CNIL (France) - SAN-2020-012

Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(7) GDPR
Article 26(1) GDPR
Article 56 GDPR
Article 60 GDPR
Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communication sector
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.12.2020
Published: 10.12.2020
Fine: 100000000 EUR
Parties: Google Ireland Ltd
Google LLC
National Case Number/Name: SAN-2020-012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Fra-data67

The French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) imposed a sanction on Google LLC and Google Ireland Ltd for a total amount of €100 million for depositing cookies on users’ devices without prior consent or information.

English Summary

Facts

Google LLC is a company headquartered in California, USA. Since its creation in 1998, it has developed numerous services for individuals and businesses, such as the Google Search engine, the Gmail mailbox, the Google Maps mapping service, and the YouTube video platform. It has more than 70 offices in some 50 countries and employed more than 110,000 people worldwide in 2019. Since August 2015, it has been a wholly owned subsidiary of Alphabet Inc, the parent company of the Google group.

Google Ireland Ltd, based in Dublin (Ireland), is the headquarters of the Google Group for its activities in the European Economic Area and Switzerland. Google France SARL is the French branch of the Google Group.

On 16 March 2020, the French DPA (CNIL) carried out an online check on the google.fr website. The CNIL then found several violations of the rules relating to cookies, contained in Article 82 of the French Data Protection Act (Loi Informatique et Libertés), as transposed from the e-Privacy Directive.

Dispute

  • Is the French DPA materially and territorially competent to control and sanction cookies deposited by companies on users' computers? More specifically, is the lead authority mechanism as detailed in Articles 56 and 60 GDPR applicable in this case?
  • Are Google LLC and Google Ireland Ltd to be considered as joint controllers within the meaning of Article 26 GDPR?
  • Does an information banner at the bottom of the page referring to the privacy policy constitute information in compliance with Article 82 of the French Data Protection Act (prior, clear and complete information on the purposes and rights of the persons concerned)?
  • Does the deposit of a cookie for advertising purposes require the prior consent of the persons concerned under Article 82 of the French Data Protection Act?
  • Is it consistent with the opt-out mechanism that several cookies for advertising purposes remained stored on the user's terminal and continued to read information for the server to which they were attached during each new interaction with the domain concerned, even though the person concerned had deactivated the personalisation of ads on Google Search?

Holding

The French DPA fined GOOGLE LLC 60 million euros and GOOGLE IRELAND LIMITED 40 million euros, both of which were made public. Given that the practices of these companies affected nearly 50 million users, and given the considerable profits that the companies derive from the advertising revenues indirectly generated from the data collected by these advertising cookies, the CNIL also issued an injunction under penalty requiring the companies to inform people in accordance with Article 82 of the French Data Protection Act within 3 months of notification. Otherwise, the companies will be liable to a penalty payment of 100 000 euros per day of delay.

In order to justify its decision, the French DPA has identified several failings in terms of cookie management, with regard to the provisions of article 82 of the French Data Protection Act.

On the material and territorial competence of the French DPA

In its decision, the CNIL’s sub-commission recalls that the French DPA is materially competent to control and sanction cookies deposited by companies on the computers of users residing in France. Indeed, the CNIL notes that when a processing operation falls within the material scope of both the ePrivacy Directive and the GDPR, reference should be made to the relevant provisions of the two texts that provide for their articulation. Thus, recital 173 of the Regulation explicitly provides that it is not applicable to processing of personal data which are subject to specific obligations set out in the ePrivacy Directive.

The CNIL also stresses that this articulation was confirmed by the Court of Justice of the European Union in its Planet49 decision of 1 October 2019 (C-673/17). In doing so, the French DPA concludes that the lead authority mechanism provided for by the GDPR was not intended to apply in this procedure since operations related to the use of cookies fall within the scope of the ePrivacy Directive, as transposed in Article 82 of the French Data Protection Act.

The CNIL’s sub-commission also considered that it is territorially competent in application of Article 3 of the French Data Protection Act, because the use of cookies is carried out within the framework of the activities of the company Google France, which constitutes the establishment on French territory of the companies Google LLC and Google Ireland Ltd and ensures the promotion of their products and services.

On the determination of responsibilities

The CNIL’s sub-commission notes that Articles 4(7) and 26(1) GDPR are applicable to the present proceedings because of the use of the concept of controller in Article 82 of French Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR.

According to Article 4(7) GDPR, the controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. According to Article 26(1) GDPR, when two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

The CNIL considers that Google Ireland Ltd and Google LLC should be considered as joint controllers for the processing in question, since the companies both determine the purposes and means of the processing consisting of operations to access or deposit cookies in the terminal of Google Search users residing in France.

Indeed, Google Ireland Ltd is involved in the development and supervision of the internal policies that guide the products and their design, the setting of parameters, the determination of privacy rules and all checks carried out prior to the launch of the products, in application of the principle of privacy by design.

With regard to Google LLC, the CNIL considers that although it appears from the contract concluded with Google Ireland Ltd that Google LLC acts as a processor of Google Ireland Ltd, it appears that the actual involvement of Google LLC in the processing in question goes far beyond that of a processor that merely carries out processing operations on behalf of Google Ireland Ltd and on its sole instructions. Thus, Google LLC also determines the means of processing since, as mentioned above, it is Google LLC that designs and builds the technology of cookies placed on the terminals of European users. The CNIL therefore concludes that Google LLC must also be granted the status of data controller.

On the violation of provisions on cookies

During the online check carried out on 16 March 2020, the CNIL noted that, when users reached the google.fr website, seven cookies were placed on their terminal equipment, before any action. In its letter dated 30 April 2020, Google Ireland Ltd indicated that four of these seven cookies were used for advertising purposes.

In this context, the CNIL’s sub-commission recalls the provisions of Article 82 of the French Data Protection Act, according to which any deposit of cookies or tracers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user.

As a result, the CNIL found several violations of these provisions: the lack of prior information to users, the failure to obtain the consent of individuals before depositing cookies on their terminal, and the impossibility for individuals to refuse the deposit of all cookies.

The lack of information to users

The CNIL notes that the information provided to users residing in France relating to operations to access or deposit information in their terminal when using the Google Search engine was insufficient and unclear, and therefore violated the provisions of Article 82 of the French Data Protection Act. More specifically, the CNIL emphasized that:

  • Access to or deposit of a cookie can only take place on the condition that the user has consented to it after having received clear and complete information on the purposes of the cookies deposited and the means at their disposal to oppose them. Firstly, the CNIL noticed that when a user reached the google.fr website, an information banner was displayed at the bottom of the page, containing the notice "Reminder regarding Google's privacy policy", next to which were two buttons entitled "Remind me later" and "Consult now". The CNIL highlights that a simple reference to the privacy policy is not explicit enough to enable individuals to obtain information in accordance with the provisions of Article 82 of the French Data Protection Act. Then, the CNIL noted during the online checks that the privacy rules that opened in pop-up windows when people clicked on the "Consult now" button still did not contain any section dedicated to the use of cookies and other tracers, despite containing general information about the personal data processed by Google services. In addition, the data subjects were still not informed at this stage of their ability to refuse cookies on their terminal equipment. Consequently, the CNIL concluded that the information provided by the companies, both in the banner and in the pop-up window, did not allow users residing in France, when using the Google Search engine, to be clearly informed in advance of the existence of operations allowing access to and deposit of information in their terminal and, consequently, of the purpose of such operations and the means made available to them to refuse them.
  • The CNIL underlines that since the initiation of the sanction proceedings, the companies have undertaken a series of changes in the way they use cookies. Thus, since 20 September 2020, all users visiting the google.fr website see, in the middle of their screen, before being able to access the search engine, a pop-up window entitled "Before continuing" which contains prior information relating to cookies. However, although the French DPA highlights a definite change compared to previous information banners, the CNIL considers that the information provided is still not clear and complete within the meaning of Article 82 of the French Data Protection Act, insofar as this information does not inform the user of all the purposes of the cookies deposited and the means at their disposal to oppose them. Indeed, the presentation of the different purposes mentioned in this banner remains too general for users to easily and clearly understand why cookies are deposited on their terminal. Furthermore, the information provided is incomplete, as users are still not informed about their right to oppose these cookies, nor about the means made available to them for this purpose (the terms "Options" or "More information" are not explicit enough to enable users to directly understand the extent of their rights).

The failure to obtain the consent of individuals before depositing cookies on their terminal

In this respect, after recalling the provisions of Article 82 of the French Data Protection Act, the CNIL concludes that since these four cookies do not have the sole purpose of enabling or facilitating communication by electronic means nor are they strictly necessary for the provision of an online communication service at the express request of the user, the sub-commission considers that the companies should have obtained the prior consent of the users, before depositing cookies on the user's terminal.

Google’s partially flawed opposition mechanism

First of all, the CNIL underlines that the use of the expression "withdraw consent" is particularly abusive, insofar as the cookies were deposited on the user's terminal even before their consent was obtained (absence of opt-in).

The DPA's sub-commission also held that, even after a user had deactivated the personalisation of ads on Google Search and continued browsing the site, several of these cookies for advertising purposes remained stored on the user's computer and continued to read information for the server to which they were attached (for example google.com or google.fr) during each new interaction with the domain concerned.

Consequently, the CNIL concluded that the system put in place by the companies to oppose cookies for advertising purposes placed on the user's terminal was partially defective, in violation of the requirements of Article 82 of the French Data Protection Act.

Comment

This decision is highly interesting, as it clarifies the articulation between two instruments for the protection of personal data in the context of the deposit of cookies: on the one hand, the GDPR, which provides a general framework, and on the other hand, the national provisions as they result from the transposition of the ePrivacy Directive. The decision recalls the complementary nature of the two instruments, and underlines in particular the special nature of the scope of the ePrivacy Directive, which provides specific obligations in the electronic communication sector.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Deliberation of the restricted formation no. SAN-2020-012 of December 7, 2020 concerning the companies GOOGLE LLC and GOOGLE IRELAND LIMITED

The National Commission for Informatics and Freedoms, meeting in its restricted formation composed of Messrs Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Ladies Dominique CASTERA, Anne DEBET and Christine MAUGÜE, members;

Considering Convention no. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 relating to the protection of personal data and the free movement of such data;

Considering law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms, in particular articles 20 and following;

Considering ordinance no. 2014-1329 of November 6, 2014 relating to the remote deliberations of the administrative bodies of a collegial nature;

Considering decree no. 2019-536 of May 29, 2019 taken for the application of law no. 78-17 of January 6, 1978 relating to data processing, files and freedoms;

Considering deliberation no. 2013-175 of July 4, 2013 adopting the internal regulations of the National Commission for Informatics and Freedoms;

Considering decision no. 2020-072C of March 15, 2020 of the President of the National Commission for Informatics and Freedoms to instruct the Secretary General to carry out or have carried out a verification mission of the processing accessible from the google.fr domain or relating to personal data collected from the latter;

Having regard to the decision of the President of the National Commission for Informatics and Freedoms appointing a rapporteur before the restricted formation, dated June 8, 2020;

Having regard to the hearing of the companies GOOGLE LLC and GOOGLE IRELAND LIMITED in the premises of the CNIL, on July 22, 2020;

Having regard to the report by Mr. Bertrand du MARAIS, commissioner rapporteur, notified to the companies GOOGLE LLC and GOOGLE IRELAND LIMITED on August 12, 2020;

Having regard to the written observations made by counsel for the companies GOOGLE LLC and GOOGLE IRELAND LIMITED on September 25, 2020;

Having regard to the rapporteur's response to these observations notified on October 9, 2020 to the companies' counsel;

Considering the written observations made by counsel for the companies GOOGLE LLC and GOOGLE IRELAND LIMITED received on October 26, 2020;

Having regard to the oral observations made during the session of the restricted formation;

Considering the note under advisement of December 2, 2020 sent by counsel for the companies GOOGLE LLC and GOOGLE IRELAND LIMITED to the president of the restricted formation;

Having regard to the other documents in the file;

Were present during the session of the restricted formation on November 12, 2020:

- Mr. Bertrand du MARAIS, commissioner, heard in his report;

As representatives of GOOGLE LLC and GOOGLE IRELAND LIMITED:

- […]

As interpreters for GOOGLE LLC and GOOGLE IRELAND LIMITED:

- […]

The companies GOOGLE LLC and GOOGLE IRELAND LIMITED having spoken last;

The restricted committee adopted the following decision:

I. Facts and procedure

1. GOOGLE LLC is a limited liability company headquartered in California (United States). Since its creation in 1998, it has developed many services for individuals and businesses, such as the Google Search search engine, the Gmail mailbox, the Google Maps mapping service and the YouTube video platform. It has more than 70 offices in some 50 countries and in 2019 employed more than 110,000 people around the world. Since August 2015, it has been a 100%-owned subsidiary of ALPHABET Inc., parent company of the GOOGLE group.

2. In 2019, ALPHABET Inc. had sales of over $161 billion, while GOOGLE LLC had sales of over $160 billion. […]

3. GOOGLE IRELAND LIMITED (hereinafter GIL) presents itself as the headquarters of the GOOGLE group for its activities in the European Economic Area (hereinafter EEA) and in Switzerland. Based in Dublin (Ireland), it employs around 9,000 people. In 2018, it achieved a turnover of more than 38 billion euros.

4. GOOGLE FRANCE SARL is the French establishment of the GOOGLE group. Subsidiary 100% owned by GOOGLE LLC, its head office is located in Paris (France). In 2018, it employed around 1,400 people and had a turnover of more than 400 million euros.

5. Pursuant to the Commission President's decision no. 2020-072C of March 15, 2020, the CNIL services carried out an online check, on March 16, 2020, on the google.fr website.

6. This mission was especially designed to verify compliance by the companies GOOGLE LLC and GIL (the companies) with all the provisions of Law no. 78-17 of 6 January 1978 relating to IT, files and freedoms (hereinafter the Data Protection Act) and in particular Article 82.

7. As part of the online control, the delegation was thus able to observe that when a user goes to the google.fr page, several cookies are automatically placed on his terminal, without any action on his part, as soon as he arrives on the website. On March 16, 2020, the delegation notified the companies of the report drawn up in the context of the online control, asking them, in particular, to specify the purposes of the various cookies whose deposit had been noted.

8. By letter of April 30, 2020, the company GIL responded on its behalf to the latter request while considering that the CNIL did not have the competence to control the google.fr website.

9. For the purposes of examining these elements, the President of the Commission appointed Mr. Bertrand du MARAIS as rapporteur, on June 8, 2020, on the basis of article 22 of the Data Protection Act.

10. By letter of June 29, 2020, the companies were invited to a hearing on the following July 15, in application of article 39 of decree no. 2019-536 of May 29, 2019. At the companies' request, the rapporteur accepted, by letter of the following July 9, a postponement of the hearing to July 22, 2020.

11. During the hearing on July 22, 2020, which gave rise to a report signed by all the parties present, the companies notably provided answers to the rapporteur's questions relating to the determination of the controller concerning the processing consisting of operations of accessing or registering information in the terminal of users residing in France when using the search engine Google Search.

12. By letter of July 29, 2020, the company GIL responded to several of the additional requests made by the rapporteur at the end of the hearing on July 22, 2020, by providing, in particular, the subcontracting contract of December 11, 2018 concluded with the company GOOGLE LLC. On the other hand, they did not produce the income of the company GIL from the activity of google.fr and GOOGLE FRANCE under its commission of business introducer, although requested by the rapporteur.

13. At the end of his investigation, on August 12, 2020, the rapporteur had the companies' counsel served personally, and their representatives by email, with a report detailing the breach of the Data Protection Act that he considered constituted in this case.

14. This report proposed to the restricted formation of the Commission to issue an injunction to bring the processing into line with the provisions of Article 82 of the Data Protection Act, accompanied by a fine, as well as an administrative fine against both companies. He also proposed that this decision be made public and no longer allow companies to be identified by name after a period of two years from its publication.

15. On August 18, 2020, through their counsel, the companies made a request that the session before the restricted panel be held in camera, a request which was rejected by the chair of the restricted panel by letter of September 23, 2020.

16. On September 25, 2020, the companies filed comments in response to the sanction report.

17. The rapporteur responded to the companies' comments on October 9, 2020.

18. By e-mail of October 15, 2020, the companies requested an extension of the fifteen-day period provided for by article 40 of decree no. 2019-536 of May 29, 2019 to produce rejoinder observations, a request which was rejected by the president of the restricted formation by letter of October 16, 2020.

19. On October 26, 2020, the companies filed new comments in response to those of the rapporteur.

20. The companies and the rapporteur presented oral observations during the session of the restricted formation.

21. By email of December 2, 2020, the companies sent a note under advisement to the chairman of the restricted formation.

II. Reasons for the decision

A. On the competence of the CNIL

1. On the material competence of the CNIL and the applicability of the one-stop-shop mechanism provided for by the GDPR

22. The provisions of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter the ePrivacy Directive) relating to the storage or access to information already stored in the terminal equipment of a subscriber or user have been transposed into internal law in article 82 of the Data Protection Act, within chapter IV, Rights and obligations specific to processing in the electronic communications sector, of this law.

23. Pursuant to article 16 of the Data Protection Act, the restricted body takes measures and pronounces penalties against data controllers or subcontractors who do not comply with the obligations arising from […] from this law. Under the terms of article 20, paragraph III, of the same law, when the data controller or his subcontractor does not comply with the obligations resulting […] from this law, the president of the National IT Commission and freedoms […] can seize the restricted formation.

24. The rapporteur considers that the CNIL is materially competent in application of these provisions to control and sanction the operations of access or registration of information implemented by the companies in the terminals of users of the search engine Google Search residing in France.

25. The companies recognize that the facts of the present procedure are materially covered by the ePrivacy directive but consider that they should be subject to the procedural framework provided for by Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 (hereinafter the Regulation or the GDPR), that is to say the cooperation mechanism between the supervisory authorities, known as the one-stop-shop mechanism, provided for in Chapter VII of the Regulation. Pursuant to this mechanism, the supervisory authority competent to hear the facts in question would not be the CNIL but the Irish data protection authority, the Data Protection Commission (hereinafter the DPC), which should act as the leading authority with regard to the deployment of cookies by the company GOOGLE IRELAND LIMITED, the latter being competent according to the companies both under the GDPR and the ePrivacy directive.

26. In support of this, the companies rely, in particular, on the adage specialia generalibus derogant according to which, according to them, the absence of specific rules relating to the determination of the competence of the supervisory authority in the event of cross-border processing in the ePrivacy directive should be supplemented by the application of the procedural framework provided for by the GDPR. They maintain that a teleological reading of the preparatory work of the GDPR and its recitals would support the same direction. They add that the exclusion of the one-stop-shop mechanism in the present case would contribute to the fragmentation of European regulations on personal data relating to cookies, a fragmentation which would already be verified by the fact that several supervisory authorities (the French, British and Spanish authorities) have adopted guidelines or even divergent repressive policies with regard to these devices.

27. The restricted formation notes, first of all, that it emerges from the provisions cited above that the French legislator has instructed the CNIL to ensure that data controllers comply with the provisions of the ePrivacy directive transposed in article 82 of the Data Protection Act, in particular by giving it the power to penalize any disregard of this article. It underlines that this competence was recognized by the Council of State in its decision Association of communication consulting agencies of June 19, 2020 concerning the CNIL deliberation no. 2019-093 adopting guidelines relating to the application of article 82 of the law of January 6, 1978 amended to read or write operations in a user's terminal, since the latter noted that article 20 of this law entrusts its president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from Regulation (EU) 2016/279 or its own provisions, as well as the possibility of seizing the restricted committee with a view to the pronouncement of sanctions that may be imposed (CE, June 19, 2020, req. 434684, pt. 3).

28. It notes, next, that when processing falls both within the material scope of the ePrivacy directive and the material scope of the GDPR, reference should be made to the relevant provisions of the two texts which provide for their articulation. Thus, Article 1, paragraph 2 of the ePrivacy Directive provides that the provisions of this Directive particularise and complement Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of personal data (hereinafter Directive 95/46/EC on the protection of personal data), it being recalled that since the entry into application of the Regulation, the references made to this last directive must be understood as made to the GDPR, in accordance with article 94 of the latter. Likewise, it is apparent from recital 173 of the GDPR that this text explicitly provides that it does not apply to the processing of personal data subject to specific obligations having the same objective [of protecting fundamental rights and freedoms] set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations of the controller and the rights of natural persons. This articulation was confirmed by the Court of Justice of the European Union (hereinafter ECJ) in its Planet49 decision of 1 October 2019 (CJEU, 1 October 2019, C-673/17, pt. 42).

29. In this regard, the Restricted Committee notes that, contrary to what the companies maintain, the ePrivacy Directive does provide, for the specific obligations it entails, its own mechanism for implementing and monitoring its application within its article 15bis. Thus, the first paragraph of this article leaves to the Member States the competence to determine the system of sanctions, including criminal sanctions if necessary, applicable to violations of the national provisions adopted in application of this directive and to take any measures necessary to ensure the implementation of these. The penalties provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if it has subsequently been corrected. However, the rule laid down in paragraph 3 of article 5 of the ePrivacy directive, according to which read and write operations must systematically be the subject of a prior consent of the user, after information, constitutes a special rule with regard to the GDPR since it prohibits taking advantage of the legal bases mentioned in article 6 which do not require the consent of the user in order to be able to lawfully carry out these read and write operations on the terminal. The control of this rule therefore falls under the special control and sanction mechanism provided for by the ePrivacy directive and not by the data protection authorities and the EDPS in application of the GDPR. It is by its own choice that the legislator in France has entrusted this mission to the CNIL.

30. In addition, the second paragraph of the same article obliges member states to ensure that the competent national authority and, where appropriate, other national bodies have the power to order the cessation of the offenses referred to in paragraph 1.

31. The Restricted Committee considers that these latter provisions as such exclude the application of the one-stop-shop mechanism provided for by the GDPR to facts falling under the ePrivacy directive.

32. It adds, moreover, that that exclusion is corroborated by the fact that the Member States, which are free to determine the national authority competent to deal with violations of the national provisions adopted pursuant to the ePrivacy directive, may have attributed this jurisdiction to an authority other than their national data protection authority established by the GDPR, in this case to their telecommunications regulatory authority. Therefore, insofar as these latter authorities are not part of the European Data Protection Board (hereinafter EDPS), while this committee plays an essential function in the consistency control mechanism implemented in Chapter VII of the GDPR, it is in fact impossible to apply the one-stop shop to practices liable to be sanctioned by national supervisory authorities not sitting on this committee.

33. It emphasizes that the EDPS also shares the same interpretation, having specified in particular, in its opinion No. 5/2019 of 12 March 2019 relating to the interactions between the Directive on privacy and electronic communications and the GDPR, that the mechanisms of the GDPR do not apply to monitoring the application of the provisions of the Privacy and Electronic Communications Directive as such (pt. 80, free translation).

34. Finally, the restricted committee noted that the possible application of the one-stop-shop mechanism to processing governed by the ePrivacy directive is currently the subject of numerous discussions as part of the development of the draft ePrivacy regulation, which has been under negotiation for three years at European level. It notes that the very existence of these debates confirms that, as it stands, the one-stop-shop mechanism provided for by the GDPR is not applicable to matters governed by the current ePrivacy directive. It underlines that the EDPS opinion of 19 November 2020, invoked by the companies in their note under advisement of 2 December 2020, corroborates this analysis since in this opinion the EDPS merely calls for the application of the one-stop shop to the future regulation, proof that in the state of positive law, this mechanism does not apply to the cookie provisions of the ePrivacy directive in force.

35. It follows from the foregoing that the one-stop-shop mechanism provided for by the GDPR is not applicable to this procedure and that the CNIL is competent to control and sanction the processing carried out by companies falling within the scope of application of the ePrivacy directive, provided that they fall within its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

36. The rule of territorial application of the requirements set in Article 82 of the Data Protection Act is set out in Article 3, paragraph I, of the Data Protection Act which provides: "without prejudice, with regard to processing within the scope of Regulation (EU) 2016/679 of April 27, 2016, of the criteria provided for in Article 3 of this Regulation, all the provisions of this law apply to the processing of personal data carried out within the framework of the activities of an establishment of a controller (…) on French territory, whether or not the processing takes place in France."

37. The rapporteur considers that the CNIL has territorial jurisdiction in application of these provisions since the processing that is the subject of this procedure, consisting of operations to access or register information in the terminal of users residing in France during the use of the search engine Google Search, in particular for advertising purposes, is carried out within the framework of the activities of the company GOOGLE FRANCE, which constitutes the establishment on French territory of the GOOGLE group.

38. The companies maintain that insofar as it would be appropriate to apply the rules of jurisdiction and the cooperation procedures defined in the GDPR, the CNIL does not have the territorial jurisdiction to hear this case given that the actual headquarters of the group GOOGLE in Europe, i.e. the place of its central administration within the meaning of Article 56 of the GDPR, is located in Ireland.

39. The Restricted Panel once again holds that since the facts in question materially fall under the provisions of the ePrivacy directive, and not of the GDPR, the one-stop-shop mechanism provided for by the latter is not applicable in the present case. It deduces from this that it is appropriate to refer to the provisions of Article 3, paragraph I, of the Data Protection Act, determining the scope of the territorial jurisdiction of the CNIL.

40. In this regard, the restricted committee emphasizes that the ePrivacy directive, adopted in 2002 and amended in 2006 and then in 2009, does not itself explicitly set the rule of territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it clarifies and supplements Directive 95/46/EC, which at the time provided, in Article 4, that "Each Member State shall apply the national provisions which it adopts pursuant to this Directive to processing of personal data when: a) the processing is carried out within the framework of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, he must take the necessary measures to ensure that each of his establishments complies with the obligations provided for by the applicable national law." This rule for determining the national law applicable within the Union is no longer relevant for the application of the rules of the GDPR, which replaced Directive 95/46/EC on the protection of personal data and applies uniformly throughout the territory of the Union, but it is logical that the French legislator has maintained the criterion of territorial application for the specific rules of French law, in particular those which transpose the ePrivacy directive. Consequently, the case law of the CJEU on the application of Article 4 of the former Directive 95/46/EC on the protection of personal data remains relevant, insofar as the French legislator has used these same criteria to define the territorial jurisdiction of the CNIL.

41. Thus, as regards, in the first place, the existence of an establishment of the controller on French territory, the CJEU has consistently considered that the concept of establishment should be assessed extensively and that, to this end, it was necessary to assess both the degree of stability of the installation and the reality of carrying out activities in another Member State, taking into account the specific nature of the economic activities and the provision of services in question (see, e.g., ECJ, Weltimmo, 1 October 2015, C-230/14, pts. 30 and 31). The CJEU further considers that a company, an autonomous legal person, of the same group as the controller, can constitute an establishment of the controller within the meaning of these provisions (CJEU, May 13, 2014, Google Spain, C-131/12, pt. 48).

42. In this case, the restricted committee notes, first of all, that the company GOOGLE FRANCE is the head office of the French subsidiary of the company GOOGLE LLC, that it has premises located in Paris, that it employs approximately 1,400 people and that, according to its statutes filed with the registry of the Paris Commercial Court, its main purpose is to provide services and/or advice relating to software, the Internet, telematic or online networks, in particular intermediation in the sale of online advertising, promotion in all its forms of online advertising, direct promotion of products and services and the implementation of information processing center. The restricted committee then notes that it emerges from the hearing of July 22, 2020 that the company GOOGLE FRANCE is responsible for promoting online advertising on behalf of the company GIL, which is a co-contractor of advertising contracts concluded with French companies or French subsidiaries of foreign companies. It notes, finally, that the company GOOGLE FRANCE effectively participates in the promotion of products and services designed and developed by the company GOOGLE LLC, such as Google Search, in France, as well as in the advertising activities managed by the company GIL.

43. As regards, secondly, the existence of processing carried out in the context of the activities of this establishment, the restricted committee notes that the CJEU, in its judgment Google Spain of 13 May 2014, considered that the processing relating to the search engine Google Search was carried out within the framework of the activities of the company GOOGLE SPAIN, establishment of the company GOOGLE INC (now GOOGLE LLC), insofar as the company GOOGLE SPAIN is intended to ensure the promotion in Spain and the sale of advertising space offered by this search engine, which is used to make the service offered by this search engine profitable. While, in the Google Spain judgment, the controller was established outside the European Union, the Court subsequently, in its judgment Facebook Ireland Ltd of 5 June 2018, applied the same extensive interpretation of processing carried out within the framework of the activities of a national establishment in a situation where the processing was partly under the responsibility of another establishment present within the European Union (CJEU, June 5, 2018, C-210/16, pts. 53 sq.). Finally, it should be noted that the interpretation of the concept of processing carried out within the framework of the activities of a national establishment of the controller has no impact on the fact that the debtor of the obligations remains the controller and, where applicable, its subcontractor.

44. In the present case, the restricted committee notes, first of all, that it appears from the press releases of the company GOOGLE FRANCE posted online on its website that the latter's mission is in particular to support small and medium-sized enterprises in France through the development of collaboration tools, advertising solutions or to give them the keys to understanding their markets and consumers. It then notes that in its letter of April 30, 2020, the company GIL indicates that Google France has a sales team dedicated to the promotion and sale of GIL's services, such as Google Ads, to advertisers and publishers based in France. Finally, it notes that the GOOGLE group specifies on its ads.google.com website that Google Ads allows French companies to promote their products or services on the search engine and on a large advertising network.

45. Therefore, the processing consisting of operations of access or registration of information in the terminal of users of the search engine Google Search residing in France, in particular for advertising purposes, is carried out within the framework of the activities of the company GOOGLE FRANCE on French territory, which is in charge of promoting and marketing GOOGLE products and their advertising solutions in France. The restricted committee notes that the two criteria provided for in Article 3, paragraph I, of the Data Protection Act are therefore met and that the processing is sufficiently territorialized in France to be subject to French law. The application of French law only concerns reading and writing operations carried out on French territory (Article 4 of Directive 95/46/EC on the protection of personal data also specified that the Member State law only applied to the activities of the establishment on the territory of the Member State), which corresponds to data read on terminals in France or written on these terminals in France. Lastly, the restricted committee underlines that this has been a constant position on its part since the Google Spain case law of 2014 (see in particular CNIL, restricted committee, April 27, 2017, SAN-2017-006; CNIL, restricted committee, December 19, 2018, SAN-2018-011).

46. It follows from the foregoing that French law is applicable and that the CNIL is materially and territorially competent to exercise its powers, including that of taking a sanctioning measure concerning the processing in question which falls within the scope of application of the ePrivacy directive.

B. On the determination of the controller

47. According to Article 4 (7) of the GDPR, the controller is the natural or legal person, public authority, department or other body which, alone or jointly with others, determines the purposes and means of processing. According to Article 26 (1) of the GDPR, where two or more controllers jointly determine the purposes and means of processing, they are the joint controllers.

48. The rapporteur considers that the companies GIL and GOOGLE LLC are jointly responsible for the processing in question in application of these provisions since the companies both determine the purposes and means of the processing consisting of operations to access or register information in the terminal of Google Search users residing in France.

49. The companies reply that the GIL company is solely responsible for the processing in question. […] The company GIL would be responsible for processing for most Google services and products processing the personal data of users residing in the EEA and Switzerland, including cookies, while the company GOOGLE LLC would only be the subcontractor of the former. They also highlight the participation of the company GIL in the various stages and instances of the decision-making process set up by the group to define the characteristics of the cookies placed on Google Search and underline that a series of differences concerning specifically the cookies placed on the terminals of European users using the Google Search engine (different retention periods, compliance with obligations relating to minors within the meaning of the GDPR, etc.) attest to the decision-making autonomy of GIL in this area.

50. The restricted committee notes, first of all, that Articles 4, paragraph 7, and 26, paragraph 1, of the GDPR are applicable to this procedure because of the use of the concept of data controller in Article 82 of the Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR.

51. The restricted panel then recalls that the CJEU has ruled, on several occasions, on the concept of joint responsibility for processing, in particular in its judgment Jehovah's Witnesses, in which it considered that, according to the provisions of Article 2 (d) of Directive 95/46 on the protection of personal data, the concept of controller refers to the natural or legal person who, alone or jointly with others, determines the purposes and means of processing of personal data. This concept does not therefore necessarily refer to a single natural or legal person and may concern several actors participating in this processing, each of them then having to be subject to the applicable data protection provisions (…). The objective of this provision being to ensure, by a broad definition of the concept of controller, an effective and complete protection of the persons concerned, the existence of a joint liability does not necessarily translate into an equivalent liability, for the same processing of personal data, of the different actors. On the contrary, these actors can be involved at different stages of this processing and to different degrees, so that the level of responsibility of each of them must be assessed taking into account all the relevant circumstances of the case (CJEU, July 10, 2018, C-25/17, pts. 65 and 66).

52. The restricted committee therefore considers that these developments make it possible to usefully shed light on the concept of joint processing responsibility invoked by the rapporteur with regard to the GOOGLE LLC and GIL companies concerned by the processing in question.

1. On the responsibility of the company GIL

53. The companies claim that GIL is acting as the controller in question, which the rapporteur also acknowledges.

54. The Restricted Committee shares this analysis.

55. In the first place, it thus notes that, during the hearing of 22 July 2020, the representatives of the companies declared that the company GIL participates in the development and supervision of the internal policies which guide the products and their design, in setting up the parameters, determining the confidentiality rules and all the checks carried out before the launch of products, in application of the principle of privacy by design.

56. Secondly, it emphasizes that, more particularly with regard to cookies, the representatives stated during the hearing that GIL applies, for example, shorter retention periods for cookies compared to other regions of the world and that it limits the scope of processing related to the personalization of advertising in Europe compared to the rest of the world. For example, GIL does not use certain categories of data, such as deemed household resources, to perform personalized advertising. GIL does not set up personalized advertising for children whom it assumes are minors within the meaning of the GDPR.

57. It emerges from this that the company GIL is, at least in part, responsible for the controlled processing consisting of operations of access or registration of information in the terminal of users residing in France when using the Google Search search engine.

2. On the responsibility of GOOGLE LLC

58. The companies dispute the rapporteur's analysis according to which the company GOOGLE LLC shares the responsibility for the processing in question with the company GIL.

59. The restricted committee notes, firstly, that during the hearing of July 22, 2020, the companies affirmed that it is indeed the company GOOGLE LLC which designs and builds the technology of Google products and that, as regards the cookies placed and read when using the search engine Google Search, there is no difference in technology between the cookies placed from the different versions of the search engine.

60. Similarly, the companies, in the information they offer to French users in the rules of use accessible from google.fr, make no distinction in their presentation of the cookies used by the GOOGLE group when they indicate using different types of cookies for the products associated with the advertisements and the websites of Google.

61. Secondly, the restricted committee observes that despite the undisputed participation of the company GIL in the various stages and bodies related to the definition of the methods of implementation of the cookies placed on Google Search, the matrix organization described by the companies during the hearing of July 22, 2020 showed that the company GOOGLE LLC is also represented in the bodies adopting decisions relating to the deployment of products within the EEA and in Switzerland and to the processing of the personal data of users residing there, and exerts a significant influence there […].

62. Similarly, the restricted committee notes that the data protection officer appointed by the company GIL (hereinafter DPO) and its deputy DPOs are based in California as employees of the company GOOGLE LLC. In this regard, it emerges from the statements made by the companies' own representatives during the hearing of July 22, 2020 that the GOOGLE group made this choice so that the DPO of the company GIL is as close as possible to the decision-makers of the company.

63. Third, the restricted panel considers that the differences that the companies highlight between cookies placed on European user terminals and those intended for other users (different retention periods, compliance with obligations relating to minors within the meaning of the GDPR, etc.) are only differences in execution which do not call into question the overall advertising purpose for which they are used, this purpose being determined in particular by the company GOOGLE LLC. Although the main purpose of these differences is to ensure compliance with European law on cookies placed on European user terminals, they do not, as such, illustrate GIL's decision-making autonomy over all essential characteristics of the means and purposes of the processing in question.

64. Fourth, the restricted committee notes that although, by virtue of a formal reading of the subcontracting contract of December 11, 2018, the company GOOGLE LLC would act as a subcontractor of the company GIL in the processing of European users' data collected via cookies, the real involvement of the company GOOGLE LLC in the processing in question goes far beyond that of a subcontractor who would be content to carry out processing operations on behalf of the GIL company and on its sole instructions.

65. The restricted committee considers that these latest developments show that, despite the entry into force of the subcontracting contract on January 22, 2019, the company GOOGLE LLC continues to play a fundamental role in the entire decision-making process relating to the processing in question. It also determines the means of processing given that, as mentioned above, it is the company that designs and builds the technology for cookies placed on the terminals of European users. Consequently, the restricted committee holds that it is appropriate to also attribute to it the status of controller.

66. It follows from all of the foregoing that the companies GOOGLE LLC and GIL jointly determine the purposes and means of processing consisting of operations to access or register information in the terminal of users residing in France when using the search engine Google Search.

C. On the breach of obligations regarding cookies

67. Under the terms of article 82 of the Data Protection Act (formerly, article 32, paragraph II, of this same law) any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been informed previously, by the controller or his representative, of: 1° the purpose of any action aimed at accessing, by electronic transmission, information already stored in his electronic communications terminal equipment, or at writing information in this equipment; 2° the means at his disposal to oppose it.

These accesses or registrations can only take place on condition that the subscriber or user has expressed, after receiving this information, his consent which may result from appropriate parameters of his connection device or any other device placed under his control.

These provisions are not applicable if access to information stored in the user's terminal equipment or the recording of information in the user's terminal equipment: 1° either has the sole purpose of enabling or facilitating electronic communication; 2° or is strictly necessary for the provision of an online communication service at the express request of the user.

68. In this case, the members of the delegation noted during the online check of March 16, 2020 that, when they arrived on the google.fr website, seven cookies were placed on their terminal equipment, before any action on their part. In its letter of April 30, 2020, the company GIL indicated that four of these seven cookies pursue an advertising purpose.

1. On the lack of information of people

69. The rapporteur maintains that the information provided to users residing in France relating to operations to access or register information in their terminal when using the search engine Google Search was insufficient and unclear, in violation of the requirements of article 82 of the Data Protection Act.

70. The company GIL, which considers itself the sole data controller in question, replies that no legal provision prescribes specific practical arrangements for the data controller to inform its users, as long as they are effectively informed, and maintains that it has opted for multi-level information, as recommended by the Article 29 Group (which has become EDPS since the entry into force of the GDPR) in its guidelines on transparency within the meaning of the Regulation, adopted in their revised version on 11 April 2018.

71. It thus argues that its first level of information complied with the requirements of transparency and accessibility of information since it redirected users to the rest of the information, and in particular that relating to cookies. It argues that it provided, as part of the second level, specific information on the processing of cookies, namely their purposes and the means made available to the user to oppose them.

72. First of all, the restricted committee recalls that under article 82 of the Data Protection Act, access to or registration of cookies in a user's terminal can only take place on the condition that the latter has consented to it after having received clear and complete information relating to the purposes of the cookies placed and the means at his disposal to oppose them.

73. The Restricted Committee considers that for the purposes of interpreting these provisions, it is relevant to refer to recital 25 of the ePrivacy directive, which provides that the methods used to communicate information, offer a right of refusal or request consent should be as user-friendly as possible.

74. The restricted committee also points out that the CNIL has adopted several soft law instruments detailing the obligations of data controllers with regard to trackers, including, in particular, a recommendation of 5 December 2013 as well as guidelines of 4 July 2019, in force on the date of the online check. Although devoid of mandatory value, these instruments provide useful insight to data controllers by informing them about the implementation of concrete measures to ensure compliance with the provisions of the Data Protection Act relating to trackers so that they either implement these measures, or implement measures having equivalent effect.

75. In this regard, in Article 2 of its 2013 recommendation, the Commission recalled in particular that the information had to be prior to the collection of consent but also visible, highlighted and complete. Consequently, the Commission recommended that data controllers implement a two-stage consent collection mechanism:

- first step: the Internet user who visits a publisher's site (home page or secondary page of the site) must be informed, by the appearance of a banner: of the precise purposes of the cookies used; of the possibility of opposing these cookies and changing the settings by clicking on a link in the banner;

- second step: people must be informed in a simple and intelligible way of the solutions made available to them to accept or refuse all or part of the cookies requiring the collection of consent: for all the technologies referred to in the aforementioned article 32-II; by categories of purposes: in particular advertising, social network buttons and audience measurement.

76. Such recommendations were included in the guidelines of 4 July 2019, in equivalent terms.

77. In the present case, the restricted committee notes, first, that it emerges from the online control of March 16, 2020 that when a user arrived on the google.fr page, an information banner was displayed at the bottom of the page, containing in particular the statement "Reminder concerning the rules of confidentiality of Google", next to which appeared two buttons entitled "Remind me later" and "Consult now".

78. The restricted committee thus holds that no information relating to the deposit of cookies on the terminal equipment was provided at this stage to the persons concerned on this banner even though cookies with an advertising purpose had already been deposited on their terminal as soon as they arrived on the google.fr page. It adds that the simple reference to the rules of confidentiality was far from being sufficiently explicit at this stage to allow people reading this banner to know that information relating to cookies was available later in the navigation path, to meet their expectations in this area and to satisfy the requirements of Article 82 of the Data Protection Act.

79. The Restricted Committee stresses, second, that it emerges from the findings made during the online check that the confidentiality rules which opened in pop-up windows when people clicked on the "Consult now" button still did not contain any section dedicated to the use of cookies and other trackers, despite containing general information relating to personal data processed by Google services.

80. Furthermore, people were still not informed at this stage that they could refuse cookies on their terminal equipment, since they were only advised that they could manage the search results according to the search activity in this browser or manage the types of Google ads that appear.

81. Finally, the information provided in the context of this pop-up window did not include, again, any explicit reference to the confidentiality rules applicable to cookies. Although the companies maintain that the latter were indeed provided to the user, the restricted committee notes that the information architecture implemented by the companies was such that, to reach them, the user had to understand for himself that he had to scroll through the content of the entire pop-up window, without clicking on one of the five hypertext links appearing in this content (our rules, Find out more, Modify search parameters, Modify ad parameters, Modify Youtube parameters), to finally click on the "More options" button at the bottom of the window.

82. Consequently, the Restricted Committee notes that the information provided by the companies, both in the context of the banner and that of the pop-up window, did not allow users residing in France, when they arrived on the search engine Google Search, to be previously and clearly informed of the existence of operations allowing access and registration of information contained in their terminal nor, consequently, of the purpose of these and the means made available to them to refuse them.

83. Secondly, the restricted committee notes that since the initiation of the sanction procedure, the companies have undertaken a series of changes in the way they use cookies.

84. The first update was first made available to search engine users not logged in to a Google account as of August 17, 2020 and fully rolled out to all users on September 10, 2020 […]

85. The company GIL highlights that […], the new information provided to users meets the requirements of article 82 of the Data Protection Act.

86. The restricted committee notes that people who go to the google.fr site now see, in the middle of their screen, before being able to access the search engine, a pop-up window entitled "Before continuing" which contains the following text: "Google uses cookies and other data to provide, manage and improve its services and ads. If you agree, we'll personalize the content and ads you see based on your activity on Google services like Search, Maps, and YouTube. Some of our partners also assess how our services are used. Click on 'More Information' to find out what options are available to you or visit g.co/privacytools at any time", the terms "cookies", "partners" and "g.co/privacytools" being clickable links. At the bottom of this pop-up window are two buttons labeled "More Info" and "I Agree".

87. The restricted committee notes that the companies now provide prior information relating to cookies, since users visiting the google.fr page are now openly and directly informed of the fact that the companies use cookies, which constitutes an undeniable advance compared to previous information banners.

88. However, the restricted committee considers that the information provided is still not clear and complete within the meaning of Article 82 of the Data Protection Act, insofar as this information does not inform the user of all the purposes of the cookies placed and the means at his disposal to oppose them.

89. Thus, the description of the various purposes mentioned in this banner remains too general for users to be able to easily and clearly understand for what specific uses cookies are placed on their terminal.

90. The user is in particular not able to understand the type of content and advertisements likely to be personalized according to his behavior (for example, whether it is geolocated advertising), the exact nature of the Google services that use personalization or the fact that this personalization operates between these different services.

91. The restricted committee considers, moreover, that the information provided is incomplete since users are still not informed about their possibility of refusing these cookies, nor about the means made available to them for this. Indeed, the terms "options" or "More information" are not explicit enough to allow users to directly understand the extent of their rights with regard to cookies placed on their terminal.

92. […]

93. In view of all of the foregoing, the restricted committee considers that a breach of the provisions relating to the information of persons of article 82 of the Data Protection Act has been established.

94. The restricted committee notes that this breach persists at the date of the closing of the investigation, the modifications made by the companies since the initiation of the sanction procedure not having made it possible to bring this information into conformity with the requirements of Article 82 of the Data Protection Act.

2. On the failure to collect consent from people before placing cookies on their terminal and the inability for people to refuse the deposit of all cookies

a. On the failure to collect consent from people before placing cookies on their terminal

95. The rapporteur maintains that the companies violated the provisions of Article 82 of the Data Protection Act relating to the consent of individuals insofar as, during the online check of March 16, 2020, it was found that as soon as the user arrived on the google.fr page, several cookies pursuing an advertising purpose were placed on his terminal before any action on his part.

96. The company GIL does not dispute this branch of the infringement.

97. The restricted committee notes that under Article 82 of the Data Protection Act, "access or registration [of cookies] can only take place on condition that the subscriber or the user has expressed, after having received this information, their consent which may result from appropriate parameters of their connection device or any other device under their control". Only cookies whose sole purpose is to allow or facilitate communication by electronic means, or those strictly necessary for the provision of an online communication service at the express request of the user, are exempt from this obligation.

98. In the present case, the restricted committee emphasizes that the online check of March 16, 2020 made it possible to observe that upon arrival on the google.fr page, seven cookies were automatically placed on the delegation's terminal, before any action on its part.

99. The restricted committee notes that the company GIL indicated in its letter of April 30, 2020 that four of the seven cookies deposited, namely the NID, IDE, ANID and 1P_JAR cookies, pursue an advertising purpose.

100. Since these four cookies are not intended exclusively to allow or facilitate communication by electronic means nor are they strictly necessary for the provision of an online communication service at the express request of the user, the restricted committee considers that the companies should have obtained prior consent from users before depositing them on the latter's terminal.

101. In view of the foregoing, the restricted committee considers that a breach of the obligation provided for by article 82 of the Data Protection Act to obtain prior consent from people before placing cookies on their terminal has been established.

102. It nonetheless emphasizes that during the sanctioning procedure the companies made changes to the google.fr page, which in particular led, since September 10, 2020, to stopping the automatic deposit of these four cookies upon arrival of the user on the page.

b. On the partially defective nature of the opposition mechanism put in place by Google.

103. The rapporteur maintains that in addition to the fact that consent, when necessary, was not obtained, the system put in place by companies to oppose cookies for advertising purposes placed on the terminal of the user was also partially defective, in violation of the requirements of Article 82 of the Data Protection Act.

104. The company GIL disputes this assessment and replies that it took, and continues to take into account, the user's choice to "withdraw his consent" through a mechanism allowing users to personalize ads on Google search as well as on the web.

105. In the present case, the restricted committee firstly emphasizes that, since the companies deposit these cookies for advertising purposes even before having obtained the consent of the users (absence of opt-in), the use of the expression "withdrawing consent" by GIL is particularly abusive. Therefore, the companies could at most put forward the fact of having put in place a mechanism of opposition to these cookies (opt-out).

106. In addition, the restricted committee notes that it emerges from the online check of March 16, 2020 that when people clicked on the button "Consult now" on the information banner at the bottom of the google.fr page, a window appeared where they could click the button "Change ad settings", then turn off ad personalization on Google search and ad personalization on the web with slider buttons. When people turned off ad personalization using this slider button, a new window was displayed asking them to confirm their choice and telling them that ads will continue to appear but will no longer be personalized.

107. The restricted committee noted that after having nevertheless deactivated the personalization of ads on Google search, the delegation noted, while continuing to browse the site, that several of these cookies for advertising purposes remained stored on its terminal equipment. It emphasizes, in this regard, that at least one of these cookies did not belong to the category of so-called opposition cookies, which remain stored on the user's terminal with the value opt-out to indicate to the server of the domain to which they are linked that the user has expressed his refusal to future deposits of identical cookies from this same domain.

108. Since the company GIL itself acknowledged, in its letter of April 30, 2020, that the cookie in question pursues an exclusively advertising purpose, the restricted committee concluded that the opposition mechanism put in place by the companies was partially defective. Indeed, since this cookie remains placed on the user's terminal without being assigned the value opt-out, the information it contained continued to be systematically read by the server of the domain to which the cookie is linked (for example google.com or google.fr) during each new interaction with the domain concerned.

109. In view of the foregoing, the restricted committee considers that the companies have disregarded the obligation provided for by article 82 of the Data Protection Act to set up an effective mechanism allowing users to refuse or no longer read cookies requiring their consent.
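The two technical findings above (advertising cookies set on arrival, paragraphs 98 to 100, and an advertising cookie still sent without the opt-out value after opposition, paragraphs 107 and 108) can be checked mechanically. The following Python is an added example, not part of the decision or of the CNIL's tooling; the headers, the example.test domain and the hypo_* cookie names are constructed, and only the four advertising cookie names come from paragraph 99.

```python
from dataclasses import dataclass

# Purpose per cookie name. The four advertising names are those listed in
# paragraph 99; "hypo_session" is a hypothetical strictly necessary cookie.
PURPOSES = {
    "NID": "advertising",
    "IDE": "advertising",
    "ANID": "advertising",
    "1P_JAR": "advertising",
    "hypo_session": "strictly_necessary",
}
# Purposes exempt from prior consent under the rule recalled in paragraph 97.
EXEMPT = {"strictly_necessary", "communication"}
# Value an opposition cookie carries according to paragraph 107.
OPT_OUT_VALUE = "opt-out"

# Constructed sample: Set-Cookie headers of a first page load, no user action.
FIRST_LOAD_SET_COOKIE = [
    "NID=constructed-id-1; Domain=.example.test; Path=/; Secure; HttpOnly",
    "IDE=constructed-id-2; Domain=.ads.example.test; Path=/; Secure",
    "hypo_session=s1; Path=/; HttpOnly",
    "hypo_pref=fr; Domain=.example.test; Path=/",
]
# Constructed sample: Cookie request header sent after the user opted out.
# Which cookie keeps its identifier is arbitrary; the decision does not name it.
AFTER_OPT_OUT_COOKIE_HEADER = "hypo_session=s1; IDE=opt-out; NID=constructed-id-1"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    domain: str


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value into name, value and Domain."""
    parts = [p.strip() for p in header.split(";")]
    name, sep, value = parts[0].partition("=")  # value may itself contain "="
    if not sep or not name:
        raise ValueError(f"not a cookie pair: {parts[0]!r}")
    domain = ""
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key.strip().lower() == "domain":
            domain = val.strip().lstrip(".").lower()
    return Cookie(name.strip(), value.strip().strip('"'), domain)


def parse_cookie_header(header: str) -> dict:
    """Parse a Cookie request header into a name -> value mapping."""
    jar = {}
    for pair in header.split(";"):
        name, sep, value = pair.strip().partition("=")
        if sep and name:
            jar[name] = value.strip('"')
    return jar


def pre_consent_findings(set_cookie_headers, purposes=PURPOSES):
    """Classify cookies set on first load, before any user action."""
    findings = {"needs_consent": [], "unclassified": []}
    for cookie in map(parse_set_cookie, set_cookie_headers):
        purpose = purposes.get(cookie.name)
        if purpose is None:
            # Unknown purpose: cannot be presumed exempt, needs manual review.
            findings["unclassified"].append(cookie.name)
        elif purpose not in EXEMPT:
            findings["needs_consent"].append(cookie.name)
    return {key: sorted(names) for key, names in findings.items()}


def opt_out_failures(cookie_header, purposes=PURPOSES):
    """Consent-requiring cookies still sent without the opt-out value."""
    jar = parse_cookie_header(cookie_header)
    return sorted(
        name
        for name, value in jar.items()
        if name in purposes
        and purposes[name] not in EXEMPT
        and value != OPT_OUT_VALUE
    )


if __name__ == "__main__":
    print(pre_consent_findings(FIRST_LOAD_SET_COOKIE))
    print(opt_out_failures(AFTER_OPT_OUT_COOKIE_HEADER))
```
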

III. On corrective measures and publicity

110. Under article 20, paragraph III, of the Data Protection Act:

When the data controller or his subcontractor does not comply with the obligations resulting from (...) this law, the president of the National Commission for Informatics and Freedoms may also, if necessary after having sent him the warning provided for in I of this article or, where applicable, in addition to a formal notice provided for in II, refer the matter to the restricted committee with a view to pronouncing, after adversarial proceedings, one or more of the following measures: […] 2° An injunction to bring the processing into conformity with the obligations resulting (…) from this law or to satisfy the requests presented by the data subject in order to exercise his rights, which may be accompanied, except in cases where the processing is implemented by the State, by a fine the amount of which may not exceed 100,000 € per day of delay from the date set by the restricted committee; […] 7° With the exception of cases where the processing is implemented by the State, an administrative fine not exceeding 10 million euros or, in the case of a company, 2% of the total worldwide annual turnover for the previous fiscal year, whichever is greater. Under the assumptions mentioned in 5 and 6 of article 83 of regulation (EU) 2016/679 of April 27, 2016, these ceilings are raised, respectively, to 20 million euros and 4% of said turnover. The restricted committee takes into account, in determining the amount of the fine, the criteria specified in the same article 83.

111. Article 83 of the GDPR, as referred to in Article 20, paragraph III, of the Data Protection Act, provides:

1. Each supervisory authority shall ensure that administrative fines imposed under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. Depending on the specific characteristics of each case, administrative fines are imposed in addition to or instead of the measures referred to in Article 58 (2) (a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken in each individual case of the following:

(a) the nature, gravity and duration of the breach, taking into account the nature, scope or purpose of the processing concerned, as well as the number of data subjects affected and the level of damage they suffered;

(b) whether the violation was committed willfully or negligently;

(c) any measure taken by the controller or processor to mitigate the damage suffered by the data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organizational measures they have implemented pursuant to Articles 25 and 32;

(e) any relevant breach previously committed by the controller or processor;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the violation and mitigating any negative effects thereof;

(g) the categories of personal data affected by the breach;

(h) how the supervisory authority became aware of the breach, including whether, and to what extent, the controller or processor notified the breach;

(i) where measures referred to in Article 58 (2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures;

(j) the application of codes of conduct approved under Article 40 or certification mechanisms approved under Article 42; and

(k) any other aggravating or mitigating circumstance applicable to the circumstances of the case, such as the financial advantages obtained or the losses avoided, directly or indirectly, as a result of the violation.

A. On the legality of the present sanctioning procedure

112. The companies claim, first of all, that there is nothing to justify the CNIL having directly initiated a sanction procedure against them without a formal notice having been sent to them beforehand.

113. They then argue that in view of the instability of the legal framework relating to cookies, the pronouncement of a financial penalty for the facts in question would violate the principle of legality of offenses and penalties, guaranteed in Article 8 of the Declaration of the Rights of Man and of the Citizen. They argue in particular that the characterization of the breaches is based on the application of guidelines, the meaning of which was not binding at the time of the online check of March 16, 2020, the CNIL having granted, in July 2019, an adaptation period of twelve months from the publication of the guidelines of July 4, 2019 so that data controllers can comply with them.

114. In the first place, the restricted committee recalls that, in accordance with article 20 of the Data Protection Act, the president of the CNIL is not required to send a formal notice to a data controller before initiating a sanction procedure against him. It adds that the possibility of directly initiating a sanction procedure has been confirmed by the Council of State (see, in particular, CE, 4 Nov. 2020, req. N ° 433311, pt. 3).

115. Secondly, the restricted committee recalls, first of all, that the various branches of the breach alleged against the companies have as their sole legal basis the provisions of Article 82 of the Data Protection Act which transposed the provisions relating to cookies and trackers of the ePrivacy directive. It points out that although these requirements were formerly provided for in Article 32, paragraph II, of the same law, before the text was overhauled as a whole by Ordinance No. 2018-1125 of 12 December 2018, their content has remained unchanged since 2011.

116. The restricted committee then notes that on the basis of these provisions, it has already adopted several sanctioning decisions, sometimes concerning identical practices, some of which have moreover been made public (see, in this regard, deliberation n ° SAN-2016-204 of July 7, 2016 and deliberation n ° SAN-2017-006 of April 27, 2017).

117. The restricted committee emphasizes, finally, that although communications from the CNIL relating to cookies and tracers have recently undergone certain changes, the practices at the origin of the various branches of the breach alleged in this case against the two companies have been continuously considered non-compliant by the CNIL, whether by the first recommendation of 5 December 2013 or by the guidelines of 4 July 2019, in force on the date of the findings made by the CNIL delegation. It notes, for information, that the second recommendation and the latest version of the guidelines, which date from September 17, 2020 and were published on October 1, 2020, are also part of this continuity. In any event, as recalled above, non-compliant practices identified in the context of this procedure are assessed with regard to the Data Protection Act and not the guidelines or recommendations of the CNIL.

118. As regards more particularly the period of adaptation from the publication of the guidelines of 4 July 2019 invoked by the companies, the restricted committee notes that it is, in this case, inoperative, since the practices in question relate precisely to the obligations which the CNIL had taken care, in its press release published on its website on July 18, 2019, to specify that they remained enforceable against data controllers, by warning them that "this adaptation period [will not prevent it] from fully monitoring compliance with the other obligations which have not been modified and, if necessary, from adopting corrective measures to protect the privacy of Internet users. In particular, operators must respect the prior nature of consent to the deposit of tracers […] and must provide a device for withdrawing consent that is easy to access and use".

119. Due to the permanence of the legal basis and the provisions with regard to which the breach is constituted and the consistency of the CNIL's position with regard to the practices which are the subject of this procedure, the restricted panel considers that the imposition of an administrative fine against each of the companies without prior notice would not contravene the principle of legality of offenses and penalties.

B. On the pronouncement of administrative fines and their amount

120. The companies argue that the amount of the fine proposed by the rapporteur is disproportionate and estimated on a discretionary basis since, unlike other French or European administrative authorities with powers of sanction, the CNIL has not provided guidelines for calculating its fines.

121. They add that this amount should be significantly reduced, in particular in application of subparagraph f) of Article 83, paragraph 2 of the Regulation in order to take into account their strong cooperation with the CNIL since the start of the procedure with a view to putting an end to the breach and mitigating any negative effects.

122. The restricted committee recalls, in general, that Article 20, paragraph III, of the Data Protection Act gives it competence to impose various penalties, in particular administrative fines, the maximum amount of which may be equivalent to 2% of the total worldwide annual turnover for the previous financial year achieved by the data controller. It adds that the determination of the amount of these fines is assessed in the light of the criteria specified by article 83 of the GDPR.

123. In the first place, the restricted panel emphasizes that it is appropriate, in this case, to apply the criterion provided for in subparagraph a) of Article 83, paragraph 2 of the Regulation relating to the seriousness of the breach, taking into account the nature and scope of the processing.

124. Thus, the restricted panel notes that the search engine Google Search, from which the cookies in question are deposited, has a considerable impact in France, the Competition Authority having noted that it dominates the online search market with a market share of over 90% (ADLC, Dec. 19, 2019, Dec. n ° 19-D-26, pt. 313).

125. It emphasizes that, since the search engine Google Search has at least 47 million users in France, which corresponds to 70% of the French population, the number of people concerned by the processing is extremely high.

126. With regard to the structuring of this market, the restricted committee considers that the seriousness of the breach is characterized by the fact that by not respecting several of the requirements of article 82 of the Data Protection Act, the companies deprive Google Search users residing in France of the possibility of choosing between search methods which further preserve the confidentiality of their data and methods allowing better personalization of the service, thus reducing the informational autonomy and choice of people.

127. Finally, the restricted committee notes that the breach is all the more serious with regard to the role played by search engines in access to information, a fortiori by the one developed by the companies. In this regard, the power of this dominant position gives unparalleled value to cookies placed by the companies from their search engine because they ensure that third-party sites reach the maximum number of users and, in the case of tracking cookies, are able to follow them with the greatest efficiency.

128. Secondly, the Panel considers that it is appropriate to apply the criterion provided for in subparagraph k) of Article 83, paragraph 2, of the Regulation relating to the financial advantages obtained as a result of the breach.

129. Thus, it emphasizes that the GOOGLE group achieves most of its profits in the two main segments of the online advertising market, namely display advertising (Display Advertising) and contextual advertising (Search Advertising), in which cookies play an undeniable, albeit different, role.

130. First, in the display advertising segment, the purpose of which is to display content in a specific area of a website and in which cookies and trackers are used to identify users during their browsing in order to offer them the most personalized content, it is established that the GOOGLE group offers products at all levels of the value chain in this segment and that its products are systematically dominant on these different levels. In this regard, the GOOGLE group indicates, on one of its websites, that it offers for advertising an ecosystem accessible from its tools and services capable of reaching more than 2 million sites, videos and applications and more than 90% of Internet users around the world.

131. Next, the segment of contextual advertising, the object of which is to display sponsored results based on the keywords typed by users in a search engine, also requires the use of cookies in its practical implementation, for example in order to be able to determine the geographical location of users and, thereby, adapt the advertisements offered according to this location. In this regard, it emerges from the annual report of the company ALPHABET for the year 2019 that this segment alone, through in particular the service Google Ads (formerly AdWords), accounts for 61% of the turnover of the GOOGLE group.

132. The restricted committee is not aware of the amount of profit derived by the GOOGLE group from the collection and use of cookies on the French market via the income generated by advertising targeted to French Internet users, the companies concerned not having provided this information when they were invited to do so as part of the investigation of the case. As an order of magnitude, and in order to assess the proportionality of the amount of sanction proposed by the rapporteur, it notes that a proportional approximation based on publicly accessible figures would lead to estimate that France would contribute between 680 and 755 million dollars in the annual net income of ALPHABET, the parent company of the GOOGLE group, that is, at the current exchange rate, between 580 and 640 million euros.

133. Thirdly, as regards the criterion provided for in subparagraph f) of article 83, paragraph 2 of the Regulation invoked by the companies in support of a reduction in the fine proposed against them by the rapporteur, the restricted committee notes that it is clear from Article 18 of the Data Protection Act that data controllers "cannot oppose the action of the Commission" and that they must "take all necessary measures to facilitate its task". Cooperation with the supervisory authority is therefore first and foremost an obligation provided for by law.

134. In order for this cooperation to possibly become a mitigating circumstance in the characterization of the breach and, thereby, contribute to the reduction of the fine initially envisaged, the restricted committee emphasizes that the data controller must not only have previously fulfilled its obligation under the aforementioned Article 18 but also have complied particularly diligently with the requests of the supervisory authority during the investigation phase and implemented any measure in its power to minimize the impact of the breach on the persons concerned.

135. In the present case, the restricted committee notes that the companies in particular never communicated to the Commission services the advertising revenues of the companies GOOGLE LLC and GIL made in France, financial information however requested on several occasions by the rapporteur, before and after the hearing on July 22, 2020. Consequently, the cooperation they have shown should have no impact on the amount of their fine since it is barely in line with what the CNIL is entitled to expect from a data controller.

136. In conclusion, the restricted committee recalls that the breach of Article 82 of the Data Protection Act is in this case triply characterized, since by automatically depositing the cookies in question on the terminals of the users residing in France upon their arrival on the google.fr page, the companies met neither the requirement of prior, clear and complete information to users, nor that of the compulsory collection of their consent and that, moreover, the opposition mechanism to these cookies turned out to be partially faulty.

137. It emphasizes that, due to the reach of the search engine Google Search in France, these practices have affected nearly fifty million users residing in France and that the companies have derived considerable benefits from them through the advertising revenue indirectly generated by the data collected by these cookies.

138. Pursuant to the provisions of article 20, paragraph III, of the Data Protection Act, the companies incur a financial penalty of a maximum amount of 2% of their turnover, which was 38 billion euros in 2018 for the company GIL and 160 billion dollars in 2019 for the company GOOGLE LLC.

139. Consequently, having regard to the respective responsibilities of the companies, their financial capacities and the relevant criteria of Article 83, paragraph 2, of the Regulation mentioned above, the restricted panel considers that a fine of 60,000,000 euros against the company GOOGLE LLC and a fine of 40,000,000 euros against the company GIL appear to be effective, proportionate and dissuasive, in accordance with the requirements of article 83, paragraph 1, of this Regulation.

C. On the issuance of an injunction

140. The companies maintain that the requests formulated under the injunction proposed by the rapporteur and relating in particular to the information of individuals and the prior deposit of cookies subject to consent have become moot […].

141. They also dispute the amount of the daily penalty payment proposed in addition to the injunctions since the rapporteur does not demonstrate the need for this penalty or the proportionality of its amount, which is the maximum amount provided for by the Data Protection Act.

142. First of all, the Restricted Committee notes that in the current state of the information provided to users, the companies still do not inform users residing in France, in a clear and complete manner, of the purposes of all cookies subject to consent and the means at their disposal to refuse them, […] It therefore considers it necessary to issue an injunction in order for the companies to comply with the applicable obligations in this area.

143. Secondly, the restricted committee emphasizes that a daily fine is a financial penalty per day of delay that the controller will have to pay in the event of non-compliance with the injunction at the end of the planned execution period. Its pronouncement may therefore sometimes be necessary to ensure the compliance of the data controller within a certain period.

144. The restricted committee adds that in order for the penalty payment to retain its comminatory function, its amount must be both proportional to the seriousness of the alleged breaches and adapted to the financial capacities of the data controller. It notes, moreover, that in certain cases, as in the present case, this amount must be all the higher as the breach concerned by the injunction indirectly contributes to the profits generated by the data controller.

145. In the light of these two elements, the Restricted Committee considers proportionate the imposition of a fine of 100,000 euros per day of delay, which can be liquidated at the end of a period of three months. The execution time allowed is also reasonable given the technical means at the disposal of the companies and the adaptability which they avail themselves of.

D. On publicity

146. The restricted committee considers that the publication of this decision is justified in view of the seriousness of the breach in question, the scope of the processing and the number of people concerned.

147. The restricted committee considers that this measure will make it possible to alert French users of the Google Search engine to the characterization of the breach of article 82 of the Data Protection Act in its various branches and to inform them of the persistence of the breach on the date of this deliberation and of the injunction pronounced against the companies to remedy it. It adds that this measure is made all the more necessary since the disputed cookies were placed without the knowledge of the users, so that only the publicity of this decision will enable them to become aware of the practices in question.

148. Finally, the measure is not disproportionate since the decision will no longer identify companies by name after the expiry of a period of two years from its publication.

FOR THESE REASONS

The restricted formation of the CNIL, after having deliberated, decides to:

· Pronounce against the company GOOGLE LLC an administrative fine in the amount of 60,000,000 euros (sixty million euros) for breach of article 82 of the Data Protection Act;

· Pronounce against the company GOOGLE IRELAND LIMITED an administrative fine in the amount of 40,000,000 euros (forty million euros) for breach of Article 82 of the Data Protection Act;

· Pronounce against the companies GOOGLE LLC and GOOGLE IRELAND LIMITED an injunction to bring the processing into compliance with the obligations of Article 82 of the Data Protection Act, in particular:

o Inform the people concerned in advance and in a clear and complete manner, for example on the information banner on the home page of the google.fr site:

- the purposes of all cookies subject to consent,

- the means at their disposal to refuse them;

· Accompany the injunction with a fine of 100,000 € (one hundred thousand euros) per day of delay at the end of a period of three months following the notification of this deliberation, the proof of compliance having to be sent to the restricted committee within this period;

· Send this decision to GOOGLE FRANCE SARL for the execution of this decision;

· Make public, on the CNIL website and on the Légifrance website, its deliberation, which will no longer identify the companies by name after the expiration of a period of two years from its publication.

President

Alexandre LINDEN