France sidesteps GDPR in fining Google, Amazon $163M combined

The €100 million (U.S. $121 million) fine against Google is the largest sanction the regulator has ever imposed, though under French legislation rather than the EU’s General Data Protection Regulation (GDPR).

In a warning to others, the CNIL has said it will begin in April 2021 to fine companies that do not meet the GDPR’s requirement of having an option to accept or refuse all cookies.

The CNIL justified the size of the penalty due to Google’s overwhelming dominance as the most popular search engine in France, coupled with the size of the profits the firm gained from allegedly gathering data illegally from some 50 million people to boost advertising services.

The CNIL said when users visited google.fr or amazon.fr, several cookies used for advertising purposes were automatically placed on their computers without any action on their part. Such practices are a breach of the French Data Protection Act, the law used to enforce ePrivacy rules before the GDPR came into effect in 2018.

The data regulator said users were not provided with sufficient information to let them know cookies were being automatically installed or given advice about how to block them. It has only been since September 2020 that the websites of both tech giants have stopped placing cookies on people’s computers without consent.

In a warning to others, the CNIL has said it will begin in April 2021 to fine companies that do not meet the GDPR’s requirement of having an option to accept or refuse all cookies.

In a statement, Google said: “We stand by our record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products. Today’s decision under French ePrivacy laws overlooks these efforts and doesn’t account for the fact that French rules and regulatory guidance are uncertain and constantly evolving.”

Amazon, fined €35 million (U.S. $42 million), said: “We disagree with the CNIL’s decision. Protecting the privacy of our customers has always been a top priority for Amazon. We continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate.”

Experts believe the case shows national regulators are now more prepared to take on Big Tech firms if their lead supervisory authorities are slow to do so.

Emily Cox, partner in media disputes at London law firm Stewarts, says while the obvious course might have been to pursue a breach of the GDPR, the CNIL’s “creative” use of the ePrivacy directive, which governs cookies, has enabled it to be nimble and issue a fine itself.

She adds the CNIL’s “agile” approach to enforcing data privacy rights against tech firms for its own citizens is likely to prompt more of the other active European data protection authorities in countries like Spain, Germany, and Belgium to adopt a similar approach.

If the CNIL had opted to pursue the case under the GDPR, it would have had to refer the matter to the lead supervisory authorities for Google and Amazon (Ireland and Luxembourg, respectively) under the slow and much criticized “one-stop shop” mechanism. Given Ireland hasn’t issued a single major GDPR decision, and Luxembourg has yet to hand out any GDPR fines, such a prospect is becoming increasingly less appealing.

“This CNIL decision is a positive one, in that it shows the willingness of some European regulators to act quickly and think creatively with the legal tools and processes already available to them, pending big changes to the regulation of Big Tech in the EU,” says Cox. “It will also sound a warning bell to Big Tech that forum shopping for a lead supervisory authority won’t enable them to act with impunity.”

Sonia Cissé, counsel and head of the technology, media and telecommunications team of law firm Linklaters in Paris, says the decisions are “clearly a warning.” “It is certain that Amazon’s and Google’s practices were not restricted to France. Other regulators might want to follow CNIL’s lead just to let companies know that compliance is required all over Europe.

“These sanctions clearly show that stakeholders should, as soon as possible, start implementing all requirements applicable to cookies if they don’t want to be caught with their hand in the cookie jar.”