The CNIL sanctions: a costly end to the year!
With the new guidelines and recommendations published by the CNIL on 1 October 2020 applicable as of March 31, 2021, zero tolerance is required!
There is a growing number of examples of companies being sanctioned.
The culprit: failure to comply with the French Data Protection Act (Loi Informatique et Libertés) and GDPR.
International companies
The Google case
On December 7, 2020, the French CNIL fined Google LLC and Google Ireland Limited a total of 100 million euros, for non-compliance with the legislation on the placement of trackers on Internet users' computers and for a lack of information on the processing of the personal data collected.
A sad record for the American giant!
What are they accused of?
Three violations of Article 82 of the French Data Protection Act:
- The deposit of cookies without prior consent
When a user accessed the google.fr page, cookies for advertising purposes were automatically deposited on his computer, without him having accepted or refused this action.
- Lack of information for users
When accessing the google.co.uk page, the "Google Privacy Policy Reminder" banner had two buttons, "Remind me later" and "View now". No information was provided to the user about the automatic placement of advertising cookies upon arrival on the site, either on the banner or in the "View now" tab.
- Partial failure of the opposition mechanism
When ad personalization was disabled by the user via the "View now" button, an ad cookie remained stored on the user's computer and continued to send information to the server to which it was linked.
What's next?
The CNIL noted that an update had been made in September 2020, and that advertising cookies were no longer automatically deposited on Internet users' computers.
However, according to the institution, the changes made to the information notice are not sufficient and still do not allow Internet users to be aware of the usefulness of the cookies deposited on their computer and the possibility of refusing them.
Therefore, the Google Group had to comply within three months of the notification, or else be fined €100,000 per day of delay.
However, Google challenged the CNIL in summary proceedings before the Council of State to request the suspension of the execution of this deliberation of 7 December 2020. During the hearing that took place on Thursday, February 11, 2021, Google defended the urgent nature of its request. It criticized the CNIL in particular for a double discourse: on the one hand, asserting that its request for compliance is part of a known framework, and on the other hand, delaying its opinion on the proposals Google sent on December 18. The CNIL had promised a response by February 15, within the three-month deadline set by the deliberation for compliance, after which the daily penalty of 100,000 euros would be applied.
In an order dated March 4, 2021, the Conseil d'Etat's interim relief judge ruled on Google's request. He began by analyzing the point that Google was contesting the CNIL's jurisdiction over this case, arguing that it fell within the scope of the "one-stop shop" mechanism provided for by GDPR and therefore the Irish data protection authority. The judge rejected this point. Consequently, he did not even analyze the other arguments relating to the urgent nature of the request.
The Amazon case
The e-commerce giant was fined 35 million euros by the CNIL on December 7, 2020, for failing to comply with the legislation on cookies and providing insufficient information about the purposes of the trackers.
What is it accused of?
Two violations of Article 82 of the French Data Protection Act:
- The deposit of cookies without prior consent
When a user accessed the amazon.co.uk page, advertising cookies were automatically placed on his or her computer, without the user having accepted or refused this action.
- Lack of information for users
When accessing the amazon.co.uk page, the information banner with the words "By using this site, you agree to our use of cookies to provide and improve our services. Learn more" did not give the user precise and explicit information about the purpose of the cookies placed on his or her computer. The CNIL also noted that no information was given concerning the possibility of refusing the deposit of cookies.
What's next?
After taking into account the recent changes made to the amazon.fr site, particularly the non-automatic deposit of advertising cookies, the CNIL nevertheless considered that the new information banner still did not allow Internet users residing in France to understand that the cookies were intended for advertising purposes and that the possibility of refusing these cookies was not made explicit either.
Therefore, in addition to the administrative fine, the restricted panel also adopted an injunction under penalty to require the company to inform individuals in accordance with Article 82 of the Data Protection Act within three months of notification of the decision. If it fails to do so, the company will be liable to pay a fine of 100,000 euros per day of delay.
French companies
The cases of Carrefour France and Carrefour Banque
Carrefour France and Carrefour Banque were fined €2,250,000 and €800,000 respectively, following several complaints to the CNIL for non-compliance with GDPR.
What are they accused of?
1 - Failure to comply with article 13 of the GDPR
Clear information for users
Access to information on the processing of personal data was found to be very difficult to access and understand by consumers.
Information on data retention, transfer outside the European Union and the legal basis for processing was incomplete.
2 - Infringement of Article 82 of the French Data Protection Act
The deposit of cookies without prior consent
When a user accessed the Carrefour.fr page, advertising cookies were automatically placed on his or her computer, without the user having accepted or refused this action.
3 - Failure to comply with article 5.1.e of the GDPR
The time limit for data retention
Carrefour France did not comply with the data retention periods set for information sent to consumers. The data of almost 29 million consumers, inactive for more than 5 years, were still in the company's databases.
4 - Failure to comply with article 12 of the GDPR
The obligation to facilitate the exercise of rights
For any request to exercise a right, Carrefour France required proof of identity from consumers.
Several requests to exercise rights had also not been processed within the regulatory deadlines.
5 - Breach of articles 15, 17 and 21 of GDPR and L34-5 of the French Post and Electronic Communications Code
Respect for rights
Some requests from consumers for access to their personal data and others for deletion of data or to exercise their right to object were not followed up.
6 - Failure to comply with article 5 of the GDPR
Fair processing of data
When subscribing to the Pass card via Carrefour Banque, if the consumer also wished to join the loyalty programme, he or she had to tick a box indicating that his or her surname, first name and e-mail address could be sent to Carrefour France. However, the CNIL found that other data such as postal address and telephone number were also transferred.
What's next?
During the sanction procedure, the Carrefour group committed significant resources to bringing its entire customer journey into compliance with regard to consent to the processing of personal data.
The little ones also pay the bill!
The PerformeClic case
On December 31, 2020, the CNIL made public the penalty of €7,300 imposed on the company PerformeClic, for sending unwanted canvassing emails without prior consent.
What are they accused of?
1 - Failure to comply with Article 34-5 of the French Post and Electronic Communications Code
The obligation to obtain consent
The company PerformeClic was not able to provide proof of the collection of consent of the persons prospected.
2 - Failure to comply with article 5.1.c of the GDPR
Data minimization
Some data, not necessary for commercial prospecting by e-mail, have been kept by the company.
3 - Failure to comply with article 5.1.e of the GDPR
The time limit for data retention
Merely opening the prospecting e-mail, without any further action being taken, was enough for the Internet users' data to be kept for more than three years.
4 - Failure to comply with article 14 of the GDPR
Information for Internet users
No information was given to Internet users concerning the retention of their data, or even the procedure to follow to request their deletion.
5 - Failure to comply with article 21 of the GDPR
The right to object
No solution was offered to the Internet user to refuse the processing of his personal data.
6 - Failure to comply with article 28 of the GDPR
The relationship contract with a subcontractor
The contract between PerformeClic and its hosting provider contained none of the mandatory clauses.
What's next?
The CNIL asked the company to comply within two months, otherwise it would have to pay €1,000 per day of delay.