CNIL (France) - SAN-2020-013

From GDPRhub
(Redirected from CNIL - SAN-2020-013)
CNIL - SAN-2020-013
LogoFR.png
Authority: CNIL (France)
Jurisdiction: France
Relevant Law: Article 6 GDPR
Article 9 GDPR
Article 83 GDPR
Article 94 GDPR
Directive 2002/58/EC
Ordonnance n° 2014-1329 du 6 novembre 2014 relative aux délibérations à distance des instances administratives à caractère collégial
loi no 78-17 du 6 janvier 1978 relative à l'informatique, aux fichiers et aux libertés
Type: Investigation
Outcome: Violation Found
Started:
Decided: 07.12.2020
Published: 10.12.2020
Fine: 35000000 EUR
Parties: Amazon Europe Core
National Case Number/Name: SAN-2020-013
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Legifrance (in FR)
Initial Contributor: Roka

The French DPA (CNIL) imposed a €35,000,000 fine on Amazon Europe Core for placing commercial cookies without data subject consent and providing insufficient information regarding the use of cookies. Amazon unsuccessfully tried to challenge the DPA's territorial competence and the legality of its investigation procedure.

English Summary

Facts

Between December 2019 and May 2020, the CNIL conducted three online and one on-site investigations on Amazon Europe Core (AEC), a subsidiary company of the Amazon group operating the shopping site amazon.fr. These investigations aimed at assessing the company's compliance with the French data protection law.

The French DPA reported several infringements of the data protection law by AEC when placing cookies. The company responded by contesting the competence of the CNIL on this matter due to the fact that its main establishment is located in Luxembourg and by challenging the legality of the investigation procedure.

Dispute

Is the French DPA competent to sanction a company whose main establishment is not located in France?

Does the investigation procedure of the CNIL infringes with the right to a fair trial as guaranteed by Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms?

Did AEC infringe on the French data protection law by placing cookies on the user's computer prior to any action on its part?

Did AEC failed to properly inform the user of its use of cookies?

Holding

The CNIL considered itself competent to investigate AEC and ruled that the company infringed on the French data protection law and on the Directive 2002/58/EC (ePrivacy) while placing cookies. As a consequence, the CNIL imposed a € 35000000 fine on AEC, coupled with an injunction to comply with the Law within three months with a € 100000 penalty per overdue day. Due to the seriousness of the wrongdoings and the high number of Amazon services' users, the CNIL decided to make this sanction publicly available for a two year period.

On the territorial competence of the CNIL

AEC argued that the French DPA is not competent to investigate on its activity due to the one-stop-shop principle of GDPR. To support this claim, AEC higlights that the CNIL's investigation initial purpose was, among other things, to ensure that the company complied with GDPR, meaning that the sanction could only be given by the authority relevant to the main establishment of the company in the EU.

Furthermore, AEC argued that even though the investigation dealt with cookies which are regulated by the Directive ePrivacy, cookies cannot be dissociated from personal data processing, meaning that the GDPR rules on national competence should prevail.

The CNIL rejected this interpretation and deemed itself competent as it was not only investigating GDPR infringements but also breaches of the Directive ePrivacy, transcribed into French law. It reminded that GDPR and ePrivacy each had their own investigating procedure when dealing with their respective requirements. Also, it clarifies that ePrivacy applies as a specialia generalibus derogant rule, based on the interpretation of Article 95 GDPR in the line of the Rec (173) GDPR and Article 1(2) and 15a of the ePrivacy Directive. The CNIL added that the investigation focused on the amazon.fr website targeting french customers.

On the legality of the investigation procedure

Regarding the legality of the procedure, AEC accuses the investigating party of submitting the company to questions without telling the purpose and legal basis of the controls carried out. This meant that the company could not exercise its right not to contribute to its own indictment .

AEC also argued that the investigating party's method, involving reproducing a user's path was inaccurate as it did not allow to differentiate between Amazon's cookies and the ones placed by third parties when visiting other websites.

The CNIL responded by quoting Article 18 of the French data protection law which states that the investigated body has to answer to the CNIL's questions without the CNIL having to justify them and that at the time of those questions no accusation was being made against AEC.

Regarding the investigation method, the CNIL argued that it reproduced several user's path in order to determine which cookies were placed when visiting the Amazon website and that it excluded from the perimeter of the investigation those that originated from a third party website.

As such, the CNIL considers its investigation procedure to be licit.

On the placement of cookies prior to any action from the user

While investigating, the CNIL noticed that more than 40 cookies for commercial purposes were placed on the user's device prior to any act of consent from its part.

AEC responded that its cookie practice is subject to the Luxembourg law and not the French law and that Luxembourg allowed to base the consent on the cookie parameters of the web browser. The company added that it changed its french cookie policy in September 2020, but affirmed that it never infringed on the Luxembourg law on cookies.

The CNIL rejected this argumentation, considering that the website targeted french customers, and that cookies for commercial purposes always require consent from the data subject as they are not part of the exemptions listed in Article 5(3) of the Directive ePrivacy transcribed in Article 82 of the French data protection law.

On the information of the user regarding cookies

The amazon.fr website displayed the following notice regarding cookies: "By using this site, you agree to os ar use of cookies to provide and improve our services. Further information"

The DPA found that this wording is not sufficient in order to comply with the transparency principle as it did not provide the data subject with any information on how to exercise its rights or oppose cookies. It added that the expression "to provide and improve our services" does not inform the user of the commercial purposes of some cookies.

Finally, the CNIL reminded Amazon that it had already pronounced several sanctions on insufficient information regarding cookies.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

Resolution of the restricted session no. SAN-2020-013 of December 7, 2020 regarding the company AMAZON EUROPE CORE
---
The Commission Nationale de l'Informatique et des Libertés, gathered in its restricted session composed of Alexandre LINDEN, President, Philippe-Pierre CABOURDIN, Vice-President, and Dominique CASTERA, Anne DEBET and Christine MAUGÜE, members;

Having regard to Convention No. 108 of the Council of Europe of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data ;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data ;

Having regard to Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector ;

Having regard to Law No. 78-17 of 6 January 1978 relating to data processing, data files and liberties, in particular Articles 20 et seq. thereof;

Having regard to the ordinance n° 2014-1329 of November 6, 2014 relating to the remote deliberations of the administrative bodies of a collegial nature;

Having regard to decree no. 2019-536 of 29 May 2019 taken for the application of law no. 78-17 of 6 January 1978 relating to data processing, data files and liberties;

Having regard to deliberation no. 2013-175 of 4 July 2013 adopting the internal regulations of the National Commission for Data Processing and Liberties;

Having regard to Decision No. 2019-224C of November 29, 2019 of the President of the National Commission on Data Processing and Liberties to instruct the Secretary General to carry out or to have carried out a mission to verify the processing accessible from the domain amazon.fr or concerning personal data collected from the latter ;

Considering Decision No. 2020-042C of December 27, 2019 of the President of the Commission Nationale de l'Informatique et des Libertés (CNIL) to instruct the Secretary General to carry out or have carried out a mission to verify the processing implemented by the company AMAZON ONLINE France SAS;

Having regard to the decision of the President of the National Commission for Data Processing and Liberties appointing a rapporteur before the restricted session, dated March 23, 2020;

Having regard to the report of Mr. Éric PÉRÈS, commissioner rapporteur, notified to the company AMAZON EUROPE CORE on July 17, 2020;

Having regard to the written observations made by the Board of AMAZON EUROPE CORE on September 15, 2020;

