CNIL (France) - SAN-2023-024: Difference between revisions

CNIL - SAN-2023-024
Authority:	CNIL (France)
Jurisdiction:	France
Relevant Law:	Article 6(1) GDPR Article 7(3) GDPR Article 7(4) GDPR Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communication sector Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type:	Complaint
Outcome:	Upheld
Started:	07.10.2020
Decided:	29.12.2023
Published:	18.01.2024
Fine:	10000000 EUR
Parties:	Yahoo EMEA Limited
National Case Number/Name:	SAN-2023-024
European Case Law Identifier:	n/a
Appeal:	Unknown
Original Language(s):	French
Original Source:	Legifrance (in FR)
Initial Contributor:	n/a

The DPA imposed €10 million fine on Yahoo for depositing cookies on data subject’s devices without prior consent and for not taking into account the withdrawal of consent.

English Summary

Facts

Between 12 June 2019 and 2 October 2020, the French DPA ("CNIL") received 27 complaints, concerning among other things, the deposit of cookies on the data subjects terminals before any action was taken, as well as the failure to take into account their refusal to the deposit of these cookies.

Following these complaints, the CNIL carried out online investigations of the "yahoo.com" website and the "Yahoo mail" messaging service. The first investigation consisted of two scenarios: during a first scenario, the CNIL found that at least 20 cookies for advertising purposes had been placed on their terminal even though they had not expressed consent. They also discovered that on the Yahoo page, there was a "Your data. Your experience" window which included an "I accept" and "Manage settings" button. The "Manage settings" button used push buttons which were activated by default. The CNIL did not activate any of the buttons and clicked "Save and continue" but still noted the deposit of 26 cookies, 7 of which were used for advertising purposes.

During a second scenario, the CNIL browsed on "yahoo.com" in order to create a "Yahoo mail" account. As in the first scenario, the CNIL did not express consent to the deposit of cookies. During this investigation, they also discovered that when a user tried to withdraw their consent, a window was displayed and indicated that "You must accept them to be able to use Verizon Media products. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc." The CNIL clicked on the "Find out more" link where there were questions, such as "What happens if I withdraw my consent to cookies from the privacy dashboard? "and that the answer to this question stated that while "users in the European Union can withdraw this cookie agreement for their account from the privacy dashboard", "withdrawing this agreement will result in blocked access to our products and other Verizon Media sites and applications".

During its second inspection, the CNIL also discovered that when browsing on "Yahoo.com" without creating an account, a data subject could revoke their consent from a page entitled "Privacy dashboard and controls (visitors)", but when doing so, a page appeared followed by the words "Are you sure? You will no longer be able to access YAHOO or other Verizon Media products".

The CNIL started a sanctioning procedure on 10 July 2023.

Holding

Firstly, regarding the material scope of the CNIL's jurisdiction, the DPA indicated that with regard to a Conseil d'Etat decision, the control tied to a cross-border processing, falls within the jurisdiction of the CNIL and the one-stop shop mechanism provided by the GDPR is not applicable. Therefore, the CNIL considered that they are competent to monitor and initiate sanctioning proceedings concerning the processing implemented by the controller as it fell within the scope of the ePrivacy directive, which is lex specialis to the GDPR.

Regarding the territorial scope of the CNIL's jurisdiction, the CNIL indicated that under Article 82 of the law "Informatique et Libertés" ("LIL"), they are competent, as the processing in this case was carried out as part of the activities of an establishment of the controller on the French territory. In particular, the CNIL took into account the purpose of the controller, which is, among other things, "to promote Yahoo's advertising products and solutions on the French market (...)". Therefore, the CNIL concluded that the processing consisting of operations to access or record information in the terminal of data subjects residing in France, when browsing "yahoo.com" or using the "Yahoo mail service" is carried out in the context of the activities of Yahoo France. Thus, the CNIL found that French law is applicable, and that the CNIL is materially and territorially competent.

Secondly, regarding the controllership, the CNIL noted that Article 4(7) GDPR applied due to the reference made by Article 2 of the ePrivacy directive. The CNIL considered that the controller indicated in a letter that they determine the purposes and means of the personal data processing, and is therefore a controller.

Thirdly, concerning the absence of prior consent, Article 82 of the LIL requires consent for operations involving the reading and writing of information on a data subject's terminal. Regarding what the CNIL found during its investigation concerning the absence of consent and the deposit of advertising cookies even though none of the buttons were activated, the DPA considered that numerous cookies requiring prior consent were deposited without collecting prior consent, therefore breaching Article 82 of the LIL.

The CNIL added that regarding cookies deposited by third parties, the French Supreme Administrative Court ruled that site publishers who authorize the deposit and use of such 'cookies' by third parties when their site is visited must also be considered as data controllers. Therefore, the DPA considered that the controller breached Article 82 of the LIL.

Finally, regarding the withdrawal of consent, the CNIL indicated that the withdrawal of consent must be possible under Article 82 of the LIL. Consent under this Article must be understood within the meaning of Article 4(11) GDPR meaning it must be given freely, specifically, in an informed and unambiguous manner and manifested by a clear positive act. The CNIL noted that the controller only informed data subjects that the use of its services was conditional on acceptance of certain cookies during the withdrawal process. The CNIL considered that linking the use of a service to the registration of cookies that are not strictly necessary for the service provided is not in itself illegal, under the condition that consent is free, which implies that both the refusal of consent and its withdrawal are without prejudice to the data subject. The CNIL found that the it was not possible to withdraw consent without interrupting the services and noted that the absence of alternatives offered by the company necessarily affects the free nature of the withdrawal of consent. The DPA also considered that despite the presence of buttons allowing the withdrawal of consent, the messages that appeared were likely to constitute a serious obstacle for data subjects. The CNIL also observed that during the user paths it followed, the CNIL systematically clicked on buttons and tabs with intuitive headings such as "Your account", then "General consent" or "Find out more". Thus, the paths followed by the CNIL during the two online checks are those that users are most likely to follow when they wish to withdraw their consent.

The CNIL therefore concluded that the controller breached Article 82 of the LIL and imposed a €10 million fine.

Comment

From the original contributor: This is another decision concerning cookies taken by the CNIL, reflecting the focus of the DPA on this issue. This decision is similar to CNIL (France) - SAN-2020-012, concerning Google as far as it underlines the complementary nature of GDPR and national provisions as they result from the transposition of the ePrivacy Directive.

Lengthy proceedings are of note, as they were significantly longer than those in case of others (such as Google decision).

