France's big Google and Amazon fines bypass GDPR's creaking one-stop shop

With its weighty fines for Google and Amazon.com, France’s data-protection authority appears to have found a workaround to the General Data Protection Regulation’s clunky one-stop shop mechanism — assuming the sanctions aren’t annulled in court.

The Commission Nationale de l'Informatique et des Libertés today fined Google 100 million euros ($120 million) and Amazon 35 million euros for installing tracking cookies on the web browsers of visitors to their respective French websites.

European privacy regulators have struggled to hold US tech giants to account because of a provision in the GDPR that cross-border cases should be regulated by the country where the company in question has its EU headquarters.

For Google — along with Facebook, Twitter, Apple and many others — that’s Ireland. For Amazon, it’s Luxembourg. Neither of these regulators has issued any major GDPR fines since the EU rules came into force in  May 2018.

The CNIL previously got around the one-stop shop mechanism when it fined Google 50 million euros in January 2019. That was a pure loophole: Google had failed properly at that point to get itself registered in Ireland. France's highest administrative court upheld the fine in June 2020.

This time, the French regulator sidestepped the GDPR altogether, issuing the fines under another law: the EU’s 2002 e-privacy directive.

Legal question

That raises an interesting legal question. While the e-privacy directive governs the use of cookies — pieces of tracking software that websites install on visitors’ web browsers — it’s the GDPR that introduced strict requirements to get users’ consent before processing their data. A lack of consent was the basis of today’s fines.

The CNIL said that it was “materially competent” to investigate and sanction Google and Amazon because the cookies were “placed by companies on the computers of users residing in France.”

The authority added that it was also “territorially competent” because the use of cookies by the companies was within their “framework of activities” which constitutes an “establishment” on French territory.

Google and Amazon will no doubt contest these findings. In Google’s case, the company will argue that it was trying to comply with a moving target of cookie guidelines, MLex understands. The appeals may well reach the EU’s top court on questions of jurisdiction.

However the cases turn out, they also highlight how out of date the 18-year-old e-privacy legislation is. An update, proposed by the European Commission in January 2017 and intended to coincide with the GDPR the following year, has been held up by intractable disagreements between EU policymakers.

Until the law is updated, EU regulation of the Internet will remain mired in legal uncertainty, stuck between the strict but broad GDPR and the more specific but laxer e-privacy rules.

One-stop shop

The one-stop shop mechanism has been criticized by Ireland, its European counterparts and the commission as inefficient and lumbering.

Data-protection authorities that want to take action against Big Tech companies are frustrated because they can only forward complaints from users to Ireland or Luxembourg. While they can offer their assistance to the lead authority, they have no power to investigate data-processing complaints on their own.

The Irish Data Protection Authority, which is probing Google, Twitter and Facebook, hasn’t landed a single major punch on these companies. The probes are hampered by procedural difficulties and, in the case of Twitter, problems with getting decisions through the one-stop-mechanism.

The mechanism also leaves open the question of which regulator should deal with cases involving these companies in only one country: Should it be that country’s regulator, or should the case still go to the country of the company’s EU establishment? That very question is being considered by the EU’s top judges in a case between Facebook and Belgium.

Workaround

Given this background, it’s hardly surprising that the French regulator has sought to sidestep the GDPR.

The CNIL has been pursuing companies over their use of website cookies since the GDPR entered into force. Besides US tech companies, the French regulator has also pursued local heavyweights: Last month, it fined retail giant Carrefour about 3 million euros for various GDPR violations and the French rules governing the use of cookies.

It issued guidelines in 2019 on how companies should comply with the rules regarding cookies; these were revised in June 2020 after being partially overturned by the Council of State, France’s highest administrative court.

The final guidelines were issued in October this year, and companies were given a six-month grace period before enforcement. But the CNIL told companies today that it would “fully monitor compliance with other obligations” that weren’t part of the revised guidelines “and, if necessary, to adopt corrective measures to protect the privacy of individuals”.

In the case of Google and Amazon, these obligations weren’t part of the new guidelines issued in October and were therefore fair game for sanctions, the CNIL said.

Despite the GDPR’s limitations on national authorities to pursue Big Tech, the CNIL has shown that it’s capable and savvy enough to use all of its powers to get results. This power will surely be noticed by French citizens and in Silicon Valley boardrooms.