Cookies: The Council of State confirms the sanction imposed by the CNIL in 2020 on Google LLC and Google Ireland Limited
In its judgment of 28 January 2022, the Conseil d'État (French Council of State) confirmed the jurisdiction of the CNIL to impose sanctions regarding cookies, outside the "one-stop shop mechanism". This judgment follows an appeal by the companies GOOGLE LLC and GOOGLE IRELAND LIMITED against the administrative fine of 100 million euros imposed by the CNIL in 2020.
The decision of the CNIL of 7 December 2020
On 7 December 2020, the CNIL imposed an administrative fine of a total amount of 100 million euros on the companies GOOGLE LLC and GOOGLE IRELAND LIMITED, in particular because of the deposit of advertising cookies on computers of users of the search engine google.fr, without obtaining prior consent and without providing adequate information.
In its decision, the CNIL noticed three violations of Article 82 of the French Data Protection Act (transposing the e-Privacy Directive).
First, the CNIL noted that when a user visited the page google.fr, a large number of cookies used for advertising purposes was automatically deposited on his or her computer, before any action required on his or her part. Since this type of cookies is not essential to the service, the CNIL considered that the companies did not comply with the obligation to obtain the consent of the users before the deposit of cookies.
Then, the CNIL considered that the information banner displayed at the bottom of the page of the search engine google.fr didn't enable the users residing in France to be previously and adequately informed of the deposit of cookies, and in particular concerning the purpose of these cookies and the means available to refuse them.
The judgment of the Council of State of 28 January 2022
In its judgment of 28 January 2022, the Council of State recognized that it is within the jurisdiction of the CNIL to issue sanctions regarding cookies outside the "one-stop-shop" mechanism provided for in the GDPR and therefore confirmed the sanction imposed by the CNIL on the companies GOOGLE LLC and GOOGLE IRELAND LIMITED.
First, the Council of State confirmed that the "one-stop shop" mechanism provided for by the GDPR doesn't apply regarding the deposit of cookies, which is covered by the French Data Protection Act.
It also stated that, since the cookies in question are implemented in the context of the activities of Google France, establishment in France of the Google companies, the CNIL had jurisdiction pursuant to the Act. Therefore, it did not have to forward the case to the Irish Data Protection Authority (the DPC), which is the lead supervisory authority for Google companies under the GDPR.
The Council of State judged that the exclusion from the "one-stop-shop" mechanism concerning cookies was sufficiently clear so that it doesn't need to refer the matter to the Court of Justice of the European Union for a preliminary ruling, as required by the companies.
Finally, the Council of State judged that the amount of the fines imposed by the CNIL is not disproportionate in view of the seriousness the violations, the scope of the processing and the financial capabilities of the companies.