Why did CNIL sanction Google and Amazon?
Gianclaudio Malgieri, Associate Professor, Researcher at the EDHEC Augmented Law Institute, discusses in an article originally published on The Conversation the legal battle against cookie-walls, and in particular against the two giants Google and Amazon.
The Commission nationale de l’informatique et des libertés de France (CNIL) was actively pursuing its legal battle against “cookie walls” when it fired two significant shots at the IT giants Google and Amazon. On 7 December 2020, CNIL imposed fines of 100 million euros on Google (LLC and Ireland Limited) and 35 million euros on Amazon for infringing the “vie privée et communications électroniques” (privacy and electronic communications) directive (as interpreted in article 82 of the French law on information technology and freedom of 6 January 1978), in particular in relation to transparency obligations vis-à-vis cookies, the right to refuse them, and information about how they collect data (deemed to be based on an opaque and flawed opt-out system for obtaining user consent).
The Google and Amazon infringements relate to two elements: the duty to inform and the legality of cookies, the files that the website puts on your computer in order to follow your navigation. What CNIL seemed to suggest is that these two giant technological firms created de facto illegal cookie walls. Cookie walls are barriers put on a website to inform visitors that cookies are being used, without providing the option to reject them: the only way to look at the content is to accept and continue.
In principle, these cookies, which are not necessary for the correct functioning of a website, can only be installed and accessed after the person concerned has been correctly informed (by a “user-friendly” instruction that conforms with the privacy and electronic communications directive) and has given their consent.
CNIL notes that, when people go onto Google.fr, the first information that appears on the web banner “vie privée” (“privacy”) is not linked to cookies. Nevertheless, several cookies (also placed for advertising purposes) are immediately installed on the user’s device. In addition, even if they click on “more information”, users do not understand straight away what cookies are collecting and to what ends. They cannot deactivate these cookies unless they run through the whole confidentiality policy (while avoiding clicking on any hyperlink) and finally click on “other options”.
A "Flawed" withdrawal system
Just after the CNIL enquiry began, Google modified its transparency policy in relation to cookies. However, CNIL noted that, even after these improvements, the declared purposes for processing cookie data are too general and not specific enough; the effects (for example, the personalisation of ads on the various Google services) are not explained adequately, and the cookie refusal procedures are always hidden behind opaque buttons like “options” or “more information”.
In addition, CNIL noted that even if the user deactivates these functions, some unnecessary cookies remain in the system: in other words, the withdrawal system is not only opaque but also “flawed”. Finally, CNIL declared that Google’s expression “withdraw your consent” is “abusive”, since users never actually gave their consent in the first place – the opt-out system assumed it.
CNIL’s reasons for sanctioning Amazon are similar. In particular, when someone accesses the Amazon.fr site, they can only read a banner stating “by using this site, you accept our use of cookies used to improve our services.” This is an infringement of the latest CNIL guidelines of September 2020 (and the European Court of Justice’s “Planet49” order): there must be an unambiguous expression of consent, and the opt-out system (which had been accepted before the entry into force of the Règlement général sur la protection des données, the RGPD, in May 2018) is no longer acceptable.
A question of territorial jurisdiction
CNIL’s territorial scope and the applicability of French law were also discussed. Google claimed that the RGPD requires that the data protection authority of the member state where Google is headquartered (Ireland) take the lead in the infraction case (that is, the Irish data protection authority). And Amazon claimed that since its headquarters is in Luxembourg, it follows Luxembourg law on cookies and should not be required to follow the French rules (which, it should be noted, are more restrictive and tougher).
CNIL rejected both these arguments: the personal data linked to the cookies are governed by the privacy and electronic communications law, where the RGPD cooperation mechanism does not apply. In addition, this regulation allows (in article 15 bis) member states, by virtue of their national law, to determine the procedures for applying the rules relative to privacy and electronic communications. Thus, each member state can follow its national regulations (in implementing the European rules).
The applicability of French law and the competence of CNIL are clear since the cookies are installed in the hardware devices of people in France: the processing of data is done in France and, consequently, the principle of territoriality of French IT and freedom law (article 3) is respected.
A non-explicit prohibition
The main conclusion that we can draw from these decisions is that not only are cookie walls (on a case-by-case basis) likely to be illegal, but they are also generally de facto illegal. In other words, the fact of forcing someone to run a difficult obstacle course of clicks, scrolling and ambiguous buttons before being able to refuse cookies has the same effect as a cookie wall and should be prohibited.
From a broader perspective, this episode makes clear the urgency of reforming the privacy and electronic communications directive. The ban on cookie walls is not explicit in European Union law (the directive on privacy and electronic communications seems to tolerate them, in conflict with the notion of consent in the RGPD) as interpreted by the European Data Protection Committee.
Moreover, we do not see why the procedural rules of the RGPD (for example, the cooperation mechanism) cannot be applied to the rules about privacy online, which are, on the contrary, fragmented and to be found in numerous different national regulations (which are often incompatible with each other). However, reform of the EU rules regarding privacy online seems a long way away.
This article was co-published with The Conversation France under the Creative Commons licence.