mrs. Anne DEBET and Mr. Alain DRU, members; Seen Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data; Having regard to Directive 2002/58 / EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector; Considering Law No. 78-17 of January 6, 1978 relating to computers, files and freedoms, in particular its articles 20 and following; Considering the decree no 2019-536 of May 29, 2019 taken for the application of the law no 78-17 of January 6, 1978 relating to data processing, files and freedoms; Having regard to deliberation no 2013 -1 75 of 4 July 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms; Having regard to decision no 2021-108C of 20 May 2021 of the President of the National Commission for Informatics and Freedoms to entrust the secretary general to carry out or have carried out a verification mission for the processing accessible from the "google.fr" and "youtube.com" domains or relating to personal data collected from them; Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted party, dated July 28, 2021; Having regard to the report by Madame Valérie PEUGEOT, rapporteur commissioner, notified to the companies GOOGLE LLC and GOOGLE IRELAND LIMITED September 2, 2021; Having regard to the written observations submitted by the boards of the companies GOOGLE LLC and GOOGLE IRELAND LIMITED on October 8, 2021; Having regard to the rapporteur's response to these observations notified on October 22, 2021 to the boards of companies; Having regard to the written observations made by the boards of the companies GOOGLE LLC and GOOGLE IRELAND LIMITED received on November 12, 2021; Having regard to the oral observations made during the restricted training session; Having regard to the others documents from the file The following were present during the restricted training session of November 25, 2021: - Ms. Valérie PEUGEOT, auditor, heard in her report; As representatives of GOOGLE LLC and GOOGLE IRELAND LIMITED: - […]; As interpreters for the companies GOOGLE LLC and GOOGLE IRELAND LIMITED: - […]; The companies GOOGLE LLC and GOOGLE IRELAND LIMITED having spoken last; The restricted committee adopted the following decision: I. Facts and procedure 1. GOOGLE LLC is a limited liability company headquartered in the United States. Since its creation in 1998, it has developed many services for individuals and businesses, such as the Google Search search engine, Gmail email, the Google Maps mapping service and even the YouTube video platform. It has more than 70 offices located in around 50 countries and employs more than 135,000 people around the world. Since August 2015, GOOGLE LLC has been a 100% -owned subsidiary of ALPHABET Inc., parent company of the GOOGLE group. 2. In 2020, ALPHABET Inc. had sales of over $ 182 billion, while GOOGLE LLC had sales of $ […]. The Google Search search engine generated more than $ 104 billion in revenue, while advertising through GOOGLE group services generated nearly $ 147 billion in revenue and, through YouTube's services, nearly $ 20 billion. billion. 3. GOOGLE IRELAND LIMITED (hereinafter "GIL") presents itself as the headquarters of the GOOGLE group for its activities in the European Economic Area and in Switzerland. Based in Dublin (Ireland), it employs approximately […] people. It achieved a turnover of […] euros in 2019.4. GOOGLE FRANCE SARL is the French establishment of the GOOGLE group. Subsidiary 100% owned by GOOGLE LLC, its head office is located in Paris. It employs approximately […] people and achieved a turnover of […] euros in 2019.5. On March 16, 2020, within the framework of a previous procedure initiated against the companies GOOGLE LLC and GIL, a delegation of the National Commission for Informatics and Freedoms (hereinafter "the CNIL" or "the Commission ") carried out an online check on the" google.fr "website. The main purpose of this mission was to verify compliance by the companies GOOGLE LLC and GIL with the provisions of Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files and freedoms (hereinafter " the Data Protection Act ") and in particular its article 82.6. Pursuant to article 22 of the "Informatique et Libertés" law, the president of the CNIL appointed a rapporteur on June 8, 2020. By deliberation n ° SAN-2020-012 of December 7, 2020, the restricted committee: - pronounced against the company GOOGLE LLC and GIL administrative fines in the respective amount of 60 million and 40 million euros for breach of article 82 of the law "Informatique et Libertés"; - pronounced against the companies GOOGLE LLC and GIL "an injunction to bring the processing into conformity with the obligations resulting from article 82 of the law" data processing and freedoms ", in particular: o inform the persons concerned in advance and in a clear and complete manner, for example on the information banner on the home page of the" google.fr "site: - of the purposes of all cookies subject to consent, - the means at their disposal to refuse them "; - accompanied by the injunction of a fine of 100,000 euros per day of delay at the end of a period of three months following the notification of the present deliberation; - made public, on the website of the CNIL and on the Légifrance website, its deliberation, which will no longer identify the companies by name after the expiration of a period of two years from its publication. 8. On January 29, 2021, the companies filed a summary appeal with the State Council, requesting the suspension of the injunction. This request was rejected by a decision of March 4, 2021 (CE, summary judge, March 4, 2021, N ° 449212). 9. At the same time, the companies have filed a full legal action against the deliberation of December 7, 2020. The proceedings are still pending before the Council of State. By deliberation n ° SAN-2021-004 of April 30, 2021, the restricted formation considered that the companies had satisfied the injunction within the time limit, insofar as "the people going on the site" google.fr " are now informed, in a clear and complete manner, of all the purposes of cookies subject to consent and of the means made available to them to refuse them, through the information banner displayed on their arrival on the site ".11 . On March 18, March 31, April 2 and April 28, 2021, the CNIL received several complaints denouncing the terms of refusal of cookies from the "google.fr" and "youtube.com" websites made available to users located in France. 12. In application of the decision n ° 2021-108C of May 20, 2021 of the President of the Commission, the services of the CNIL carried out an online check, on June 1, 2021, on the websites "google.fr" and " youtube.com ". 13. The main purpose of this mission was to verify compliance by the companies GOOGLE LLC and GIL (hereinafter the “companies”) with the provisions of the “Data Protection Act” .14. As part of the online check, the delegation made observations when the user went to the "google.fr" and "youtube.com" sites; when he clicks on the "Customize" button; when clicking on the "Privacy Policy" link and when clicking on "Terms of Service". 15. On June 3, 2021, the delegation notified the companies of the report drawn up as part of the online control, asking them to indicate, for each of the cookies mentioned in the said report, its purpose and to provide a volume of the number of daily unique visitors to the "google.fr" and "youtube.com" sites over the last twelve months from France.16. On June 21 and July 9, 2021, the CNIL received two new complaints denouncing the methods of refusing cookies from the "google.fr" website. 17. By letter of July 9, 2021, the company GIL responded to the delegation's request, indicating to provide a response "without prejudice to [its] rights under the GDPR, in particular the one-stop-shop mechanism and the role of chief authority lead by the Irish Data Protection Commission (“DPC”) in investigations ”. It clarified that it acts as the person responsible for processing personal data with regard to cookies deployed on the "google.fr" and "youtube.com" domains for users located within the European economic area and in Switzerland. . It also transmitted the purpose of each of the cookies placed on the users' terminal and identified in the report of findings. However, it refused to provide the volume of the number of unique visitors to these two websites over the last twelve months from France, considering that it was not necessary to provide this information at this stage. For the purposes of examining these elements, the President of the Commission appointed Ms. Valérie PEUGEOT as rapporteur, on July 28, 2021, on the basis of Article 22 of the "Data Protection Act" .19. At the end of her investigation, on September 2, 2021, the rapporteur had the company councils and by e-mail sent to their representatives, a report detailing the breach of article 82 of the "Data processing and information technology" law. Freedoms "which it considered constituted in the present case.20. This report proposed to the restricted formation of the Commission to pronounce an administrative fine against the two companies, as well as an injunction to bring into conformity the processing consisting of operations of reading and / or writing of information in the terminal of users located in France, on the “google.fr” and “youtube.com” websites, with the provisions of article 82 of the “Informatique et Libertés” law, accompanied by a penalty payment. He also proposed that this decision be made public and no longer allow companies to be identified by name after a period of two years from its publication. By letter of September 9, 2021, the companies, through their counsel, requested additional time to provide their comments in response. By letter of September 15, 2021, the president of the restricted party granted them additional time until October 8, 2021. By letter of September 27, 2021 addressed to the president of the restricted formation, the companies, through their advisers, requested the suspension of the procedure pending the decision of the Council of State in the context of the appeal. against deliberation n ° SAN-2020-012 of December 7, 2020. On September 30, 2021, the company councils informed the president of the restricted formation of the creation of a working group by the European Data Protection Committee (hereinafter "the EDPS"), intended to coordinate the response to complaints relating to cookie banners, filed by the None of Your Business association (hereinafter "the NOYB association") with various data protection authorities European. 23. By letter of October 4, 2021, the president of the restricted formation rejected the request for suspension of the procedure made by the companies. 24. On October 8, 2021, the companies filed submissions in response to the sanction report. 25. The rapporteur responded to the companies' comments on 22 October 2021. 26. On October 27, 2021, through their advisers, the companies submitted a request for an extension of the fifteen-day period provided for by article 40 of decree n ° 2019-536 of May 29, 2019 to produce their observations in response. , a request to postpone the session of the restricted formation set for November 25, 2021 and a request that the session be held in camera. 27. On October 29, 2021, the president of the restricted formation granted an additional eight days to the companies to produce their second observations and refused to postpone the date of the meeting of the restricted formation and to hold the said meeting in camera. 28. On 12 November 2021, the companies produced new observations in response to those of the rapporteur. The companies and the rapporteur presented oral observations during the session of the restricted formation. II. Reasons for the decision A. On the request for a stay of proceedings 30. The companies request that the restricted committee stay the decision pending the decision that will be rendered by the Council of State in the context of the appeal filed against deliberation n ° SAN-2020-012 of December 7, 2020. and pending the conclusions of the new EDPS working group mentioned above. They base their request on Article 66 of the CNIL's internal regulations and on the principle of the proper administration of justice. The companies argue in particular that they are asking the Council of State to rule on several means that will have direct and decisive consequences on the present sanctioning procedure. They maintain in particular before the Council of State that the CNIL was not competent to pronounce administrative sanctions against them, whereas in addition the legal framework applicable in the matter of cookies was not yet consolidated and that the sanctions pronounced are manifestly unjustified and disproportionate. 31. First, the restricted formation observes that article 66 of the internal regulations of the CNIL provides that "The sessions of the restricted formation are chaired by its president or, in the event of impediment, by its vice-president. The meeting directs the debates and ensures the police of the meeting. It can order any suspension that it deems useful ". The suspension mentioned in the context of this article does not concern the suspension of the sanctioning procedure, but relates to the suspension of the session of the restricted formation. 32. Second, the companies have already made these same arguments to the president of the restricted party in their letter of September 27, 2021, who refused to grant the request for suspension by letter of October 4, considering that the decision it is up to the President of the Commission to initiate a sanction procedure and that it is not within the powers of the President of the restricted formation to order its suspension. The president of the restricted formation also recalled in this letter that in application of article L. 4 of the code of administrative justice, the request for annulment formed against the deliberation of the restricted formation of December 7, 2020 before the Council of State has no suspensive effect and, moreover, the date on which this court will examine this file was not known. Finally, he added that the creation of a working group within the EDPS was not likely, in any event, to justify a suspension of the sanction procedure.33. Third, the decision of the Council of State may not be taken for several months. 34. Lastly, with regard to the creation of the working group by the EDPS concerning cookie banners, the restricted committee notes that the outcome of this work is not known to date. The restricted committee therefore considers that there is no need to stay the proceedings. The complaint alleging violation of the principle non bis in idem 36. The companies maintain that the restricted formation cannot rule again on the same facts as those concerned by deliberations n ° SAN-2020-012 of December 7, 2020 and n ° SAN-2021-004 of April 30, 2021, without violating the principle non bis in idem. They claim that the parties concerned by this procedure and the previous aforementioned deliberations are identical, that the two procedures concern the same facts and that a final decision, deliberation n ° SAN-2021-004 of April 30, 2021, has been taken. 37. In the first place, the restricted formation notes that, in its deliberation n ° SAN-2020-012 of December 7, 2020, it retained a breach of article 82 of the law "Informatique et Libertés" given the lack of information people, the failure to collect consent from people before cookies are placed on their terminal and the partially defective nature of the "opposition" mechanism put in place by Google. It also pronounced against them an injunction "to bring the processing into conformity with the obligations resulting from article 82 of the law" Informatique et Libertés ", in particular: o Inform the persons concerned in advance and in a clear and complete manner , for example on the information banner on the home page of the "google.fr" site: - the purposes of all cookies subject to consent, - the means at their disposal to refuse them ". 38. The restricted committee thus notes that the first procedure leading to the aforementioned deliberation included an injunction relating to the information of users on the purposes of cookies subject to consent and on the means of refusing cookies. The current procedure focuses on the terms of refusal themselves, not just information. Thus, the two procedures do not concern the same facts. 39. Secondly, the companies argue that, under the terms of deliberation n ° SAN-2020-012 of December 7, 2020, the restricted formation ordered them to comply with article 82 of the law "Informatique et Libertés" in all its provisions and to provide, in particular, but not exclusively by virtue of the use of the terms "in particular", information on the purposes of cookies and on the means to oppose them. They add that, by deliberation n ° SAN-2021-004 of April 30, 2021, the restricted formation would have decided that the mechanism of consent and rejection of cookies, in its entirety, complied with article 82 of the law " Informatique et Libertés "and that the companies would have satisfied the injunction within the time limit. 40. The Restricted Committee does not subscribe to this analysis. The sanction report from the previous proceedings only dealt with the information put in place by the companies on the cookie banner, the deposit of cookies without consent and the partial failure of the "opposition" mechanism. There is therefore no doubt that the restricted panel was unable to rule on what was not before it in the adversarial proceedings. Thus, if the words "in particular" can lead to confusion, when the formula is taken in isolation, the restricted panel recalls that this injunction cannot be read in a decorrelated manner from the whole of the corresponding decision. However, in the context of this previous procedure, the restricted panel only ruled on the aforementioned perimeter and the injunction was only issued in connection with the information of individuals. The methods of refusing read and / or write operations, which are the subject of this sanctioning procedure, did not fall within the scope of this injunction. As deliberation n ° SAN-2021-004 of April 30, 2021 must necessarily be read in the light of deliberation n ° SAN-2020-012 of December 7, 2020, it cannot be considered that the injunction pronounced concerned the whole obligations resulting from article 82 of the law "Informatique et Libertés" .41. In this regard, the restricted committee notes that, in two letters of February 17, 2021 addressed to companies, the secretary general of the CNIL recalled that, as emerges from the reasons and the mechanism of deliberation n ° SAN-2020-012 of the December 7, 2020, the expected compliance in the context of the injunction procedure only concerned the information provided to people on the home page of the "google.fr" site. It was also indicated that, as regards the obligation to inform the persons concerned in a clear and complete manner of the means made available to them to refuse cookies, "this question is difficult to separate from the question of the methods of refusal on the first level, by a refuse button or an equivalent solution, which is not in the scope of the injunction ". From a support perspective - and in view of the changes expected under the entry into force of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter "the Regulation" or "the RGPD "), enlightened by the recommendation of September 17, 2020, and for which an adaptation period had been left by the CNIL to the actors until April 1, 2021 - the letter included an analysis exceeding the scope of the injunction pronounced by the restricted training, which focused on the elements provided by the companies in response to the injunction, elements which themselves went beyond the perimeter of the deliberation mechanism. In this context, companies were reminded that it must be as easy to give consent as to refuse to give or withdraw it and they were told that it would be up to them to insert a "I refuse" button next to the "I accept" button, while specifying that they could "of course change the titles of these buttons as long as they allow the user to clearly and directly understand the consequences of his choices ". If this letter does not have any imperative value, the restricted formation notes that under a letter that GIL addressed to the president of the restricted formation on March 30, 2021, the company had replied: "we share the analysis of the services of the CNIL according to which Google's consent mechanism does not fall within the scope of the injunction pronounced by the restricted committee in its deliberation of December 7, 2020 ".42. Therefore, companies cannot assert that the restricted committee validated the new cookie banner set up by them following the first sanction procedure, even though they themselves were fully aware that the consent mechanism and rejection of cookies, in its entirety, was not the subject of this previous procedure and that the CNIL has reminded on various occasions that it did not rule on this point in the context of the previous procedure. The restricted committee notes in fact that, in its press release relating to the closure of the injunction of May 4, 2021, the CNIL had also taken care to specify that: "Seizure before the end of the adaptation period left to the actors by the CNIL, the restricted committee did not examine the compliance of the information banner provided on the "google.fr" site with the new rules on cookies, relating in particular to consent, which are informed by the guidelines and the recommendation of September 17, 2020. This closing decision therefore does not prejudge the analysis of the CNIL as to the compliance of google.fr with these requirements, according to which the user must now be able to refuse cookies as easily that it can accept them. The CNIL now reserves the right to control these methods of refusal and, if necessary, to mobilize its entire chain of repression ".44. Lastly, the restricted committee noted that the present procedure targets both the “google.fr” and “youtube.com” websites, while the previous procedure only concerned the “google.fr” site .45. The restricted committee therefore considers that the complaint alleging the violation of the principle non bis in idem must be rejected. On the competence of the CNIL 1. On the material competence of the CNIL and the non-application of the "one-stop-shop" mechanism provided for by the RGPD46. The processing operations subject to due diligence on June 1, 2021 by a CNIL delegation are carried out within the framework of the provision of electronic communications services accessible to the public through a public electronic communications network offered within the Union. European. As such, they fall within the material scope of the "ePrivacy" Directive. 47. Article 5 (3) of that directive, relating to the storage of or access to information already stored in the terminal equipment of a subscriber or user, has been transposed into domestic law in Article 82 of the "Informatique et Libertés" law, within chapter IV of the law relating to the rights and obligations specific to processing in the electronic communications sector. 48. Under the terms of article 16 of the "Informatique et Libertés" law, "the restricted formation takes measures and pronounces sanctions against data controllers or subcontractors who do not comply with the obligations arising from […] of this law ". Under Article 20, paragraph III, of this same law, "when the data controller or his subcontractor does not comply with the obligations resulting from [...] this law, the president of the National Commission for data processing and freedoms […] can apply for the restricted training ”.49. The rapporteur considers that the CNIL is materially competent in application of these provisions to control and sanction the operations of access or registration of information implemented by the companies in the terminals of users of the "google.fr" and "sites". youtube.com "in France.50. The companies contest the jurisdiction of the CNIL and believe that they should be subject to the procedural framework provided for by the GDPR, that is to say the cooperation mechanism between the supervisory authorities, known as the "one-stop-shop" mechanism, provided for in Chapter VII of the Regulations. In application of this mechanism, the supervisory authority competent to hear the facts in question would not be the CNIL but the Irish data protection authority, the Data Protection Commission (hereinafter the "DPC"), which should act as the lead authority with regard to the deployment of cookies, depending on the companies, this authority is competent under both the GDPR and the "ePrivacy" directive .51. To this support, companies invoke in particular the inextricable link between the RGPD and the "ePrivacy" directive, considering that the application of the RGPD cannot be excluded when article 82 of the "Data Protection Act" applies. They also invoke the principle of lex specialis - lex generalis under which, according to them, the "ePrivacy" directive specifies and supplements the GDPR. Companies consider that the absence of specific rules relating to the determination of the competence of the supervisory authority in the event of cross-border processing falling within the scope of the "ePrivacy" directive should be supplemented by the application of the framework. procedural provided for by the GDPR. They argue that the application of the "one-stop-shop" mechanism is not only in line with the intention of the European legislator, but also with the interpretation of the EDPS, and furthermore corresponds to the position taken by several European authorities. They point out in this regard that the power left to the Member States as regards the choice of the national authority responsible for ensuring compliance with the "ePrivacy" directive does not preclude the application of the "one-stop-shop" mechanism provided for by the GDPR. , insofar as cooperation agreements between these authorities have been concluded in several Member States so that the data protection authorities and the authorities responsible for the application of the "ePrivacy" Directive, in the case of different authorities, can jointly exercise enforcement powers on a matter falling within the scope of the GDPR and the "ePrivacy" directive and thus participate in the one-stop-shop mechanism. 