France fines Google USD 170 Million and Facebook USD 68 Million over Cookie Consent Violation

On 6th January 2022, the Commission Nationale de l’Informatique et des Libertés (CNIL) announced that it had imposed a record fine on Google and Facebook of USD 170 Million and USD 68 Million respectively for violating the e-Privacy Directive and the EU GDPR.

CNIL said in its statement that the websites facebook.com, google.fr and youtube.com did not allow users to refuse cookies easily. A cookie is a small text file that is placed in the web browser while the user visits the website, with the objective of building a profile of the person for commercial use.

The CNIL said that refusing cookies should be as easy as accepting them. However, despite Google and Facebook being given three months' notice, the issue was not resolved to the satisfaction of CNIL. Citing the example of Facebook, CNIL said several clicks are required to refuse all cookies, as opposed to a single one to accept them.

Source: France fines Google and Facebook over cookies – BBC News

Google and Facebook also face a daily penalty of Euro 1,00,000/- if they do not fix their practices within three months of the CNIL issuing the decision, which applies to Google.fr and Youtube.fr as well as Facebook.com.

Decision of CNIL against Google and Facebook

As per the decision and the statement issued by CNIL, Facebook and Google have been fined under two main legal texts for cookie consent violations as well as online trackers. The first is Article 82 of the French Data Protection Act (Article 82 – Law No. 78-17 of 6 January 1978 relating to data processing, files and freedoms – Légifrance (legifrance.gouv.fr)), which implements EU Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (e-Privacy Directive). The second is the EU General Data Protection Regulation, which is directly applicable in all EU Member States.

The complete judgement can be found at the link below:

Deliberation SAN-2021-024 of 31 December 2021 – Légifrance (legifrance.gouv.fr)

What is CNIL

CNIL is the French data regulation and protection authority, created in 1978. The CNIL is an independent administrative body that operates in accordance with the data protection legislation of 6th January 1978, as amended on 6th August 2004.

The independence of CNIL is guaranteed on account of its composition and organisation.  The CNIL is responsible for ensuring that information technology remains at the service of citizens.

For more on CNIL, kindly visit Homepage | CNIL

So, let’s explore the types of cookies and the various laws around them, especially in the European Union.

Types of Cookies

Predominantly, there are two types of cookies:

  1. Strictly Necessary: These cookies are essential to navigate through the website and use its features, e.g. cookies allowing webshops or e-commerce platforms to keep items in the cart during online shopping.
  2. Non-Essential: These cookies are not needed to enable the core functionality of the website, e.g. marketing using Facebook Pixels or analysis using Google Analytics.

For learning more on cookies, kindly visit our blog at  A Comprehensive Guide to Browser Cookie – DATA SECURE

EU Cookie Law

In the European Union, the following laws are used to regulate the use of cookies and online trackers:

  1. E-Privacy Directive
  • Art 5(3) e-Privacy Directive

Member States shall ensure that the storing of information, or the gaining of access to information already stored, in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned has given his or her consent, having been provided with clear and comprehensive information, in accordance with Directive 95/46/EC, inter alia, about the purposes of the processing.

This shall not prevent any technical storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary in order for the provider of an information society service explicitly requested by the subscriber or user to provide the service.

For more on E-Privacy Directive, kindly read EU ePrivacy Directive – DATA SECURE

Let’s analyse the above a bit deeper for the purpose of understanding the meaning of various terms:

What does storing of information or gaining of access to stored information mean? 

It means that data is being processed, whether by keeping it, analysing it, or further using it for any other purpose.

What is Terminal Equipment?

Terminal equipment refers to PC, phone or tablet devices.

However, as per the European Data Protection Board (EDPB):

“If as a result of placing and retrieving information through the cookie or similar device, the information collected can be considered personal data, then in addition to Article 5(3), Directive 95/46/EC will also apply.”

Directive 95/46/EC was replaced by the EU GDPR, effective 25th May 2018.

