The ongoing legal fight between Google & Amazon, and the French regulatory body, the CNIL contains some interesting insights, especially as it looks as if the standard on cookies could be adopted elsewhere.
The case centres around the use of cookie walls and whether they are allowed under EU data protection laws.
The latest deliberation on the of 7 December, was the first opportunity for the CNIL to enforce its new “cookie Guidelines”. Google and Amazon were both given penalties after the CNIL seemed to suggest that the two big tech companies create “de facto” cookie-walls that are unlawful.
In December, the French Data Protection Authority (the “CNIL”) announced that it has levied fines of €60m on Google LLC and €40m on Google Ireland Limited under the French cookie rules for their alleged failure to (1) obtain the consent of users of the French version of Google’s search engine (google.fr) before setting advertising cookies on their devices; (2) provide users with adequate information about the use of cookies; and (3) implement a fully effective opt-out mechanism to enable users to refuse cookies.
On the same date, the CNIL announced that it has levied a fine of €35 million on Amazon Europe Core under the same rules for its alleged failure to (1) obtain the consent of users of the amazon.fr site before setting advertising cookies on their devices; and (2) provide adequate information about the use of cookies.
The French cookie rules are laid down in (1) Article 82 of the French Data Protection Act, which implements into French law the provisions of the EU ePrivacy Directive governing the use of cookies; and (2) soft law instruments aimed at guiding operators in implementing Article 82 of the French Data Protection Act in practice.
In short, the CNIL argued that the whole informational architecture of the two big tech companies for cookie collection is not based on a transparent opt-in system, but on an opaque opt-out system, which is an obstacle for ordinary people to do.
Professor Dr. Gianclaudio Malgieri (pictured), at the EDHEC Augmented Law Institute, a business school, tells IT Europa: “The CNIL is clearly a leading Data Protection Authority in the EU context in terms of the legal fight against big tech and their use of cookies. This is also evident in the strict CNIL Guidelines in terms of cookie regulation and in the previous penalties to Google about the invalid consent requested of its users.
Other regulators across Europe are also taking serious steps in limiting the power of big tech in terms of cookies, but in softer ways. For example the Italian “Garante” open consultation about cookie policies, or the interlocutory dialogue between the UK Data Protection Authority – the ICO – and Google, in the case from 2013.”
So how soon does he think will we see pressure to change, given the US companies always appeal?
“I think pressure on this topic will stay high, as recent proceedings for similar situations, for example in the European Parliament, have suggested, and, even if Google and Amazon do have successful appeals, the message is clear: cookies should only be collected upon unambiguous, free and informed consent.”
“I think the IT industry should quickly take notice and comply with the highest standards in terms of cookie policies across the EU (which at the moment seems to be the French standard).
The regulators of member states are paying more and more attention to the notion of really free and informed (and easy-to-give) consent under the GDPR. For example, the use of elusive cookie banners (where there is no clear yes-or-no choice for cookies), opaque opt-out mechanisms, and complex “obstacle courses” to refuse cookies are much more likely to be penalised within EU member states following the EU Court of Justice ruling on Planet49, in 2020. In addition, if companies take notice now, they will not have to rush to rapidly change cookie policies if a new e-Privacy regulation is adopted,” he concludes.
In the initial version of its Guidelines, the CNIL pointed oout that measures and sanctions under Article 82 of the French Data Protection Act, are independent of the GDPR’s cooperation and consistency mechanisms, because the French cookie rules are based on the EU ePrivacy Directive and *not* the GDPR. Unsurprisingly, therefore, the CNIL rejected the arguments of Google and Amazon, considering that the EU ePrivacy Directive provides for its own mechanism, designed to implement and control its application. Accordingly, the CNIL concluded that the one-stop-shop mechanism of the GDPR does not apply to the enforcement of the provisions of the EU ePrivacy Directive, as implemented under French law.