52. The companies also add that the EDPS 'announcement of September 27, 2021 relating to the creation of a working group on cookie banners in response to the large number of complaints recently lodged with the supervisory authorities by the NOYB association constitutes a evidence that the EDPS considers cookie-related breaches to fall directly within the scope of the GDPR and, therefore, of the 'one-stop-shop' mechanism .53. As a preliminary point, the restricted committee underlines the distinction that should be made between, on the one hand, the operations consisting in depositing and reading a cookie on a user's terminal and, on the other hand, the subsequent use made of the data generated by these cookies, for example for profiling purposes, generally referred to as "subsequent processing" (also known as "subsequent"). Each of these two successive stages is subject to a different legal regime: while the read and write operations in a terminal are governed by special rules, fixed by the "ePrivacy" directive - in this case, by its article 5 paragraph 3 -, and transposed into national law, "subsequent processing" is governed by the GDPR and, as such, may be subject to the "one-stop-shop" mechanism in the event that it is cross-border.54 . In the present case, the restricted committee recalls that the present procedure only concerns the reading and writing operations implemented in the terminal of the user located in France going to the Google Search and YouTube search engine, the material findings made by the delegation during the online check of June 1, 2021, which focused only on these operations, without considering the subsequent processing carried out from the data collected via these cookies. 55. First of all, the restricted committee notes that it emerges from the provisions cited above that the French legislator has instructed the CNIL to ensure compliance with the provisions of the "ePrivacy" directive transposed to article 82 of the law " Informatique et Libertés ", in particular by giving it the power to sanction any disregard of this article. It underlines that this competence was recognized in particular by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the deliberation of the CNIL no 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read or write operations in a user's terminal. The Council of State has indeed noted that "article 20 of this law gives [to the] president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from the (EU) 2016 regulation / 279 or its own provisions, as well as the possibility of applying to the restricted committee with a view to the pronouncement of sanctions which may be pronounced "(CE, June 19, 2020, req. 434684, pt. 3) .56. Secondly, the restricted committee considers that when a processing operation can fall both within the material scope of the "ePrivacy" directive and the material scope of the GDPR, it is appropriate to refer to the relevant provisions of the two texts which provide for their articulation. Thus, Article 1, paragraph 2, of the "ePrivacy" directive provides that "the provisions of this directive specify and supplement Directive 95/46 / EC" of the European Parliament and of the Council of 24 October 1995 on the protection of personal data (hereinafter "Directive 95/46 / EC on the protection of personal data"), it being recalled that since the entry into application of the Regulation, the references made to this last directive must be understood as made to the RGPD , in accordance with article 94 thereof. Likewise, it is apparent from recital 173 of the GDPR that this text explicitly provides that it does not apply to the processing of personal data "subject to specific obligations having the same objective [of protecting fundamental rights and freedoms] set out in the directive. 2002/58 / EC of the European Parliament and of the Council, including the obligations of the controller and the rights of natural persons ". This articulation was confirmed by the CJEU in its Planet49 decision of October 1, 2019 (CJEU, October 1, 2019, C 673/17, pt. 42). 57. In this regard, the Restricted Committee notes that, contrary to what companies maintain, the "ePrivacy" directive constitutes a body of special rules, which does indeed provide, for the specific obligations it entails, its own implementation mechanism. and control of its application within its article 15bis. Thus, the first paragraph of this article leaves to the Member States the competence to determine "the system of sanctions, including criminal sanctions where appropriate, applicable to violations of the national provisions adopted pursuant to this Directive and [take ] any measure necessary to ensure that they are implemented. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if it has subsequently been corrected ". The rule laid down in 3) of article 5 of the "ePrivacy" directive, according to which read and / or write operations must systematically be the subject of a prior agreement of the user, after information, constitutes a special rule with regard to the GDPR since it prohibits taking advantage of the legal bases mentioned in article 6 of the latter in order to be able to lawfully carry out these read and / or write operations on the terminal. The control of this rule therefore falls under the special control and sanction mechanism provided for by the "ePrivacy" directive, and not by the data protection authorities and the EDPS in application of the GDPR. It is by a specific choice that the legislator in France has entrusted this mission to the CNIL. In addition, the second paragraph of the same article obliges Member States to ensure "that the competent national authority and, where appropriate, other national bodies have the power to order the cessation of the offenses referred to in paragraph I" . 58. In view of the foregoing, the Restricted Panel considers that, in application of the adage specialia generalibus derogant, the specific rules relating to cookies arising from the "ePrivacy" directive prevail over the general rules of the GDPR. Thus, the "one-stop-shop" mechanism provided for by the GDPR cannot be applied to the processing operations covered by the directive, as the companies claim. Thirdly, the Restricted Committee adds that this exclusion is corroborated by the fact that the Member States, which are free to determine the national authority competent to deal with violations of the national provisions adopted in application of the "ePrivacy" directive, may have attributed this competence to an authority other than their national data protection authority established by the GDPR, in this case to their telecommunications regulatory authority. Therefore, insofar as these latter authorities are not part of the EDPS, while this committee plays an essential function in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the "one-stop-shop" for practices liable to be sanctioned by national supervisory authorities not sitting on this committee.60. The restricted formation emphasizes that the cooperation agreements concluded between data protection authorities and telecommunications regulatory authorities in certain Member States, invoked by the company, aim to establish cooperation at national level between the various regulators in order to ensure the consistency of their doctrines on related subjects but do not aim to involve as such the telecommunications regulatory authorities in the "one-stop-shop" mechanism provided for by Chapter VII of the GDPR. 61. Fourthly, the restricted committee notes that the EDPS, in his opinion n ° 5/2019 of 12 March 2019 relating to the interactions between the "privacy and electronic communications" directive and the GDPR, explicitly excluded the application of the "one-stop-shop" for matters materially falling under the "ePrivacy" directive in these terms: "in accordance with chapter VII of the GDPR, the cooperation and consistency mechanisms available to the data protection authorities under the GDPR concern the control of the application of the provisions of the GDPR. The mechanisms of the GDPR do not apply to monitoring the application of the provisions of the "privacy and electronic communications" directive as such "(EDPS, opinion 5/2019, 12 March 2019, pt. 80) 62. Fifth, the restricted committee notes that the CJEU, in a Facebook Belgium judgment delivered on June 15, 2021, took over the aforementioned EDPS opinion 5/2019. The CJEU followed on this point the conclusions of its Advocate General, Mr BOBEK, who considered that "in order to decide whether a case actually falls within the material scope of the GDPR, a national court, including any referring court , is required to seek the precise source of the legal obligation incumbent on an economic operator which it is alleged to have violated. If the source of this obligation is not the GDPR, the procedures established by this instrument, which are linked to its main objective, are logically not applicable either "(CJEU, conclusions of Advocate General M. BOBEK, January 13, 2021, Facebook Belgium, C 645/19, pts. 37 and 38) .63. In this case, the restricted committee notes that, in the present procedure, the precise source of the legal obligation subject to the control finds its origin in Article 5, paragraph 3, of the "ePrivacy" directive, transposed to the article 82 of the "Informatique et Libertés" law, informed by the conditions of consent as provided for by the RGPD, article 2, f), of the "ePrivacy" directive providing that the consent of a user corresponds to the consent of the data subject listed in Directive 95/46 / EC, which has been replaced by the GDPR. 64. The restricted formation also points out that other national data protection authorities have also already pronounced sanctions relating to breaches relating to operations of reading and / or writing information in the users' terminal. The Spanish authority has thus issued several sanction decisions against various data controllers in application exclusively of the national provisions transposing the "ePrivacy" directive, in this case article 22, paragraph 2 of Ley 34/2002 de 11 de julio de Servicios de la Sociedad de la Información y de Comercio Electrónico, without implementing the cooperation procedure established by the GDPR. 65. Sixthly, the restricted committee notes that the possible application of the "one-stop-shop" mechanism to processing governed by the "ePrivacy" directive is the subject of numerous discussions in the context of the preparation of the "ePrivacy" regulation project. "under negotiation for more than four years at European level. The very existence of these debates confirms that as it stands, the one-stop-shop mechanism provided for by the GDPR is not applicable to matters governed by the current "ePrivacy" directive. 66. Finally, according to the restricted party, the creation of a working group on cookie banners in response to the large number of complaints lodged with European supervisory authorities by the NOYB association does not mean, contrary to what is argued , that the EDPS considers that all breaches related to cookies necessarily fall within the scope of the GDPR. The restricted committee also notes that some of the questions raised in these complaints concern subsequent processing which, in turn, falls within the scope of the GDPR. In addition, pursuant to Article 70 (1) (u), the EDPS has, inter alia, the task of promoting cooperation and effective bilateral and multilateral exchange of information and good practice between supervisory authorities. The purpose of the working group is thus to discuss the analysis of the numerous complaints filed by the NOYB association. The creation of this working group does not call into question the position of the EDPS, in his aforementioned opinion 5/2019. 67. Thus, the restricted committee considers that the "one-stop-shop" mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to control and sanction processing consisting of reading and / or reading operations. writing of information in the terminal of users located in France implemented by companies falling within the scope of the "ePrivacy" directive, provided that they fall under its territorial jurisdiction. 