Considering the response of the rapporteur to these observations notified to AMAZON EUROPE CORE on October 9, 2020;

Considering the new written observations made by the Board of AMAZON EUROPE CORE, received on November 2, 2020;

Having regard to the oral observations made during the restricted session;

Considering the letter addressed by AMAZON EUROPE CORE to the chairman of the restricted session on November 17, 2020;

Considering the other documents of the file;

Were present at the restricted session of November 12, 2020:

- Mr. Éric PÉRÈS, commissioner, heard in his report;

As representatives of the company AMAZON EUROPE CORE:

- […]

The company AMAZON EUROPE CORE had the last word;

The restricted session adopted the following decision:

I. Facts and procedure

1. AMAZON EUROPE CORE (hereinafter referred to as the Company or AEC ) is a company governed by Luxembourg law, whose registered office is located at 5 rue Plaetis, L 2338 in Luxembourg, and which is part of the AMAZON Group. Its main activity is the operation of the European Amazon websites that allow the online sale of commercial goods. For the needs of its activities, particularly in France, the company operates the Amazon.fr website accessible from the URL address https://www.amazon.fr/. For the year 2019, it has achieved revenues of approximately 7.7 billion euros.

2. Pursuant to Decisions No. 2019-224C of November 29, 2019 and No. 2020-042C of December 27, 2019 of the President of the Commission Nationale de l'Informatique et des Libertés (hereinafter the CNIL or the Commission), a delegation of the CNIL conducted the following control operations:

- three online checks of the Amazon.fr website carried out on December 12, 2019, March 6, 2020 and May 19, 2020;

- an inspection carried out on January 30, 2020 on the premises of AMAZON ONLINE France SAS, the French subsidiary of the AMAZON Group;

- […]

3. The purpose of these missions was to verify the company's compliance with the provisions of Law No. 78-17 of January 6, 1978, as amended, relating to information technology, files and freedoms (hereafter the "Loi Informatique et Libertés" or the Law of January 6, 1978). In particular, it was a question of carrying out investigations in connection with processing consisting of access or registration operations deposited on the terminal of Internet users residing in France during their visit to the Amazon.fr website.

4. During these investigations, several exchanges took place between AEC and AMAZON ONLINE France SAS on the one hand, and the CNIL control delegation on the other.

5. For the purposes of investigating these elements, the President of the Commission appointed Mr. Éric PÉRÈS as rapporteur on March 23, 2020, on the basis of Article 22 of the Law of January 6, 1978.

6. At the end of his investigation, the rapporteur had a bailiff serve a report on AEC, on July 17, 2020, detailing the breach of the Data Protection Act which he considered to have occurred in this case. Also attached to the report was a summons to the restricted session of October 15, 2020, indicating to the company that it could submit its observations in response by September 8, 2020 at the latest.

7. The report proposed to the Commission's restricted session to impose an administrative fine on AEC and an injunction, together with a penalty payment, to bring the processing into compliance with the provisions of Article 82 of the French Data Protection Act. It also proposed that this decision be made public and that the company no longer be identified by name after a period of two years from its publication.

8. In a letter dated August 19, 2020, the Company requested that the chairman of the restricted session be granted an additional period of time to submit his observations in response to the rapporteur's report. On September 1, 2020, the chairman of the restricted session granted the company an additional period of one week.

9. On September 15, 2020, the Company, through its Board, filed comments in response to the Reporter's Report and requested that the restricted session before the Restricted Session be held in camera. The request was renewed on October 13, 2020.

10. 10. By e-mail dated September 24, 2020, pursuant to Article 40, paragraph 4, of Decree no. 2019-536 of May 29, 2019 implementing the French Data Protection Act (hereinafter the Decree of May 19, 2019), the rapporteur asked the chairman of the restricted session for an additional period of nine days to respond to the Company's observations, which was granted on September 28, 2020. The company was informed of this request on the same day.

11. On October 1, 2020, the Secretary General of the CNIL informed the Company that the restricted session initially scheduled for October 15 was postponed to November 12, 2020.

12. The rapporteur responded to the company's observations on October 9, 2020.

13. On October 22, 2020, the chairman of the restricted session granted the company's request for an in camera session on the grounds that [...] The company's request for an in camera session had not been complied with.

14. On November 2, 2020, the company submitted new observations in response to those of the rapporteur.

15. On November 4, 2020, the Company requested a postponement of the restricted session scheduled for November 12, 2020. By letter dated November 5, 2020, the chairman of the restricted session refused to grant the request.

16. 16. The Company and the rapporteur made oral submissions at the restricted session on November 12, 2020.

17. On November 17, 2020, the Company wrote to the chairman of the restricted session indicating that some of its representatives attending the session via videoconference were not able to hear all of the discussions between their boards and the rapporteur, [...].

II. Reasons for the decision

A. On the competence of the CNIL

1. On the material competence of the CNIL and the applicability of the single window mechanism provided for by the RGPD

18. Under the terms of Article 16 of the French Data Protection Act, the restricted session takes measures and imposes sanctions against data controllers or subcontractors who do not comply with the obligations arising from [...] the present Act. Pursuant to Article 20, paragraph III, of the same law, where the data controller or its processor does not comply with the obligations arising from [...] the present law, the president of the National Commission for Data Processing and Liberties [...] may refer the matter to the restricted session for a ruling, after an adversarial procedure, one or more of the following measures [...] 2° An injunction to bring the processing into conformity with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Law or to comply with the requests made by the person concerned to exercise his rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment not exceeding € 100,000 per day of delay from the date set by the restricted session; an administrative fine not exceeding €10 million or, in the case of an undertaking, 2% of its total worldwide annual turnover for the previous financial year, whichever is the higher.

19. Under Article 5(3) of Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (hereinafter the ePrivacy Directive ) Member States shall ensure that the storage of information, or obtaining access to information already stored in a subscriber's or user's terminal equipment shall only be allowed on condition that the subscriber or user has given his consent, after having received, in compliance with Directive 95/46/EC, clear and comprehensive information, inter alia, on the purposes of the processing [...].

20. These provisions have been transposed into domestic law in Article 82 of the French Data Protection Act, in Chapter IV of this Act, relating to the rights and obligations specific to processing in the electronic communications sector. This article provides that any subscriber or user of an electronic communications service must be informed in a clear and complete manner, unless he has been previously informed by the controller or his representative:

1° Of the purpose of any action tending to access, by electronic transmission, information already stored in its electronic communications terminal equipment, or to enter information in this equipment ;

2° The means at his disposal to oppose it.

Such access or registration may only take place on condition that the subscriber or user has expressed, after receiving this information, his or her consent, which may result from the appropriate parameters of his or her connection device or any other device under his or her control.

These provisions shall not apply if the access to or registration of information stored in the user's terminal equipment :

1° Either, has the exclusive purpose of allowing or facilitating communication by electronic means ;

2° Or, is strictly necessary for the provision of an online communication service at the express request of the user.

21. The rapporteur considers that the CNIL is materially competent in application of these provisions to control and initiate a sanction procedure concerning the operations of access or registration of information implemented by the company in the terminals of the users of the Amazon.fr site in France.

22. The company AEC challenges the jurisdiction of the CNIL. It considers that only the Luxembourg data protection authority (Commission nationale pour la protection des données, hereinafter the CNPD) is competent to initiate a sanction procedure and possibly impose an administrative fine against it in the event of failure to comply with its obligations regarding cookies.

