France: CNIL is competent to impose fine outside of the GDPR One-Stop-Shop

France's Council of State has confirmed that France's DPA has competence to impose sanctions on cookies outside of the so called One-Stop-Shop under the EU GDPR.

In a case concerning Amazon Online France, the Council said that the CNIL is competent even in cases where the data controller is not established in France, but has an establishment on French territory that is processing personal data of individuals residing in France.

Amazon Europe Core was fined €35 million in 2020 for depositing cookies on users' computers without their prior consent.
The Council of State considers that the amount of the fine imposed by the CNIL is not disproportionate to the seriousness of the breaches, the scope of the processing and the financial capacity of the company.

See CNIL - Cookies: the Council of State confirms the 2020 sanction imposed by the CNIL against Amazon

Winds of Change, Privacy Laws & Business International Conference, 4-6 July, discusses issues around GDPR enforcement. Sessions include:

A national regulator’s perspective: Enforcement actions of the CNIL on EU/US data transfers, including cloud service providers
Speaker: Emilie Brunet, Legal Advisor, International Service, CNIL, France.