2. On the territorial jurisdiction of the CNIL68. The rule of territorial application of the requirements fixed in article 82 of the law "Informatique et Libertés" is fixed in article 3, paragraph I, of the law "Informatique et Libertés" which provides: "without prejudice, in this which concerns the processing within the scope of Regulation (EU) 2016/679 of April 27, 2016, of the criteria provided for by article 3 of this regulation, all the provisions of this law apply to the processing of data to personal character carried out within the framework of the activities of an establishment of a controller […] on French territory, whether or not the processing takes place in France ".69. The rapporteur considers that the CNIL has territorial jurisdiction in application of these provisions when the processing object of this procedure, consisting of operations to access or enter information in the terminal of users residing in France during the he use of the Google Search search engine and of YouTube, in particular for advertising purposes, is carried out within the "framework of the activities" of the company GOOGLE FRANCE, which constitutes the "establishment" on the French territory of the GOOGLE group. 70. The companies refer, for their part, on this point to the observations they had produced in the context of the previous sanctioning procedure and in which they maintained that, in so far as it would be appropriate to apply the rules of jurisdiction and the procedures cooperation defined by the RGPD, the CNIL would not have the territorial competence to hear this case given that the "real seat" of the GOOGLE group in Europe, that is to say the place of its central administration within the meaning of article 56 of the GDPR, is located in Ireland. 71. The restricted committee once again retains that the facts in question are materially covered by the provisions of the "ePrivacy" directive, and not of the GDPR. It follows that it is appropriate to refer to the provisions of article 3, paragraph I, of the law "Informatique et Libertés", determining the scope of the territorial jurisdiction of the CNIL. 72. In this regard, the restricted committee emphasizes that the "ePrivacy" directive does not itself explicitly lay down the rule for the territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it "specifies and supplements Directive 95 / 46.CE", which at the time provided, in Article 4, that "Each Member State shall apply the national provisions which it adopts by virtue of the this Directive to the processing of personal data when: a) the processing is carried out within the framework of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations provided for by the applicable national law ". While this rule for determining the national law applicable within the Union no longer applies for the application of the rules of the GDPR, which replaced Directive 95/46 / EC on the protection of personal data and applies uniformly throughout the territory of the Union, it appears that the French legislator has maintained these criteria of territorial application for the specific rules contained in the law "Informatique et Libertés", and therefore in this case for those which transpose the "ePrivacy" directive. Therefore, the case law of the CJEU on the application of Article 4 of the former Directive 95/46 / EC on the protection of personal data remains relevant to shed light on the scope to be given to these two criteria. First, with regard to the existence of an "establishment of the controller on French territory", the CJEU has consistently considered that the notion of establishment should be assessed in a flexible manner and that this Finally, it was necessary to assess both the degree of stability of the installation and the reality of carrying out activities in another Member State, taking into account the specific nature of the economic activities and the provision of services in question (see , for example, CJEU, Weltimmo, 1 Oct. 2015, C 230/14, pts. 30 and 31). The CJEU further considers that a company, an autonomous legal person, of the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, May 13, 2014, Google Spain, C-131 / 12, pt 48) 74. In this case, the restricted formation notes, first of all, that the company GOOGLE FRANCE is the head office of the French subsidiary of the company GOOGLE LLC, that it has premises located in Paris, that it employs approximately [... ] people and that, according to its statutes filed with the registry of the Paris Commercial Court, its particular object is "the provision of services and / or advice relating to software, the Internet, telematic or online networks, in particular the 'intermediation in the sale of online advertising, the promotion of all forms of online advertising, the direct promotion of products and services and the setting up of data processing centers ". The restricted formation then notes, as it recalled in its deliberation of December 7, 2020, "that the company GOOGLE FRANCE is responsible for ensuring the promotion of online advertising on behalf of the company GIL, which is a co-contractor of advertising contracts concluded with French companies or French subsidiaries of foreign companies "and" that the company GOOGLE FRANCE effectively participates in the promotion of products and services designed and developed by the company GOOGLE LLC, such as Google Search , in France, as well as the advertising activities managed by the company GIL "(deliberation of the restricted party n ° SAN-2020-012 of December 7, 2020 concerning the companies GOOGLE LLC and GOOGLE IRELAND LIMITED, pt. 42). It notes that these findings still appear to be valid on the date of this deliberation.75. Secondly, with regard to the existence of processing carried out "within the framework of the activities" of this establishment, the restricted committee notes that the CJEU, in its Google Spain judgment of 13 May 2014, considered that the processing relating to the search engine Google Search was carried out "within the framework of the activities" of the company GOOGLE SPAIN, establishment of the company GOOGLE INC - since become GOOGLE LLC -, insofar as this company is intended to ensure in Spain the promotion and the sale of advertising space offered by this search engine, which is used to make the service offered by this search engine profitable. The CJEU clarified that "Article 4 (1) (a) of Directive 95/46 does not require that the processing of personal data in question be carried out" by "the establishment concerned itself, but only that it is "within the framework of the activities" of this one "(pt. 52). According to the Court, "Article 4 (1) (a) of Directive 95/46 must be interpreted as meaning that processing of personal data is carried out in the context of the activities of an establishment of responsible for this processing in the territory of a Member State, within the meaning of this provision, when the operator of a search engine creates in a Member State a branch or a subsidiary intended to ensure the promotion and sale of advertising space offered by this engine and whose activity targets the inhabitants of that Member State "(pt. 60) .76. In addition, the restricted panel notes that the CJEU subsequently considered, in its Wirtschaftsakademie and Facebook Belgium decisions, that the processing consisting of the collection of personal data via cookies placed in the terminals of visiting users, in Germany and Belgium, pages hosted on the Facebook social network were respectively made "within the framework of the activities" of the companies FACEBOOK GERMANY and FACEBOOK BELGIUM, German and Belgian establishments of the Facebook group, insofar as these establishments are intended to provide , in their respective country, the promotion and sale of advertising space offered by this social network, which is used to make the service offered by Facebook profitable (CJEU, large chamber, June 5, 2018, Wirtschaftsakademie, C-210/16, pts. 56 to 60; June 15, 2021, Facebook Belgium, C-645/19, pts. 92 to 95). If in the Google Spain judgment, Spanish jurisdiction had been retained for processing for which the effective responsibility fell to companies based in the United States, outside the European Union, in these latter judgments, the CJEU extended its reasoning to cases where the effective responsibility for the processing lies with a company located in another country of the European Union. 77. The restricted committee noted that, even if these three judgments concerned more specifically the "subsequent processing" implemented from cookies placed in users' terminals, which justified the application of Directive 95/46 / EC for business Google Spain and Wirtschaftsakademie and of the RGPD for the Facebook Belgium case, this case law remains relevant to shed light on the scope to be given to the concept of processing carried out "within the framework of the activities" of an establishment, insofar as the French legislator l 'resumed during the transposition of the "ePrivacy" directive to found the territorial jurisdiction of the CNIL with regard to processing covered by this directive.78. In this case, and in addition to the previous developments appearing above in paragraph 74, the restricted committee notes that, according to the information posted on its website, the company GOOGLE FRANCE supports in particular small and medium-sized enterprises in France "through the development of collaboration tools, advertising solutions or to give them the keys to understanding their markets and their consumers ". Then, it has already noted, in its deliberation n ° SAN-2020-012 of December 7, 2020 that, "in its letter of April 30, 2020, the company GIL indicates that" Google France has a sales team dedicated to promoting and the sale of GIL's services to advertisers and publishers based in France, such as Google Ads "" (item n ° 44). This observation still appears to be valid on the date of this deliberation. The limited training finally notes that it is specified on the website "ads.google.com" that "Google Ads allows French companies to promote their products or services on the search engine and on a large advertising network". 79. Thus, the processing consisting of operations of access or registration of information in the terminal of users of the Google Search search engine and of YouTube residing in France, in particular for advertising purposes, is carried out within the framework of the activities of the company GOOGLE FRANCE on French territory, which is in charge of the promotion and marketing of GOOGLE products and their advertising solutions in France. The restricted committee notes that the two criteria provided for in Article 3, paragraph I, of the "Informatique et Libertés" law are therefore met.80. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of imposing sanctions concerning processing operations falling within the scope of the "ePrivacy" directive. On the complaint alleging the illegality of the present sanctioning procedure81. The companies dispute the fact of not having received any formal notice before the president of the CNIL decides to open a sanction procedure, unlike other actors, thus invoking a difference in treatment between GIL and GOOGLE LLC and the sixty companies that the CNIL declared to have put on formal notice for similar acts in its press releases of 25 May and 19 July 2021 posted on its website. First, with regard to the companies' argument according to which the provisions opposed to them by the rapporteur entered into force less than five months before the start of the sanction procedure, the restricted committee recalls that, in the context of of this deliberation, it is based exclusively on the provisions of article 82 of the law "Informatique et Libertés", informed by the reinforced requirements in terms of consent of the GDPR, which came into force in May 2018. Therefore, the framework legal applicable to the facts giving rise to the present sanction proceedings is fully established. 83. The restricted committee also recalls that, from June 2019 and on various occasions thereafter, the CNIL communicated on its action plan which included two main stages: the publication of new guidelines in July 2019 and consultation with professionals. to develop a new recommendation, proposing operational modalities for obtaining consent. The CNIL had specified, in a press release dated June 28, 2019, that it would verify compliance with the recommendation six months after its final adoption. The restricted party noted that the CNIL had been perfectly transparent on the schedule, in order to give the organizations time to comply before carrying out checks.84. Secondly, the restricted committee recalls that, in accordance with article 20 of the law "Informatique et Libertés", the president of the CNIL is not required to send a formal notice to a data controller before sending initiate a sanction procedure against him. It adds that the possibility of directly initiating a sanction procedure has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, req. No. 433311, pt. 3) .85. It further notes that the secretary general of the CNIL reminded companies, in his letters of February 17, 2021, that it must be as easy to give consent as to refuse to give or withdraw it. It also notes that the companies GOOGLE LLC and GIL have already been the subject of a sanction procedure relating to their cookie policy. The companies were fully aware that they were exposed to possible other sanctions since, according to a press release published on May 4, 2021, the CNIL had indicated that the closure of the injunction only concerned the scope of the injunction pronounced by the restricted formation in its deliberation of December 7, 2020. It specified that this closing decision did not prejudge the analysis of the CNIL as to the compliance of "google.fr" with other rules on cookies , relating in particular to consent, which are informed by the guidelines and the recommendation of September 17, 2020, according to which the user should now be able to refuse cookies as easily as he can accept them. The CNIL specified that it reserved the right to control these methods of refusal and, if necessary, to mobilize its entire repressive chain, it being specified that the CNIL had received several complaints on this subject. GOOGLE LLC and GIL were not in the same situation as other organizations subject to formal notices from the CNIL and that the complaint alleging the illegality of the sanctioning procedure must be rejected. . On the request for a preliminary ruling86. In the alternative, the companies ask the restricted formation to refer a preliminary question to the Court of Justice of the European Union (hereinafter the "CJEU") in these terms: "the absence of a" refuse all "button to next to a button "accept all" should it be considered a violation of article 4, paragraph 11 and article 7 of the GDPR, read in conjunction with article 5, paragraph 3 of the e-Privacy directive while the data controller gives the data subject the right to refuse said processing in the second level of the cookies banner and through the browser settings and informs him of this possibility to refuse the processing and the means at his disposal to do it from the first level of the cookies banner? ". The companies consider that the restricted formation is a court within the meaning of Article 267 of the Treaty for the Functioning of the European Union (hereinafter "TFEU") and that it meets the criteria of a court: it is established permanently by the law "Informatique et Libertés"; it has compulsory jurisdiction when the president of the CNIL decides to initiate a sanction procedure; it follows a procedure of an adversarial nature opposing the rapporteur and the respondent; it applies the rules of law and is independent and impartial. 87. The restricted formation recalls that, for a body to be able to address a preliminary question to the CJEU, it must have the quality of "jurisdiction" within the meaning of Article 267 TFEU, an autonomous concept in Union law. To assess this status, the CJEU takes into consideration the following criteria: legal origin of the body, its permanence, its binding nature, adversarial nature of its procedure, application of the rules of law, its independence and the jurisdictional nature of its decisions.88 . The restricted formation notes that it is not classified as a jurisdiction in domestic law: no legislative provision has recognized this quality. If, as the companies point out, the Council of State has already ruled that "having regard to its nature, its composition and its powers", the restricted formation can be qualified as a "tribunal" within the meaning of the article 6-1 of the European Convention for the Protection of Human Rights and Fundamental Freedoms (hereinafter the "CESDH") (Council of State, summary judge, February 19, 2008, n ° 311974), this decision does not, however, recognize it as a court. 89. The restricted committee considers, contrary to what the companies maintain, that the criteria adopted by the CJEU on the notion of jurisdiction within the meaning of article 267 TFEU, in particular in its recent ANESCO judgment (CJEU, Sept. 16, 2020, Anesco, C-462/19), are not fulfilled by the restricted training. Indeed, in this judgment, the CJEU indicated that, "it must be noted that the decisions that the CNMC [the Spanish competition authority] is led to adopt in cases such as the one at issue in the main proceedings are similar to decisions of an administrative nature, excluding their being adopted in the exercise of judicial functions "(§41). However, the same applies to decisions taken by the restricted body, which are administrative decisions since they are sanction decisions which contribute to the effectiveness of the CNIL's action in its regulatory power. The sanction decision puts an end to the administrative procedure initiated and an administrative litigation appeal may then be initiated against him before the Council of State.90. In addition, the restricted formation notes that the Court of Cassation considered that "it follows from these texts of European Union law, as interpreted by the Court of Justice of the European Union, that the Authority of competition is not a court capable of asking it a preliminary question pursuant to article 267 of the TFEU (CJEU, judgment of September 16, 2020, Anesco, C-462/19, concerning the Comisión Nacional de los Mercados y la Competencia, Spanish competition authority) "(Cass. 2nd civ., September 30, 2021, n ° 20-18.302). However, the Competition Authority, as an independent administrative authority, has great organizational and procedural similarities with the restricted body.91. Therefore, the restricted formation cannot be classified as a court within the meaning of Article 267 TFEU, so that it is not able to ask a preliminary question to the CJEU. On the determination of the controller 92. The restricted committee notes, first of all, that Articles 4, paragraph 7, and 26, paragraph 1, of the GDPR are applicable to this procedure due to the use of the concept of "controller" in Article 82 of the "Informatique et Libertés" law, which is justified by the reference made by article 2 of the "ePrivacy" directive to directive 95/46 / CE on the protection of personal data, which has been replaced by the RGPD. 93. According to article 4, paragraph 7, of the GDPR, the controller is "the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and the means of treatment ". According to Article 26 (1) of the GDPR, "where two or more controllers jointly determine the purposes and means of processing, they are the joint controllers" .94. The rapporteur considers that the companies GIL and GOOGLE LLC are jointly responsible for the processing in question in application of these provisions since the companies both determine the purposes and means of the processing consisting of access or registration operations. information in the terminal of users residing in France when using the Google Search search engine and YouTube. 95. The companies respond that the company GIL would be solely responsible for the processing of personal data of users located in the European Economic Area and in Switzerland. 96. The restricted panel recalls that the CJEU has ruled on several occasions on the concept of joint responsibility for processing, in particular in its Jehovah's Witnesses judgment. According to the latter, it considered that, according to the provisions of Article 2 (d) of Directive 95/46 on the protection of personal data, "the concept of" controller "refers to the person natural or legal person which, "alone or jointly with others", determines the purposes and means of the processing of personal data. This concept does not, therefore, necessarily refer to a single natural or legal person and may concern several actors participating in this processing, each of them then having to be subject to the applicable data protection provisions […]. The objective of this provision is to ensure, by a broad definition of the concept of "responsible" , effective and complete protection of the persons concerned, the existence of joint liability does not necessarily translate into equivalent liability, for the same processing of personal data, for differences ts actors. On the contrary, these actors may be involved at different stages of this processing and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all the relevant circumstances of the case at hand " (CJEU, July 10, 2018, C 25/17, pts. 65 and 66) .97 The restricted committee considers that these developments usefully shed light on the concept of joint processing responsibility invoked by the rapporteur with regard to companies GOOGLE LLC and GIL concerned by the processing operations in question.98. December 2020 for the reasons developed above, it still concerns the read and write operations implemented in the user's terminal located in France by the companies GOOGLE LLC and GIL, for which the role of two companies has already been considered by the restricted formation in the deliberation mentioned above.99. The restricted committee also recalls that it, in this same deliberation of December 7, 2020, considered that the companies GOOGLE LLC and GIL jointly determine the purposes and means of the processing consisting of operations of access or registration of information. in the terminal of users residing in France when using the Google Search search engine (pts. 47 to 66 of the deliberation). It considers that this observation is still valid on the date of this deliberation and can be extended to the cookies used on the "youtube.com" site, as demonstrated by the elements developed below.1. On the responsibility of the company GIL100. The companies claim that GIL is acting as the data controller in question, which the rapporteur also considers. 101. The small group shares this analysis. 102. In the first place, it notes that it retained in its deliberation n ° SAN-2020-012, that "the representatives of the companies declared that the company GIL" participates in the development and the supervision of the internal policies which guide the products and their design, the setting up of parameters, the determination of confidentiality rules and all the verifications carried out before the launch of the products, in application of the principle of “privacy by design”. ”103 Secondly, she recalls that 'she also pointed out that, "with regard to cookies in particular, the representatives stated [...] that" GIL applies, for example, shorter cookie retention periods "compared to other regions of the world and that it "limits the scope of processing related to the personalization of advertising in Europe compared to the rest of the world. For example, GIL does not use certain categories of data to carry out personalized advertising such as than the assumed household resources. The company GIL does not set up personalized advertising for children whom it assumes are minors within the meaning of the RGPD. "104. The restricted committee concluded that" the company GIL is, at least in part, responsible for the controlled processing consisting of operations to access or register information in the terminal of users residing in France when using the Google Search search engine. ”105 The restricted committee considers that no modification of the role of GIL does not appear to have taken place since this recent finding, which therefore remains valid. , accessible both via the "google.fr" and "youtube.com" sites, it is identically indicated that: "In the European Economic Area (EEA) and in Switzerland, Google services are provided to you by the company below with which you are concluding a c ontrat: Google Ireland Limited ". 106. Thus, the company GIL is, at least in part, responsible for processing consisting of operations to access or register information in the terminal of users residing in France when using the Google Search search engine and YouTube. 2. On the responsibility of GOOGLE LLC107. The companies dispute the rapporteur's analysis that the company GOOGLE LLC shares the responsibility for the processing operations in question with the company GIL.108. The restricted formation has already taken a position on this subject, in its deliberation n ° SAN-2020-012 of December 7, 2020.109. First, it noted that, during the hearing on July 22, 2020, the representatives of the companies had affirmed that the company GOOGLE LLC "designs and builds the technology of Google products and that with regard to the cookies deposited and read when using the Google Search search engine, there is no difference in technology between the cookies placed from the different versions of the search engine. Similarly, companies, in the information they offer to French users in the rules of use accessible from "google.fr", make no distinction in their presentation of the cookies used by the GOOGLE group when they indicate using "different types of cookies for products associated with advertisements and Google "" websites, which also includes the "youtube.com" site according to the restricted formation. 