23. 23. The CNPD maintains first of all that its cookie practices must be examined in the context of the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of personal data and on the free movement of such data (hereinafter RGPD) because of the close links between this text and the ePrivacy Directive.

24. In support of its argument, the company argues that the registration of cookies on users' terminals cannot be dissociated from the subsequent use of the data collected by these cookies for the purposes pursued by the data controller. […].

25. The Company also notes that both the decision of the President of the CNIL of November 29, 2019 to open an audit procedure and the correspondence exchanged with the CNIL in the context of these audits expressly mention that the purpose of the audits is to assess the compliance of the Company's practices with the DPGR. It also notes that the rapporteur himself used concepts from the RGPD in his sanction report when analyzing the consequences for users of the use of cookies. She also notes that the French legislator chose to transpose article 5(3) of the ePrivacy Directive not in a dedicated text, but directly in the French Data Protection Act, thus demonstrating the unity of the two subjects.

26. The company then considers that even in the event that the CNIL's investigations were to focus solely on the provisions of Article 82 of the Loi Informatique et Libertés, the mechanism for cooperation between supervisory authorities, known as the one-stop shop mechanism, provided for in Chapter VII of the Regulation, should apply and that, consequently, the CNIL would not be the competent authority to act as lead authority. Indeed, it considers that since the ePrivacy Directive does not provide for any rules of jurisdiction when a processing it regulates is cross-border, it is appropriate to apply those provided for by the RGPD, particularly in view of the fact that, since the entry into force of the RGPD, the references made by the ePrivacy Directive to the repealed Directive 95/46/EC should be understood as being made to the RGPD.

27. The Company also considers that the fact that certain Member States of the European Union have chosen to entrust the monitoring of compliance with the ePrivacy Directive to their telecommunications regulatory authority and not to their data protection authority is not an obstacle to the application of the one-stop-shop mechanism insofar as cooperation agreements between these different authorities have been signed in several Member States, thus allowing data protection authorities to participate in the one-stop-shop mechanism in situations involving provisions arising from the ePrivacy Directive. The Commission considers that any sanction imposed on it by the restricted session based on the infringement of the provisions of Article 5(3) of the ePrivacy Directive would run counter to the principle of harmonization contained in Article 15a of the Directive, which provides that The competent national regulatory authorities may adopt measures to ensure effective cross-border cooperation in the enforcement of national laws adopted pursuant to this Directive and to create harmonised conditions for the provision of services involving cross-border data flows and the principle of freedom to provide services as contained in Article 56 of the Treaty on the Functioning of the European Union (TFEU), according to which restrictions on the freedom to provide services within the Union are prohibited in respect of nationals of Member States established in a Member State other than that of the recipient of the service.

28. The restricted session notes, first of all, that the operations that are the subject of the present procedure are carried out in the context of the provision of publicly available electronic communications services on public communications networks and that they concern exclusively reading and writing actions on the terminal of Internet users located in France when they visit the Amazon.fr site, operations that take the form of depositing and reading cookies.

29. The restricted session reminds that such processing is governed by the provisions of the directive on privacy and electronic communication, commonly known as ePrivacy, and in particular by Article 5(3), which has been transposed into national law in Article 82 of the Data Protection Act. The restricted session notes, first of all, that it is clear from the provisions cited above that the French legislator has mandated the CNIL to ensure compliance by data controllers with the provisions of the ePrivacy Directive, in particular by entrusting it with the power to sanction any breach of this article. It underlines that this power was recognized by the Council of State in its decision Association des agences-conseils en communication of June 19, 2020 concerning CNIL deliberation no. 2019-093 adopting guidelines relating to the application of Article 82 of the law of January 6, 1978 as amended to reading or writing operations in a user's terminal, since the latter noted that article 20 of this law gives its president [of the CNIL] the power to take corrective measures in the event of non-compliance with the obligations resulting from Regulation (EU) 2016/279 or its own provisions, as well as the possibility to refer the matter to the restricted session with a view to the sanctions that may be imposed (EC, 19 June 2020, req. 434684, pt. 3).

30. It then notes, secondly, that when a processing operation falls within both the material scope of the ePrivacy Directive and the material scope of the DPMR, reference should be made to the relevant provisions of the two texts which provide for their articulation. Thus, Article 1(2) of the ePrivacy Directive provides that the provisions of this Directive specify and supplement Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of personal data (hereinafter Directive 95/46/EC on the protection of personal data), it being recalled that since the entry into force of the Regulation, references to the latter Directive should be understood as references to the DPMR, in accordance with Article 94 of the latter. Likewise, it follows from recital 173 of the GDPMR that this text explicitly provides that it is not applicable to the processing of personal data subject to specific obligations having the same objective [of protection of fundamental rights and freedoms] as laid down in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations incumbent on the controller and the rights of natural persons. This articulation was confirmed by the Court of Justice of the European Union (hereinafter CJEU ) in its Planet decision49 of October 1, 2019 (CJEU, October 1, 2019, C-673/17, pt. 42).

31. In this respect, the restricted session notes that, contrary to what the company maintains, the ePrivacy Directive does indeed provide, for the specific obligations it entails, its own implementation and enforcement mechanism within its Article 15a. Thus, the first paragraph of this directive leaves Member States the competence to determine the sanctions regime, including criminal sanctions if necessary, applicable to violations of the national provisions adopted pursuant to this directive and take all necessary measures to ensure their implementation. The penalties thus provided for must be effective, proportionate and dissuasive and may be applied to cover the duration of the infringement, even if the infringement has subsequently been rectified, However, the rule laid down in Article 5(3) of the ePrivacy Directive, according to which reading and writing operations must systematically be subject to the prior agreement of the user, after information, constitutes a special rule with regard to the RGPD since it prohibits the use of the legal bases mentioned in Article 6 that do not require the user's agreement in order to lawfully carry out these read and write operations on the terminal. The supervision of this rule is therefore a matter for the special control and sanction mechanism of the ePrivacy Directive and not for the data protection authorities and the EDPS under the DPMR. The French legislator has chosen to entrust this mission to the CNIL.

32. The restricted session notes, secondly, that the second paragraph of the same article obliges Member States to ensure that the competent national authority and, where appropriate, other national bodies have the power to order the cessation of the infringements referred to in paragraph 1.

33. The Commission considers that the latter provisions exclude as such the application of the one-stop-shop mechanism provided for in the RGPD to facts falling within the scope of the ePrivacy Directive.

34. It adds, moreover, that this exclusion is corroborated by the fact that Member States, which are free to determine the national authority competent to deal with violations of national provisions adopted pursuant to the ePrivacy Directive, may have conferred that competence on an authority other than their data protection authority, in this case their telecommunications regulatory authority. Therefore, insofar as the latter authorities are not part of the European Data Protection Committee (hereinafter EDPS), although this Committee plays an essential role in the consistency checking mechanism implemented in Chapter VII of the DPMR, it is in fact impossible to apply the one-stop shop to practices that may be sanctioned by national supervisory authorities that are not members of this Committee.

35. It stresses that the cooperation agreements between data protection authorities and telecommunications regulatory authorities in certain States invoked by the company, for example, in the Netherlands, Sweden or Hungary, are intended to establish cooperation at the national level between the various regulators in order to ensure the consistency of their doctrines when a processing operation falls within the material scope of both the DPMR and the ePrivacy Directive, but that they are not intended to involve the telecommunications regulatory authorities as such in the one-stop-shop mechanism provided for in Chapter VII of the DPMR.

