France is going after the pesky online trackers known as cookies — and showing the world it’s not afraid to flex its muscles against Big Tech.
By announcing fines of €150 million for Google and €60 million for Facebook early on Thursday, the French privacy watchdog CNIL went much further than other EU watchdogs have gone to rein in the trackers, which allow advertisers to target people with tailored ads as they move around the internet.
The fines — first reported by POLITICO and levied for failing to allow French users to easily refuse cookies — come after the CNIL made tackling the tracking technology a key priority in early 2021. Cookies, the tracking tools responsible for irritating consent pop-ups and ads that follow you around the internet, are regularly decried as the scourge of the web, one that Paris has vowed to stamp out.
Blocked by Europe’s flagship General Data Protection Regulation from acting directly against some of the internet’s biggest players because of that rulebook’s enforcement mechanism, the French watchdog has chosen to use another set of EU privacy rules to rein in widespread cookie practices.
Under the e-Privacy Directive, the CNIL is free to take direct action against companies that otherwise would be overseen by the Irish Data Protection Commission, because the GDPR gives prime enforcement power to the country where the company is legally established. Many tech companies have their EU bases in Dublin.
“This topic is really a priority of our control policy this year, and if necessary these controls could be followed by formal notices, public or not, and financial penalties, public or not,” CNIL boss Marie-Laure Denis said in an interview last year.
As part of that drive, the watchdog has already imposed almost €350 million in financial penalties against Big Tech (it fined Google, again, and Amazon in late 2020), and warned more than 90 companies about their lack of compliance with cookie rules. So far, that trumps Ireland’s total of just over €225 million in fines against Big Tech, meted out in penalties for Twitter and WhatsApp for GDPR failures.
The French regulator has so far zoned in on two key violations: failing to allow users to refuse cookies as easily as it is to accept them, and automatically placing cookies on people’s devices before they even have a chance to accept or refuse them. These are widespread violations across the web, but so far only the CNIL seems serious about tackling them.
The CNIL’s forceful action is turning heads.
“I think the CNIL is demonstrating leadership on this matter by taking action against bigger tech companies,” said Pat Walshe, a cookies expert.
He added that the regulator is sending a message that “change is necessary now” and nudging companies to do better.
Similarly, Floor Terra, a privacy consultant who used to work at the Dutch privacy regulator, said France is “clearly ahead” on enforcement of cookie rules.
Unequal powers
To be fair to other European data protection authorities, not all have been given the same powers as the French when it comes to cookies.
While the GDPR gives European data protection agencies nearly identical enforcement powers, the e-Privacy Directive, which the CNIL is using to crack down on cookies, is enforced differently across the bloc because it has yet to be updated to bring it in line with the GDPR.
Spain, for instance, has also embarked on an impressive crackdown on cookies, but its data protection agency can’t hope to match France’s headline-grabbing action: The maximum fine it can deliver is a fraction of the punishment the CNIL can mete out.
Ireland’s Data Protection Commission — which is tasked with enforcing the GDPR against the majority of big tech companies, including Facebook, Google and Apple — is even further hamstrung by its version of the e-Privacy rules.
The Dublin regulator can’t issue fines directly. It can only issue an enforcement notice which must be taken up by a court before it can be translated into a fine. France’s CNIL was able to act directly against Google and Facebook precisely because it has strong fining powers under France’s transposition of the e-Privacy rules. Had the case been brought under the GDPR, Paris would have had to pass enforcement to Dublin due to the one-stop-shop mechanism.
In some jurisdictions, the data protection authority can’t enforce cookie rules at all since e-Privacy is handled by a different regulator, like the telecoms agency.
For Walshe, the fractured approach to cookies across the bloc shows the need to update e-Privacy rules. An e-Privacy Regulation was meant to come online in 2018 in tandem with the GDPR, but has been blocked in the EU rulemaking machine due to persistent disagreements between MEPs and national capitals on key aspects of the file.
In private, some EU officials say that an updated e-Privacy regulation may never see the light of day, now that other digital rulebooks are seen as a bigger priority.
France, which now has the rotating presidency of the EU, is not pressing to bring e-Privacy over the line. Officials have said the law isn’t a priority and is unlikely to be finalized during the six-month presidency.
“This demonstrates the need for a regulation. [e-Privacy] is now in trialogue, and the French now have the presidency for the next six months. They should get it agreed,” Walshe said.
Want more analysis from POLITICO? POLITICO Pro is our premium intelligence service for professionals. From financial services to trade, technology, cybersecurity and more, Pro delivers real time intelligence, deep insight and breaking scoops you need to keep one step ahead. Email pro@politico.eu to request a complimentary trial.
Source: Politico