110. It notes that even today, there is no difference in the presentation of the cookies used by Google (information provided to French users from the "Technologies" tab, "how Google uses cookies", after clicking on the "terms of use" button, accessible both on "google.fr" and on "youtube.com"). The company "describes the types of cookies used by Google", specifying that "some or all of the cookies described below may be stored in your browser". The restricted committee also notes that the confidentiality rules accessible both from "google.fr" and from "youtube.com" confirm this point when it is indicated that "These confidentiality rules apply to all the services offered by Google LLC and its affiliates, including YouTube and Android, as well as services offered on third-party sites, such as advertising services. "111. Thus, in the information they provide to French users, the GOOGLE LLC and GIL companies still make no distinction in their presentation of the cookies used by the GOOGLE group. 112. Secondly, the restricted committee also noted, in its aforementioned deliberation, that "despite the undisputed participation of the company GIL in the various stages and bodies related to the definition of the methods of implementation of cookies placed on Google Search, the The matrix organization described by the companies […] has shown that the company GOOGLE LLC is also represented in the bodies adopting decisions relating to the deployment of products within the EEA and in Switzerland and to the processing of personal data of the users residing there and that it exercises a significant influence there "or that" the data protection officer appointed by the company GIL […] as well as its deputy DPOs are based in California as employees of the company GOOGLE LLC ". 113. Thirdly, the restricted committee considered that, "although by virtue of a formal reading of the subcontracting contract of December 11, 2018, the company GOOGLE LLC would act as a subcontractor of the company GIL in the processing of European user data collected via cookies, the real involvement of the company GOOGLE LLC in the processing in question goes far beyond that of a subcontractor who would simply carry out processing operations for the account of the company GIL and on its instructions only. "114. In view of the elements in the file, the restricted panel maintains that the company GOOGLE LLC plays a fundamental role in the entire decision-making process relating to the treatments in question. It also determines the means of processing given that, as mentioned above, it is it who designs and builds the technology for cookies placed on the terminals of European users. The restricted committee notes that, although it only ruled with regard to the Google Search search engine in its deliberation n ° SAN-2020-012 of 7 December 2020, it considers that the same reasoning is applicable, on the basis of these same elements, for YouTube, in particular insofar as, when the user clicks on "Confidentiality rules" and "terms of use" from "youtube.com", it is referred to the confidentiality rules and GOOGLE group terms of use. 115. It follows from all of the foregoing that the GOOGLE LLC and GIL companies jointly determine the purposes and means of processing consisting of operations to access or register information in the terminal of users residing in France during the use of the Google Search search engine and of YouTube G. On the breach of obligations regarding cookies 116. Under the terms of article 82 of the law "Informatique et Libertés", "any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed by the controller or his representative: 1 ° The purpose of any action aimed at accessing, by electronic transmission, information already stored in his terminal electronic communications equipment, or entering information in this equipment; 2 ° means at his disposal to oppose this access or registration can only take place if the subscriber or user has expressed, after receiving this information, his consent which may result from appropriate parameters of his device connection or any other device under its control. […] ".117. The "ePrivacy" directive provides for its part in its article 2, f), that the consent of a user or a subscriber corresponds to the consent of the data subject listed in Directive 95/46 / EC, to which s' the GDPR is replaced. 118. Thus, since the entry into application of the RGPD, the "consent" provided for in the aforementioned article 82 must be understood within the meaning of article 4, paragraph 11, of the RGPD, that is to say it must be given in a free, specific, enlightened and unequivocal manner and be manifested by a clear positive act. 119. In this regard, recital 42 of this Regulation provides that: "consent should not be considered as having been freely given if the data subject does not have a genuine freedom of choice or is not in a position to refuse or to withdraw consent without being prejudiced. "120. In this case, as part of the online check of June 1, 2021, the delegation noted that, in order to give their consent to the reading and / or writing of information in their terminal, the user going to the home page of the "google.fr" and "youtube.com" sites must only click on the "I accept" button in the pop-up window, which makes this window disappear and allows it to continue browsing. On the other hand, the user going to these same home pages and wishing to refuse cookies must click on the "Personalize" button of this first window, which gives him access, both on the "google.fr" sites. and "youtube.com", to an interface offering him to choose to activate or deactivate cookies, on which he has the possibility of performing various actions.121. The rapporteur notes, for clarification, that under his guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679, adopted on 4 May 2020, the EDPS recalled that "the adjective "free" implies real choice and control for those concerned "(§13) .122. Likewise, in the context of its deliberation n ° 2020-092 of September 17, 2020 adopting a recommendation proposing practical modalities of compliance in the event of recourse to "cookies and other tracers", the Commission considered, taking into account the aforementioned applicable texts, that "the data controller must offer users both the possibility of accepting and refusing read and / or write operations with the same degree of simplicity" .123. On the basis of the findings made in the context of the online control, the rapporteur thus observes that, if the banner displayed on the "google.fr" and "youtube.com" sites contains a button allowing immediate acceptance of cookies, no Similar means are not offered to the user to be able to refuse, as easily, the deposit of these cookies. To refuse cookies, they must perform at least five actions (the first click on the "Customize" button, then click on each of the three buttons to select "Disabled" - each button corresponding to "personalization of the search", l '"YouTube history" and "ad personalization" - and finally a click on "Confirm"), for a single action to accept them. According to the rapporteur, such a mechanism does not therefore present the same facility as that allowing to express consent, in disregard of the legal requirements of freedom of consent, which imply not to encourage the Internet user to accept cookies rather than to refuse them. It therefore considers that making the mechanism for refusing cookies more complex than accepting them actually amounts to discouraging users from refusing cookies and encouraging them to use the facility of the "I accept" button. The rapporteur concludes that the methods of refusing cookies implemented by the companies GOOGLE LLC and GIL on the sites "google.fr" and "youtube.com" do not comply with the provisions of article 82 of the law " Informatique et Libertés "as informed by the reinforced requirements in terms of consent posed by the GDPR. 124. The companies consider that neither the “ePrivacy” directive, nor the GDPR, nor article 82 of the “Informatique et Libertés” law provide that the action of refusing cookies should be as simple as accepting them. They add that, for many years, the CNIL itself had not deduced this principle even though the regulations in question had remained unchanged since the entry into force of the GDPR. They note that the CNIL cannot, through its guidelines and recommendations, introduce new requirements relating to the refusal of consent and consider that it is up to each data controller to choose the most appropriate method of obtaining consent. In this, the companies consider that the mechanism for collecting consent set up on the "google.fr" and "youtube.com" sites already complies with the provisions of article 82 of the "Informatique et Libertés" law. ". The companies consider that the fact of not offering, at the first level of information, a button "refuse all" is not contrary to the principle of freedom of consent insofar as users have the possibility of refusing cookies by clicking on the "Customize" button. 125. In the first place, the restricted formation recalls that in application of article 8 I, 2 °, b) of the law "Informatique et Libertés", the CNIL "establishes and publishes guidelines, recommendations or standards intended to facilitate the compliance of the processing of personal data with the texts relating to the protection of personal data […] ".126. It is in this context that the CNIL took deliberation n ° 2019-093 of July 4, 2019 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to reading operations or writing in a user's terminal (in particular cookies and other tracers), which provided in article 2, "that it must be as easy to refuse or withdraw consent as to give it"; then decisions n ° 2020-091 of September 17, 2020 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read and / or write operations in the terminal of a user (in particular to "cookies and other tracers") and n ° 2020-092 adopting a recommendation proposing practical methods of compliance in the event of recourse to "cookies and other tracers". These instruments aim to interpret the applicable legislative provisions and to inform stakeholders on the implementation of concrete measures to ensure compliance with these provisions, so that they implement these measures or measures of equivalent effect. In this sense, it is specified in the guidelines that these "have as their main purpose to recall and clarify the law applicable to the operations of reading and / or writing of information […] in the terminal equipment. electronic communications of the subscriber or user, and in particular for the use of cookies ".127. As indicated above, the Commission considered, in the context of its recommendation of September 17, 2020, that "the data controller must offer users both the possibility of accepting and refusing read and / or read operations. writing with the same degree of simplicity. "128. As regards the possible methods of refusal, in this same recommendation, the Commission strongly recommended "that the mechanism for expressing a refusal to consent to read and / or write operations be accessible on the same screen and with the same facility as the mechanism for expressing consent. Indeed, it considers that the interfaces for collecting consent which require a single click to consent to the tracing while several actions are necessary to "configure" a refusal to consent present, in most cases, the risk of biasing the choice of the user, who wishes to be able to view the site or use the application quickly.For example, at the stage of the first level of information, users can have the choice between two buttons presented at the same level and in the same format, on which are entered respectively "accept all" and "refuse all", "authorize" and "prohibit", or "consent" and "do not consent", or any other equivalent and sufficiently clear wording. The Commission considers that this modality constitutes a simple and clear means of allowing the user to express his refusal as easily as his consent. "129 The restricted committee considers that the CNIL confined itself, in its recommendation mentioned above. above, to clarify the obligations provided for by French and European legislators, in particular by drawing all the consequences of the principle of freedom of consent as defined in Article 4, paragraph 11, of the GDPR, and by applying them to the assumptions of the acceptance and refusal by the user to deposit cookies on his terminal. Indeed, this principle of freedom of consent now implies that the user benefits from a "real freedom of choice", as underlined in recital 42 of the GDPR, and therefore that the modalities offered to him for manifesting this choice are not biased in favor of consent. As the EDPS recalled in his guidelines on consent, adopted on May 4, 2020, the adjective "free" implies real choice and control for those affected. 130. It thus appears that the CNIL in its recommendation did not create new obligations for the actors but confined itself to illustrating concretely how article 82 of the law should be applied.131. Second, the restricted committee notes that the CNIL's position on this point, according to which it must be as simple for users to refuse cookies as to consent to them, already appeared in article 2 of the guidelines of 4 July 2019 - repealed by those of September 17, 2020 - and that it was ratified by the Council of State. Indeed, seized of an appeal for excess of power brought against these first guidelines, the Council of State ruled, in its decision Association of communication consulting agencies, that "the CNIL which, by indicating that it had to "to be as easy to refuse or withdraw consent as to give it", has confined itself to characterizing the conditions of the user's refusal, without defining any particular technical modalities of expression of such a refusal, has marred its deliberation by any disregard of the applicable rules "(CE, June 19, 2020, n ° 434684, T., pt 15) .132. The restricted committee considers that this reading is all the more necessary in view of the conclusions of the public rapporteur on this judgment, which noted: "As indicated by the CNIL, the contested guidelines do not impose any technical modality for the collection of this refusal. They limit themselves to demanding, in a general way and rightly, that it is no more complicated to refuse than to accept "(EC, conclusions of the public rapporteur on judgment n ° 434684, p. 17) .133. Thirdly, the training notes that in this case, users residing in France going to the Google Search search engine and / or to YouTube must perform a single action to accept cookies, whereas they must do so. five to refuse them. It is therefore not as easy to refuse cookies as it is to accept them.134. However, several recent studies show that organizations that have set up a "refuse all" button on the first-level consent collection interface have seen the consent rate relating to the acceptance of cookies decrease. Thus, according to the "Privacy barometer - 2021 edition" published by the COMMANDERS ACT company, the computer consent rate rose from 70% to 55% in April-May 2021, since the collection of consent is explicit. Likewise, according to a 366-Kantar study, it appears that 41% of Internet users in France refused, systematically or partially, the deposit of cookies in June 2021. 135. The restricted party therefore considers that making the mechanism for refusing cookies more complex than that consisting in accepting them actually amounts to discouraging users from refusing cookies and encouraging them to favor the facility of the "Accept all" button. Indeed, an Internet user is generally led to consult many sites. Internet browsing is characterized by its speed and fluidity. The fact of having to click on "Personalize" and of having to understand the way in which the page allowing to refuse cookies is constructed is likely to discourage the user, who would nevertheless wish to refuse the deposit of cookies. It is not disputed that in the present case, the companies offer a choice between the acceptance or the refusal of cookies, but the modalities by which this refusal can be expressed, in the context of internet browsing, bias the 'expression of choice in favor of consent so as to impair freedom of choice.136. In view of the foregoing, the restricted committee considers that a breach of the provisions of article 82 of the law "Informatique et Libertés", interpreted in the light of the RGPD, is constituted, insofar as the companies do not put available to users located in France, on the "google.fr" and "youtube.com" websites, a means of refusing operations for reading and / or writing information in their terminal, which presents the same degree of simplicity than that intended to accept its use. III. On corrective measures and publicity137. Article 20, paragraph III, of the "Informatique et Libertés" law provides: "When the data controller or his subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 cited above or of this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, if necessary in addition to '' a formal notice provided for in II, seize the restricted formation of the committee with a view to pronouncing, after adversarial proceedings, one or more of the following measures: […] 2 ° An injunction to bring the processing into conformity with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law or to meet the requests made by the data subject in order to exercise their rights, which may be accompanied, except in cases where the processing is implemented by the State, a fine the amount of which may not exceed 100,000 € per day of delay from the date set by the restricted group; […] 7 ° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the turnover. total worldwide annual business for the previous fiscal year, whichever is greater. […] The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83 ".138. Article 83 of the GDPR, as referred to in article 20, paragraph III, of the "Informatique et Libertés" law, provides that "Each supervisory authority ensures that the administrative fines imposed by virtue of this article for violations of this regulation referred to in paragraphs 4, 5 and 6 are, in each cases, effective, proportionate and dissuasive ", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and in deciding the amount of this fine.A. On the imposition of fines administrative authorities and their amount.139 The companies argue that the amount of the fines proposed by the rapporteur is unpredictable, disproportionate and unjustified. They dispute the fact that, unlike other French or European administrative authorities, n having the power to sanction, the CNIL has not provided guidelines for calculating its fines. The companies also add that the rapporteur does not explain the distribution of the amount of the fine between GOOGLE LLC and GIL.140. In addition, the companies maintain that by refusing to engage in discussions with them, the rapporteur deprived them of the possibility of cooperating with the CNIL, and, therefore, of invoking the mitigating circumstance of article 83-2. f) of the GDPR to reduce the amount of the fine. 141. The restricted committee recalls, in general terms, that article 20, paragraph III, of the law "Informatique et Libertés" gives it competence to pronounce various sanctions, in particular administrative fines of which the maximum amount can be, in this case, equivalent to 2% of the total worldwide annual turnover for the previous financial year made by the data controller. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified by Article 83 of the GDPR. 142. The restricted party notes that the rapporteur is not required to specify how the fines she proposes to the restricted party are calculated. The Council of State has also ruled that the restricted formation was not subject to this obligation (CE, 10th / 9th, June 19, 2020, req. No. 430810). The restricted committee notes that the European courts share this position, since they have already ruled that "it is not incumbent on the Commission, under the obligation to state reasons, to indicate the quantified elements in its decision. relating to the method of calculating fines "(judgment of the Court of 16 November 2000, Stora Kopparbergs Bergslags / Commission, C ‑ 286/98 P, Rec. p. I ‑ 9925, paragraph 66). The case-law only requires that the sanctioning panel show "in a clear and detailed manner the reasoning which it followed, thus enabling the applicant to know the elements of assessment taken into account in order to measure the seriousness of the offense for the purposes of of the calculation of the amount of the fine and for the General Court to exercise its control "(judgment of the Court of First Instance, Third Chamber, July 8, 2008, BPB plc v Commission of the European Communities, judgment ECLI: EU: T: 2008: 254 , paragraph 337, case law 008 II-01333). This position is justified, on the one hand, by the fact that "fines constitute an instrument of the policy" of an institution "which must be able to enjoy a margin of appreciation in fixing their amount in order to guide the behavior of undertakings in the sense of compliance with the rules "and, on the other hand, because" it is important to prevent fines from being easily foreseeable by economic operators. Indeed, if the Commission had the obligation to indicate in its decision the figures relating to the method of calculating the amount of the fines, the deterrent effect thereof would be undermined. If the amount of the fine were the result of a calculation obeying a simple arithmetic formula, companies would have the possibility of foreseeing the possible sanction and of comparing it with the profits which they would derive from the infringement of the rules of law ".143. Firstly, the restricted panel emphasizes that it is appropriate, in this case, to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach, taking into account the nature and scope of the processing and the number of people concerned by it. 144. The restricted committee notes that, if the companies GIL and GOOGLE LLC have refused to communicate the volume of the number of unique visitors from the “google.fr” and “youtube.com” sites over the past twelve months from France, it The figures available on the internet show that in June 2020, Google had more than 51 million unique visitors residing in France per month and YouTube more than 46 million (press release of August 24, 2020 published on the Médiamétrie website). The number of people affected by the treatments in question is therefore extremely large for the French population. 145. As the restricted formation recalled in its deliberation n ° SAN-2020-012 of December 7, 2020, the Competition Authority noted that, on the French market for online search-related advertising, Google has a a dominant position which in many respects exhibits "extraordinary" characteristics. Its search engine now accounts for more than 90% of searches carried out in France and its market share in the online search advertising market is probably over 90% (ADLC, Dec. 19, 2019, Dec. N ° 19-D-26). The Google Search search engine therefore has considerable reach in France. 146. Secondly, the restricted panel considers that it is appropriate to apply the criterion provided for in subparagraph b) of Article 83 paragraph 2 of the GDPR, relating to the fact that the violation was committed deliberately. 147. The restricted committee recalls that the companies were the object of a recent sanction relating to breaches of article 82 of the law "Informatique et Libertés" concerning the information and the collection of the consent of the persons before the deposit of cookies on their terminal. If this sanction is not final since it is the subject of an appeal before the Council of State, the restricted formation notes however that the attention of the companies had been explicitly drawn by the services of the CNIL on the modalities refusal of cookies. As part of the follow-up to the injunction pronounced by the restricted formation, the companies, on December 18, 2020, through their advisers, sent the CNIL a document in which they presented the changes that GOOGLE intended to deploy on the "google.fr" web page to respond to the injunction pronounced. On February 17, 2021, the Secretary General of the CNIL sent GOOGLE LLC and GIL a response constituting assistance for the companies in order to comply. Said letter went "beyond the scope of the injunction" and also referred to "the terms of refusal of cookies". The secretary general of the CNIL reminded companies that it must be as easy to give consent as to refuse to give or withdraw it and indicated that it would be up to them to insert an "I refuse" button next to the button "I accept", while specifying that they could "of course change the titles of these buttons as long as they allow the user to clearly and directly understand the consequences of his choices". It was also specified that: "If different ways of respecting the legal requirements are possible, it appears to me that the proposal appearing in your mail, where only one button" I accept "and a button" Configure "appear, which you have to click to then understand how it is possible to refuse cookies, does not comply with the legal requirements of freedom of consent ". The secretary general of the CNIL had therefore indicated to the companies, as early as February 2021, the actions expected with a view to bringing them into conformity at the end of the adaptation period left by the CNIL to the players and which ended on April 1, 2021.148. In addition, the restricted training recalls the more general context in which the GOOGLE LLC and GIL companies have chosen not to offer their users, on the "google.fr" and "youtube.com" sites, the ability to easily refuse them. Cookies. Indeed, the CNIL has implemented a compliance plan on the issue of cookies spread over several years and has communicated publicly on its website, on several occasions, on the fact that it must be so easy for the Internet user to refuse cookies than to accept them, in particular on October 1, 2020 on the occasion of the publication of the aforementioned guidelines and recommendation of September 17, 2020. The adaptation period left to the actors ended on April 1, 2021. Hundreds of thousands of actors, from the smallest to the largest sites, have complied and have introduced a button on their consent collection interface " refuse "or" continue without accepting ". 