36. Finally, the restricted session underlines that the EDPS, in his Opinion No 5/2019 of 12 March 2019 on the interactions between the ePrivacy Directive and the DPMR, considered that In accordance with Chapter VII of the DPMR, the cooperation and consistency checking mechanisms available to data protection authorities under the DPMR are relevant to the supervision of the application of the provisions of the DPMR. The mechanisms of the DPMR do not apply to the enforcement of the provisions of the ePrivacy Directive as such and that the authority or authorities designated as competent under the ePrivacy Directive by the Member States are exclusively responsible for the enforcement of the national provisions transposing the ePrivacy Directive that are applicable to that specific processing, including in cases where the processing of personal data falls within the material scope of both the DPMR and the ePrivacy Directive.

37. The restricted session also notes that the possible application of the one-stop-shop mechanism to a treatment governed by the ePrivacy Directive is the subject of numerous discussions in the context of the ePrivacy Regulation project that has been under negotiation for three years at the European level. Therefore, the very existence of these discussions confirms that, as it stands, the single window mechanism provided for by the RGPD is not applicable to matters governed by the current ePrivacy Directive.

38. It is therefore necessary to distinguish between, on the one hand, read and write operations on a terminal, which are governed by the provisions of article 82 of the Data Protection Act and for which the French legislator has entrusted the CNIL with a supervisory role and in particular the power to sanction any breach of this article and, on the other hand, the subsequent use of data collected through cookies, which is governed by the RGPD and may therefore, where appropriate, be subject to the one-stop-shop mechanism .

39. The restricted session also notes that the company has chosen to use a domain name in .fr, which is an extension designating the territorial space of France, enabling it to benefit from optimal visibility among French Internet users.

40. Finally, the restricted session notes that the references to the RGPD contained in certain documents communicated by the CNIL during the audit did not affect the legality of the procedure insofar as the audits were general in nature but the CNIL only intended to pursue, subsequently, breaches for which it has the power to impose sanctions, which were clearly indicated in the notification of grievances by the rapporteur and on which the company was able to present its observations under conditions that comply with the rights of the defense.

41. It follows from the foregoing that the one-stop-shop mechanism provided for by the RGPD is not applicable to the present procedure and that the CNIL is competent to control and initiate sanction proceedings concerning the reading and writing operations of cookies implemented by the company that fall within the scope of the ePrivacy Directive, provided that they are within its territorial jurisdiction.

2. On the territorial jurisdiction of the CNIL

42. The rule for the territorial application of the requirements provided for in Article 82 of the Data Protection Act is set out in Article 3, paragraph I, of the Data Protection Act, which provides as follows without prejudice, as regards processing operations falling within the scope of Regulation (EU) 2016/679 of 27 April 2016, to the criteria provided for in Article 3 of that Regulation, all the provisions of this law apply to the processing of personal data carried out in the context of the activities of an establishment of a controller or a processor on French territory, whether or not the processing takes place in France .

43. The rapporteur considers that the CNIL is territorially competent in application of these provisions since the processing that is the subject of the present procedure, consisting of operations of access or registration of information in the terminal of users residing in France when using the Amazon.fr site, is carried out within the framework of the activities of the company AMAZON ONLINE France SAS, which constitutes the establishment on French territory of the company AEC, which is specifically responsible for the implementation of the cookies involved in this procedure, which it has not contested, moreover.

44. In defense, the company considers that the territorial jurisdiction of the CNIL is lacking in this case insofar as one of the conditions allowing the CNIL's action provided for in Article 3(I) of the French Data Protection Act, namely that relating to the fact that the processing of personal data must be carried out in the context of the activities of an establishment of a data controller, is not met. It emphasizes that the company AMAZON ONLINE France SAS does not intervene in the deposit of cookies on users' terminals and that its business is to provide marketing solutions and advice to companies wishing to market their products in the Amazon.fr store as well as on third party sites. It also specifies that it is the company that places advertisements on third-party sites on behalf of its customers and not AMAZON ONLINE France SAS.

45. It thus considers that there is no indissociable link between, on the one hand, the activities of AMAZON ONLINE France SAS and, on the other hand, the deposit of cookies by AMAZON EUROPE CORE from the Amazon.fr website.

46. The restricted session reminds that by virtue of article 3 of the French Data Protection Act, the CNIL is competent to exercise its powers as soon as the two criteria provided for in this article are met, in this case, the existence of an establishment of the data controller on French territory and the existence of a processing carried out within the framework of the activities of this establishment.

47. The restricted session recalls that the ePrivacy Directive, adopted in 2002 and amended in 2006 and again in 2009, does not itself explicitly establish the rule of territorial application of the various transposition laws adopted by each Member State. However, this directive indicates that it specifies and completes Directive 95/46.EC, which provided at the time, in Article 4, that Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where: a) processing is carried out in the course of the activities of an establishment of the controller in the territory of the Member State; if the same controller is established in the territory of several Member States, it must take the necessary measures to ensure that each of its establishments complies with the obligations laid down by the applicable national law. This rule for determining the national law applicable within the Union is no longer relevant for the application of the rules of the PGRD, which replaced Directive 95/46/EC and applies uniformly throughout the Union, but it is logical that the French legislator has maintained the criterion of territorial application for specific rules of French law, in particular those transposing the ePrivacy Directive . Consequently, the case law of the CJEU on the application of article 4 of the former Directive 95/46/EC remains relevant, insofar as the French legislator used these same criteria to define the territorial jurisdiction of the CNIL.

48. As regards, first of all, the existence of an establishment of the data controller on French territory, the CJEU, in its Weltimmo judgment of October 1, 2015, specified that the notion of establishment, within the meaning of Directive 95/46, extends to any real and effective activity, even a minimal one, carried out by means of a stable installation, the criterion of stability of the installation being examined with regard to the presence of human and technical means necessary for the provision of the concrete services in question. The CJEU considers that a company, an autonomous legal person, of the same group as the data controller, may constitute an establishment of the data controller within the meaning of these provisions (CJEU, 13 May 2014, Google Spain, C-131/12, pt 48).

49. In the present case, the restricted session notes first of all that the status of establishment of the company AMAZON ONLINE France SAS is not contested by the company. It then notes that this company has stable premises located in France, at 67 boulevard du général Leclerc in Clichy, in which approximately 120 people work. Consequently, it is indeed an establishment of AEC within the meaning of Article 3 of the aforementioned Data Protection Act.

50. 50. Secondly, with regard to the existence of processing carried out in the context of the activities of this establishment, the restricted session recalls that, in its Google Spain decision of May 13, 2014, the CJEU considered that the processing relating to the search engine Google Search was carried out in the context of the activities of the company Google Spain, an establishment of the company Google Inc. insofar as this company is intended to ensure the promotion and sale in Spain of the advertising spaces offered by this search engine, which serve to make the service offered by this engine profitable. It also stated that in order to ensure effective and complete protection of the fundamental rights and freedoms of natural persons, this concept should not be interpreted restrictively. While in the Google Spain judgment the institution responsible for the processing was established outside the European Union, the Court subsequently, in its judgment of June 5, 2018, applied the same broad interpretation of processing carried out in the context of the activities of a national institution to a situation where the processing was partly under the responsibility of another institution present within the European Union (CJEU, June 5, 2018, C-210/16, pts 53 sq). Finally, it should be noted that the interpretation of the notion of processing implemented in the context of the activities of a national establishment of the controller does not affect the fact that the debtor of the obligations remains the controller and, where appropriate, its processor.

51. The restricted session notes that the company AMAZON ONLINE France SAS presented itself to the delegation of control as offering digital marketing solutions to client companies, themselves providing products and services sold or not sold on the amazon.fr site to companies wishing to improve the visibility of their products on the web. In this context, it is required to ensure, as indicated by the company AEC during the audit, the promotion and marketing of advertising tools (Sponsored Ads and Amazon DSP) that are controlled and operated by the company Amazon Europe Core S.à.r.l., established in Luxembourg. However, these products developed by the company AEC operate in particular thanks to the data collected through cookies deposited on the terminals of Internet users. The restricted session thus notes that the company AMAZON ONLINE France SAS carries out an activity allowing to ensure in France the promotion and the marketing of the tools developed by the company AEC. The restricted session notes that the two criteria provided for in Article 3, paragraph I, of the French Data Protection Act are therefore met and that the processing is sufficiently territorialized in France to be subject to French law. The application of French law only concerns reading and writing operations that are carried out on French territory (Article 4 of Directive 95/46/EC also specified that the law of the Member State only applied to the activities of the establishment on the territory of the Member State), which corresponds to data read from or written to terminals in France. Finally, the restricted session emphasizes that this is a constant position on its part since the intervention of the Google Spain case law in 2014 (see in particular the decision CNIL, restricted session, 27 April 2017, SAN-2017-006; CNIL, restricted session, 19 December 2018, SAN-2018-011).

52. As a result, French law is applicable and the CNIL is materially and territorially competent to exercise its powers, including that of taking a sanction measure concerning the processing in question which falls within the scope of the ePrivacy Directive . The competence of the CNIL is limited to such processing carried out in the context of the activity of AMAZON ONLINE France SAS on French territory, namely the reading and writing operations carried out by the data controller on the terminals (computers, computers, etc.) located in France.

[…]

C. On the procedure

60. In defense, the company argues that the procedure followed by the CNIL violated its right to a fair trial as guaranteed by Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

61. In particular, the company complains that it answered the questions of the CNIL's supervisory delegation without the latter indicating the purpose and legal basis of the inspections carried out, with the result that its right not to participate in its own criminalization would have been violated. She also explains that the decision of the president of the CNIL appointing a rapporteur on March 23, 2020, which constitutes an indictment, was only notified to her by e-mail on May 13, 2020, thus delaying the preparation of her defense.

62. The Company then considers that the procedure followed by the CNIL is flawed insofar as the CNIL agents carried out an online inspection on May 19, 2020 on the basis of the inspection decision of the CNIL president of November 29, 2019, when a rapporteur had already been appointed. It also explains that the methodology followed by the delegation of the CNIL during this control, which aimed to reproduce the course of a Net surfer going to the Amazon.fr site from an advertising banner present on third party sites, does not make it possible to distinguish the cookies deposited by the third party sites from those deposited on the Amazon.fr site.

a. On the respect of the right to a fair trial.

63. The restricted session recalls that the right not to participate in one's own criminalization and the right to have the time and facilities necessary for the preparation of one's defense invoked by the company are components of the right to a fair trial contained in Article 6 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and must, in accordance with the case law of the European Court of Human Rights, be analyzed in light of their functions in the general context of the proceedings (see, among others, Mayzit v. Russia, January 20, 2005).

64. The restricted session notes, first of all, that under the terms of article 18 of the Data Protection Act, the persons questioned in the context of verifications carried out by the commission pursuant to g of 2° of I of article 8 are required to provide the information requested by the commission for the performance of its duties. Thus, the persons questioned by the CNIL delegation are required to respond to its requests in order to help it carry out its missions.

65. The restricted session then reminds that when the supervisory delegation requests information, in particular factual information, from an organization, no charges have yet been brought against it, so that the adversarial phase, as understood by the jurisprudence of the European Court of Human Rights, has not yet begun.

66. With regard to the notification to the body of the president's decision to appoint a rapporteur, the restricted session recalls that in application of article 39 of the decree of May 19, 2019, this appointment can only be made if a sanction is likely to be pronounced under III of article 20 of the French Data Protection Act.

67. It notes that under article 39 of the decree of May 19, 2019, it is precisely the responsibility of the rapporteur to take all necessary steps to determine whether or not the natural person or legal entity in question may be accused of breaches. It is for this reason that, in accordance with articles 8-2-g and 19 of Act no. 78-17 of January 6, 1978 as amended, the rapporteur has the right to carry out additional investigations or have them carried out before drafting his report.

68. The restricted session thus emphasizes that the decision to appoint a rapporteur does not include any grievance, so that this appointment is not intended, at this stage, to enable the company to understand what could possibly be reproached to it. It recalls that the grievances only take shape through the sanction report, which is equivalent to a notification of grievances, since it is this document that contains the breach or breaches that the rapporteur considers to have been committed. The two reports of the rapporteur explicitly indicated the legal basis of the breach. The restricted session also pointed out that the notification of this decision to the natural or legal person concerned is not subject to any time limit in the applicable texts.

69. The restricted session notes that the company has no grounds for claiming that it was not able to understand the scope of the CNIL's investigations. It notes in this respect that the inspection reports and their attachments, communicated to the Company after the inspections were carried out, clearly established the scope of the investigation carried out by the CNIL. It notes that among the attachments sent to the company were screenshots of the home page of the site where the information banner on cookies appears, as well as pages of information on cookies, but also the list of cookies whose registration on the terminal was noted. The restricted session also notes that when the minutes of the audit of March 6, 2020 were notified, the company was also asked to indicate, for each of the 46 cookies previously mentioned, their purpose (for example: technical, advertising, social network sharing button, audience measurement, etc.).

70 Finally, the restricted session recalls that Article 40 of Decree no. 2019-536 of May 29, 2019 provides that the natural or legal person to whom a report proposing a sanction is notified has a period of one month to submit its observations in response. In this case, this time limit was respected insofar as the company had an initial period of eight weeks to submit its initial observations on the rapporteur's report and that this period was extended by one week at its request. Consequently, the restricted session considers that the company was able to properly prepare its defense.

71. The company then had three weeks to respond to the rapporteur's second observations and was finally given the opportunity to make oral observations during the restricted session on November 12, 2020.

72. With regard to these elements, the restricted session considers that AEC's rights of defence have been respected.

b. On the regularity of the May 19, 2020 online audit

73. The restricted session reminds that, in application of articles 8-2-g and 19 of the amended Act no. 78-17 of January 6, 1978, the reporter has the possibility of asking CNIL agents to carry out checks. It emphasizes that in the case in point, the rapporteur wanted an online check to be carried out retracing two paths taken by users who visit the Amazon.fr site after clicking on an advertising link present on third-party sites.

74. The restricted session then considers that the fact that the minutes drawn up in the context of this control bears the reference of the control decision No. 2019-224C of November 29, 2019 of the President of the CNIL does not affect its validity insofar as the appointment of a rapporteur by the President of the CNIL does not in itself have the effect of closing the control procedure. Indeed, the audit of May 19, 2020 was carried out in the continuity of the audits preceding the appointment of the rapporteur and therefore in the extension of the decision of the President.

75. The restricted session notes that the cookies whose presence was noted by the delegation when arriving on the home page of the Amazon.fr site during the first two controls are also among those present when arriving on another page of the site in the event that the user accesses it via a third party site. Thus, the other cookies identified by the delegation are those registered by the third-party sites in question and are therefore not part of the scope of the investigations. Consequently, it considers that the findings made on May 19, 2020, compared to those made on December 12, 2019 and March 6, 2020, show without ambiguity which cookies are, on the one hand, deposited by third-party sites displaying an advertisement for an Amazon product and, on the other hand, those deposited when the user arrives on the Amazon.fr site after having clicked on the said advertisement.

