The French data protection authority ('CNIL') announced, on 28 June 2022, that the Conseil d'Etat had confirmed, on 27 June 2022, CNIL's decision from December 2020, whereby it imposed a fine of €35 million on Amazon Europe Core Sarl for violations of Article 82 of the Act No.78-17 of 6 January 1978 on Data Processing, Data Files and Individual Liberties (as amended to implement the GDPR) ('the Act').

Background to the case

In particular, CNIL had found two violations of Article 82 of the Act, related to the placement of cookies on user devices without prior consent and failure to meet information provision obligations regarding the same.

Findings of the Conseil d'Etat

Within its decision, the Conseil d'Etat deemed CNIL competent to impose sanctions in relation to cookies outside of the one-stop-shop mechanism under the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), recalling that CNIL could sanction breaches of Article 82 of the Act even in cases where the data controller is not established within France but carries out activities within France, which in this case pertains to marketing and advertising tools sold by Amazon Online France.

Outcomes

Consequently, the Conseil d'Etat confirmed that Amazon had carried out both violations of Article 82 of the Act and considered that the fine imposed was not disproportionate with regard to the severity of the breaches, the scope of the processing activities, and the financial state of Amazon.

You can read CNIL's press release here and the Conseil d'Etat decision here, both only available in French.