CNIL - SAN-2020-012

From GDPRhub
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 4(7) GDPR
Article 26(1) GDPR
Article 56 GDPR
Article 60 GDPR
Directive 2002/58/EC of the European Parliament and the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communication sector
Loi n° 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Decided: 07.12.2020
Published: 10.12.2020
Fine: 100000000 EUR
Parties: Google Ireland Ltd
Google LLC
National Case Number/Name: SAN-2020-012
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Légifrance (in FR)
Initial Contributor: Fra-data67

The French DPA (Commission Nationale de l’Informatique et des Libertés – CNIL) imposed a sanction on Google LLC and Google Ireland Ltd for a total amount of 100 million euros for depositing cookies on users’ devices without prior consent or information.

English Summary

Facts

Google LLC is a company headquartered in California, USA. Since its creation in 1998, it has developed numerous services for individuals and businesses, such as the Google Search engine, the Gmail email box, the Google Maps mapping service, and the YouTube video platform. It has more than 70 offices in some 50 countries and employed more than 110,000 people worldwide in 2019. Since August 2015, it has been a wholly owned subsidiary of Alphabet Inc, the parent company of the Google group.

Google Ireland Ltd, based in Dublin (Ireland), is the headquarters of the Google Group for its activities in the European Economic Area and Switzerland. Google France SARL is the French branch of the Google Group.

On 16 March 2020, the French DPA (CNIL) carried out an online check on the google.fr website. The CNIL then found several violations of the rules relating to cookies, contained in Article 82 of the French Data Protection Act (Loi Informatique et Libertés), as transposed from the e-Privacy Directive.

Dispute

  • Is the French DPA materially and territorially competent to control and sanction cookies deposited by companies on users' computers? More specifically, is the lead authority mechanism as detailed in Articles 56 and 60 GDPR applicable in this case?
  • Are Google LLC and Google Ireland Ltd to be considered as joint controllers within the meaning of Article 26 GDPR?
  • Does an information banner at the bottom of the page referring to the privacy policy constitute information in compliance with Article 82 of the French Data Protection Act (prior, clear and complete information on the purposes and rights of the persons concerned)?
  • Does the deposit of a cookie for advertising purposes require the prior consent of the persons concerned under Article 82 of the French Data Protection Act?
  • Is the fact that several cookies for advertising purposes remained stored on the user's terminal and continued to read information to the server to which these cookies were attached during each new interaction with the domain concerned, even though the person concerned had deactivated the personalization of ads on Google search, consistent with the opt-out mechanism?

Holding

The French DPA fined GOOGLE LLC 60 million euros and GOOGLE IRELAND LIMITED 40 million euros, both of which were made public. Given that the practices of these companies have affected nearly 50 million users, and given the considerable profits that the companies derive from the advertising revenues indirectly generated from the data collected by these advertising cookies, the CNIL has issued an injunction under penalty requiring the companies to inform people in accordance with Article 82 of the French Data Protection Act within 3 months of notification. Otherwise, the companies will be liable to a penalty payment of 100 000 euros per day of delay.

To justify its decision, the French DPA identified several failings in terms of cookie management with regard to the provisions of Article 82 of the French Data Protection Act.

On the material and territorial competence of the French DPA

In its decision, the CNIL’s sub-commission recalls that the French DPA is materially competent to control and sanction cookies deposited by companies on the computers of users residing in France. Indeed, the CNIL notes that when a processing operation falls within the material scope of both the ePrivacy Directive and the GDPR, reference should be made to the relevant provisions of the two texts that provide for their articulation. Thus, recital 173 of the Regulation explicitly provides that it is not applicable to processing of personal data which are subject to specific obligations set out in the ePrivacy Directive.

The CNIL also stresses that this articulation was confirmed by the Court of Justice of the European Union in its PLANET49 decision of 1 October 2019 (C-613/17). In doing so, the French DPA concludes that the lead authority mechanism provided for by the GDPR was not intended to apply in this procedure since operations related to the use of cookies fall within the scope of the ePrivacy Directive, as transposed in Article 82 of the French Data Protection Act.

The CNIL’s sub-commission considered that it is also territorially competent in application of Article 3 of the French Data Protection Act, because the use of cookies is carried out within the framework of the activities of the company Google France, which constitutes the establishment on French territory of the companies Google LLC and Google Ireland Ltd and ensures the promotion of their products and services.

On the determination of responsibilities

The CNIL’s sub-commission notes that Articles 4(7) and 26(1) GDPR are applicable to the present proceedings because of the use of the concept of controller in Article 82 of the French Data Protection Act, which is justified by the reference made by Article 2 of the ePrivacy Directive to Directive 95/46/EC on the protection of personal data, which has been replaced by the GDPR.

According to Article 4(7) GDPR, the controller is defined as the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. According to Article 26(1) GDPR, when two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers.

The CNIL considers that Google Ireland Ltd and Google LLC should be considered as joint controllers for the processing in question, since the companies both determine the purposes and means of the processing consisting of operations to access or deposit cookies in the terminal of Google Search users residing in France.

Indeed, Google Ireland Ltd is involved in the development and supervision of the internal policies that guide the products and their design, the setting of parameters, the determination of privacy rules and all checks carried out prior to the launch of the products, in application of the principle of privacy by design.