76. In view of these elements, the restricted session considers that the online control of May 19, 2020 is not tainted by irregularities.

D. On breaches of the provisions of Article 82 of the French Data Protection Act (Loi Informatiques et Libertés)

77. As recalled in point 20, Article 82 of the Data Protection Act constitutes the transposition into domestic law of Article 5(3) of the ePrivacy Directive.

78. The rapporteur considers that AEC's operations with regard to the deposit and reading of cookies present two sets of serious relative negligence:

- The deposit of cookies on the user's terminal before any action on his part and without obtaining his consent;

- the information delivered to the user regarding the operations of access or registration of information in their terminal.

79. The rapporteur considers that by placing cookies on the terminal of Internet users located in France who visit the Amazon.fr site before any action on their part, the company necessarily prevents the latter from validly expressing their consent. He reminds that the French Data Protection Act expressly provides that the operations of access or registration of information in the user's terminal, with certain exceptions, can only take place after the user has expressed his consent.

80. The rapporteur then considers that the information provided by the company on the home page of the Amazon.fr website by means of the information banner is insufficient in that it only constitutes a general and approximate description of the purposes of all cookies deposited and that it does not mention the means available to the Internet user to oppose the deposit of cookies. It adds that when the user goes to the Amazon.fr site not via the home page, but from an ad published on a third party site, cookies are deposited when the user arrives on the Amazon.fr site without any information being delivered.

81. In its defense, the company reminds that its practices with respect to cookies are subject to Luxembourg law and not to French law. It emphasizes that it has launched a vast project to overhaul its policy on the use of cookies as of 2019 and that these changes have been effective on the Amazon.fr site since September 2, 2020. It argues that in any event, its practices regarding cookies have always been in accordance with the provisions of Luxembourg law.

82. In this respect, while the company does not in itself dispute the fact that prior to the changes introduced in September 2020, cookies were deposited on the user's terminal as soon as he or she arrived on the page of the Amazon.fr site, it argues that insofar as Luxembourg law provides that consent may be expressed through the browser settings, it has always validly collected the consent of users.

83. With respect to the information provided to users, the company believes that even if the French Data Protection Act were applicable, the information it provided was, in any event, in compliance with the provisions of Article 82 of that Act. It points out that by clicking on the Learn more link in the information banner, the user was redirected to a page with information on its cookie policy. She explains that in the case of a user who comes to the Amazon.co.uk site via an advertisement posted on a third-party site, most of those advertisements include an AdChoices icon that takes the user to a page where the user can view information about its targeted advertising policy.

84. The Company further states that the vast majority of Internet users who click on Amazon advertisements are customers who have already visited or purchased from the site and therefore have already received information about its cookie policy.

85. The Company further states that its information system is supplemented by the presence at the bottom of the page of links to its pages dedicated to the cookie and targeted advertising sections.

86. Finally, the company points out that there is no common doctrine among all European regulators on the use of cookies and that it is therefore difficult for players to know what is expected of them in this area. It argues, through a comparative study, that the vast majority of French websites do not comply with the legislation in force. The company also points out the fact that when the CNIL's investigations were launched in November 2019, the recommendation on cookies and other tracers adopted on December 5, 2013 had already been repealed, which contributed to the legal vagueness of the rules on cookies.

87. First of all, with respect to the collection of consent, the restricted session emphasizes that it appears from the observations made by the delegation on December 12, 2019, March 6, 2020 and May 19, 2020 and from the information transmitted by the company that regardless of the user's path, whether the user goes to the home page of the Amazon.fr site or goes to a product page of the site via an ad, more than 40 cookies with an advertising purpose were placed on the user's terminal.

88. Cookies referred to as advertising cookies do not fall within the scope of the exceptions defined in Article 82 of the French Data Protection Act insofar as they are not intended to enable or facilitate communication by electronic means and are not strictly necessary for the provision of an online communication service at the express request of the user. Consequently, such cookies may not be deposited or read on the person's terminal as long as he or she has not provided his or her consent.

89. The restricted session observes that the information banner, written as follows : By using this site, you agree to our use of cookies to offer and improve our services. Read more , did not contain any specific information regarding the means available to users to express their choice regarding the registration of cookies. In any event, cookies were deposited before any action by the user, even if it was a simple continuation of navigation, which had been accepted as a valid means of expressing consent in a deliberation No. 2013-378 of December 5, 2013 of the CNIL (but which no longer corresponds to the state of law, informed by the deliberation No. 2020-091 of September 17, 2020 of the CNIL).

90. The restricted session considers that the company should have collected the prior consent of users before proceeding to deposit cookies for advertising purposes on their terminal. It notes that in any event, even though the browser settings may in some cases constitute a valid mechanism for collecting consent, it is on the condition that the user has been previously informed that he has this possibility, which is not the case here.

91. Moreover, the restricted session reminds you that, as indicated above, it is the Company's responsibility to comply with the provisions of Article 82 of the French Data Protection Act when cookies are placed on user terminals located on French territory from the Amazon.fr site.

92. Secondly, the restricted session considers that the information provided by the company with respect to the operations of access or registration of cookies is, depending on the case, either incomplete or non-existent.

93. It recalls that both Article 5-3 of the ePrivacy Directive and Article 82 of the French Data Protection Act expressly provide that the user must be fully informed of the purposes pursued by the operations of depositing and reading cookies and the means at his disposal to oppose them.

94. However, the restricted session notes that the aforementioned information banner displayed on the home page only contained a general and approximate description of the purposes of the set of cookies deposited. On this point, it considers that the terms offer and improve our services only allow the user to be informed that cookies are registered in order to allow the company to ensure the proper functioning of its activity and to make it evolve. Thus, when reading this banner, the user is not able to understand the type of content and ads that can be personalized according to his or her behavior.

95. In addition, the information banner does not mention the means available to the Internet user to refuse the registration of cookies.

96. The restricted session further notes that the company's failure to provide information to individuals is even more apparent when the user comes to the Amazon.co.uk site through an advertisement posted on a third-party site, for example, after clicking on a link in a search engine results list or an advertisement on a third-party site promoting a product sold on the Amazon.co.uk site.

97. The observations made by the CNIL delegation show that, in this hypothesis, cookies for advertising purposes were in fact placed on the terminals of users located on French territory without any information being provided to them. However, the provisions of Article 82 of the French Data Protection Act provide that such access or registration may only take place on condition that the subscriber or user has expressed his or her consent after receiving this information (emphasis added). The restricted session considers that this situation is particularly prejudicial to the rights of users located on French territory insofar as the company places cookies on their terminal without ever having informed them.

98. The restricted session considers that the observations presented by the company in defense do not allow the existence of this breach to be called into question.

99. First of all, the Company cannot hide behind the fact that certain advertisements displayed on third-party sites contain an Adchoices icon that users can click on to view a page informing them of the Company's cookie policy. In fact, beyond the fact that this device only concerns Internet users coming from a third party site on which an advertisement with an Adchoices icon is displayed, the restricted session considers that it cannot reasonably be expected of the user to whom an advertisement is presented to have the reflex to click on a small icon before clicking on the advertisement itself. Moreover, this icon does not allow people watching the advertisement to know that information relating to cookies is available if they click on it.

