France’s DPA fines Google €100 million and Amazon €35 million for breach of cookie rules



The CNIL, France’s Data Protection Authority, has imposed a €60 million fine on Google LLC, €40 million on Google Ireland Ltd, and €35 million on Amazon.

The fines, announced today, relate in particular to the placing of advertising cookies on users’ computers without prior consent when using google.fr search engine, or visiting amazon.fr. The regulator says that in both cases there was also lack of information provided to the users of the search engine google.fr and on the website amazon.fr.

Regarding Google, while Google LLC is established in California, it develops the search engine Google Search. Google has based its European headquarters in Ireland, and Google France is the establishment of Google LCC in France.

The CNIL says it is materially competent to control and sanction cookies placed by the companies on the computers of users living in France. The GDPR cooperation mechanism did not apply here as the operations related to cookies fall under the e-Privacy Directive, transposed in Article 82 of France’s Data Protection Act.

The CNIL’s committee, responsible for imposing sanctions, says that the CNIL is also territorially competent, because the use of cookies is carried out within the "framework of the activities" of Google France, which is the “establishment” of the companies Google LLC and Google Ireland Ltd on French territory and which promotes their products and services.

It also considered that Google LLC and Google Ireland are jointly responsible since they both determine the purposes and means related to the use of cookies.
The CNIL is on a year-end enforcement spree; at the end of November, it fined Carrefour France €2,250,000 and Carrefour Banque €800,000 euros for GDPR infringements.

See: