In December 2020, the French Data Protection Authority (Commission nationale de l’informatique et des libertés or the “CNIL”) imposed significant fines of EUR 60 million on Google LLC and EUR 40 million on Google Ireland Limited, as well as EUR 35 million on Amazon Europe Core.
Google LLC and Google Ireland
Amazon Europe Core
Amazon Europe Core tried to contest (among other arguments) the CNIL’s jurisdiction by pointing out that the competent authority should be the Luxembourg data protection authority, given that the seat of the Amazon Group in Europe is in Luxembourg. This argument did not succeed.
Breach of the French Data Protection Act
According to the CNIL, the mentioned companies did not provide users with information regarding the cookies that were already set on their devices. Furthermore, the CNIL found that: a) the information provided to users did not enable them to understand the type of content and ads that may be personalized based on their behavior, and b) Google and Amazon also failed to provide clear information about how the online trackers would be used, and how visitors to the French websites could refuse the cookies.
In both cases, the CNIL took into account the seriousness of the breaches of the French Data Protection Act and the high number of users affected by those breaches. Furthermore, the CNIL sought to enforce its ruling by ordering a periodic penalty payment of EUR 100,000 for each day of delay in complying with the injunction.
The mentioned companies have four months to appeal the respective decision before France’s highest administrative court. Hence, this legal battle is still ongoing.
By Katarina Zivkovic, Senior Associate, and Katarina Askic, Junior Associate, Samardzic, Oreski & Grbovic