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of restricted training n°SAN-2023-024 of December 29, 2023 concerning the company YAHOO EMEA LIMITED

The National Commission for Information Technology and Freedoms, gathered in its restricted formation composed of Mr. Alexandre LINDEN, president, Mr. Philippe-Pierre CABOURDIN, vice-president, MM. Alain DRU and Bertrand du MARAIS, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data (GDPR);

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of July 12, 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector;

Having regard to law n°78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular its articles 20 et seq.;

Considering Decree No. 2019-536 of May 29, 2019 taken for the application of Law No. 78-17 of January 6, 1978 relating to computing, files and freedoms;

Having regard to deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Information Technology and Liberties;

Having regard to decision no. 2020-127C of August 14, 2020 of the president of the National Commission for Information Technology and Freedoms to instruct the Secretary General to carry out or have carried out the verification of compliance with law no. 78- 17 of January 6, 1978 relating to data processing, files and freedoms, amended and Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 processing accessible from the domain "yahoo.com";

Having regard to decisions No. 2020-254C of August 14, 2020 and No. 2021-123C of January 4, 2021 of the President of the National Commission for Informatics and Liberties to instruct the Secretary General to carry out or have carried out a mission verification of the processing implemented by the companies VERIZON France and OATH BRANDS (France) SAS;

Having regard to the decision of the president of the National Commission for Information Technology and Liberties appointing a rapporteur before the restricted panel, dated July 10, 2023;

Having regard to the report of Mr. François PELLEGRINI, statutory auditor, notified to the company YAHOO EMEA LIMITED on August 11, 2023;

Having regard to the written observations submitted by the company YAHOO EMEA LIMITED on September 29, 2023;

Having regard to the rapporteur's response to these observations notified to the company YAHOO EMEA LIMITED on October 25, 2023;

Considering the new written observations submitted by the company YAHOO EMEA LIMITED on November 28, 2023;

Considering the oral observations made during the restricted training session of December 21, 2023;

Considering the other documents in the file;

Were present during the restricted training session:

- Mr. François PELLEGRINI, commissioner, heard in his report;

As representatives of YAHOO EMEA LIMITED:

[…]

YAHOO EMEA LIMITED having spoken last;

The restricted formation adopted the following decision:

I. Facts and procedure

1. The VERIZON group, whose parent company VERIZON COMMUNICATIONS INC. is located in the United States, is made up of several branches, including a "media" branch, managed for Europe by the subsidiary VERIZON MEDIA NETHERLANDS B.V, located in the Netherlands. This company has several subsidiaries, including VERIZON MEDIA EMEA LIMITED and OATH HOLDING (France) SAS. The company OATH HOLDING (France) SAS owns the company OATH BRANDS (FRANCE), which has been the name, since 2018, of the company YAHOO! FRANCE, created in 2002.

2. The company VERIZON COMMUNICATIONS Inc. also has a VERIZON BUSINESS branch, which offers telecommunications services for professionals, including the company VERIZON FRANCE.

3. After the acquisition of the VERIZON MEDIA group by the American company APOLLO GLOBAL MANAGEMENT, the company VERIZON MEDIA EMEA LIMITED became the company YAHOO EMEA LIMITED (hereinafter "the company").

4. The turnover of the company YAHOO EMEA LIMITED amounted to […] euros for the year 2022 and […] for the year 2021. It employed […] people as of August 26, 2021.

5. Between June 12, 2019 and October 2, 2020, the National Commission for Information Technology and Liberties (hereinafter "the CNIL" or "the Commission") was contacted by twenty-seven complainants denouncing in particular the filing of cookies on their terminal before any action, the failure to take into account their refusal when depositing these cookies as well as the terms of refusal of the latter from the domain "yahoo.com" and the messaging service "Yahoo mail" .

6. Following these complaints, a Commission delegation, on October 7, 2020, carried out an initial online check on the website "yahoo.com" and on the messaging service "Yahoo mail", in application of decision no. 2020-254C of August 14, 2020 of the president of the CNIL.

7. During this inspection, the delegation reproduced, on the one hand, the journey of a user visiting the domain "yahoo.com", which provides access to the Yahoo! search engine. and on the other hand, the journey of a user who registers for the “Yahoo Mail” messaging service.

8. On June 10, 2021, a second online check with the same purpose as that carried out on October 7, 2020 was carried out by the CNIL delegation.

9. By letter dated June 3, 2021, in application of article 19-III of the Data Protection Act, the company OATH BRANDS (FRANCE) was summoned to a hearing on June 23, 2021. All of these data processing operations control gave rise to exchanges between the delegation and the controlled companies focusing particularly on the purpose of cookies whose deposit had been noted during online controls, on their activities and on the governance of the processing of personal data .

10. For the purposes of examining these elements, the President of the Commission, on July 10, 2023, appointed Mr. François PELLEGRINI as rapporteur on the basis of Article 39 of Decree No. 2019-536 of May 29 2019.

11. The rapporteur, on August 11, 2023, notified the company of a report proposing to the restricted body to impose an administrative fine for a breach of article 82 of law no. 78-17 of January 6, 1978 relating to computing, files and freedoms (hereinafter "the Data Protection Act") which he considered constituted in this case. He also proposed that this decision be made public, but that it would no longer be possible to identify the company by name after a period of two years from its publication.

12. On September 5, 2023, the company requested additional time to present its observations in response.

13. On September 18, 2023, the president of the restricted panel decided to grant him an additional period of seven days.

14. On September 29, 2023, the company produced its observations in response to the sanction report.

15. On October 25, 2023, the rapporteur sent his response to the company's observations.

16. On November 28, 2023, the company produced new observations in response to those of the rapporteur.

17. On November 30, 2023, the rapporteur informed the company and the president of the restricted panel of the closure of the investigation. The same day, the president of the restricted formation sent a summons to the session of the restricted formation of December 21, 2023.

18. The rapporteur and the company YAHOO EMEA LIMITED presented oral observations during the restricted training session.

II. Reasons for decision

A. On the competence of the CNIL

On the material competence of the CNIL

19. The processing subject to this procedure relates to the placement of cookies and trackers on the terminals of users residing in France when browsing the “yahoo.com” site and using the “Yahoo Mail” service.

20. This processing is carried out in the context of the provision of electronic communications services accessible to the public through a public electronic communications network offered within the European Union. As such, it falls within the material scope of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 on the processing of personal data and the protection of privacy in the sector of electronic communications, as amended by Directive 2006/24/EC of March 15, 2006 and by Directive 2009/136/EC of November 25, 2009 (hereinafter the "ePrivacy" Directive).

21. Article 5(3) of that directive, relating to the storage or access to information already stored in the terminal equipment of a subscriber or user, was transposed into domestic law. Article 82 of the Data Protection Act, within Chapter IV of the law relating to the rights and obligations specific to processing in the electronic communications sector.

22. Under the terms of article 16 of the Data Protection Act, "the restricted body takes measures and imposes sanctions against data controllers or subcontractors who do not respect the obligations arising [...] of this law". According to Article 20, paragraph III, of this same law, "when the data controller or its subcontractor does not respect the obligations resulting [...] from this law, the president of the National Commission for Informatics and freedoms […] can enter the restricted formation ".

23. The rapporteur considers that the CNIL is materially competent to control and, where applicable, sanction the operations of access or registration of information implemented by the company VERIZON MEDIA EMEA LIMITED, now the company YAHOO EMEA LIMITED, in the terminals of users of the domain "yahoo.com" and the messaging service "Yahoo Mail" residing in France, which the latter does not dispute.

