Criteo – Court Ruling (France, 2026)

In 2023, the French Data Protection Authority (CNIL) fined Criteo, an advertising company (the controller), €40,000,000 for breaches of the GDPR related to the processing of browsing data through cookies for the purpose of placing personalised advertisements. The decision followed complaints lodged by Privacy International and noyb. The DPA found violations of Article 26(1) GDPR and Article 26(2) GDPR based on the lack of a joint controllers' agreement with its partners, Article 7(1) GDPR by processing user data without consent, Article 7(3) GDPR and Article 17 GDPR by failing to erase data subjects’ personal data based on their requests, and Article 12 GDPR, Article 13 GDPR, and Article 15 GDPR by failing to inform data subjects of the processing of their personal data. The controller appealed the decision asking for its annulment or, alternatively, the reduction of the fine. First, the Council of State (the court) held that the controller processed personal data since the identification of individuals would not be technically impossible based on the very large amount of information, sometimes very precise, collected and cross-referenced for a given identifier assigned to each data subject. Secondly, the court noted that the controller did not contest the DPA’s findings regarding the lack of a joint controllers' agreement. Thirdly, it found that the DPA’s conclusion regarding the violation of Article 7(1) GDPR did not disregard the principles of legality of offenses, presumption of innocence and exclusion of liability for others in criminal matters. Fourthly, it dismissed the argument that the contested decision was based on error of fact and assessment regarding the information provided to data subjects on the purposes for which their data were processed. Finally, the court noted that the controller could not rely on legitimate interest for continuing to process the data of data subjects who requested their erasure. Therefore, the court dismissed the cont