100 In any event, the restricted session notes that the page to which the Adchoices icon refers simply allows the user to check a box so that Amazon will no longer display ads based on their interests. This page does not contain any information about the purpose of the actions taken by the user to enter information into his or her terminal equipment and the means available to him or her to oppose such actions. Finally, no information is provided as to the user's right to refuse cookies, but simply a link to the Cookies page of the site. Such a device does not meet the requirements of the aforementioned article 82.

101. The restricted session also recalls that the CNIL has adopted several soft law legal instruments detailing the obligations of data controllers with regard to tracers, including, in particular, a recommendation of December 5, 2013 and guidelines of July 4, 2019, in force on the date of the online control. Although these instruments are not mandatory, they provide useful information to data controllers by informing them of the implementation of concrete measures to ensure compliance with the provisions of the French Data Protection Act relating to tracers, so that they can either implement these measures or implement measures with equivalent effect.

102. In this respect, in article 2 of its 2013 recommendation, the Commission recalled in particular that the information must be prior to the collection of consent, but must also be visible, obvious and complete. Consequently, the Commission recommended that data controllers implement a two-stage consent collection mechanism:

- first stage: the Internet user who goes on the site of a publisher (home page or secondary page of the site) must be informed, by the appearance of a banner: of the precise purposes of the cookies used; of the possibility of opposing these cookies and of changing the parameters by clicking on a link present in the banner;

- second stage: persons must be informed in a simple and intelligible manner of the solutions available to them to accept or refuse all or part of the cookies requiring consent: for all the technologies referred to in Article 32-II above; by categories of purposes: in particular advertising, social network buttons and audience measurement.

103. Such recommendations were included in the guidelines of July 4, 2019, in equivalent terms.

104. Second, the restricted session considers that the company's argument that the vast majority of people who click on an Amazon advertisement have already visited or purchased a product on the Amazon.co.uk site and therefore have previously received cookie registration information is not operative.

105. The restricted session indeed notes that before becoming customers, these persons necessarily had to visit the site for the first time, either via the home page or after clicking on an advertising banner. However, the findings of the CNIL show that during their very first visit to the site, Internet users are either insufficiently informed or are never informed of the registration of cookies and that whatever the level of information received, cookies are systematically registered on their terminal. Moreover, the alleged circumstance that the practices of other websites do not comply with the requirements of Article 82 does not affect the company's obligations.

106. Similarly, the restricted session considers that the Cookies links present at the foot of the page and which refer to a page of information do not constitute a satisfactory method of information since the deposit of cookies before any action of the user necessarily deprives the information of its prior nature, contrary to the provisions of Article 82 of the Data Protection Act, according to which Such access or registration can only take place if the subscriber or user has expressed, after having received this information, his consent (emphasis added).

107. Finally, the restricted session reminds that although the recommendations on cookies have evolved, the practices reproached to the company have continually been considered as non-compliant by the CNIL and this was confirmed in the guidelines of July 4, 2019 and that this position remains unchanged in its second recommendation and in the latest version of the guidelines which do not call this state of affairs into question.

108. The restricted session further notes that in its press release published on its website on July 18, 2019, which provided for a moratorium before the effective application of its second recommendation on cookies, the CNIL had been careful to specify that it would continue to monitor compliance with the obligations that had not been modified in any way, indicating that In particular, operators must respect the prior nature of consent to the deposit of tracers [... and] must provide a device for withdrawing consent that is easy to access and use. Thus, the company cannot validly argue that the obligations of which it is accused of being unaware in the present procedure were not clearly identified.

109. The restricted session specifies that, moreover, the breach alleged against the company is not based on a lack of knowledge of the guidelines or recommendations of the CNIL but on a lack of knowledge of the provisions of Article 82 of the Data Protection Act, which only contain obligations that were already included in the previous versions of the said Act.

110. 110. The restricted session also notes that on the basis of these provisions, it has already adopted several sanction decisions, sometimes concerning identical practices, some of which have been made public (see, in this regard, deliberation no. SAN-2016-204 of July 7, 2016 and deliberation no. SAN-2017-006 of April 27, 2017).

111. In light of these elements, the restricted session considers that the breach of the provisions of Article 82 of the French Data Protection Act is characterized by the fact that the company places cookies on the terminal of users located on French territory before collecting their consent and without providing them with the information prescribed by this article, under the conditions it defines.

III. On the pronouncement of corrective measures and advertising

112. Article 20 of Law no. 78-17 of January 6, 1978 as amended provides that: when the controller or its processor does not comply with the obligations resulting from Regulation (EU) 2016/679 of April 27, 2016 or the present law, the president of the Commission nationale de l'informatique et des libertés may [...] refer the matter to the restricted session of the commission with a view to the pronouncement, after an adversarial procedure, of one or more of the following measures: […]

2° An injunction to bring the processing into conformity with the obligations resulting from Regulation (EU) 2016/679 of 27 April 2016 or from this Law or to comply with the requests made by the data subject to exercise his rights, which may be accompanied, except in cases where the processing is implemented by the State, by a penalty payment not exceeding €100,000 per day of delay from the date set by the restricted session; [...].

7° Except in cases where the treatment is implemented by the State, an administrative fine may not exceed 10 million euros or, in the case of a company, 2% of the total annual worldwide turnover of the previous financial year, whichever is higher. In the cases referred to in Article 83 (5) and (6) of EU Regulation 2016/679 of April 27, 2016, these ceilings are increased to 20 million euros and 4% of said revenue, respectively. The restricted session takes into account, in determining the amount of the fine, the criteria specified in the same Article 83.

113. Article 83 of the RGPD, as referred to in Article 20(III) of the Data Protection Act, provides that :

1. Each supervisory authority shall ensure that the administrative fines imposed under this Article for violations of this Regulation referred to in paragraphs 4, 5 and 6 are, in each case, effective, proportionate and dissuasive.

2. 2. Depending on the specific features of each case, administrative fines shall be imposed in addition to or instead of the measures referred to in Article 58(2)(a) to (h) and (j). In deciding whether to impose an administrative fine and in deciding the amount of the administrative fine, due account shall be taken, in each individual case, of the following elements :

a) the nature, seriousness and duration of the violation, taking into account the nature, scope or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered ;

(b) whether the breach was committed intentionally or through negligence ;

(c) any measure taken by the controller or the processor to mitigate the damage suffered by the data subjects ;

(d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures they have implemented pursuant to Articles 25 and 32;

(e) any relevant breach previously committed by the controller or processor ;

(f) the degree of cooperation established with the supervisory authority with a view to remedying the breach and mitigating its possible negative effects ;

(g) the categories of personal data concerned by the breach;

(h) the manner in which the supervisory authority became aware of the breach, in particular whether and to what extent the controller or processor notified the breach;

(i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned for the same purpose, compliance with those measures ;

(j) the application of codes of conduct approved pursuant to Article 40 or certification schemes approved pursuant to Article 42; and

(k) any other aggravating or mitigating circumstances applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, as a result of the violation.

A. On the imposition of an administrative fine

114 In defense, the company argues that the amount of the fine proposed by the rapporteur is disproportionate and that the rapporteur failed to take into account several criteria set out in Article 83(2) of the Regulation, including the fact that a user information system was in place, the lack of intent to commit the breach, the measures taken to mitigate the damage or the absence of previous violations. It argues that it is not possible, in order to determine the amount of the fine, to take into account the processing carried out using cookies because these elements are not part of the scope of the CNIL's investigations. Finally, it notes that the fine proposed by the rapporteur is out of proportion with the fines imposed by other authorities in relation to cookies.

