CNIL (France) - SAN-2023-009

From GDPRhub
CNIL - SAN-2023-009
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 7(1) GDPR
Article 7(3) GDPR
Article 12 GDPR
Article 13 GDPR
Article 15(1) GDPR
Article 17(1) GDPR
Article 26 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 22.06.2023
Fine: 40,000,000 EUR
Parties: Criteo
Privacy International
None of Your Business (NYOB)
National Case Number/Name: SAN-2023-009
European Case Law Identifier: n/a
Appeal: Appealed - Confirmed
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: allan.v

The French DPA fined the online advertising group Criteo €40 million for violations relating to the processing of personal data, in particular for failing to check that data subjects have given their consent.

English Summary[edit | edit source]

Facts[edit | edit source]

On 15 June 2023, the French DPA (CNIL) fined the online advertising company Criteo - the controller - €40,000,000. The DPA’s decision followed complaints lodged by the NGOs Privacy International and None of Your Business (noyb).

Criteo used a behavioural targeting approach that tracked data subjects’ online activities to display personalised advertising. By collecting browsing data through its tracking tool (the cookie "Criteo") Criteo analysed data subjects’ browsing habits to determine the most relevant ads for each data subject. Online advertising companies participated then in real-time bidding and displayed personalised ads if they won the bid.

Holding[edit | edit source]

The DPA found five breaches of the GDPR against the controller:

  1. Regarding the failure to demonstrate consent, the DPA held that Criteo failed to ensure that data subjects gave their consent to the placement of the tracker on their devices in violation of Article 7(1) GDPR. The DPA discovered instances in which the controller’s tracker was used by several of the controller's commercial partners without data subjects’ consent. According to the DPA, obtaining consent from Internet users for the processing of data concerns both Criteo and its commercial partners pursuant to Article 7 GDPR. The DPA insisted on a dual system of responsibility (joint controllership) to ensure an effective right to consent at every stage of the processing.
  2. Concerning the lack of information and transparency, the DPA considered Criteo's privacy policy to be incomplete and unclear about the intended purposes of the data processing, thus violating Articles 12 and 13 GDPR. Some purposes were only vaguely formulated, so that data subjects could not fully understand which personal data were used for which purposes.
  3. As to the failure to comply with the right of access, the DPA established that Criteo did not adequately fulfil data subjects’ right of access in breach of Article 15(1) GDPR. When data subjects requested access to their personal data, Criteo only provided data from a subset of its database tables and did not disclose the information from other relevant tables.
  4. As to the failure to respect the right to withdraw consent and delete data, the DPA found a violation of Articles 7(3) and 17(1) GDPR. When data subjects exercised their right to withdraw consent or requested deletion of their data, Criteo stopped displaying personalised ads but failed to remove the identifier assigned to the data subject or delete the related browsing events.
  5. Lastly, the DPA highlighted the lack of agreement between the joint controllers in breach of Article 26 GDPR. The agreements between Criteo and its commercial partners did not contain specific obligations in relation to the requirements of the GDPR, such as data subjects' rights, data breach notification or impact assessments.

Comment[edit | edit source]

In response to the breaches, Criteo has implemented measures to address the issues raised by the DPA. The controller has taken steps to ensure valid collection of consent by its partners and has included a clause to prove consent in its partner agreements. The controller has also revised its privacy policy to include comprehensive information, simplified language and clear explanations of the purposes of data processing.

However the controller notified the DPA of its intention to appeal to the decision. It considers, inter alia, that the violations found by the DPA did not involve any risk for individuals or any harm caused to them. Criteo states that it only uses pseudonymised data that is not directly identifiable and is not sensitive in its activities. Criteo also believes that the penalty remains disproportionate to the alleged breaches and out of line with general market practices in this area.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation SAN-2023-009 of June 15, 2023

National Commission for Computing and Liberties

Nature of the deliberation: Sanction
Legal status: In force
Date of publication on Légifrance: Thursday, June 22, 2023
Deliberation of the restricted formation n°SAN-2023-009 of June 15, 2023 concerning the company CRITEO
The National Commission for Computing and Liberties, meeting in its restricted formation composed of Mr Alexandre LINDEN, President, Mrs Christine MAUGÜÉ and Messrs Alain DRU and Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 relating to the protection of personal data and the free movement of such data;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Considering the law n° 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 and following;

Having regard to decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Computing and Liberties;

Having regard to decision n° 2020-005C of December 27, 2019 of the President of the National Commission for Computing and Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the processing implemented by the company CRITEO or on its behalf, in any place likely to be affected by their implementation;

Having regard to the decision of the President of the National Commission for Computing and Freedoms appointing a rapporteur before the restricted formation, dated June 23, 2021;

Considering the report of Mr. François PELLEGRINI, commissioner rapporteur, notified to the company CRITEO on August 3, 2022;

Having regard to the written observations submitted by the board of CRITEO on October 31, 2022;

Having regard to the rapporteur's response to these observations notified to CRITEO on December 7, 2022;

Having regard to the new written observations submitted by the board of CRITEO, received on January 30, 2023;

Having regard to the oral observations made during the session of the Restricted Committee;

Having regard to the other documents in the file;

Were present at the restricted training session of March 16, 2023:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of CRITEO:

- […]

By videoconference: […]

CRITEO having the last word;

The Restricted Committee adopted the following decision:

I. Facts and procedure

1. Founded in 2005 in France, the company CRITEO SA (hereinafter the "company") specializes in the display of targeted advertising on the web. In 2022, the CRITEO group employed around 3,000 employees and had achieved overall revenue of around €1.9 billion for a net profit of around €10 million.

2. The company implements so-called "advertising retargeting" data processing, which consists of monitoring the browsing habits of Internet users to display them personalized advertisements, by means of cookies placed in user terminals.

3. On November 8, 2018, the National Commission for Computing and Liberties (hereinafter "the CNIL" or "the Commission") received a complaint from the association "Privacy International", which underlined in particular that the company did not process the data of Internet users in accordance with the principles set out in Article 5, paragraph 1, of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, relating to the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "the GDPR").

4. On December 4, 2018, the CNIL received a complaint sent by the association "None of Your Business" (hereinafter "NOYB") mandated by […], which denounced the formalism imposed by the company on from which he had wished to withdraw his consent and oppose the processing of his data (hereinafter "the complainant"). The complainant reported that, despite sending an e-mail to this effect to the company, the latter had redirected him to various online procedures devoted to the exercise of rights.

5. On January 14, 2019, in accordance with Article 56 of the GDPR, the CNIL informed all the European supervisory authorities of its competence to act as lead supervisory authority concerning the cross-border processing implemented by the company, competence derived by the CNIL from the fact that the main establishment of the company is in France.

6. After discussions between data protection authorities, it turned out that all European authorities are concerned within the meaning of Article 4, 22) of the GDPR.

