CNIL - SAN-2020-013
|CNIL - SAN-2020-013|
|Relevant Law:||Article 6 GDPR|
Article 9 GDPR
Article 83 GDPR
Article 94 GDPR
Ordonnance n° 2014-1329 du 6 novembre 2014 relative aux délibérations à distance des instances administratives à caractère collégial
loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
|Parties:||Amazon Europe Core|
|National Case Number/Name:||SAN-2020-013|
|European Case Law Identifier:||n/a|
|Original Source:||Legifrance (in FR)|
English Summary[edit | edit source]
Facts[edit | edit source]
Between December 2019 and May 2020, the CNIL conducted three online and one on-site investigations on Amazon Europe Core (AEC), a subsidiary company of the Amazon group operating the shopping site amazon.fr. These investigations aimed at assessing the company's compliance with the French data protection law.
The French DPA reported several infringements of the data protection law by AEC when placing cookies. The company responded by contesting the competence of the CNIL on this matter due to the fact that its main establishment is located in Luxembourg and by challenging the legality of the investigation procedure.
Dispute[edit | edit source]
Is the French DPA competent to sanction a company whose main establishment is not located in France?
Does the investigation procedure of the CNIL infringes with the right to a fair trial as guaranteed by Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms?
Did AEC infringe on the French data protection law by placing cookies on the user's computer prior to any action on its part?
Holding[edit | edit source]
The CNIL considered itself competent to investigate AEC and ruled that the company infringed on the French data protection law and on the Directive 2002/58/EC (ePrivacy) while placing cookies. As a consequence, the CNIL imposed a € 35000000 fine on AEC, coupled with an injunction to comply with the Law within three months with a € 100000 penalty per overdue day. Due to the seriousness of the wrongdoings and the high number of Amazon services' users, the CNIL decided to make this sanction publicly available for a two year period.
On the territorial competence of the CNIL[edit | edit source]
AEC argued that the French DPA is not competent to investigate on its activity due to the one-stop-shop principle of GDPR. To support this claim, AEC higlights that the CNIL's investigation initial purpose was, among other things, to ensure that the company complied with GDPR, meaning that the sanction could only be given by the authority relevant to the main establishment of the company in the EU.
Furthermore, AEC argued that even though the investigation dealt with cookies which are regulated by the Directive ePrivacy, cookies cannot be dissociated from personal data processing, meaning that the GDPR rules on national competence should prevail.
The CNIL rejected this interpretation and deemed itself competent as it was not only investigating GDPR infringements but also breaches of the Directive ePrivacy, transcribed into French law. It reminded that GDPR and ePrivacy each had their own investigating procedure when dealing with their respective requirements. Also, it clarifies that ePrivacy applies as a specialia generalibus derogant rule, based on the interpretation of Article 95 GDPR in the line of the Rec (173) GDPR and Article 1(2) and 15a of the ePrivacy Directive. The CNIL added that the investigation focused on the amazon.fr website targeting french customers.
On the legality of the investigation procedure[edit | edit source]
Regarding the legality of the procedure, AEC accuses the investigating party of submitting the company to questions without telling the purpose and legal basis of the controls carried out. This meant that the company could not exercise its right not to contribute to its own indictment .
AEC also argued that the investigating party's method, involving reproducing a user's path was inaccurate as it did not allow to differentiate between Amazon's cookies and the ones placed by third parties when visiting other websites.
The CNIL responded by quoting Article 18 of the French data protection law which states that the investigated body has to answer to the CNIL's questions without the CNIL having to justify them and that at the time of those questions no accusation was being made against AEC.
Regarding the investigation method, the CNIL argued that it reproduced several user's path in order to determine which cookies were placed when visiting the Amazon website and that it excluded from the perimeter of the investigation those that originated from a third party website.
As such, the CNIL considers its investigation procedure to be licit.
[edit | edit source]
While investigating, the CNIL noticed that more than 40 cookies for commercial purposes were placed on the user's device prior to any act of consent from its part.
The CNIL rejected this argumentation, considering that the website targeted french customers, and that cookies for commercial purposes always require consent from the data subject as they are not part of the exemptions listed in Article 5(3) of the Directive ePrivacy transcribed in Article 82 of the French data protection law.
[edit | edit source]
The DPA found that this wording is not sufficient in order to comply with the transparency principle as it did not provide the data subject with any information on how to exercise its rights or oppose cookies. It added that the expression "to provide and improve our services" does not inform the user of the commercial purposes of some cookies.
Finally, the CNIL reminded Amazon that it had already pronounced several sanctions on insufficient information regarding cookies.
Comment[edit | edit source]
Share your comments here!
Further Resources[edit | edit source]
Share blogs or news articles here!
English Machine Translation of the Decision[edit | edit source]
The decision below is a machine translation of the French original. Please refer to the French original for more details.