24. In defense, the companies did not make any observations on the material competence of the CNIL.

25. The restricted panel recalls that the Council of State has, in its decision Company GOOGLE LLC and company GOOGLE IRELAND LIMITED of January 28, 2022, confirmed that the control of access operations or registration of information in the terminals of users in France of an electronic communications service, even involving cross-border processing, falls under the jurisdiction of the CNIL and that the one-stop shop system provided for by the GDPR is not applicable: "it has not been provided for the application of the so-called "one-stop shop" mechanism applicable to cross-border processing, defined in Article 56 of this regulation, for the implementation and control measures of Directive 2002/58/EC of July 12, 2002, which fall within the competence of the national supervisory authorities under Article 15a of this directive. It follows that, with regard to the control of access operations and registration of information in the terminals of users in France of an electronic communications service, even resulting from cross-border processing, measures to control the application of the provisions having transposed the objectives of Directive 2002/58/EC fall within the competence conferred on the CNIL by the law of January 6, 1978 […] "(CE, January 28, 2022, 10th and 9th chambers combined, company GOOGLE LLC and company GOOGLE IRELAND LIMITED, no. 449209, in the compendium). The Council of State reaffirmed this position in a judgment of June 27, 2022 (CE, 10th and 9th chambers combined, June 27, 2022, company AMAZON EUROPE CORE, n° 451423, at the Tables).

26. Therefore, the restricted panel considers that the CNIL is competent to control and initiate a sanction procedure concerning the processing implemented by the company falling within the scope of the "ePrivacy" directive, provided that the processing is relates to its territorial jurisdiction.

On the territorial jurisdiction of the CNIL

27. The rule of territorial application of the requirements appearing in article 82 of the Data Protection Act is set out in article 3, paragraph I, of the same law, which provides: "without prejudice, with regard to the processing falling within the scope of Regulation (EU) 2016/679 of April 27, 2016, the criteria provided for in Article 3 of this regulation, all the provisions of this law apply to the processing of personal data carried out in the context of the activities of an establishment of a data controller […] on French territory, whether or not the processing takes place in France.

28. The rapporteur considers that the CNIL has territorial jurisdiction in application of these provisions since the processing subject to this procedure, consisting of operations of access or registration of information in the terminal of users residing in France during navigation on the site "yahoo.com" and the use of the "Yahoo Mail" service, is carried out within the "context of the activities" of the company OATH BRANDS (FRANCE), now YAHOO France, which constitutes "the establishment " on the French territory of the company YAHOO EMEA LIMITED, which the latter contests in defense on two counts.

29. Regarding the notion of establishment, the company YAHOO EMEA LIMITED maintains that the company YAHOO FRANCE is a distinct legal entity, of which it is not a shareholder, and that this cannot be considered as its establishment in the meaning of the Weltimmo decision of the Court of Justice of the European Union (hereinafter "the Court of Justice" or "the CJEU") (October 1, 2015, C-230/14). It notes in this regard that the site "yahoo.com" is not exclusively or mainly focused on French territory, that YAHOO FRANCE does not represent it to recover debts resulting from the site "yahoo.com", nor in the procedures administrative and judicial matters relating to the processing of personal data. She emphasizes that in any event, the CNIL could have communicated the complaints to the Irish authority.

30. Firstly, the restricted bench recalls that, consistently, the CJEU considers that the notion of establishment must be assessed flexibly and that to this end, it is appropriate to assess both the degree of stability of the installation as the reality of carrying out activities in a Member State, taking into account the specific nature of the economic activities and provision of services in question.

31. In this regard, the Court of Justice noted that "recital 19 of Directive 95/46 specifies that establishment in the territory of a Member State presupposes the effective and real exercise of an activity by means of 'a stable installation' and that 'the legal form chosen for such an establishment, whether it is a simple branch or a subsidiary with legal personality, is not decisive' (CJEU, May 13, 2014 , Google Spain, C-131/12, paragraph 48).

32. Along the same lines, the Court of Justice has clarified that "the concept of establishment, within the meaning of Directive 95/46, extends to any real and effective activity, even minimal, carried out by means of an installation stable", the criterion of stability of the installation being examined with regard to the presence of "human and technical resources necessary for the provision of concrete services in question" (CJEU, October 1, 2015, Weltimmo, C 230/14, points 30 and 31).

33. The assessment of the existence of an “establishment on French territory” within the meaning of I of Article 3 of the Data Protection Act therefore proceeds from a flexible and casuistical assessment.

34. Secondly, the restricted training notes, as indicated in the report without being contested on these points by the company YAHOO EMEA LIMITED, that it appears from the statutes of the company OATH BRANDS (FRANCE), which became the company YAHOO FRANCE , that its head office is located at 50-52 boulevard Haussmann in Paris (75009) and that its purpose is: "the promotion on the French market of YAHOO products and advertising solutions, which includes in particular the following missions: / - prospect and develop new customers; / - maintain and maintain customer relationships; / identify and understand market trends; / provide industry-specific information to customers; / and more generally, all financial, commercial, industrial, movable, real estate, which may be directly or indirectly linked to the corporate object and to all similar or related objects likely to facilitate its extension and development.

35. Furthermore, during its hearing at the CNIL on June 23, 2021, the company OATH BRANDS (FRANCE) indicated that "a service contract was concluded between the companies OATH BRANDS (FRANCE) SAS and VERIZON MEDIA EMEA ltd ., which provides that the first acts as a service provider on behalf of the second in order to promote the products marketed by the company VERIZON MEDIA EMEA ltd. to its French customers. (…) ".

36. In addition, and as indicated in point 1, the company OATH BRANDS (FRANCE) is wholly and directly owned by a holding company whose share capital is itself wholly and directly owned by the company VERIZON MEDIA NETHERLANDS BV, which also directly holds the entire share capital of the company VERIZON MEDIA EMEA LIMITED.

37. Finally, as indicated by the company OATH BRANDS (FRANCE) during its hearing at the CNIL on June 23, 2021, the presidency of the latter is directly exercised by the company VERIZON MEDIA NETHERLANDS BV, parent company of the company VERIZON MEDIA EMEA LIMITED, now the company YAHOO EMEA LIMITED, responsible for the processing.

38. Moreover, it was also specified during this hearing that "the company OATH BRANDS (FRANCE) re-invoices its operating costs to the company VERIZON MEDIA EMEA LTD with a margin" and that the person "in charge of the commercial branch of the company OATH BRANDS (FRANCE), namely the promotion of advertising products supplied and sold by the company VERIZON MEDIA EMEA LTD. (…) reports [to the latter]".

39. Finally, the restricted panel indicates that in its decision Société Google LLC and Société Google Ireland Limited (CE, January 28, 2022, no. 449209, in the Recueil), the Council of State excluded the application of the mechanism of one-stop shop for reading and writing operations in a terminal. Thus, the CNIL would not, in any event, have been able to communicate the complaints it received to its Irish counterpart.