7. As part of the investigation of the complaint filed by the NOYB association, the CNIL questioned the company on the follow-up given to the complainant's requests. This instruction gave rise to an exchange of letters between the CNIL and the company, dated March 27, April 29, September 9, October 9, December 27, 2019 and February 17, 2020. A meeting was also held on January 17 2020.

8. In the extension of this instruction and in application of decision no. 2020-005C of December 27, 2019 of the President of the Commission, a CNIL delegation carried out several checks at the company in order to verify compliance with the provisions of Law No. 78-17 of January 6, 1978 as amended relating to data processing, files and freedoms (hereinafter "the Data Protection Act" or "law of January 6, 1978") and the GDPR.

9. Thus, on January 29, 2020, the delegation sent a questionnaire to the company, to which the latter replied on March 27, 2020, relating to its organization, the processing of personal data that it implements, the its qualification as data controller, on its relations with its customers and partners and on its management of requests to exercise rights.

10. On 16 and 17 September 2020, the delegation carried out an on-site inspection at the company's premises, during which it notably carried out checks on the websites of two of the company's partners. The delegation also checked the follow-up given to the request to exercise the complainant's rights and obtained information on the procedures for implementing the right to withdraw consent and the right to erasure. The on-site inspection gave rise to two reports no. 2020-005/1 and 2020-005/2, notified to the company on September 30, 2020.

11. On October 13, 2020, based on a list provided by the company of the hundred websites from which it collects the most data, the delegation carried out an online check of several of these sites to check in particular the terms of the deposit of the Criteo cookie in the user's terminal and the device implemented to collect their consent. The online check gave rise to a report no. 2020-005/3, notified to the company on October 14, 2020.

12. On June 23, 2021, on the basis of Article 22 of the law of January 6, 1978, the President of the Commission appointed Mr François PELLEGRINI as rapporteur for the purposes of examining these elements.

13. On June 9, 2022, the rapporteur sent an additional request to the company to receive, in particular, the latest versions of the general conditions of use of Criteo services, as well as a recent sample of contracts concluded by the company with its partners. . The company responded on June 17, 2022.

14. On August 3, 2022, at the end of his investigation, the rapporteur notified the company of a report detailing the breaches of Articles 7, 12, 13, 15, 17 and 26 of the GDPR that he considered constituted in l 'species.

15. This report proposed that the restricted committee of the Commission impose an administrative fine on the company in an amount that could not be less than sixty million euros. He also proposed that this decision be made public and no longer allow the company to be identified by name after the expiry of a period of two years from its publication.

16. On October 31, 2022, the company submitted observations in response to the rapporteur's report.

17. On December 7, 2022, the rapporteur responded to the company's observations.

18. On January 30, 2023, the company submitted new observations in response to those of the rapporteur.

19. By letter dated February 21, 2023, the rapporteur informed the company's board that the investigation was closed, pursuant to Article 40, III, of decree no. 2019-536 of May 29, 2019 issued for the application of the Data Protection Act.

20. The rapporteur and the company presented oral observations during the restricted training session of March 16, 2023.

II. Reasons for decision

A. On the European cooperation procedure

21. Pursuant to Article 60(3) of the GDPR, the draft decision adopted by the Restricted Committee was sent on 16 May 2023 to the European supervisory authorities concerned.

22. As of 13 June 2023, none of the supervisory authorities concerned had raised a relevant and reasoned objection to this draft decision, so that, pursuant to Article 60(6) of the GDPR , the latter are deemed to have approved it.

B. On the processing in question, the qualification of personal data and the responsibility for processing.

1. On the processing in question for the purpose of displaying personalized advertising

23. Article 4, 2) of the GDPR defines processing as "any operation or set of operations whether or not carried out by automated means and applied to personal data or sets of personal data, such as the collection, recording, organization, structuring, storage, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of making available , reconciliation or interconnection, limitation, erasure or destruction".

24. In the present case, the Restricted Committee notes that the company implements so-called "advertising retargeting" data processing for the purpose of displaying personalized advertising (hereinafter the "processing in question").

25. In concrete terms, the company collects Internet users' browsing data using cookies which are placed on their terminals when they visit one of the sites of their […] partners, including publishers and advertisers. When an Internet user visits a partner's website, the company places a cookie in the terminal of his browser, which is assigned a unique identifier, called Criteo ID, which will allow him to recognize him during his future visits. on other partner sites.

26. Thus, when an Internet user visits the website of a partner advertiser, the company records in its database the actions of the Internet user via the cookie (for example, the visit to the home page, the connection to a user account, clicking on a "product" page, adding an item to the shopping cart).

27. Then, when the Internet user visits the website of a partner publisher, the publisher sends a request to the company in order to send it information such as the size of the advertising insert, the nature of the publisher site as well as an identifier allowing the company to recognize the Internet user.

28. The company then uses its data processing technologies to determine which advertising would be the most relevant to display to the Internet user according to his browsing habits and the products or services that could interest him. Based on this analysis, the company then participates in a real-time bidding or "RTB" auction for the display of an advertisement on the publisher's advertising space. If the company wins the auction, an advertiser's banner ad is displayed in the insert available on the publisher's website.

29. Thus, as an intermediary between advertisers and publishers of websites, the company helps, on the one hand, advertisers to reach their target audience with more relevant advertisements, on the other hand, publishers to enhance their advertising space.

30. The Restricted Committee notes that the company acknowledges implementing the processing described in the preceding paragraphs.

2. On the qualification of personal data of the data processed by the company CRITEO

31. Article 4, 1) of the GDPR defines personal data as "any information relating to an identified or identifiable natural person (hereinafter referred to as "data subject"); is deemed to be an "identifiable natural person" a natural person who can be identified, directly or indirectly, in particular by reference to an identifier, such as a name, an identification number, location data, an online identifier, or to one or more specific elements specific to his physical, physiological, genetic, psychic, economic, cultural or social identity.

32. Recital 30 of the GDPR, which is part of well-established case law of the Court of Justice of the European Union (CJEU, 24 Nov. 2011, Scarlet Extended SA C 70/10, pt. 51 and 19 Oct. 2016, Breyer, C-582/14) provides that an online identifier associated with a natural person, such as an IP address or a cookie, can "leave traces which, in particular when they are combined with unique identifiers and other information received by the servers, can be used to create profiles of natural persons and to identify these persons".

33. In its aforementioned Breyer judgment, delivered under the influence of Directive 95/46/EC, the CJEU stressed the importance of a casuistical approach to the identifying or non-identifying nature of data rather than a general position and of principle. It indicated that, in order to determine whether a person is identifiable, it was necessary to take into consideration all the means likely to be reasonably implemented, either by the controller or by another person, to identify the said person. .

34. The rapporteur considers that the company processes personal data, given that given the number and diversity of data collected and the fact that they are all linked to an identifier, it is possible, with reasonable means, to re-identify the natural persons to whom this data relates.

35. The company considers that it deals with "browsing events", which are pseudonymised technical data that do not allow it to directly identify the Internet users to whom they are attached. It maintains that it is only required to recognize the identity of a person in the event of a request for a right of access where it can make the correspondence between the Criteo cookie identifier (Criteo ID) and the identity of the natural person. Apart from such a hypothesis, it considers that the risk of re-identification is very low and produces simulations carried out by service providers on this point.

36. It draws the conclusion that since it only processes pseudonymised data, any breaches it may have committed have had a very limited impact for the persons concerned, which the restricted committee should take into account in its assessment. .

37. The Restricted Committee points out that only true anonymization of the data processed, by causing the data to lose their "personal" character, that is to say, without the possibility of re-identifying the natural person to whom they relate, would escape the processing to all GDPR requirements.

38. In this case, the Restricted Committee notes that while the company does not claim to process anonymised data, it claims to process only pseudonymised data presenting a very low risk of re-identification.

39. The Restricted Committee also notes that the Criteo ID cookie identifier, assigned by the company by means of the cookies it deposits, is intended to distinguish each individual whose data it collects and that a great deal of information intended to enrich the Internet user's advertising profile are associated with this identifier, including:

- data related to the identification of the person: geographical location from IP address, Criteo user identifier, terminal identifier, identifiers provided by partners, e-mail address in hashed form provided by partners;

- data related to the activity of the person, which corresponds to the monitoring of the Internet user's browsing history through the sites visited, the products consulted, those added to the basket as well as the act of purchase. This also includes the possible interactions of the user with the advertisements presented to him (has the user clicked on the banner? has he made a purchase?);

- data derived or inferred from the previous information in order to be able to offer the user the most relevant products, taking into account his centers of interest.

40. Thus, the Restricted Committee notes that if the company does not directly have the identity of the natural persons to whom the terminals on which cookies are registered are linked, re-identification may be facilitated by the fact that, in certain cases, the company collects, in addition to data related to browsing events, other data that facilitates re-identification such as the email addresses of people who have made their browsing journey from an authenticated (or "logged in") environment in hashed form, identifiers corresponding generated by other actors, the IP address in hashed form or even the user agent of the terminal used.

41. Consequently, when the company is able to re-identify persons by reasonable means, the data processed retains a personal character, within the meaning of Article 4, 1) of the GDPR.

42. It follows that the GDPR is applicable and that, in view of what has been indicated above, the company is responsible for processing the processing in question.

C. Failure to comply with the obligation to be able to demonstrate that the person concerned has given his consent

43. According to Article 6(1) of the GDPR: "processing is only lawful if and insofar as at least one of the following conditions is fulfilled:

(a) the data subject has consented to the processing of his or her personal data for one or more specific purposes;

b) processing is necessary for the performance of a contract to which the data subject is a party or for the performance of pre-contractual measures taken at the request of the data subject;

c) processing is necessary for compliance with a legal obligation to which the controller is subject;

d) processing is necessary to protect the vital interests of the data subject or of another natural person;

e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

f) the processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular when the data subject is a child.

Point f) of the first paragraph does not apply to processing carried out by public authorities in the performance of their tasks”.

44. Under Article 4, 11) of the GDPR, consent is defined as "any expression of will, free, specific, informed and unambiguous by which the data subject accepts, by a declaration or by a clear positive act, that personal data concerning him are processed".

45. Article 7, paragraph 1, of the GDPR relating to the conditions applicable to consent provides that: "in cases where the processing is based on consent, the controller is able to demonstrate that the data subject has given his consent to the processing of personal data concerning him".

46. The rapporteur considers that the company has not put in place any measure allowing it to ensure that the personal data it processes are only those for which the person's valid consent has been obtained. It notes in this that among the websites controlled by the CNIL, more than half of the sites published by its partners did not obtain valid consent and that the company had not implemented an audit mechanism for its partners.

47. The company, invoking the Fashion ID judgment (CJEU, July 29, 2019, C 40/17), argues that its partners, who have the status of joint controllers, remain the best placed to collect the consent of data subjects. concerned in that the Criteo cookie is placed in the terminal of Internet users when browsing their website.

48. The company adds that as such, the various agreements entered into with its partners pursuant to Article 26 of the GDPR (in particular the aforementioned General Conditions of Use of Services and its Data Protection Agreement) provide that this obligation comes back to them. It considers that this contractual distribution is sufficient to ensure compliance with this obligation, which is binding on its partners by virtue of the principle of the binding force of contracts.

49. It maintains that there is nothing to establish that the practices observed on the twelve websites visited by the delegation of control would be representative of the state of compliance of its […] partners.

50. Although it claims not to have any specific obligation to ensure that its partners have validly obtained the consent of the persons concerned, the company nevertheless emphasizes that it does not hesitate to terminate the contracts concluded with those who do not respect their obligations. in terms of obtaining the consent of Internet users.

51. It adds that it has implemented other control mechanisms, such as an audit strategy for its partners which, as of 31 October 2022, made it possible to verify the compliance status of nearly […] of its partners, as well as a so-called "Know your client" process by which it verifies the compliance of its future partners with several regulatory requirements (presence of a cookie banner and a confidentiality policy) prior to the conclusion of a service contract with them. Finally, it indicates that it terminated its contract with one of its partners who had been checked by the CNIL delegation and that it sent a warning to another partner that did not comply with the applicable regulations regarding the collection of consent from Internet users.

52. The Restricted Committee recalls that in the event of joint responsibility, Article 26 of the GDPR obliges the joint controllers to ensure, by means of an agreement, that they mutually respect the GDPR and in particular that they organize among themselves the best way to respond to the rights of the data subjects, depending on the nature of the processing and their respective responsibility vis-à-vis this processing.

53. It points out that in points 167 and 168 of its guidelines 07/2020 concerning the notions of controller and processor in the GDPR, the European Data Protection Board (EDPB) considers that in the event of of joint responsibility, "both controllers are always required to ensure that they both have a legal basis for the processing" and that they "may have a certain degree of flexibility in the distribution and allocation of the obligations between them, provided that they ensure full compliance with the requirements of the GDPR with regard to the specific processing”.

54. Firstly, with regard to the respective roles and obligations of the Criteo company and the partner sites, the Restricted Committee notes that in the context of its processing for the purpose of displaying personalized advertising, the company processes the data to personal nature of Internet users visiting the sites of its partners which are previously collected via the Criteo cookie.

55. It also notes that the company and the sites of its partners from which the Criteo cookie is deposited in the terminal of Internet users are jointly responsible for the operations of depositing the Criteo cookie and the collection of data of Internet users operated thanks to this cookies.

