Main Highlights:
- France’s data protection regulator levied headline-grabbing fines on Facebook and Google for breaking local (and pan-EU) cookie consent laws.
- France’s regulator has been particularly aggressive in this area, fining Google €100 million in December 2020 for unilaterally deleting tracking cookies.
- Google had not reacted to a request for comment on the CNIL’s sanction at the time of writing, but we will update this post if they do.
Another point in favor of decentralized enforcement: France’s data protection authority has hit Facebook and Google with headline-grabbing fines for violating local (and pan-EU) cookie consent requirements. Today, The CNIL said that it had fined Google €150 million ($170 million) and Facebook €60 million ($68 million) for violating French legislation in displaying tracking choices to users of google.fr, youtube.com, and facebook.com.
The agency stated that it was taking action in response to several complaints. In a blatant violation of EU and French legislation, it was discovered that the duo does not provide users with an easy way to refuse non-essential cookies, as they do with the option to accept all tracking.
In summary, the internet titans attempted to coerce permission through dark, manipulative patterns. Suppose consent is claimed as the legal basis for processing people’s data under EU legislation. In that case, specific standards must be followed – permission must be informed, precise, and freely supplied to be lawfully gained.
Meanwhile, long-standing complaints against Facebook and Google over similarly contentious consent issues continue to languish on the Irish Data Protection Commission’s (DPC) desk — which, under the EU’s General Data Protection Regulation’s (GDPR) one-stop-shop (OSS) mechanism, serves as a quasi-centralized enforcer for the majority.
The DPC has been accused of procrastinating in its surveillance of tech corporations under the GDPR., thereby creating a bottleneck for effective enforcement. The OSS promotes forum shopping — and Ireland’s low corporate tax environment is only too eager to oblige client firms with regulatory monitoring as well.
Notably, the CNIL prosecutes Facebook and Google on an older piece of EU legislation — the ePrivacy Directive — that vests national agencies with jurisdiction over their respective areas. Thus, despite the OSS and Irish GDPR blockade, the French continue to develop novel ways to implement GDPR data protection regulations on a national level.
Google and Facebook’s involvement in regional lobbying attempts
The irony is that Google and Facebook were active in regional lobbying attempts to block a planned modification to the ePrivacy Directive — which would have been superseded by legislation, as we previously documented.
Despite being introduced in 2017, the ePrivacy Regulation has yet to be approved! Which results in discrepancies in EU law. However, it allows Member State-level regulators such as CNIL free to implement privacy laws inside their territories, preserving the ePrivacy Directive’s decentralized authority to penalize big tech on its home territory. As a result, that has proven to be a costly error for Facebook and Google in France, at least.
France’s authority has been particularly active on this front, fining Google €100 million in December 2020 for unilaterally removing tracking cookies. Simultaneously, it fined Amazon €35 million over the same issue. Previously, the CNIL obtained an early GDPR penalty against Google — back in 2019 — before the corporation recognized its legal risk and relocated the legal entity responsible for EU users’ data from the US to Ireland, where it would come under the DPC’s ‘less muscular’ control.
Google has yet to face a single GDPR consequence outside of Ireland – despite several graves and long-running concerns against it, including coerced consent, its management of location data, and its ad tech. Not only are complaints mounting against tech giants for systemic violations of EU data protection law and against the DPC for its embarrassingly weak enforcement record — and, in a more recent complaint against Ireland, for alleged corruption — but also against the European Commission, which is accused of neglecting to supervise GDPR enforcement at the Member State level.
Late last year, the Commission intervened verbally in favor of centralized enforcement by the EU executive, telling data protection agencies that GPDR enforcement must become “effective” quickly or else DPAs’ authority may be revoked.
Simultaneously, the Commission attacked Google and Facebook, accusing them of prioritizing legal maneuvers over actual compliance with the bloc’s privacy laws, with commissioner Vera Jourová warning: “It is past time for those corporations to take personal data protection seriously.” I’m looking for complete compliance, not legal gimmicks. It is past time for us to stop hiding behind small print and instead confront the difficulties head-on.”
However, while taking a few potshots, the Commission looks hesitant to intervene and penalize Ireland. As a result, the Member States such as France have been left to demonstrate the argument differently — namely, having their authorities show that enforcement is not just possible but also occurring.
Along with today’s headline-grabbing fines, the CNIL has ordered Facebook and Google to alter how they present cookie choices to French users —Providing the couple with three months to develop a technique for denying cookies as simple as the current one for accepting them. If the corporations do not comply with the ruling, they will face further penalties of €100,000 per day of delay. For some time, the CNIL has concentrated its scrutiny on cookie consents.
The agency set a March 31, 2021 deadline for websites to comply with the authority’s new cookie advice, released in October 2020. And, since the end of March, it claims to have enacted nearly 100 “corrective actions” (acronyms for orders and punishments) in response to non-compliance with cookie-related legislation.
Ireland revised its cookie guidelines in April 2020, stating that it will give websites and data controllers six months to comply before enforcing them. However, the DPC has again demonstrated that it is all talk and no action: failing to issue any public fines against commercial firms for cookie consent violations (and certainly nothing against Facebook or Google on this front).
Late last year, a DPC verdict against Facebook-owned WhatsApp focused on transparency violations. The final penalty imposed on WhatsApp — $267 million — was also significantly increased following intervention by other EU data protection authorities and the European Data Protection Board; Ireland’s draft ruling had indicated a fine of up to €50 million. Meanwhile, Facebook is appealing the fine.
Additionally, the tech giant referred to a September announcement it made last year regarding an update to its local cookie controls — in which it announced that it would provide European residents a greater degree of control over their cookie preferences and more information about how they utilize various sorts of cookies, including information we collect from other apps and websites.
It said at the time that “This work is part of their continuous efforts to provide consumers more control over their privacy and to ensure compliance with increasing privacy regulations, Whatever tweaks Facebook made at the time did not appear to impress the French. Google had not reacted to a request for comment on the CNIL’s sanction at the time of writing, but we will update this post if we receive one.