CNIL – Court Ruling (France, 2022)

On 7 December 2020, the French DPA (CNIL) imposed two fines totaling € 100 million on Google LLC and Google Ireland Ltd for violating Article 82 of the French Data Protection Act (which transposes the ePrivacy Directive). Google (1) had not obtained the user’s consent before depositing advertising cookies in the user’s terminal equipment, (2) had lacked to provide information, and (3) had not implemented a mechanism to refuse the cookies. Google did not agree with the CNIL’s decision and brought the issue before court. First, it claimed that, since there is cross-border processing, the Irish DPA (DPC) is the lead supervisory authority since Google’s main establishment in the EU is in Ireland, and the CNIL therefore did not have competence to rule on this matter according to the one-stop-shop mechanism. Second, it found the fine to be disproportionate. Hence, it requested the Council of State to annul the decision, and to refer two preliminary questions to the CJEU, asking: (1) whether the one-stop-shop mechanism provided for in Article 56 GDPR is excluded in the context of cross-border processing that falls within the scope of both the ePrivacy Directive and the GDPR, and (2) whether Article 15a ePrivacy Directive violates the right to data protection because does not provide an obligation, but rather an option, “for the competent national regulatory authorities to adopt measures to ensure effective cross-border cooperation in the enforcement of national laws adopted pursuant to the directive and to create harmonised conditions for the provision of services involving cross-border data flows”. The Council of State rejected Google’s appeal. First, according to the Council, the ePrivacy Directive, implemented in the French Data Protection Act, does not provide for the application of the one-stop-shop mechanism as mentioned in Article 56 GDPR. Although the requirements for consent are regulated by the GDPR the deposit of cookies is regulated by the ePrivacy Direct