
InfoBytes Blog

Financial Services Law Insights and Observations

French Council of State confirms €100 million fine against tech company

Privacy/Cyber Risk & Data Security, Of Interest to Non-US Persons, Enforcement, France

Privacy, Cyber Risk & Data Security

On January 28, the French Council of State confirmed the jurisdiction of the French data protection agency, the Commission Nationale de l’Informatique et des Libertés (CNIL), to impose sanctions on a multinational technology company and its Irish affiliate related to the companies’ process for managing cookies. The judgment follows an appeal by the companies against a 100 million euro fine imposed by CNIL in December 2020 for failure to obtain users’ consent and provide adequate information before depositing advertising cookies on users’ computers. The 2020 decision cited three violations of Article 82 of the French Data Protection Act (the Act). In confirming the 2020 decision, the Council of State recognized that it is within CNIL’s jurisdiction “to issue sanctions regarding cookies outside the ‘one-stop-shop’ mechanism provided for in the GDPR and therefore confirmed the sanction imposed by the CNIL on the companies[.]” Specifically, the Council of State concluded that the GDPR’s “one-stop-shop” mechanism does not apply to the deposit of cookies, which is covered by the Act. Additionally, because the cookies in question are implemented in the context of the companies’ activities in France, the Council of State determined that CNIL had jurisdiction pursuant to the Act and, consequently, did not have to forward the case to the Irish Data Protection Authority (the lead supervisory authority for these companies under the GDPR). Moreover, the Council of State held that the fines imposed by CNIL were “not disproportionate in view of the seriousness [of] the violations, the scope of the processing and the financial capabilities of the companies.”