France: CNIL fines Google €150M for inadequately facilitating refusal of cookies
Background to the case
CNIL outlined that following an online check carried out on the google.fr and youtube.com websites on 1 June 2021, it made various observations regarding the cookie banners, privacy policies, and terms of services of the websites in question, which it sent on to Google in the form of a report requesting further information on each of the cookies mentioned in the said report, their purposes, and the number of daily unique visitors to each website over the last twelve months from France. CNIL further outlined that Google responded to that request on 9 July 2021, putting forward that the provision of its response was without prejudice to its rights under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), in particular the one-stop-shop mechanism, and the Irish Data Protection Commission's ('DPC') role as lead supervisroy authority in investigations.
In addition, CNIL noted that following its subsequent notification of its intention to fine Google for violations identified in the aforementioned online check, Google had put forth a number of arguments in its defence, notbaly arguing that CNIL's previous fine against Google for cookie violations, issued on 7 December 2020, is still pending in the Conseil d'Etat, and that this decision should therefore be suspended, whilst also alleging a breach of the principle of non bis in idem (i.e. that CNIL cannot rule on the same facts as those addressed in its previous enforcement actions against Google). CNIL rejected both of the arguments put forward by Google regarding suspension and admissibility of the decision, firstly highlighting that the pending nature of the Conseil d'Etat's decision does not affect the President of CNIL's competence to initiate a sanctioning procedure, and secondly that the facts of the present case are not identical to those of the previous decision. In particular, CNIL noted that the the previous decision related to information of users on the purposes of cookies subject to consent and on the means of refusing cookies, whereas the present case relates to the modalities of refusing consent itself, as opposed to information related to the same.
Findings of CNIL
In terms of responsibility for the identified unlawful processing in question, CNIL identified Google Ireland Limited, which Google itself identified as the relevant data controller, and Google LLC, whose controllership Google disputed, as joint controllers, notably citing, among other things, Google's own assertion that Google LLC 'designs and builds the technology of Google products and that with regard to cookies deposited and read when using the search engine Google Search, there is no difference in technology between the cookies deposited from the different versions of the search engine' to come to the conclusion that Google LLC determines the means of processing and plays a fundamental role in the entire decision-making process relating to the processing in question.
In view of the above, and taking into account the respective responsibilities of the two entities and their financial situations, CNIL decided to impose a fine of €90 million on Google LLC and a fine of €60 million on Google Ireland Limited. In addition to the lump sum financial penalties, CNIL also ordered Google to bring their operations into compliance with the identified violated rules within three months, also providing that additional fines of €100,000 per day would be imposed for non-compliance following the end of such period.