115. In light of the elements developed above, the restricted session considers that the aforementioned facts, which constitute a breach of Article 82 of the French Data Protection Act, justify the imposition of an administrative fine against AEC, the legal entity responsible for the processing. It recalls that the changes made by the company to the Amazon.fr site since September 2020 have no impact on the imposition of a fine insofar as the fine is intended to punish the facts observed during the controls.

116. The restricted session recalls, as a general rule, that Article 20, paragraph III of the French Data Protection Act gives it the power to impose various sanctions, including an administrative fine, the maximum amount of which may be equivalent to 2% of the total annual worldwide turnover of the previous financial year of the data controller. It adds that the determination of the amount of this fine is assessed in the light of the criteria specified by article 83 of the RGPD.

117. In the case in point, the restricted session considers that the breach in question justifies the imposition of an administrative fine against the company for the following reasons.

118. First of all, the restricted session notes that the breach committed is particularly serious in so far as, by placing cookies on the terminals of users located in France prior to any action on their part, without providing them with the necessary information, the company deprives them of the possibility of exercising their choice in accordance with the provisions of Article 82 referred to above.

119. The restricted session considers that the seriousness of the breach is accentuated in the case of French users who access the Amazon.fr site after clicking on an ad in a search engine or on a third-party site. Indeed, given that the deposit of cookies is carried out in this context in the absence of any information from the persons concerned, it is thus carried out without their knowledge.

120. The restricted session observes that the seriousness of the breach must also be assessed with regard to the scope of the reading and writing operations and the number of persons concerned.

121. With respect to the scope of the reading and writing operations, the restricted session notes that the visit of an Internet user to the Amazon.fr site results in the filing of cookies by twenty or so companies specializing in personalized advertising, the purpose of which is to track the user's navigation on the Web so that advertising corresponding to his or her behavior can be displayed later.

122. 122. It considers that it is appropriate to take into account the extent of the processing that will be carried out thanks to the prior deposit of cookies on the terminals of users residing in France and the imperative need for the latter to maintain control over their data. In this sense, users must be put in a position to be sufficiently informed of the scope of the processing implemented.

123. With respect to the number of persons concerned, information provided by the company shows that approximately 300 million AMAZON identifiers were assigned in France over a nine-month period. The restricted session notes that even if a single person is likely to correspond to several different identifiers due to the use of multiple terminals and browsers, this volume reflects the central place occupied by the Amazon.fr site in the daily lives of people residing in France. The information that may be collected for a single identifier using these advertising cookies is also numerous, varied, and sometimes related to aspects affecting the privacy of individuals, and it is not impossible that some may reveal information corresponding to sensitive data (religious opinions, politics, state of health, etc.) governed by Article 9 of the RGPD.

124 Secondly, the restricted session considers that the company AEC, which in 2019 had a worldwide turnover of approximately 7.7 billion euros, derived a clear financial benefit from the breach. Indeed, as recalled in point 121, the use of cookies allows the company to present users, when they browse other sites, personalized advertisements promoting its products. The restricted session notes that if the company's main activity lies in the sale of consumer goods, the personalization of advertisements, made possible in particular by cookies, makes it possible to considerably increase the visibility of these goods and to increase the likelihood that they will be purchased. However, by not delivering clear and complete information to users and by placing cookies before individuals consent, the company eliminates the risk that these cookies will be refused.

125 It follows from all of the foregoing and the criteria duly taken into account by the restricted session, in view of the maximum amount incurred established on the basis of 2% of revenues, that an administrative fine of 35 million euros is warranted.

B. On the pronouncement of an injunction accompanied by a penalty payment

126. The rapporteur proposes, in addition to the administrative fine, that an injunction be issued with a penalty payment of 100,000 euros in that the company does not inform users of the exact purposes of the registration of cookies and the means available to them to oppose them.

127. In defense, the company argues that this injunction is unjustified insofar as, on the one hand, it has already changed its practices and, on the other hand, the amount proposed is disproportionate. It recalls that no more cookies are deposited before the user has expressed his consent. It also notes that the pronouncement of an injunction on this point may come up against the publication by the CNIL of its new guidelines and recommendations on cookies. It stresses that it would be forced to undertake two series of changes, the first to comply with the injunction and the second to implement the new recommendations of the CNIL.

128. The restricted session notes that since receiving the sanction report, the company has made changes to the Amazon.fr site. It notes first of all that regardless of the path by which the user goes to the site, no more cookies are deposited on his terminal before he has expressed his consent.

129. It then notes that upon arrival on the site, regardless of the path followed by the user, the banner displayed contains the following text:

Choose your cookie preferences. We use cookies and similar tools to facilitate your purchases, to provide our services, to understand how customers use our services so that we can make improvements, and to present advertisements. Approved third parties also use these tools as part of our ad display. This banner also contains two buttons, Accept Cookies and Personalize Cookies .

130. 130. The restricted session nevertheless considers that this new device still does not deliver clear and complete information as provided for in Article 82 of the French Data Protection Act .

131. The restricted session observes that the information provided still does not allow Internet users to understand precisely some of the purposes pursued by the deposit of cookies, in particular advertising purposes, whereas the latter are used largely to offer them personalized advertising based on their behavior.

132. Consequently, without ignoring the steps taken by the Company to comply with the provisions of Article 82 of the French Data Protection Act, the restricted session considers that it has not demonstrated, at the closing date of the investigation, its compliance with the provisions of the aforementioned article and that it is therefore appropriate to issue an injunction on this point.

133. With regard to the amount of the daily penalty, the restricted session recalls that it is a financial penalty per day of delay that the controller will have to pay in the event of non-compliance with the injunction at the end of the execution period provided for.

134. 134. In order to keep the on-call duty in its comminatory function, its amount must be both proportionate to the seriousness of the alleged breach but also adapted to the financial capacities of the data controller. It should also be taken into account that the breach in question indirectly contributes to the profits generated by the controller. In the light of these elements, the restricted session considers that a penalty payment of EUR 100 000 per day of delay from the notification of this Decision appears proportionate.

135. 135. With regard to the period of time granted to the company to comply with the injunction, the restricted session considers that a period of three months from the notification of this decision is sufficient to regularize the situation.

C On the publicity of the decision

[…]

137. The restricted session considers that, in view of what has been stated above, it is justified to impose an additional sanction of advertising. Account is also taken of the predominant place occupied by the company in the field of online commerce, the seriousness of the breaches and the interest that this decision represents for informing the public, in determining the duration of its publication.

[…]

FOR THESE REASONS

The restricted session of the CNIL, after having deliberated, decides to :

- impose an administrative fine of 35 (thirty-five) million euros on AMAZON EUROPE CORE;

- 35 (thirty-five million euros); to issue an injunction to bring the processing in conformity, within three months from the notification of this decision, with the provisions of article 82 of the French Data Protection Act, and in particular :

- inform the persons concerned beforehand in a clear and complete manner, for example by means of an information banner appearing at the time of the first arrival of the Internet user on the Amazon.fr site, regardless of the first page accessed:

- the precise purposes of all cookies whose registration is subject to consent

- as well as the means at their disposal to refuse them;

- attach to the injunction a penalty payment of 100,000 (one hundred thousand) euros per day of delay, with proof of compliance to be sent to the restricted session within this period;

- to send this decision to the company AMAZON ONLINE France SAS with a view to its execution;

- to make public, on the CNIL website and on the Légifrance website, its decision, which will no longer identify the company by name at the end of a period of two years from its publication.

The Chairman

Alexandre LINDEN

This decision may be appealed before the Council of State within four months of its notification.