  2. EU GDPR
  • Recital 30

Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as Internet Protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags.

This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.

So, cookies can only be placed when the user or visitor provides specific consent, as per the following:

Consent as per Article 2(f) e-Privacy Directive: “Consent by a user or subscriber corresponds to the data subject’s consent in the GDPR”

Also, clear and comprehensive information about the purposes of processing should be provided in accordance with the GDPR.

Source : GDPR General Data Protection Regulation – DATA SECURE

Mandatory Requirements to be met by Cookies

The following requirements should be met by cookies in order to avoid any violation of the law, which would invite huge financial and legal penalties.

  1. Legal Notice
  • Personal Data, Article 4 (1) GDPR

Any information relating to an identified or identifiable natural person (data subject).

An IP address is considered personal data under GDPR as per Case C-582/14 (Breyer).

Source : Case C-582/14: Judgment of the Court (Second Chamber) of 19 October 2016 (request for a preliminary ruling from the Bundesgerichtshof — Germany) — Patrick Breyer v Bundesrepublik Deutschland (Reference for a preliminary ruling — Processing of personal data — Directive 95/46/EC — Article 2(a) — Article 7(f) — Definition of ‘personal data’ — Internet protocol addresses — Storage of data by an online media services provider — National legislation not permitting the legitimate interest pursued by the controller to be taken into account) (europa.eu)

  • Processing, Article 4(2) GDPR

Any operation (or set of operations) which is performed on personal data (or on sets of personal data), whether or not by automated means.

Examples are collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

  • Basic information to be provided as per Article 13, GDPR
    • Data Controller – Identity & contact details
    • DPO – Contact details
    • Purposes + Legal Basis
    • Recipients of the personal data
    • Data Transfer to 3rd Country or any international organisation
  • To ensure fair & transparent processing, Article 13, GDPR

In order to ensure fair and transparent processing of personal data as per Article 13, GDPR, the following points must be adhered to:

  • Retention Period
  • Data Subject Rights (right to access, rectification, erasure, restriction, object to processing, data portability)
  • Right to withdraw consent
  • Right to lodge a complaint with a Supervisory Authority
  • Automated decision-making, e.g. profiling

  • Legal basis of processing personal data, Article 6 (1)(a) GDPR

“Processing shall be lawful only if and to the extent that at least one of the following applies:

  • The data subject has given consent to the processing of his or her personal data for one or more specific purposes.”

  2. Cookie Banner and Consent Management

As per Article 4(11), GDPR, the consent shall be:

  • Freely given
  • Specific
  • Informed and
  • Unambiguous

The cookie banner should obtain a clear indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Response by Facebook and Google on fines by CNIL

The responses from Facebook and Google have been very standard ones, giving assurances that they will review the privacy controls embedded in the cookie and make the privacy of the user their topmost priority.

However, a spokesperson for Facebook’s holding company, Meta, said: “We are reviewing the authority’s decision and remain committed to working with relevant authorities. Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

“People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committed to further changes and actively work with the CNIL in light of this decision and under the e-Privacy Directive,” a Google spokesperson said.

Conclusion

Global laws around data privacy are evolving and changing at a rapid pace. Users and consumers are becoming more and more aware of their privacy rights and want the power to make decisions about their choices in their own hands. Governments across the globe are enacting data protection and privacy regulations to avoid the misuse and abuse of personal information by corporates, big tech companies and social media platforms.

CNIL has done an excellent job by imposing huge fines on Google and Facebook to protect against the unlawful collection and misuse of the personal information of French citizens. It clearly indicates that the data protection authority of the country is acting as a watchdog and is protecting citizens by enforcing the relevant legal regulations, in case of misuse, on big tech companies and social media platforms.

Source : GDPR General Data Protection Regulation – DATA SECURE

Source : India Draft Personal Data Protection Bill 2019 – DATA SECURE

