France Fines Google and Facebook Over Cookie Concerns
France’s data protection watchdog has slapped headline-grabbing fines on Facebook and Google for failing to respect local and pan-EU cookie consent rules. Commission Nationale Informatique & Libertés (CNIL) said it’s fined Google €150M (~$170M) and Facebook €60M (~$68M) for breaching French law, following investigations of how they present tracking choices to users of google.fr, youtube.com and facebook.com.
The regulator said it was acting after receiving a number of complaints. In a clear breach of EU and French law, it found the pair do not offer an option for users to reject non-essential cookies as easily as the option they offer for them to accept all tracking. So, in short, the tech giants were using manipulative dark patterns to try to force consent.
Under EU law, if consent is the legal basis being claimed for processing people’s data there are strict standards that must be adhered to — consent must be informed, specific and freely given in order for it to be obtained legally.
Long running complaints against Facebook and Google over similarly problematic consent issues continue to languish on the desk of the Irish Data Protection Commission (DPC), meanwhile — which under the EU’s General Data Protection Regulation (GDPR)’s one-stop-shop (OSS) mechanism is a quasi-centralized enforcer for most of big tech.
The DPC has been accused of dragging its feet on GDPR oversight of tech giants and creating a bottleneck for effective enforcement of the regulation, as the OSS encourages forum shopping — and Ireland’s low corporate tax economy appears only too happy to oblige client corporates with low resolution regulatory oversight too.
Notably, the CNIL is taking action against Facebook and Google under an earlier piece of EU legislation — the ePrivacy Directive — which gives competence to national agencies in their own territories. So the French continue to find creative ways to apply GDPR data protection standards nationally, despite the OSS and Irish GDPR blockage.
The ePrivacy Regulation still hasn’t been adopted — despite being proposed back in 2017! Which creates inconsistencies between EU law. But does also leaves Member State-level regulators such as CNIL free to enforce ePrivacy rules within their own jurisdictions, retaining decentralized power to sanction big tech on its home turf under the ePrivacy Directive.
France’s regulator has been especially busy on this front — fining Google €100M back in December 2020 for dropping tracking cookies without consent. At the same time it also stung Amazon €35M over the same issue.
Earlier, the CNIL even managed to get an early GDPR fine in against Google — all the way back in 2019 — before the company realized its legal exposure and switched the legal entity handling EU users’ data from the US to Ireland so that its regional business would fall under the DPC’s ‘less muscular’ oversight.