56. With regard to the legal framework applicable to these different processing operations, the Restricted Committee recalls that if the deposit of the Criteo cookie in the terminal of the Internet user visiting a partner's website and which allows the company to assign a unique identifier to this Internet user is subject to the provisions of Article 5, paragraph 3, of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the protection of privacy in the electronic communications sector (hereinafter the "ePrivacy" directive), transposed into French law in article 82 of the Data Protection Act, the subsequent processing for advertising purposes, which is operated from personal data personal data collected through this cookie, is subject to the provisions of the GDPR.

57. With regard to the legal basis applicable to these different processing operations, the Restricted Committee first recalls that under the "ePrivacy" directive, the operations of reading or writing information in the terminal of 'a user can not be implemented without the prior consent of the latter.

58. It then notes, with regard to the processing in question, that the company indicated to the delegation of control in its response to the questionnaire of January 29, 2020 that: "all the processing that we carry out as part of our advertisements in Europe are based on user consent”. In addition, the company's processing confidentiality policy also mentions consent as the applicable legal basis for the purposes of displaying personalized advertising, whether targeted or contextual.

59. The Restricted Committee notes that, according to a constant position of the CNIL, the articulation of the rules of the "ePrivacy" directive and the GDPR allows the publisher of the site from which the cookie is deposited to obtain the consent necessary for the deposit of the cookie at the same time as that necessary for the subsequent processing implemented from the data collected by this cookie.

60. Specifically, it notes, in this case, that the company has organized itself in such a way with its partners that the general conditions of use of Criteo services, to which the company's partners have adhered, specify that it is up to the partner to obtain the consent of the person concerned for the subsequent processing carried out from the data collected by this cookie.

61. The Restricted Committee considers, however, that the fact that the collection of the consent of Internet users for the implementation of the processing in question is the responsibility of the partners does not exonerate the company from its obligation, pursuant to Article 7 of the GDPR, d be able to demonstrate that the person concerned has given his consent.

62. This dual liability regime makes it possible to guarantee that at all stages of the processing of data collected during the navigation of a user on one of the company's partner sites, each joint data controller complies with the obligations which it is responsible: for the partners, those relating to the deposit and reading of the Criteo cookie in the user's terminal and, for the company, those relating to the subsequent processing carried out from the data collected by means of this cookie.

63. Data subjects should effectively benefit from the protection offered by the texts in force to which they are entitled throughout their navigation and, in particular, that their data should only be processed by the company if they have requested it. previously and validly consented.

64. In addition, the company's core business consists of transforming raw navigation data into valuable information that it uses. Since the company plays a central role in the advertising ecosystem, it must all the more be able to ensure that the processing in question complies with the regulations in force.

65. Finally, the Restricted Committee notes that the Fashion ID judgment, invoked by the company, relates to the question of whether the site manager (the Fashion Id company) or the cookie publisher (the Facebook company) should obtain the consent of the persons concerned before depositing the cookie published by Facebook and that it has been issued under the influence of Directive 95/46/EC relating to data protection.

66. Insofar as the European legislator intended to strengthen the rights of individuals and the accountability of actors by establishing, in particular, the obligation for the data controller to be able to demonstrate that the person whose data he is processing has actually given its consent, pursuant to Article 7(1) of the GDPR, the Restricted Committee considers that the reference to the Fashion ID judgment is not relevant in this case.

67. Secondly, the Restricted Committee notes that in the context of the online checks carried out during the on-site check of 16 September 2020 and during the online check of 13 October 2020, the delegation noted on seven partner websites of the company that a Criteo cookie had been placed in the terminal used on this occasion, as soon as it arrived on the home page without it having performed the slightest action, whereas at the time of these findings, the CNIL had already had the opportunity to recall that such practices were in direct contravention of the provisions of the Data Protection Act applicable to cookies.

68. The Restricted Committee also notes that in three cases, the site visited did not allow the user to refuse cookies other than by setting their browser, which does not constitute a mechanism for valid refusal of consent, whereas, in two cases, a Criteo cookie was deposited after the delegation had expressed its refusal to this deposit.

69. In addition, during the on-site inspection of September 16, 2020, the delegation noted that the two sites visited did not include any mechanism allowing the collection of consent to the deposit of cookies, such as a button or a checkbox . Several events related to browsing these two sites were recorded in the company's database, such as visiting the pages of products sold by the company's partners.

70. It emerges from all of these checks that the absence of collection of valid consent was observed by the delegation on nearly one in two sites visited. However, the Restricted Committee also notes that nine of the twelve sites visited by the CNIL services were indicated by the company itself, as those generating the most data collected in its database.

71. While it is true that the inspection procedure did not make it possible to verify all of the sites of the […] partners of the company, the Restricted Committee considers that it can reasonably be inferred from the aforementioned findings that on the date of the checks, the company was processing a large volume of browsing data for which Internet users had not given valid consent.

72. Thirdly, the Restricted Committee notes that on the date of the initiation of the control procedure, the company had not implemented any satisfactory measure allowing it to be considered to be in compliance with the requirements of the 7(1) GDPR.

73. Thus, the Restricted Committee notes that at the start of the control procedure, to the question of the delegation aimed at knowing the measures put in place by the company to ensure the validity of the consent, in the event that it had to delegate the collection of this consent to a third party, the latter had limited itself to reproducing a mention of its general conditions of use, in their applicable version of May 2016, under the terms of which the company required its partners, "when the law provides for it", that the confidentiality policy of their site includes "notices and mechanisms of choice in accordance with the applicable laws and regulations".

74. However, the Restricted Committee considers that such a clause does not, on its own, guarantee the existence of a valid consent and that it should at the very least be supplemented to specify that the organization who obtains the consent must make proof of the consent available to the other party, so that each data controller wishing to rely on it can effectively report it.

75. In the present case, the Restricted Committee notes that on the date of initiation of the control procedure, this clause was not only not supplemented by a specific clause relating to proof of consent, but also that the company had also admitted that it had never terminated a contract due to a partner's non-compliance with its contractual obligations, nor implemented any other measure to control its partners.

76. In this sense, the Restricted Committee notes that the various measures put forward by the company were only gradually deployed from 2020, after the start of the control procedure initiated in January 2020.

77. The Restricted Committee thus takes note of the audit campaign conducted by the company with its partners since 2020 and of the fact that the company has also terminated the contract binding it to one of them who did not respect not its cookie obligations.

78. It also notes that in subsequent versions of its general terms and conditions of use, the company inserted a clause relating to proof of consent according to which the partner undertakes to "promptly provide Criteo, on request and at any time, proof that a consent of the data subject has been obtained by the partner".

79. In view of these elements, the Restricted Committee considers that the company has complied with the requirements of Article 7(1) of the GDPR.

80. It nevertheless emphasizes that this compliance, which occurred belatedly, has no effect on the fact that the company processed the personal data of Internet users without being able to demonstrate that they have validly consented to the processing for the purpose of the display of personalized advertising, in violation of Article 7(1) GDPR.

D. On the breach of the obligations of information and transparency

81. Article 12, paragraph 1, of the GDPR provides that: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 as regards processing to the data subject in a concise, transparent, comprehensible and easily accessible manner, in clear and simple terms, in particular for any information intended specifically for a child. writing or by other means including, where appropriate, electronically".

82. Pursuant to Article 13 of the GDPR, the controller must provide the data subject with the following information:

"a) the identity and contact details of the controller and, where applicable, of the controller's representative;

b) where applicable, the contact details of the data protection officer;

c) the purposes of the processing for which the personal data are intended as well as the legal basis for the processing;

d) where the processing is based on Article 6(1)(f), the legitimate interests pursued by the controller or by a third party;

e) the recipients or categories of recipients of the personal data, if they exist; And

f) where applicable, the fact that the controller intends to transfer personal data to a third country or to an international organization, and the existence or absence of a decision to adequacy rendered by the Commission or, in the case of transfers referred to in Article 46 or 47, or in the second subparagraph of Article 49(1), the reference to the appropriate or suitable guarantees and the means of obtaining one copy or the place where they have been made available".

83. In the present case, the rapporteur maintains that the information provided by the company to the persons concerned was not complete in that it did not indicate all the purposes relating to the processing in question in the version of its confidentiality policy. applicable on the date of the findings, in particular the purpose relating to the improvement of its technologies.

84. The rapporteur also criticizes a lack of clarity as to the legal basis of consent applicable to processing, which the company specified differs depending on the country, and as to the purposes implemented on the basis of legitimate interest.

85. The company responds that it has updated its privacy policy.

86. In any event, it disputes the first complaint, considering that it did not have to specify the purpose of improving its technologies since, in its view, this purpose includes technical elements contributing globally to the same purpose. than the display of personalized advertisements.

87. On the second complaint, it argues that any ambiguities denounced by the rapporteur never prevented the persons concerned from exercising their rights.

88. In its second observations, the company argues that no breach on its part of the obligations arising from Article 13 of the GDPR can be blamed on it insofar as it would only carry out an indirect collection of data.

89. The Restricted Committee recalls, firstly, that the GDPR distinguishes the system from the obligation to inform which is imposed on the data controller depending on the nature of the data collection: the data controller is subject to the provisions of Article 13 of the GDPR when the data is collected directly from the data subject and the provisions of Article 14 of the GDPR in the opposite case.

90. It adds that in point 26 of its guidelines of 29 November 2017 on transparency, in their revised version of 11 April 2018, the EDPS recalls that Article 13 of the GDPR also applies when the data is collected by the data controller "by observation", i.e. when the data controller collects the data through the use of sensors of any kind.

91. The Restricted Committee notes that the Council of State adopted the same interpretation in a decision rendered before the entry into force of the GDPR, considering that the fact that the collection does not require any intervention by the persons concerned had no impact on the direct nature of this collection (Council of State, 10th - 9th chambers combined, February 8, 2017, JCDecaux, no. 393714).

92. In the present case, the Restricted Committee notes that the data is indeed collected by the company directly from the Internet user, since when the latter browses the website of a partner of the company, the requests of the cookie Criteo allowing the latter to know that a user arrives on the home page, connects to an account or clicks on a "product" page, are sent directly to its servers, without passing through another data controller.

93. As the data is collected from individuals, the Restricted Committee concludes that Article 13 of the GDPR applies to the company.

94. Secondly, the Restricted Committee notes that the general conditions of use of Criteo services provide that the company's partners must integrate into their website a personal data protection policy including a link to the privacy policy from Criteo.

95. It notes that the "Legal basis for data processing" section of the company's privacy policy, in the version applicable on the date of the findings, stated that: "Criteo's processing operations comply with the regulations in force, in countries requiring user consent for the use of cookies or other similar technology. This consent is collected on the websites and mobile applications of Advertisers and Publishers".

96. Furthermore, it was also mentioned under the same section that: "Criteo considers that it has a legitimate interest in processing your data for the purposes expressed in this privacy policy, in particular to:

- respect the commercial agreements made with our customers and partners;

- allow our Advertisers to promote their products and services;

- allow our Publishers to finance their activities".

97. The Restricted Committee considers, first, that the first formulation creates uncertainty as to the legal basis of the processing in that it does not allow Internet users located within the European Union to understand that the processing of their data is based on their consent.

98. Next, it considers that the purposes announced by the company in the second formulation are expressed in vague and broad terms which do not allow the user to understand precisely what personal data is used and for what purposes. Furthermore, the Restricted Committee considers it contradictory to mention that the purposes relating to the promotion of advertisers' products and the financing of the activities of publishers are based on the legal basis of legitimate interest when these purposes are directly linked to the processing of display of personalized advertising, which is based, according to the company itself, on the legal basis of the consent of Internet users. The Restricted Committee adds that such an approximate and contradictory description of the purposes pursued on the basis of legitimate interest is liable to hinder the exercise by the persons concerned of their right to object, which is intrinsically linked to the quality of the information delivered.

99. The Restricted Committee notes that the company has responded to these shortcomings in the new version of its confidentiality policy, since the latter now specifies that consent applies to persons residing in the European Economic Area and that it includes a table summarizing all the purposes of its processing, including those based on the legal basis of legitimate interest, which includes a detailed description of these purposes and the categories of data concerned. The Restricted Committee observes that the company has also put an end to the contradiction noted above.

100. Thirdly, the Restricted Committee notes that the "Purpose of the processing of personal data" section of the company's privacy policy, in the version applicable on the date of the findings, contained only the following line: "Criteo processes your personal data for personalized ads".

101. However, during the on-site inspection of September 16 and 17, 2020, the company specified to the delegation that the processing also made it possible "to optimize the responses to be given at auction, the selection of items to be presented in an advertisement and propose the best layout for this banner".

102. While the Restricted Committee admits that certain technical operations described by the company contribute directly to the main purpose of displaying personalized advertising, it considers that others serve a distinct purpose.

103. Indeed, the company uses the data collected through cookies in order to improve its own technologies (so-called "machine learning" purpose, mobilizing the data collected by the company to self-configure algorithmic targeting processing). Thus, the main objective of this subsequent processing is to improve the effectiveness of the advertising targeting carried out by Criteo in general. It is therefore a separate purpose, which should be brought to the attention of the persons concerned.

104. The Restricted Committee notes that in the new version of its privacy policy, posted online on November 4, 2022, the company now clearly distinguishes, under the "Use of your data" section, on the one hand, the purpose of "display of personalized advertising" and, on the other hand, the purpose of "model training", defined as making it possible to "improve the performance of Criteo's advertising operations".

105. It follows from the foregoing that by not providing data subjects with all of the information provided, by using insufficiently clear and precise terms and by presenting an erroneous legal basis for processing, the company has failed in its transparency and information obligations provided for in Articles 12 and 13 of the GDPR. However, it notes that the company has complied during this procedure.

