On December 7th 20, the Commission nationale de l'informatique et des libertés, the so-called CNIL, made the decision to impose the highest fine to date, namely 100 million euros, in the history of the French data protection authority. The starting point is the behaviour of Google, which is considered to be in breach of the ePrivacy Directive (Directive 2002/58/EC). The facts of the case concern the search engine’s cookie consent policy, the lack of information to users of the Google search engine in France (google.fr), and the failure of the opt-out mechanism and the control of cookies. Almost 50 million users are affected.
The fine is divided into two parts: 60 million euros against Google LLC and 40 million euros against Google’s Irish subsidiary firm. According to the CNIL, the two companies are jointly liable and the CNIL has declared itself territorially competent under Article 3 of the French Data Protection Act (loi informatique et liberté) because the use of cookies would therefore have taken place “in the context of the activities” of Google's French subsidiary, which is the “establishment” of the two convicted companies on French territory, where it promotes its products and services.
This fine could be increased as the CNIL’s decision carries a penalty of €100,000 (one hundred thousand euros) per day of delay from March 7th 2021 if the proof of compliance to be sent to the CNIL is not provided by then. Compared to Google’s holding company Alphabet Inc., with a turnover of more than $161 billion in 2019, this record fine no longer looks very impressive in Europe.
Already on January 21st 2019, a fine was issued by the CNIL against Google, at that time the amount was 50 million euros. This complaint was triggered by the violation of the GDPR, or the European Data Protection Regulation, which has been in force since May 2018. More specifically, it concerned the processing of personal data by Google LLC (Limited Liability Company) in connection with the Android operating system. Google argued that the proceedings should fall within the remit of the CNIL’s Irish counterpart (under Art.56(1) GDPR), considering that the company's European registered office is in Ireland. However, the CNIL declared itself competent and substantiated this claim with the lack of decision-making power of the Irish head office at the time. (pursuant to Art. 83 GDPR).
As a reminder, in regard to cookies, the CNIL published its amending guidelines on October 1st 2020 and estimates that the deadline for compliance with the new rules should not exceed six months, i.e. by the end of March 2021 at the latest.
Link to CNIL decision
Sources:
Comments