The CNIL decision of December 7, 2020
On December 7, 2020, the CNIL pronounced a fine of a total amount of 100 million euros against Google LLC and Google Ireland Limited companies, in particular for having deposited advertising cookies on user computersGoogle search.en without prior consent or satisfactory information.
In its decision, the CNIL has retained three violations in article 82 of the Data Protection Act (transposing the "E-Privacy" directive).
First, the CNIL noted that when a user went to the Google page.fr, several cookies pursuing an advertising purpose were automatically deposited on his computer without action on his part.This type of cookies is not essential to the service, the CNIL considered that companies had not respected the obligation to collect the consent of Internet users before the deposit of cookies.
Then the CNIL estimated that the headband which was displayed at the length of the Google search engine.fr did not allow users residing in France to be beforehand and clearly informed about the deposit of cookies, in particular on the objectives of these cookies and the means to refuse them.
Finally, the CNIL considered that the mechanism proposed by companies to refuse cookies was partially faulty.Indeed, when a user deactivated the customization of advertisements on Google search, an advertising cookie remained stored on his computer and continued to read information for the server to which he is attached.
The judgment of the Council of State of January 28, 2022
By its decision of January 28, 2022, the Council of State confirmed the jurisdiction of the CNIL to take sanctions on cookies outside the single window mechanism provided by the GDPR and thus validated the sanction of the CNIL pronounced at theContrary to the companies Google LLC and Google Ireland Limited.
The Council of State first confirms that the one -counter system provided by the GDPR is not applicable in terms of cookie deposits, which are framed by the Data Protection Act.
He also noted that the cookies in question being implemented within the framework of the activities of Google France, an establishment in France of Google companies, the CNIL was competent under this law.It therefore did not have to transmit the file to the Irish data protection authority (the DPC), which is the leader authority of Google companies under the GDPR.
The Council of State estimated that the exclusion of the "one -stop" system in matters of cookies was clear enough for it to have to seize the Court of Justice of the European Union for a preliminary row, as theasked the companies.
On the merits, the Council of State confirms the three violations in article 82 of the Data Protection Act sanctioned by the CNIL: the deposit of cookies without prior consent of the user, the lack of information of the userand the partial failure of the mechanism proposed to refuse cookies.
Finally, the Council of State considers that the amount of fines pronounced by the CNIL is not disproportionate with regard to the severity of the shortcomings, the scope of the treatments and the financial capacities of the two companies.
Farewell Touch Bar, I won't regret...
Caddy, the only web server to use H...
Burkina Faso / Gabon (TV / Streamin...
What the future of work will not b...