E. On the breach of the obligation to respect the right of access of data subjects to personal data concerning them

106. Article 12, paragraph 1, of the GDPR provides that: "The controller shall take appropriate measures to provide any information referred to in Articles 13 and 14 as well as to carry out any communication under Articles 15 to 22 and Article 34 with regard to the processing to the data subject in a concise, transparent, understandable and easily accessible manner, in clear and simple terms".

107. Article 15(1) of the GDPR provides that: "The data subject has the right to obtain confirmation from the controller as to whether personal data relating to him or her are being processed and, where are, access to said personal data […]”.

108. In this case, as part of the investigations carried out by the CNIL, the company provided the delegation with three examples of responses sent to data subjects who had made access requests.

109. It appears that when a person exercised his right of access, the company transmitted to him the data extracted from the following three tables:

- the "Advertiser_advent" table, which stores all the data related to advertiser events;

- the "Banner_display" table, which stores all the data necessary to display an advertisement to the user (for example, the country of the user, the data linked to the advertiser or the version of the operation of the user's device);

- the "Click_cas" table, which stores all the data related to a user's interactions with advertising banners.

110. The rapporteur considers that the company only partially responded to the requests for right of access referred to it since it did not communicate the data appearing in three other tables:

- the "Usermatching" table, which contains information allowing Criteo identifiers to be reconciled (in the event that the same user uses several devices) in a "deterministic" manner (the company uses information provided by its partners, such as a number loyalty card, an Apple or Android ID, and/or an email address in hashed form to create a link between two Criteo IDs);

- the "bc_tcp_timestamp" table, which contains information allowing the reconciliation of identifiers in a "probabilistic" way (the company applies a prediction model from the data linked to two identifiers that it thinks correspond to the same user);

- the "Bid_request" table, which contains information related to events relating to the online auction protocol.

111. He also considers that the information provided was not intelligible to the user since the company contented itself with a brief description of the purpose of each table without however providing any explanation of the purpose of each. columns appearing in these tables, nor on their content.

112. The company argues that its procedures in the event of requests made under the right of access comply with the requirements of Article 15 of the GDPR. More specifically, it goes back to each of the three tables listed by the rapporteur and explains why, in the event of an access request, it did not communicate the data they contained.

113. With regard to the "Usermatching" table, the company claims that it only contains data allowing the reconciliation of the Criteo identifier with other identifiers, but that it nevertheless undertook to provide this data as part of its responses to access requests from November 2022.

114. With regard to the "bc_tcp_timestamp" table, the company explains that it is based on a probabilistic method and can potentially reconcile two separate people, so that the communication of data risks infringing the rights and interests of third parties in the event that data relating to another person is communicated to the author of the access request. For this reason, it excluded this table from its responses to access requests.

115. With regard to the "bid_request" table, the company explains that it contains approximately 400 fields relating to bid requests, so that it is essentially technical data and that the remaining data is identical to those appearing in the "Banner_display" table already provided by the company. However, it specifies that it had undertaken to provide all of this data as part of its responses to access requests before March 2023, the time to implement an action plan that would allow it to extract this data by profile.

116. On the intelligibility of the information provided to the persons concerned, it indicates that it has supplemented the explanations with a table listing, for each table, the nature of the data processed, and providing a description and examples of data, which it transmits in responding to access requests.

117. The Restricted Committee takes note of the explanations given by the company for the "bc_tcp_timestamp" table and indeed considers that the company did not have to communicate the data of this table insofar as they may relate to several people without the company is able to identify with certainty which data relate exclusively to the person making the request.

118. With regard to the "Usermatching" and "bid_request" tables, it considers that the elements put forward and produced by the company now allow the user to better understand the information transmitted to him.

119. The Restricted Committee notes, however, that the explanations provided by the company do not justify, on the date of the findings, the non-communication of the data contained in these two tables, whereas it is not disputed that these tables contain personal data which may be combined with other data recorded by the company and, in particular, with the identifier assigned to each Internet user.

120. It adds that it is apparent from those same findings that, in the context of its response to requests for the right of access, the company explained in a succinct sentence the purpose of each table and invited users to send an e-mail to get more information. Thus, in the absence of systematic communication of information on the purpose and content of each of the columns appearing in these tables, the company placed the user in uncertainty as to the nature of the data processed concerning him.

121. It follows from the foregoing that by not communicating all of the personal data of persons exercising their right of access to it and by not automatically providing them with documentation enabling them to understand the data communicated to them, the company has breached its obligations under Articles 12 and 15 of the GDPR.

F. On the breach of the obligation to respect the right to withdraw consent and erase data

122. Article 7(3) of the GDPR provides that: “The data subject has the right to withdraw consent at any time. Withdrawal of consent does not affect the lawfulness of processing based on consent made prior to such withdrawal. The data subject is informed before giving consent. Withdrawing is as easy as giving consent."

123. Pursuant to Article 17(1) of the GDPR, “The data subject has the right to obtain from the controller the erasure, without undue delay, of personal data concerning him and the data controller processing has the obligation to erase this personal data as soon as possible, when one of the following grounds applies:

[…]

b) the data subject withdraws the consent on which the processing is based pursuant to point (a) of Article 6(1) or point (a) of Article 9(2) and there is no other legal basis for the processing

[…]

d) the personal data has been unlawfully processed

[…]".

124. In the present case, exchanges took place between the CNIL departments and the company following receipt of […]'s complaint concerning his individual situation but also more generally, the procedures put in place by the company to respond to requests to exercise the rights of individuals. The company indicated that it had changed the measures implemented, in particular to make effective the right to withdraw consent and the right to erase data.

125. It appears from the investigations following these exchanges and the deployment of the measures announced by the company that the persons concerned who wished to withdraw their consent to the processing of their data by the company or who exercised their right to erasure could do so by clicking on the "Disable Criteo services" button accessible in the company's privacy policy on the "criteo.com" website. The company clarified that when a person clicks on this button, an "opt-out" cookie is deposited in the person's browser, thus preventing the subsequent deposit of Criteo cookies and the display of personalized advertisements. .

126. The company clarified that the deactivation of Criteo services, i.e. the fact of no longer displaying personalized advertisements to the person, could also be done by using the platforms made available by professional associations. representative of the sector such as the "YourOnlineChoices" platform.

127. During the on-site inspection of September 17, 2020, the delegation noted that the company no longer kept track in its databases of the user identifier assigned to […]. During this same check, the company declared that the procedure for deactivating its services no longer allowed it "to link the user identifier concerned to the user's browser in such a way that no advertising will be proposed to this identifier", without having the effect of deleting from its tables the identifier of the user at the origin of the request for opposition or deletion. The company added that: "in the event that a user identifier has been subject to a deactivation procedure, it will no longer be possible to later reconcile the events linked to this identifier with the other possible identifiers linked to this user". Finally, the company indicated that it could reuse the Criteo user ID as well as the events related to the deactivation request as part of improving its technologies.