149. In this context, the restricted party considers that the fact that the companies GOOGLE LLC and GIL, appearing among the major and unavoidable global players of the internet and managing some of the most visited sites, refuse to set up an easy refusal system cookies at the very moment when they were the subject of an injunction follow-up procedure clearly alerting them on the same subject, reveals a marked desire of these companies not to modify their practices. It considers that the companies have intended not to bring into conformity the processing consisting of operations of access or registration of information in the terminal of users residing in France when using the sites "google.fr" and " youtube.com ", nor use the recommendations of the CNIL to do so. 150. Third, the restricted party considers that companies cannot claim exemplary cooperation with the CNIL, even though they have never communicated the volume of the number of unique daily visitors to the "google.fr" and "youtube.com" over the past twelve months from France, elements however requested by the CNIL control delegation. The restricted committee notes that it appears from article 18 of the law "Informatique et Libertés" that the data controllers "cannot oppose the action of the Commission" and that they must take "all useful measures in order to facilitate its task ". Cooperation with the supervisory authority is thus first of all an obligation provided for by law. Thus, the obligation to cooperate is far from being fully satisfied in the present case, so that there is no need to apply a mitigating circumstance under subparagraph (f) of paragraph 2 of the 'article 83 of the GDPR. 151. Fourth, the Panel considers that it is appropriate to apply the test provided for in subparagraph k) of Article 83, paragraph 2, of the Regulations on financial advantages obtained as a result of the breach. 152. In this regard, the restricted committee notes that the reading and writing operations, allowing the collection of user data for the purposes of targeted advertising via the “google.fr” and “youtube.com” sites, allow companies to obtain a considerable financial benefit. While it admits that all of the companies' revenues are not directly linked to cookies, the restricted party stresses that online advertising is based essentially on targeting Internet users, in which the cookie directly participates by making it possible to identify and reach the target. 'identified user with a view to displaying advertising content corresponding to their areas of interest and profile. 153. It recalls that, as it noted in its deliberation n ° SAN-2020-012 of 7 December 2020 mentioned above, the GOOGLE group realizes most of its profits in the two main segments of the online advertising market that constitute Display Advertising and Contextual Advertising (Search Advertising), in which cookies play an undeniable, albeit different, role. 154. First, in the display advertising segment, the object of which is to display content in a specific area of a website and in which cookies and trackers are used to identify users during their navigation, in order to offer them the most personalized content, it is established that the GOOGLE group offers products at all levels of the value chain in this segment and that its products are systematically dominant on these different levels. In this regard, the GOOGLE group indicates, on one of its websites, that it offers for advertising an ecosystem accessible from its tools and services capable of reaching more than 2 million sites, videos and applications and more than 90 % of Internet users worldwide 155. Then, the segment of contextual advertising, the object of which is to display sponsored results based on the keywords typed by users in a search engine, also requires the use of cookies in its practical implementation, for example example to be able to determine the geographical location of users and, thereby, adapt the advertisements offered according to this location. In this regard, it emerges from the annual report of the company ALPHABET for the year 2019 that this segment alone, through in particular the Google Ads service - formerly AdWords -, 61% of the turnover of the GOOGLE group. 156 . If, within the framework of the procedure which gave rise to the aforementioned deliberation, the restricted committee was not aware of the amount of profit derived by the GOOGLE group from the collection and use of cookies on the French market via income generated by advertising targeted at French Internet users, she noted "that a proportional approximation based on publicly available figures would lead to an estimate that France would contribute between 680 and 755 million dollars to the annual net income of ALPHABET, the parent company of the GOOGLE group, that is, at the current exchange rate, between 580 and 640 million euros. "157. In addition, the restricted formation again underlines that it emerges from the studies mentioned above that the companies which have set up a "refuse all" button on the interface for collecting consent have seen the rate of consent relating to the 'acceptance of cookies decrease. Indeed, when a button appearing at the first level allows them to refuse cookies, a large part of Internet users completely or partially refuse cookies and other tracers, which necessarily has an impact in terms of income related to online advertising. . These elements therefore confirm the undeniable financial advantage derived from the breach committed by the companies GOOGLE LLC and GIL by not setting up a mechanism for refusing consent as easy as that of accepting cookies. 158. Lastly, the restricted committee reminds that in application of the provisions of article 20 paragraph III of the law "Informatique et Libertés", the companies GOOGLE LLC and GIL incur a financial penalty of a maximum amount of 2% of their turnover, which was respectively […] dollars in 2020 for GOOGLE LLC and more than […] euros in 2019 for GIL.159. In its deliberation n ° SAN-2020-012 of December 7, 2020, the restricted committee demonstrated the greater involvement of the company GOOGLE LLC in determining the purposes and means of cookies used on the "google.fr" site. compared to the company GIL. Indeed, it is the company GOOGLE LLC that designs and builds the technology of GOOGLE products. In addition, GOOGLE LLC exercises significant influence in the bodies deciding on the deployment of GOOGLE products in Europe and the processing of personal data of European users. 160. The restricted party emphasizes that due to the massive use of the Google Search search engine and of YouTube in France, the number of people affected by the alleged infringement is considerable. It also notes the considerable profits derived by companies, through advertising revenues indirectly generated by the data collected by these cookies. 161. Therefore, having regard to the respective responsibilities of the companies, their financial capacities and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted committee considers that a fine of 90 million euros to the against the company GOOGLE LLC and a fine of 60 million euros against the company GIL appear justified. On the issuance of an injunction 162. The companies argue that the rapporteur's request for an injunction is unnecessary, considering that there was no need to initiate sanction proceedings.163. They also dispute the amount of the daily penalty payment proposed in addition to the injunction since the rapporteur does not demonstrate the need for this penalty or the proportionality of its amount, which is the maximum amount provided for by the law "Informatique et Libertés" .164. Finally, they dispute the deadline proposed by the rapporteur after which the penalty payment could be liquidated, considering that the modification of the mechanism for obtaining consent requires complex and substantial computer programming work. They indicate that GIL would need at least six months to comply with the terms of the injunction. 165. In the first place, the restricted committee notes that in the current state of the cookies banner on the “google.fr” and “youtube.com” sites, users still do not have a means of refusing the operations of reading and / or writing information in their terminal having the same degree of simplicity as that provided to accept its use. It therefore considers it necessary to issue an injunction in order for companies to comply with the applicable obligations in this area.166. Secondly, the restricted committee recalls that in order to keep its comminatory function on call, its amount must be both proportional to the seriousness of the breaches committed but also adapted to the financial capacities of the data controller. It notes, moreover, that in determining this amount, account must also be taken of the fact that the breach concerned by the injunction indirectly contributes to the profits generated by the controller.167. Third, with regard to the time that would be necessary to execute the injunction, the restricted panel takes note of the arguments put forward by the companies while taking into account the technical and human resources at their disposal.168. In view of these elements, the restricted committee considers as justified the pronouncement of an injunction accompanied by a fine in the amount of 100,000 euros per day of delay and which can be liquidated at the end of a period of three months. . On advertising169. The restricted committee considers that the publicity of this decision is justified in view of the number of people concerned and the seriousness of the breach. 170. The restricted formation notes that this measure will make it possible to alert the users residing in France of the sites "google.fr" and "youtube.com" of the characterization of the violation of article 82 of the law "Informatique et Libertés" and to them inform of the persistence of the breach on the date of this deliberation and of the injunction issued against the companies to remedy it. 171. Finally, the measure is not disproportionate since the decision will no longer identify the companies by name after the expiration of a period of two years from its publication. deliberated, decides to: • pronounce against the company GOOGLE LLC an administrative fine in the amount of 90,000,000 euros (ninety million euros) for breach of article 82 of the law " Informatique et Libertés ", • pronounce against the company GOOGLE IRELAND LIMITED an administrative fine in the amount of 60,000,000 euros (sixty million euros) for breach of article 82 of the law" Informatique et Libertés , • issue against the companies GOOGLE LLC and GOOGLE IRELAND LIMITED an injunction to modify, on the “google.fr” and “youtube.com” websites, the methods of obtaining the consent of users located in France to the operations of reading and / or writing of information in their end al, by offering them a means of refusing these transactions, which is as simple as the mechanism provided for their acceptance, in order to guarantee the freedom of their consent; • attach a fine of 100,000 euros (one hundred thousand euros) to the injunction by day of delay at the end of a period of three months following the notification of this deliberation, the proof of compliance must be sent to the restricted body within this period; • send this decision to the company GOOGLE FRANCE in view of its execution; • make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the companies by name after the expiration of a period of two years from its publication. President Alexandre Linden This decision may be appealed against to the Council of State within four months of its notification Deliberation SAN-2021-023 of December 31, 2021 Decision SAN-2021-023 of 31 december 2021