As the UK Government talks a good game over plans to bring technology giants to heel, the French have once again shown they are not prepared to pussyfoot around them after whacking both Google and Amazon with fines totalling €135m (£123m) for cookie violations under their domestic data protection legislation and not GDPR.
Following a 12-month investigation into their French websites by data protection regulator CNIL (Commission Nationale de l’informatique et des Libertés), both companies were found to have been automatically placing cookies on users’ computers without consent. Several of these cookies were used for advertising purposes.
Google been hit with two fines; €60m (£54.5m) for Google LLC and €40m (£36.4m) for Google Ireland.
The ruling states: “When a user visited the page google.fr, an information banner displayed at the bottom of the page, with the following note ‘Privacy reminder from Google’, in front of which were two buttons: ‘Remind me later” and ‘Access now’.
“This banner did not provide the user with any information regarding cookies that had however already been placed on his or her computer when arriving on the site. The information was also not provided when he or she clicked on the button ‘Access now’.
“Therefore…the information provided by the companies did not enable the users living in France either to be previously and clearly informed regarding the deposit of cookies on their computer or, therefore, to be informed of the purposes of these cookies and the available means enabling to refuse them.”
CNIL also found that when a user selected to deactivate personalised advertising – through an option provided by Google’s cookie notice – the mechanism only partially worked, as one advertising cookie remained stored on their machine and continued to process data in clear violation of the consent law.
Meanwhile, Amazon has been nobbled with a €35m (£31.8m) penalty for a similar breach on the Amazon .fr domain.
Its ruling states: “The committee noted that when a user visited one of the pages of the website amazon.fr, a large number of cookies used for advertising purposes was automatically placed on his or her computer, before any action required on his or her part.
“Yet, the committee recalled that these types of cookies, which are not essential to the service, can only be placed after the user has expressed his or her consent. It considered that the deposit of cookies at the same time as arriving on the site was a practice which, by its nature, was incompatible with a prior consent.”
Interestingly, both companies have been fined under the ePrivacy Directive transposed in Article 82 of the French Data Protection Act and not GDPR.
This meant that the investigation did not have to go through the Irish Data Protection Commission or be approved by other EU states under the so-called one-stop shop mechanism, a process many have criticised as too slow and laborious.
Privacy organisation NOYB, fronted by Austrian Max Schrems, recently filed two complaints against Apple, in Germany and Spain, also under the ePrivacy Directive, insisting the move was a deliberate attempt not to trigger the cooperation mechanism of GDPR.
At the time, the organisation said it wanted to avoid involving the Irish DPC and the “endless procedures” which have seen complaints it registered against Facebook go through protracted legal procedures, bouncing from the Irish High Court to the European Court of Justice, and back again, for years.
The CNIL ruling explained: “In its decision, the committee recalled that the CNIL is materially competent to control and sanction cookies placed by the companies on the computers of users living in France. Thus, it emphasised that the cooperation mechanism provided for by the GDPR was not intended to apply in this procedure.”
The French regulator has already beaten off a legal appeal by Google against its record €50m (£44m) fine for breaching GDPR – issued in January 2019 – in a significant victory against what many view as illegal adtech practices.
Google and Amazon have yet to comment on the latest rulings.
Tech giants face tailored rules – and fines – in CMA plan
Apple cut to the core by new unlawful tracking claims
Irish data regulator ‘go-slow’ triggers judicial review
Google must ditch ‘forced consent’, French court rules
Google faces defeat in appeal against €50m GDPR fine
Google appeals €50m fine, insisting it followed guidance
Google ruling puts digital marketing industry on alert
Google hit for €50m as French issue first GDPR fine
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise