Sun, Feb
59 New Articles

Dramatic Fines for Google and Amazon for Violating Cookie Rules

Dramatic Fines for Google and Amazon for Violating Cookie Rules

  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

In December 2020, the French Data Protection Authority (Commission nationale de l’informatique et des libertés or the “CNIL”) imposed significant fines of EUR 60 million for Google LLC and EUR 40 million for Google Ireland Limited, as well as of EUR 35 million for Amazon Europe Core.

Google LLC and Google Ireland

The CNIL fined them due to: a) their negligence to obtain the consent of users of the French version of Google search engine (google.fr) before setting advertising cookies on users’ devices, b) the lack in providing users with adequate information about the use of cookies, and c) because of their alleged failure to implement a fully effective opt-out mechanism to enable users to refuse cookies. Precisely, the CNIL’s inspection of the google.fr website revealed that, when users visited that site, seven cookies were automatically set on their device. Four of these cookies were advertising cookies.

Google LLC argued that Google Ireland Limited is solely responsible for those operations because Google LLC is a processor. Following the CNIL’s investigation, the CNIL found that Google LLC exercises a decisive influence in those decision-making bodies and that Google LLC also participates in the determination of the means of processing (since Google LLC designs and builds the technology of cookies set on the European users’ devices). The CNIL concluded that Google LLC and Google Ireland Limited are joint controllers, and consequently, both Google LLC and Google Ireland Limited were deemed jointly responsible for the use of cookies as both were considered to exercise decision-making power in relation to data processing concerning users located in France.. 

Amazon Europe Core 

On the same date, the CNIL announced that the CNIL fined Amazon Europe Core under the same rules for its alleged failure to: a) obtain the consent of users of the amazon.fr site before setting advertising cookies on their devices, and b) provide adequate information about the use of cookies. Namely, the investigation revealed that, whenever users first visited the home page of the amazon.fr website or visited the site after they clicked on an ad published on another site, more than 40 advertising cookies were automatically set on their device. These cookies were not set with user consent and could not remove them entirely.

Amazon Europe Core tried to argue (among other arguments) the CNIL jurisdiction by pointing out that the competent authority should be Luxembourgian data protection authority, keeping in mind that the seat of Amazon Group in Europe is set in Luxemburg, which argument did not pass. 

Breach of the French Data Protection Act

According to the CNIL, the mentioned companies did not provide users with information regarding the cookies that were already set on their device. Furthermore, the CNIL found that: a) the information provided to users does not enable them to understand the type of content and ads that may be personalized based on their behavior, and b) Google and Amazon also failed to provide clear information about how the online trackers would be used, and how visitors to the French websites could refuse the cookies.

In both cases, the CNIL took into account the seriousness of the breaches of the French Data Protection Act and the high number of users affected by those breaches. Furthermore, the CNIL wanted to enforce their ruling by ordering a periodic penalty payment of EUR 100,000 for each day of delay in complying with the injection.

The mentioned companies have four months to appeal the respective decision before France’s highest administrative court. Hence, this legal battle is still ongoing.

This text is for informational purposes only and should not be considered legal advice. Should you require any additional information, feel free to contact us.

By Katarina Zivkovic, Senior Associate, and Katarina Askic, Junior Associate, Samardzic, Oreski & Grbovic

Serbia Knowledge Partner

The oldest full service commercial law firm in Serbia, founded in 1991, JPM with three decades of experience in assisting local and international businesses presence and growth not only in Serbia but throughout the SEE region.

We have accumulated a wealth of knowledge in every industrial and corporate sector, from energy to banking, transport, manufacturing and telecommunications, while remaining true to a pioneering spirit that has always drawn us to follow the latest trends and developments in providing of our services to clients. Today we use the latest legal tech available in serving our clients and are expanding our services to clients from growing industries such as renewable energy, IT and life sciences, by offering innovative solutions and a pro-active approach to broaching new grounds.

Our expertise, experience, and commitment to professional excellence mean we are routinely involved in landmark cases and transactions, while our high standing among clients and peers sees us ranked among the leading law firms by independent guides such as Chambers & Partners, Legal 500, and IFLR1000.

We are known for working closely with clients and treating their problems as our own. Our lawyers pride themselves on being team players, fast and available, specialised in terms of practice area and industry, but versatile and creative in their thinking. We believe our advice should be tailor-made and that even the thorniest issue has a legal solution.

Our membership of Lex Mundi (the world’s premiere network of independent law firms) and the TLA (a regional alliance of leading firms from Slovenia, Croatia, Bosnia and Herzegovina, Montenegro, North Macedonia, and Serbia) means we have close working relationships with first-rate firms throughout the region and around the world, enabling us to operate as the perfect hub for SEE and other multi-jurisdictional transactions.

Firm's website: http://jpm.rs/

Our Latest Issue