128. The rapporteur considers that the company does not meet the requirements of Article 17 of the GDPR since it neither deletes the person's identifier nor deletes the related browsing events and this whereas the processing of […]'s complaint demonstrates that it is indeed capable of effectively erasing the data it processes.

129. The company argues that it is not required to carry out such erasure if it has a legitimate interest in storing and processing the data of persons who have made a request for erasure under the six purposes: sales matching/attribution, fraud prevention/anti-fraud, model training, invoicing, reporting and incident resolution.

130. In this sense, it considers itself justified in not effectively deleting this data as long as the pursuit of these other purposes based on legitimate interest justifies their retention. For each of these six purposes, the company produces a study demonstrating the relevance of using this legal basis.

131. With specific regard to the purpose of training models, the company considers that this allows data subjects to receive even more personalized advertisements, which is also in their interest. It adds that the CNIL has already recognised, in a sanction deliberation no. legitimate interest of a controller.

132. The Restricted Committee notes that when it follows a deletion request, the company limits itself to interrupting the display of personalized advertisements in the terminal of the person making the request, without carrying out a deletion. effective data relating to this person.

133. The Restricted Committee notes that the company claims that it cannot carry out such erasure on the grounds that it needs the data collected as part of its advertising targeting processing, based on consent, to carry out six other purposes which are based, according to the latter, on the legal basis of legitimate interest.

134. However, without it being necessary to rule on the adequacy of the legitimate interest as the legal basis for each of the six purposes put forward by the company, the Restricted Committee considers that, in cases where the company was not in any case unable to ensure that the person making the request had validly consented to the processing of his data by the company, the latter could not continue to process the data of this person for subsequent purposes based on the basis of legitimate interest. However, as demonstrated above, the company did not keep any proof of the valid consent of the persons, in violation of Article 7 of the GDPR. The company could not therefore limit itself to interrupting the display of personalized advertisements and had to proceed to the effective erasure of the data processed.

135. This conclusion is all the more necessary since the investigations show that the company processes a large volume of data for which it has been established that it came from cookies deposited before any manifestation of the Internet user's will and even , in certain cases, when the latter has expressly refused.

136. It follows from the above that by limiting oneself to interrupting the display of personalized advertisements and by not proceeding with the erasure of personal data in the event of exercise of their right to erasure, for persons for whom the company could not ensure the reality of the consent, the company failed in its obligations under articles 7 and 17 of the GDPR.

G. On the breach of the obligation to provide for an agreement between joint controllers

137. Article 26 of the GDPR provides that: "1. The joint controllers shall define in a transparent manner their respective obligations for the purpose of ensuring compliance with the requirements of this Regulation, in particular with regard to the exercise of data processing rights. the data subject, and their respective obligations regarding the communication of the information referred to in Articles 13 and 14, by agreement between them 2. The agreement referred to in paragraph 1 duly reflects the respective roles of the joint controllers and their relations vis-à-vis the persons concerned".

138. The rapporteur notes that on the date of the findings, the company had indeed entered into a contract with its partners, joint controllers (advertisers, publishers and online auction platforms), which contained a description of the processing objects of joint responsibility and the role of each controller vis-à-vis this processing.

139. He nevertheless emphasizes that this agreement did not make it possible to conclude that the company complied with Article 26 of the GDPR.

140. The company argues that, as drafted, the agreement concluded with its partners did not harm the data subjects who benefited from the full protection of the GDPR since the general conditions of use of its services provide that partners must provide a link to Criteo's privacy policy and allow data subjects to express their consent to targeted advertising.

141. It nevertheless justifies having adopted a new agreement which entered into force on 5 July 2022.

142. The Restricted Committee considers that it follows from the wording of Article 35 of the GDPR that the act allocating the obligations of the joint data controllers must cover all the obligations provided for by the GDPR in order to determine, for each of these obligations, which of the joint controllers will be responsible for them.

143. In this case, the Restricted Committee notes that on the date of the findings, the agreement concluded by the company with its partners did not specify some of the respective obligations of the data controllers with regard to the requirements contained in the GDPR, such as the exercise by the persons concerned of their rights, the obligation to notify a data breach to the supervisory authority and to the persons concerned or, if necessary, the carrying out of a study of impact under Article 35 of the GDPR.

144. It notes that the obligation to conclude an agreement in the event of joint responsibility is a specific obligation imposed on joint controllers under Article 26 of the GDPR.

145. If, in its version of July 5, 2022, the agreement concluded by the company with its partners now includes the information expected under this provision, the Restricted Committee notes that this late compliance does not call into question the characterization of the breach for the past.

146. It follows from the above that the company breached its obligation under Article 26 of the GDPR.

III. On the pronouncement of corrective measures and publicity

147. Article 20 of Law No. 78-17 of 6 January 1978 as amended provides that: "when the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or this law, the president of the National Commission for Computing and Liberties may […] seize the restricted formation of the commission with a view to the pronouncement, after adversarial procedure, of one or more of the following measures : […]

7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the annual worldwide turnover total for the previous year, whichever is higher. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016/679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83".

148. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the Data Protection Act, provides that: "Each supervisory authority shall ensure that the administrative fines imposed under the this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and to decide on the amount of this fine.

A. On the pronouncement of an administrative fine and its amount

149. The company first argues that the CNIL violated the principle of non-discrimination by only taking legal action against it, after having established that the websites of its partners did not comply with the regulations applicable to cookies.

150. It then maintains that it should not be penalized for not having ensured that its partners obtain valid consent other than by contractual means since these checks should in fact fall to the services of the CNIL, which would operate thus a "privatization" of its missions.

151. The company considers that better consideration of the criteria provided for in Article 83, paragraph 2, of the GDPR, in particular with regard to the absence of proof of damage, the non-deliberate nature of the breaches, the measures taken to mitigate the damage, of the cooperation which it claims to have shown with the supervisory authority and of the categories of personal data concerned, which are of low intrusiveness, would justify that, in the event that the Restricted Committee decided to impose a fine , it significantly reduces the amount of EUR 60 million proposed by the rapporteur.

152. It argues that the rapporteur's proposed fine represents 50% of its earnings and nearly 3% of its worldwide turnover, which is close to the legal maximum provided for in Article 83 of the GDPR. By comparison, it highlights the previous decisions pronounced by the CNIL against Google (CNIL, FR, December 31, 2021, sanction deliberation no. SAN-2021-023) and Facebook (CNIL, FR, December 31, 2021). 2021, sanction deliberation no. SAN-2021-024) in terms of cookies, the amount of which reached respectively 0.07% and 0.06% of their overall turnover.

153. The Restricted Committee recalls, as a preliminary point, that it is not for the Restricted Committee to assess the decision of the President of the CNIL to initiate proceedings against the company alone.