40. Thus, the restricted panel considers that the company OATH BRANDS (FRANCE), now the company YAHOO France, constitutes an establishment, within the meaning of article 3 of the Data Protection Act, of the company VERIZON MEDIA EMEA LIMITED, now the company YAHOO EMEA LIMITED,

41. Regarding the existence of processing carried out within the framework of the activities of this establishment, the company YAHOO EMEA LIMITED maintains that the processing in question does not occur within the framework of the activities of YAHOO FRANCE. It indicates in this regard that YAHOO FRANCE is not involved in the processing, nor in the design or management of the data processing that it carries out and does not represent it in these tasks. She adds that YAHOO FRANCE is not the supplier of the “yahoo.com” site and is not involved in relations with its French users. It specifies that YAHOO FRANCE is also not involved in the sale of advertising space on the “yahoo.com” site, its role being limited to promoting Yahoo services to advertisers. It deduces from this that the activity of YAHOO FRANCE is not necessary for the processing of the data that it carries out, so that there are no inextricable links between their two activities, and refers on this point to the decisions of the Council of State Google Inc. (CE, March 27, 2020, No. 399922, in the Recueil) and Amazon Europe Core S.A.R.L.

42. Finally, the company YAHOO EMEA LIMITED notes that the broad interpretation of the notion "in the context of activities" retained in the Google Spain SL and Google Inc. decision was justified by the circumstances specific to the present case, in order to avoid any attack on the protection of users residing in the European Union, a risk which does not arise in this case since it has its headquarters and main establishment in a Member State.

43. Firstly, the restricted panel notes that the Council of State, in its AMAZON EUROPE CORE decision, recalled that "it follows from the case law of the Court of Justice of the European Union, in particular from its judgment of June 5, 2018, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH (C-210/16), that in view of the objective pursued by this directive [the "ePrivacy" directive], consisting of ensuring protection effective and complete freedoms and fundamental rights of natural persons, in particular the right to the protection of private life and the protection of personal data, processing of personal data can be regarded as carried out "within the framework of the activities "of a national establishment not only if this establishment itself intervenes in the implementation of this processing, but also in the case where the latter is limited to ensuring, on the territory of a Member State, the promotion and the sale of advertising space making it possible to monetize the services offered by the controller consisting of collecting personal data through connection trackers installed on the terminals of visitors to a site" (CE, 10th and 9th assembled chambers, June 27, 2022, company AMAZON EUROPE CORE, n° 451423, at the Tables).

44. The Council of State also considered, in this decision, that this was the case when the activities of the establishment of the data controller consist of the promotion and marketing of advertising tools controlled and operated by the data controller functioning in particular thanks to data collected through connection trackers deposited on the terminals of users of the site operated by the data controller (point 15 of the aforementioned decision). Thus, the fact that the company YAHOO FRANCE is not involved either in the processing in question or directly in the sale of advertising space has no impact on the fact that the processing carried out by the company YAHOO EMEA LIMITED can fall within the framework activities of this establishment.

45. Secondly, the restricted training underlines, as indicated in the report, that the company YAHOO EMEA LIMITED markets advertising space and technological platforms available in this area. It also specifies that the YAHOO France company is responsible for promoting the products sold by this company on the French market.

46. Thus, during its hearing on June 23, 2021, the company YAHOO FRANCE indicated that “most of the employees [of the company] work to promote the products sold by the company VERIZON MEDIA EMEA Ltd. located in Ireland , which publishes the "yahoo.com" sites available in the EMEA region and in particular the "fr.yahoo.com" site. It also specified that these products, "marketed by the company VERIZON MEDIA EMEA Ltd. are essentially advertising products and technological platforms allowing the distribution of advertisements on the Internet. "Promoted by the company OATH BRANDS (FRANCE) SAS", these products "are present on the site "fr.yahoo.com" or other partner customer sites that use VERIZON MEDIA EMEA Ltd. SSP. "It appears from this hearing that among these technological platforms are programmatic advertising tools called "Supply Side Platform" (platform for supply) and "Demand Supply Platform" (platform for demand).

47. However, these technological platforms which YAHOO FRANCE promotes exploit the deposit of cookies in their operation. Indeed, the deposit of cookies is necessary to ensure the traceability of the user's navigation over time and their reading from a page where an advertiser buys advertising space is in order to be able to offer him a set of Personalized ads based on this navigation.

48. Thus, the processing consisting of operations of access or registration of information in the terminal of users residing in France, when browsing the site "yahoo.com" and using the service "Yahoo Mail", is carried out as part of the activities of the company YAHOO FRANCE.

49. The restricted panel notes that the two criteria provided for in Article 3, paragraph I, of the Data Protection Act are therefore met.

50. It follows that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of taking sanctions concerning processing falling within the scope of the "ePrivacy" directive.

B. On the determination of the data controller

51. The restricted panel notes that paragraph 7 of Article 4 of the GDPR, which applies due to the reference made by Article 2 of the "ePrivacy" directive to the former directive 95/46/EC to which replaced the GDPR, provides that the data controller is "the natural or legal person, public authority, service or other body which, alone or jointly with others, determines the purposes and means of the processing ".

52. In this case, the restricted panel notes, without this having been contested by the company, that the confidentiality policy, in the versions available on the day of the inspections, indicates that "We use cookies and other technologies when you consult our Products and use third-party applications and websites using our Services", it being noted that the term "We" is defined at the beginning of the privacy policy as referring to the company VERIZON MEDIA EMEA LIMITED. In addition, the latter, in its letter of July 2, 2021, indicated that it “determines the purposes and means of the processing of personal data relating to targeted advertising on all the domains which were visited during the verifications” and that On this occasion, it communicated to the control delegation the purpose of the cookies whose deposit had been noted during online controls.

53. Furthermore, both the company YAHOO FRANCE and the company VERIZON FRANCE indicated to the delegation that the processing responsibility with regard to the site "yahoo.com" and the messaging service "Yahoo Mail" fell to the company VERIZON MEDIA EMEA LIMITED.

54. Thus, the restricted panel considers, without this having been contested by the company, that the company YAHOO EMEA LIMITED acts as controller of the processing in question, in that it determines the purposes and means of the processing consisting of access operations or registration of information in the terminal of users residing in France when using the “yahoo.com” domain and “Yahoo Mail” messaging.

C. On the complaint based on the irregularity of the procedure

55. The company highlights the length of this procedure, the last control by the CNIL then the appointment of the rapporteur dating respectively from October 2021 and July 2023. It considers that the period of time elapsed between these two procedural stages has affected infringement of the rights of the defense and constitutes a violation of the right to good administration, in an impartial and fair manner, and within a reasonable time, as enshrined in Article 41 of the Charter of Fundamental Rights of the European Union.

56. In addition, the company contests the methodology followed by the CNIL delegation during its online inspection no. 2020-127/1 to the extent that one of the screenshots reproduced on page 14 of the minutes does not correspond to that to which the minutes refer and which is annexed as exhibit no. 25.

57. The restricted panel considers, first of all, that it is not up to it to assess the time elapsed between, on the one hand, the decision of the President ordering an inspection and, on the other hand, the decision by which she designates a rapporteur and enters into the restricted formation. In addition, the sanction procedure carried out since the appointment of the rapporteur and the referral of the training by the president of the CNIL, dated respectively July 10 and 11, 2023, took place in less than six months and therefore in respectful conditions. rights of defense, in terms of reasonable time.

58. Next, the restricted panel notes that the control report does not contain any error insofar as on page 14 of it there are two screenshots reproduced one below the other, separated by the mention "Let us note the following display" and that the reference made by the minutes to exhibit no. 25 annexed to the minutes only corresponds to the second screenshot. The first screenshot, reported by the defending company, does not refer to any annex. In addition to the absence of irregularity tainting the control procedure and consequently the procedure followed before the restricted panel, the latter notes that the presentation of the report and its annexes was never contested by the company after notification documents by the CNIL delegation.

59. Consequently, the complaint based on the irregularity of the procedure must be dismissed.

D. On breaches of the provisions of article 82 of the Data Protection Act

60. Under the terms of article 82 of the Data Protection Act: “Any subscriber or user of an electronic communications service must be informed clearly and completely, unless they have been informed previously, by the data controller or his representative: 1° The purpose of any action tending to access, by means of electronic transmission, information already stored in his terminal electronic communications equipment, or to enter information in this equipment; 2° The means available to him to oppose it. These accesses or registrations can only take place on condition that the subscriber or the user has expressed, after having received this information, his consent which can result from appropriate parameters of his device connection or any other device placed under its control. These provisions are not applicable if access to information stored in the user's terminal equipment or the recording of information in the user's terminal equipment : 1° Either, has the exclusive purpose of enabling or facilitating communication by electronic means; 2° Either, is strictly necessary for the provision of an online communication service at the express request of the user.

61. Article 7(3) of the GDPR provides that: The data subject has the right to withdraw consent at any time. Withdrawal of consent does not compromise the lawfulness of processing based on consent given before such withdrawal. The person concerned is informed of this before giving consent. It is as easy to withdraw as to give consent.

Regarding the placement of cookies on the user's terminal in the absence of prior consent

62. The rapporteur maintains that during the online inspection mission carried out on October 7, 2020, the results of which were recorded in minutes nos. 2020-127/1 and 2020-127/2, the CNIL delegation noted the deposit of at least 20 cookies pursuing a purpose requiring the user to have previously given consent, even though the delegation had not taken any action to give consent to the registration of these cookies.

63. In defense, the company maintains that it cannot be sanctioned for the breaches noted during the online inspection of October 7, 2020 to the extent that this inspection was carried out only a few days after the publication of the guidelines of October 1, 2020 , which did not give him sufficient time to become aware of it and adapt his treatment. It underlines that these breaches were committed during the transitional period of six months, from October 1, 2020 to April 1, 2021, during which the CNIL had declared that no control mission or repressive action would be undertaken, with the exception of particularly serious violation of privacy.

64. The company also contests the methodology followed by the CNIL delegation during the online control carried out on October 7, 2020 to refuse the deposit of all cookies. She notes that one of the screenshots taken by the delegation during this inspection, which is reproduced in the minutes, does not correspond to the document annexed to the minutes.

65. She also indicates that the rapporteur wrongly accuses her of registering 103 cookies during the online check on October 7, 2020, since the delegation was browsing the domain of a third party site, and not on the domain “yahoo.com”. It adds that a large number of cookies placed are strictly necessary for the provision of its services and were therefore exempt from consent while others were placed by third parties, while it has implemented all means enabling them to ensure that its partners do not place cookies on its site without complying with applicable legislation. It also specifies that after having received notification of the online report of findings of October 7, 2020, it immediately took additional measures, in particular with its partners, to ensure that consent was obtained before filing the application. Advertising cookies. It notes that these measures have demonstrated their effectiveness since no new cookies placed without prior consent were observed during the second online check, carried out on June 10, 2021.

66. Firstly, with regard to the applicable legal framework, the restricted panel emphasizes that the CNIL expressly indicated in a press release dated September 29, 2020 that if it gave organizations a period of time to comply with its guidelines of September 17, September 2020, it would continue to pursue breaches of the rules relating to cookies prior to the entry into force of the GDPR, informed by its recommendation of December 5, 2013. However, the restricted training recalls that if the recommendations regarding cookies have evolved, the practices accused of the company have continually been considered non-compliant by the CNIL and this position remains unchanged.

67. Secondly, with regard to the routes reproduced by the control delegation, the restricted panel notes that it appears from the online control report carried out on October 7, 2020 that during a first scenario, this found that at least 20 cookies serving an advertising purpose had been placed on her terminal even though she had not expressed her consent. She observed that during its trip, when the delegation visited the “yahoo.com” page, it noticed the display of a window bearing the words “Your data. Your experience”. relating to the company's use of cookies which included an "I accept" button and a "Manage settings" button.

68. After clicking on the "Manage settings" button, the delegation noted the appearance of an interface allowing the deposit of cookies to be configured, by purpose or by partners using push buttons, which were disabled by default. The delegation did not activate any of these buttons and then clicked on the “Save and continue” button to continue browsing. The restricted training notes that during this first control scenario, the CNIL delegation noted the deposit of 26 cookies, from which it appears, based on the information transmitted by the company during the investigation, that 7 'among them pursued an advertising purpose.

69. The restricted training notes that during a second scenario, started after deleting cookies in its browser, the delegation navigated to the domain "yahoo.com", in order to create an email account. Yahoo Mail ". As in the first scenario, she did not express her consent to the placement of cookies. The restricted panel observes, as appears from the documents in the file, that halfway through, the delegation noted the deposit of 26 cookies, 12 of which pursued an advertising purpose, according to the information provided by the company during the instruction. She notes that once its account creation process was completed, the delegation noted the presence of 47 cookies on its terminal, 8 of which pursued an advertising purpose, therefore adding to the 12 previously noted. In total, the delegation noted in this scenario the deposit of 20 cookies for advertising purposes.

70. It therefore considers that, contrary to what the company maintains, the methodology followed by the delegation of control clearly establishes that at least 20 cookies serving an advertising purpose were registered on its terminal, without prior consent.

71. The restricted panel then notes that in its response to the company's observations, the rapporteur excluded from the scope of the breach the 103 cookies whose deposit had been noted by the delegation from a page not belonging to the domains under the responsibility of society. Finally, it observes that all the documents placed in the file show, without the slightest ambiguity, that the delegation of control has never expressed its consent to the deposit of cookies by any action whatsoever.

72. Secondly, the restricted training recalls that article 82 of the Data Protection Act requires consent to operations of reading and writing information in a user's terminal but provides for cases in which certain tracers benefit from an exemption from consent: either when it has the exclusive purpose of enabling or facilitating communication by electronic means, or when it is strictly necessary for the provision of an online communication service at the express request of the user.

73. In this case, cookies for advertising purposes are neither tracers whose purpose is to enable or facilitate communication by electronic means, nor are they strictly necessary for the provision of an online communication service to the express request from the user, these cannot be placed or read on the person's terminal, in accordance with article 82 of the Data Protection Act, as long as the person has not provided consent.

74. However, the restricted panel observes that during the two scenarios followed by the delegation, numerous cookies requiring prior consent were placed on its terminal without it having previously expressed its agreement.

75. Even though the restricted training notes that the company has actually set up an interface allowing users to express their choice regarding the registration of cookies in their terminal via push buttons, this has not prevented the deposit of cookies even though the delegation has not activated any of these buttons. It considers that the ineffectiveness of this interface has serious consequences for the user who has not authorized the deposit of any cookie since the latter cannot reasonably think that his choice will not be respected by the company.

76. Finally, regarding the circumstance that the cookies placed without consent were placed by third parties, the panel recalls that the Council of State ruled (CE, June 6, 2018, Editions Croque Futur, n ° 412589, in the Recueil), that among the obligations which weigh on the publisher of a site on which "third-party cookies" are placed, include that of ensuring with its partners, on the one hand, that 'they do not issue, through its site, trackers which do not respect the regulations applicable in France and, on the other hand, that of taking any useful steps with them to put an end to breaches . The Council of State ruled in particular that "site publishers who authorize the deposit and use of such "cookies" by third parties when visiting their site must also be considered as data controllers, even though they are not subject to all the obligations imposed on the third party who issued the "cookie", in particular when the latter retains sole control over compliance with its purpose or its retention period. The obligations that weigh on the site editor in such a case include ensuring that its partners do not issue, through its site, "cookies" that do not respect the regulations applicable in France and to take any useful steps with them to put an end to any breaches.

77. In addition, as it indicated in its deliberation SAN-2021-013 of July 27, 2021, the restricted training notes that if the recommendations issued by the plenary training of the CNIL regarding cookies have evolved to take into account the developments induced by the GDPR in terms of consent in particular, these developments have no impact in the present case and it has continually been considered, as indicated in article 3 of deliberation no. 2013-378 of December 5, 2013 adopting a recommendation relating to cookies and other tracers covered by article 32-II of the law of January 6, 1978, that "when several actors are involved in the deposit and reading of cookies (for example when publishers facilitate the deposit of cookies which are then read by advertising agencies), each of them must be considered as co-responsible for the obligations arising from the provisions of the aforementioned article 32-II [current article 82 of the law of January 6 1978]".

78. This deliberation specified that this is the case for "website publishers (or mobile application publishers, for example) and their partners (advertising agencies, social networks, publishers of audience measurement solutions, etc.) ). Indeed, to the extent that site editors often constitute the sole point of contact for Internet users and that the placement of third-party cookies is dependent on navigation on their site, it is up to them to proceed, alone or jointly with their partners, to prior information and the collection of consent, explained in Article 2 of this recommendation.

79. The restricted panel also emphasizes that it has, on several occasions, adopted financial sanctions against site publishers for facts relating to operations of reading and/or writing information, including included by third parties, in the terminal of users visiting their site, in particular in deliberation no. SAN-2020-009 of November 18, 2020 and in deliberation no. SAN-2020-013 of December 7, 2020.

80. In this case, the company maintains that it has deployed all means to ensure that its partners do not place cookies through the site "yahoo.com" without complying with the applicable regulations. In this regard, it relies on a document entitled “Practices, improvements and governance implemented […] regarding cookies”.

81. This document first mentions a management and integration program for its partners, providing in particular that they "can only rely on the consent collected via the Yahoo EMEA consent management platform ( "CMP"), on sites owned and operated by Yahoo EMEA, to be able to deposit or access information on users' terminals.

82. It is also stated that "Yahoo EMEA sent surveys to its partners to understand how they handled Yahoo EMEA's consent signals when Yahoo EMEA believed there was potential ambiguity or misinterpretation of the signals that it they received from Yahoo EMEA. Yahoo EMEA excluded all partners from the sites it owns and operates if Yahoo EMEA had reasonable cause to believe that the practices of these partners did not comply with Yahoo EMEA's policies and procedures ." This document then reports various improvements relating to cookie practices, including the reassessment of advertising systems, a strengthening of governance, the establishment of more formal and frequent control of sites owned and operated by Yahoo.

83. The restricted training notes that, if all of these measures have resulted in the company's partners no longer placing cookies without the user's consent, as emerges from the online control of June 10, 2021, they were only deployed after the first online check on October 7, 2020, as indicated by the company in its filings.

84. It considers that these measures have no impact on the fact that the company allowed, at least until October 2020, the deposit of cookies subject to the prior collection of users' consent without the latter's agreement, in violation of Article 82 of the “Informatics and Liberties Law”.

85. Under these conditions, the restricted panel considers that the company YAHOO EMEA LIMITED has disregarded the provisions of article 82 of the Data Protection Act.

Regarding the obstacle to the withdrawal, by the user, of his consent to cookies

86. The rapporteur notes that during the online checks of October 7, 2020 and June 10, 2021, when the delegation wished to withdraw its consent to the deposit of cookies, the messages displayed by the company in the context of the withdrawal of consent encouraged them not to withdraw their consent, under penalty of permanently losing access to their “Yahoo mail” electronic mail.

87. The company maintains that neither the ePrivacy directive, nor the GDPR, nor article 82 of the Data Protection Act precisely regulates the revocation of consent to the storage of cookies. She adds that French users had the possibility of refusing the deposit of cookies without having to give up access to Yahoo products. It specifies in this regard that it was also possible for users to revoke their consent via the main page of the Yahoo “Dashboard”. The company emphasizes that, in parallel with the practice of "cookie walls", no consensus exists to consider this practice as illegal, that in any case, there were alternatives to the "Yahoo Mail" service and that people concerned could request the portability of their data in accordance with Article 20 of the GDPR.

88. The restricted panel considers, firstly, with regard to the legal framework applicable to the withdrawal of consent, that if article 82 of the Data Protection Act conditions the deposit of cookies on the consent of the subscriber or of the user, it necessarily offers, in a correlative manner, the right to the interested party to withdraw their consent and thus reconsider their choice to accept that cookies are placed on their terminal.

89. The restricted training recalls that the "ePrivacy" directive provides in its article 2 (f), that the consent of a user or subscriber corresponds to the consent of the person concerned contained in directive 95/46/EC, which was replaced by the GDPR.

90. Thus, since the entry into force of the GDPR, the "consent" provided for in the aforementioned article 82 must be understood within the meaning of article 4, paragraph 11, of the GDPR, that is to say that it must be given in a free, specific, enlightened and unambiguous manner and manifested by a clear positive act.

91. In this regard, recital 42 of this Regulation provides that: "consent should not be considered to have been given freely if the person concerned does not have genuine freedom of choice or is not able to refuse or withdraw consent without suffering harm.

92. The restricted panel further observes that the last paragraph of article 2 of the CNIL recommendation resulting from deliberation no. 2013-378 of December 5, 2013 already recalled that "people who have given their consent to the deposit or to reading certain cookies must be able to withdraw it at any time. User-friendly solutions must therefore be implemented so that the person can withdraw their consent as easily as they were able to give it. Then, in its deliberation no. 2019-093 of July 4, 2019, the CNIL maintained this reminder in article 2, indicating "that it must be as easy to refuse or withdraw consent as to give it".

93. It should also be noted that seized of an appeal for abuse of power filed against these guidelines, the Council of State ruled that "the CNIL which, by indicating that it should "be as easy to refuse or withdraw consent than to give it", limited itself to characterizing the conditions of the user's refusal, without defining particular technical modalities for expressing such refusal, did not taint its deliberation with any lack of knowledge of the rules applicable in this matter” (CE, June 19, 2020, no. 434684, at the Tables). Thus, this provision of the guidelines, which only recalls the legal rules, has not been reformed by the Council of State.

94. Finally, the guidelines of September 17, 2020 resulting from deliberation no. 2020-091 only reiterated this principle, indicating in point 31 that "it must be as simple to withdraw consent as to give. Users who have given consent to the use of trackers must be able to withdraw it simply and at any time. This is therefore not a new direction that these guidelines would have set.

95. Secondly, the restricted training notes that both during the online control of October 7, 2020 and during that of June 10, 2021, the CNIL delegation noted the display, during the process of withdrawing consent, messages intended to inform the user of the consequences of their choice on the use of Yahoo services.

96. In this regard, it emerges from the first check carried out on October 7, 2020 for the purposes of which the delegation had created a "Yahoo mail" account, that when the delegation followed the route allowing it to withdraw its consent it was seen display a window indicating that the data controller "store[s] cookies (or similar technology) on [the] user's device" as well as a notice specifying: "You must accept them in order to use the products Verizon Media. If you disable them, you revoke your consent and will no longer be able to access Verizon Media products, including Yahoo Mail, Yahoo News, Huffington Post, etc. ".

97. The restricted panel also notes that after clicking on the link entitled “Find out more” at the bottom of this window, the CNIL delegation arrived on a new page containing an article answering a question whose wording indicates “ What happens if I withdraw my cookie consent from the Privacy Dashboard?" and the answer to this question specified that if "users in the European Union can withdraw this cookie consent cookies on their behalf from the Privacy Dashboard", "withdrawal of this agreement will result in blocked access to our products and other Verizon Media sites and applications".

98. Regarding the second online control of June 10, 2021, during which the control delegation browsed the "yahoo" domain without creating an account, the restricted panel also notes that if an Internet user could revoke his general consent to From the page entitled "Privacy dashboard and controls (visitors)", it appears that before the interested party completes the procedure aimed at withdrawing consent, a page appears followed by the words "Are you Are you sure? You will no longer be able to access YAHOO or other Verizon Media products."

99. This alert was accompanied by text stating "if you revoke your general consent, you lose access to all Verizon Media products, including your email content, both through Verizon Media services and through third-party tools that may access Verizon Media services. Your account will be considered inactive and will be deleted after 12 months of inactivity. Please note that no content related to your account, such as your registration information or the content of your email, will not be deleted until your account has been deleted. You will continue to receive emails in your account but you will no longer be able to access them. If you wish to reuse a Verizon Media product, you will need to provide again your general consent before you can access it. If you want to perform other activities in the Privacy Dashboard (such as downloading a summary of your data) or in other Verizon Media products, please do so before revoking your consent". At the bottom of this window were two buttons, one labeled "Back" and the other "Revoke my general consent".

100. The restricted training notes that during the courses followed by the delegation, the user is invited to express their choice regarding the registration of cookies on their terminal. It observes, however, that during these visits, the company does not provide any information to the user regarding the fact that the registration of certain cookies, whatever their purposes, is inseparable from the provision of Yahoo services, including the service electronic messaging. It observes that it is only during the process dedicated to the withdrawal of consent that the company informs the user of the fact that the use of its services is conditional on the acceptance of certain cookies and what are the consequences of withdrawing consent.

101. The restricted panel observes that if the fact of linking the use of a service to the registration of cookies not strictly necessary for the service provided, a practice which is comparable to a cookie wall, is not in itself illegal, it This is on the condition that the consent is free, which implies that both the refusal of consent and its withdrawal do not cause harm to the user.

102. The restricted bench underlines on this point that in its Meta decision (C 252/21, July 4, 2023), the CJEU sheds light on the conditions in which the consent given by the user of a service and therefore, correlatively , its withdrawal, can be considered free. Thus, in point 150 of its decision, the Court indicates that "users must have the freedom to refuse individually, within the framework of the contractual process, to give their consent to particular data processing operations not necessary for the execution of the contract without them being required to completely renounce the use of the service offered by the operator of the online social network, which implies that said users are offered, if necessary against appropriate remuneration, an alternative equivalent not accompanied by such data processing operations."

103. However, in this case, the withdrawal of consent cannot be done without prejudice to the user since he can no longer use the messaging service. Even assuming that the company can validly claim the fact that it has set up a "cookie wall", and in addition to the fact that the company does not correctly inform users when creating an account or their arrival on the "Yahoo.com" page because the use of its services is inseparable from the deposit of cookies, it appears that the company does not offer an alternative to users wishing to withdraw their consent, for example by providing a service paid email service.

104. The restricted panel notes that the absence of an alternative proposed by the company necessarily affects the free nature of the withdrawal of consent. Indeed, the user of the "Yahoo Mail" service can, thanks to this service, communicate with other people using their email address, develop their network and their virtual address book and archive important personal or professional conversations. . Therefore, as he uses his email address, the user finds himself captive to the messaging service in question, which constitutes an element of his private, family and possibly professional life and which he cannot, therefore, except he started using it, plus replacing it with any similar service as easily as he would have done initially. Users who do not wish to change their email address and renounce the content of the messaging are therefore required to renounce the withdrawal of their consent since the company does not offer any alternative.

105. The restricted panel then observes that despite the presence of buttons allowing consent to be withdrawn, these messages are likely to constitute a serious obstacle for the user who, to withdraw their consent, must in particular be prepared to renounce the use of his email address, which hampers his ability to correspond with others. Such renunciation constitutes, according to the restricted panel, harm within the meaning of recital 42 of the aforementioned GDPR in the absence, as recalled in the previous paragraphs, of an alternative proposed by the company. In these circumstances, the restricted panel considers that the withdrawal of consent to the registration of cookies is not free.

106. Thirdly, the restricted training also notes that if the company indicates that there were other methods allowing users to withdraw their consent, via the "Yahoo Privacy Dashboard" and the "tab". General consent", it does not provide any element to this effect. The restricted training observed that during the user journeys it followed, the delegation systematically clicked on buttons and tabs with intuitive titles such as "Your account", then "General consent" or even, "Find out more". . Thus, the paths followed by the delegation during the two online checks are those that users are most likely to follow when they wish to withdraw their consent.

107. Finally, the panel considers that the circumstance, put forward by the company, according to which users no longer wishing to use the Yahoo messaging service could exercise their right to portability as provided for by Article 20 of the GDPR does not allow in no way prevent the deposit of cookies on the terminal, which is the subject of the right to withdraw consent. Furthermore, it does not follow from the instruction that the company offered this solution to these users when they wished to withdraw their consent.

108. Under these conditions, the restricted panel considers that by obstructing the user's withdrawal of consent, the company has failed to comply with its obligations under Article 82 of the Data Protection Act.

III. On corrective measures and publicity

109. Under the terms of III of article 20 of the Data Protection Act:

110. "When the data controller or its subcontractor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or from this law, the president of the National Commission for Informatics and Liberties may also, where applicable after having sent him the warning provided for in I of this article or, where applicable in addition to a formal notice provided for in II, refer the matter to the restricted formation of the commission with a view to pronouncement, after procedure contradictory, of one or more of the following measures: (…) 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, In the case of a company, 2% of the total annual worldwide turnover of the preceding financial year, whichever is higher. In the cases mentioned in 5 and 6 of Article 83 of Regulation (EU) 2016 /679 of April 27, 2016, these ceilings are increased, respectively, to 20 million euros and 4% of said turnover. The restricted panel takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

111. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the Data Protection Act, provides that: "Each supervisory authority ensures that the administrative fines imposed under the GDPR this Article for breaches of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive", before specifying the elements to be taken into account in deciding whether to impose an administrative fine and to decide the amount of this fine.

A. On the imposition of an administrative fine

112. In defense, the company YAHOO EMEA LIMITED maintains that taking into account all the circumstances of the case, and more particularly its continuous and proactive efforts in matters of data protection, the administrative fine proposed by the rapporteur must be reduced and cannot, in any case, reach the legal ceiling. It indicates that the investigation period had a significant negative impact on the amount of the fine, which is now determined with regard to its 2022 turnover, which is significantly higher than that of 2020. which would have been taken into account if the restricted panel had examined the case in 2021. She adds that several of the factors mentioned in paragraph 2 of Article 83 of the GDPR justify reducing the amount of the administrative fine. As such, it specifies that the fine imposed must correspond to that imposed in similar cases, in accordance with the principles of non-discrimination and equal treatment. The company adds that the CNIL must, to determine the amount of the administrative fine, take into account the relative seriousness of the breaches, the number of people affected by them, their duration, and the measures taken following the first inspection. online and its cooperation with its services.

113. The restricted panel recalls that article 20, paragraph III, of the Data Protection Act gives it jurisdiction to impose various sanctions, in particular administrative fines the maximum amount of which may be equivalent to 2% of the global annual turnover. total of the previous financial year made by the data controller or 10 million euros. She adds that the determination of the amount of these fines is assessed with regard to the criteria specified by Article 83 of the GDPR.

114. Firstly, with regard to the imposition of an administrative fine, the restricted panel emphasizes that it is appropriate, in this case, to apply the criterion provided for in paragraph a) of Article 83, paragraph 2, of the GDPR relating to the seriousness of the breach taking into account the nature and number of people affected by it.

115. Regarding the nature of the first part of the breach, the restricted panel notes that the data controller seriously undermined the right of users of its services to maintain control of their data, by processing it without their knowledge. , in contravention of the very principle set by article 82 of the Data Protection Act which conditions such action on the express consent of the user.

116. Concerning the scope of reading and writing operations, the restricted panel notes that the breach results in the deposit of cookies by around fifteen companies specializing in personalized advertising whose aim is to follow its navigation on the web so that advertising corresponding to their behavior is subsequently displayed to them.

117. Regarding the second aspect of the breach, the restricted panel underlines its particular seriousness, the conditions for withdrawal of consent being intrinsically linked to the freedom to consent. However, in this case, its terms lead to pressure on users to dissuade them from withdrawing their consent to the deposit of cookies, by letting them believe that they might no longer be able to use Yahoo's services. The restricted panel considers that the violation of article 82 of the Data Protection Act is all the more serious as it involves users renouncing, in particular, the use of their messaging and their address. electronic which constitute important elements of their private, family and possibly professional life.

118. Finally, the restricted panel recalls that the two aspects of the breach were continually considered non-compliant by the CNIL, notably in the first recommendation of December 5, 2013.

119. Regarding the duration of the breach, for the first part, the restricted panel estimates that it lasted at least four months, between the first online check of October 7, 2020 and the finalization, on February 12, 2021, of the first measure to re-evaluate the company's practice to ensure that third parties comply with cookie legislation. For the second part, which was noted both during the first online check and during the second, on June 10, 2021, the duration of the breach ran at least until July 7, 2021, date on which the company removed the “General Consent” tab and accompanying text. The restricted training therefore estimates that it lasted at least 21 months.

120. The restricted training highlights the large number of people affected, numbering approximately 5 million unique visitors to the “yahoo.com” domain between 2019 and 2020.

121. Secondly, the restricted panel notes that the company collaborated with the services of the CNIL and that it responded to all requests for information within the allotted time limits. In doing so, the companies have complied with the obligations arising from article 18 of the Data Protection Act, without this constituting an attenuating circumstance within the meaning of f) of article 83 of the GDPR, from when the company does not demonstrate that its collaboration with the CNIL made it possible to remedy the identified violation and mitigate its negative effects.

122. Thirdly, the restricted training notes that the improvements relating to the company's cookie practices, summarized in the document entitled "Cookie practices, improvement and governance implemented by Yahoo EMEA", have been finalized. between February and July 2021, so that they cannot usefully be taken into account with regard to the practices previously identified, during the first online inspection which took place in October 2020 and the practice observed during the second inspection in line of June 2021. Furthermore and in any case, as indicated by the rapporteur in his response to the company's observations, updating the data protection process of users of Yahoo services is part of the management current affairs of the company, which must ensure that its digital activity is carried out legally and, more particularly, respects the Data Protection Act.

123. Fourthly, the restricted panel emphasizes that the company cannot usefully compare its situation to those of other companies having been sanctioned for breaches of article 82 of the Data Protection Act to the extent that the amount of A fine must be determined on a case-by-case basis.

124. Finally, the proposed administrative fine must be calculated taking into account the global annual turnover of the previous financial year, in accordance with what is required by article 20 of the Data Protection Act. The fact that the legal ceiling of the sanction incurred by the company would, taking into account the increase in its turnover between 2020 and 2022, have been lower if the practices in question had been examined in 2021 has no impact on this point.

125. It follows from all of the above and the criteria which were duly taken into account by the restricted panel, in view of the maximum amount incurred established on the basis of 2% of turnover, that it is justified to pronounce an administrative fine of ten million (10,000,000) euros.

B. On the publicity of the decision

126. YAHOO EMEA LIMITED maintains that such a measure is disproportionate for the same reasons as those relating to the imposition of an administrative fine.

127. The restricted panel considers, however, that the publicity of this decision is justified in view of the seriousness of the breach in question, the scope of the processing and the number of people concerned. It considers in particular that this measure will make it possible to alert users, to the extent that the disputed cookies were placed without their knowledge, of the nature of the breaches in question.

128. Finally, the restricted panel considers that the measure is proportionate since the decision will no longer identify the company by name at the end of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

• impose an administrative fine against the company YAHOO EMEA LIMITED in the amount of ten million (10,000,000) euros for breach of article 82 of the Data Protection Act;

• make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the company by name at the end of a period of two years from its publication;

• send this decision to the company YAHOO FRANCE for execution.

President

Alexandre LINDEN

This decision may be the subject of an appeal before the Council of State within four months of its notification.