With regard to Google LLC, the CNIL considers that although it appears from the contract concluded with Google Ireland Ltd that Google LLC acts as a processor of Google Ireland Ltd, it appears that the actual involvement of Google LLC in the processing in question goes far beyond that of a processor that merely carries out processing operations on behalf of Google Ireland Ltd and on its sole instructions. Thus, Google LLC also determines the means of processing since, as mentioned above, it is Google LLC that designs and builds the technology of cookies placed on the terminals of European users. The CNIL therefore concludes that Google LLC must also be granted the status of data controller.

On the violation of provisions on cookies

During the online check carried out on 16 March 2020, the CNIL noted that, when users reached the google.fr website, seven cookies were placed on their terminal equipment, before any action. In its letter dated 30 April 2020, Google Ireland Ltd indicated that four of these seven cookies were used for advertising purposes.

In this context, the CNIL’s sub-commission recalls the provisions of Article 82 of the French Data Protection Act, according to which any deposit of cookies or tracers must be preceded by the information and consent of users. This requirement does not apply to cookies whose sole purpose is to enable or facilitate communication by electronic means or which are strictly necessary for the provision of an online communication service at the express request of the user.

As a result, the CNIL found several violations of these provisions: the lack of prior information to users, the failure to obtain the consent of individuals before depositing cookies on their terminal, and the impossibility for individuals to refuse the deposit of all cookies.

The lack of information to users

The CNIL notes that the information provided to users residing in France relating to operations to access or deposit information in their terminal when using the Google Search engine was insufficient and unclear, and therefore violated the provisions of Article 82 of the French Data Protection Act. More specifically, the CNIL emphasized that:

  • Access to or deposit of a cookie can only take place on the condition that the user has consented to it after having received clear and complete information relating to the purposes of the cookies deposited and the means at his disposal to oppose them. Firstly, the CNIL noticed that when a user reached the google.fr website, an information banner was displayed at the bottom of the page, containing the notice "Reminder regarding Google's privacy policy", opposite which were two buttons entitled "Remind me later" or "Consult now". The CNIL highlights that the simple reference to the privacy policy is not explicit enough to enable individuals to obtain information in accordance with the provisions of Article 82 of the French Data Protection Act. Then, the CNIL noted during the online checks that the privacy rules that opened in pop-up windows when people clicked on the “View Now” button still did not contain any section dedicated to the use of cookies and other tracers, despite providing general information about the personal data processed by Google services. In addition, the data subjects were still not informed at this stage of their ability to refuse cookies on their terminal equipment. Consequently, the CNIL concluded that the information provided by the companies, both in the banner and in the pop-up window, did not allow users residing in France, when using the Google Search engine, to be clearly informed in advance of the existence of operations allowing access and deposit of information in their terminal and, consequently, of the purpose of such operations and of the means made available to them to refuse them.
  • The CNIL underlines that since the initiation of the sanction proceedings, the companies have undertaken a series of changes in the way they use cookies. Thus, since 20 September 2020, all users visiting the google.fr website now see, in the middle of their screen, before being able to access the search engine, a pop-up window entitled "Before continuing" which contains prior information relating to cookies. However, although the French DPA highlights a definite change compared to previous information banners, the CNIL considers that the information provided is still not clear and complete within the meaning of Article 82 of the French Data Protection Act, insofar as this information does not inform the user of all the purposes of the cookies deposited and the means at his disposal to oppose them. Indeed, the presentation of the different purposes mentioned in this banner remains too general for users to easily and clearly understand why cookies are deposited on their terminal. Furthermore, the information provided is incomplete, as users are still not informed about their right to oppose these cookies, nor about the means made available to them for this purpose (the terms "Options" or "More information" are not explicit enough to enable users to directly understand the extent of their rights).

The failure to obtain the consent of individuals before depositing cookies on their terminal

In this respect, after recalling the provisions of Article 82 of the French Data Protection Act, the CNIL’s sub-commission concludes that, since these four cookies neither have the sole purpose of enabling or facilitating communication by electronic means nor are strictly necessary for the provision of an online communication service at the express request of the user, the companies should have obtained the prior consent of the users before depositing cookies on the user's terminal.

Google’s partially flawed opposition mechanism

First of all, the CNIL underlines that the use of the expression "withdraw consent" is particularly abusive, insofar as the cookies were deposited on the user's terminal even before their consent was obtained (absence of opt-in).

Also, the DPA's sub-commission holds that, even after a user had deactivated the personalisation of ads on Google search and continued browsing the site, several of these cookies for advertising purposes remained stored on the user's computer and continued to read information for the server to which the cookie was attached (for example google.com or google.fr) during each new interaction with the domain concerned.

Consequently, the CNIL concluded that the system put in place by the companies to oppose cookies for advertising purposes placed on the user's terminal was partially defective, in violation of the requirements of Article 82 of the French Data Protection Act.

Comment

This decision is highly interesting, as it clarifies the articulation between two instruments for the protection of personal data in the context of the deposit of cookies: on the one hand, the GDPR, which provides a general framework, and on the other hand, the national provisions as they result from the transposition of the ePrivacy Directive. The decision recalls the complementary nature of the two instruments, and underlines in particular the special nature of the scope of the ePrivacy Directive, which provides specific obligations in the electronic communication sector.

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.