La Quadrature du Net – Court Ruling (France, 2019)

In July 2018 the CNIL adopted a decision clarifying the new rules on consent for targeted advertisement under GDPR. It initiated a consultation process for the first quarter of 2020 to define the practical arrangements for obtaining consent. It determined a six-month adaptation period. Two associations requested to annul the decision of CNIL on grounds of excess of power and to instruct it to publish both on its website and on the pages of its press releases of 28 June and 18 July, a reference to the decision of the Conseil d'Etat which should indicate that "continued navigation" does not constitute a valid means of expressing consent for cookies and online tracking devices, while every day of delay would imply a penalty of 500 euros. The Council has to assess whether the CNIL had the power to initiate such a process. The Council found that the CNIL is an independent administrative authority with wide discretion in the exercise of its missions. In this sense, the CNIL can initiate such an action plan in order to achieve more effective compliance with the data protection law. The Council ruled that the six-month period of tolerance which the CNIL provided the stakeholders in order to fully comply with the rules is legal. Finally, the CNIL’s decision does not prevent the Commission from carrying out controls during the mentioned period and imposing sanctions for serious breaches of the new data protection framework.