154. The Restricted Committee recalls that in order to assess whether to impose a fine and determine its amount, it must take into account the criteria specified in Article 83 of the GDPR such as the nature, gravity and duration of the violation, the number of data subjects, the measures taken by the data controller to mitigate the damage suffered by the data subjects, the degree of cooperation with the supervisory authority, the categories of personal data affected by the breach and the financial benefits obtained due to the breach.

155. Firstly, with regard to the imposition of an administrative fine, the Restricted Committee considers that it is first appropriate to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach taking into account the nature, the scope of the processing and the number of data subjects.

156. It recalls first of all that it has been established that the company was unable to demonstrate that the persons concerned had given their consent to the processing of personal data concerning them and that the findings of the delegation of control revealed that the company used browsing data partly from cookies deposited before any manifestation of the Internet user's will.

157. Next, with regard to the scope of the processing, the Restricted Committee observes that the breach is all the more serious since the processing in question, which aims to display personalized advertisements, is carried out on a very large scale and involves, for nature, a massive and intrusive character.

158. It recalls that for the advertisements displayed to be relevant, the company must collect large amounts of data relating to the browsing of Internet users in order to establish a precise image of their consumption habits, their preferences or current concerns.

159. Thus, each visit to the site of an advertiser or publisher, each click on a product or each purchase made by an Internet user is recorded by the company and then analyzed for advertising purposes. As such, the company claims on its website to collect 35 billion events per day related to navigation and purchases in the world. In addition, the company shares and receives data from its partners, in particular to enable it to better identify each Internet user or to establish a link between the different devices and browsers used by the same Internet user.

160. The Restricted Committee notes that, if taken in isolation, each of the data collected by the company has a low identifying value, combined with each other, these are likely to reveal with a high degree of precision many aspects of the privacy of people's lives, including their gender, their age and their consumption habits, that is to say their tastes, thus giving the processing in question a massive and intrusive character.

161. Consequently, the result of the combination of these data considerably reinforces the massive and intrusive nature of the processing in question and makes it all the more necessary that it be implemented in strict compliance with the rules in force, in particularly those surrounding the choice of individuals regarding the use of their data.

162. Similarly, the Restricted Committee recalls that the transformation of raw navigation data into usable information constitutes the company's core business. The latter must therefore all the more be able to ensure that the personal data it processes comply with the regulations in force.

163. With regard to the number of people affected by the processing in question, the Restricted Committee notes that the company announces that it has data relating to around 370 million user identifiers across the European Union, including around 50 million identifiers on French territory alone. While a single person is likely to match multiple IDs, these numbers reveal the substantial amount of data collected by the company.

164. With regard to the breach relating to the information of individuals, the Restricted Committee emphasizes that it has caused Internet users to lose control over their data insofar as the company has not provided them with complete information and understandable.

165. With regard to the breaches relating to the exercise of the rights of access, withdrawal of consent and erasure, the Restricted Committee emphasizes their structural nature and their seriousness in that the measures deployed by the company lead not only to that people's requests are incorrectly processed but also that they legitimately think that their request has been respected.

166. It thus recalls that on the date of the findings, the persons concerned at the origin of an access request were not provided with the data contained in two tables of the company's database.

167. The Restricted Committee also recalls that the sole effect of taking a deletion request into account by the company is to stop the display of personalized advertisements, the company also continuing to store the data of the person at the time. origin of the request and even to use them for other purposes.

168. With regard to the breach relating to the obligation to provide for an agreement between the joint data controllers, the Restricted Committee considers that the fact of not having regulated with more precision the processing carried out jointly with other actors has deprived data subjects of the full protection of their personal data offered by the GDPR.

169. Secondly, the Restricted Committee considers that the criterion provided for in subparagraph k) of Article 83(2) of the GDPR relating to the financial benefits obtained as a result of the breach should be applied.

170. It thus recalls that the company's business model is based exclusively on its ability to display to Internet users the most relevant advertisements to promote the products of its advertiser clients, and therefore on its ability to collect and process an immense amount of data of a personal nature.

171. However, it appears from the present proceedings that this collection and the processing in question are carried out in violation of the requirements of the GDPR and the rights of the persons concerned since the company is accused of not being able to demonstrate that the latter have given their consent to the processing of their data and that it is established, in certain cases, that the company was processing data for which the persons concerned had not consented or had not given valid consent.

172. Thus, the personal data collected and processed without the valid consent of individuals has enabled the company to unduly increase the number of individuals concerned by its processing and therefore its financial income.

173. The Restricted Committee adds that the company has also derived a financial advantage from the fact of not carrying out the erasure of the data by continuing to use the data which is not erased for the purposes of improving its technologies, which contributes to its competitiveness in the targeted advertising market.

174. Consequently, the Restricted Committee considers that an administrative fine should be imposed for breaches of Articles 7, 12, 13, 15, 17 and 26 of the GDPR.

175. Secondly, with regard to the determination of the amount of the fine, the Restricted Committee recalls that under the provisions of Article 20, paragraph III, of the Data Protection Act and Article 83 of the GDPR, the company incurs, with regard to the breaches mentioned above, a financial penalty of a maximum amount of 20 million euros or 4% of its total worldwide turnover for the previous financial year, which was €1.9 billion in 2022, whichever is higher.

176. Therefore, with regard to the liability of the company, its financial capacity and the relevant criteria of Article 83, paragraph 2, of the Rules mentioned above, the Restricted Committee considers that a fine of forty million euros appears justified.

177. It notes that although this amount constitutes nearly 2% of the company's worldwide turnover, it is nonetheless lower than the legal ceiling of 4% provided for in Article 83, paragraph 5 of the GDPR and in Article 20, paragraph III, 7°) of the Data Protection Act.

178. Furthermore, the Restricted Committee recalls that the amount of the fine may be higher than the profit generated by the data controller, insofar as this would be necessary in order to ensure the dissuasive nature of the sanction (see, in this sens, CE, 1 March 2021, Société Futura Internationale, n° 437808, pt. 6).

B. Publicity of the decision

179. The company asks the restricted committee not to make its decision public.

180. The Restricted Committee considers, on the contrary, that the publication of this decision is justified in view of the seriousness of the breaches in question, the scope of the processing and the number of persons concerned.

181. It also notes that this measure will make it possible to inform the persons concerned of the existence of the processing implemented by the company and of the fact that the latter may have processed their data without their knowledge, or even despite their lack of consent. This information will allow them, if necessary, to assert their computer rights and freedoms with the company.

182. Finally, it considers that this measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The CNIL Restricted Committee, after having deliberated, decides to:

• pronouncing an administrative fine against the company CRITEO SA in the amount of forty million euros (€40,000,000) with regard to the breaches of Articles 7, 12, 13, 15, 17 and 26 of the GDPR ;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer allow the company to be identified by name after a period of two years from its publication.

President

Alexander LINDEN

This decision may be appealed to the Council of State within two months of its notification.