Google LLC – Court Ruling (France, 2021)

On December, 7 2020, the French DPA imposed a financial penalty of 60 Million euros fine against Google LLC and a 40 million euros against Google Ireland Limited in accordance with the General Data Protection Regulation (GDPR) and ePrivacy Directive, for lack of transparency, inadequate information and lack of valid consent regarding for violating the regulation on cookies while operating the website [https://google.fr google.fr]. The sanction was accompanied by an order to comply with [https://www.legifrance.gouv.fr/loda/article_lc/LEGIARTI000037813978 article 82 of the French Law on data protection] (Law Informatique et Libertés), under three months on penalty of a €100000 fine per day of delay. The companies appealed to the Conseil d’État in interim procedure against the CNIL's decision, arguing that the French DPA was not the competent authority because it was not the lead supervisory authority for Google LLC or Google Ireland Limited. Is the CNIL territorially competent to investigate and sanction a company for violating the information principle when depositing cookies if it is not the lead supervisory authority of the company? The CNIL considered that Google does have EU headquarters in Ireland, but that this Irish entity ‘did not have a decision making power’ in relation to the relevant cross-border data processing activities to which the complaints related. For that reason the CNIL decided that the One Stop Shop mechanism did not apply and that the CNIL, like any other European supervisory authority, was therefore competent to make a decision. The Conseil d’État rejected the request made by Google and ruled that the French DPA was territorially competent on this matter even though it is not the lead supervisory authority. The court stated that Article 82 of the Law Informatique et Libertés was a transposition of article 5(3) of the Directive 2002/58/CE into French Law when dealing with cookies and that the CNIL is charged with enforcing this Directive.