One-Stop-Shop: the Conseil d’Etat rules in favour of the CNIL’s ability to impose sanctions

The Conseil d’État, France’s highest public court, has confirmed that the Commission nationale de l'informatique et des libertés (the “CNIL”) validly sanctioned Amazon in 2020 for cookie violations. In doing so, the Conseil d’État has confirmed that the CNIL is able to apply sanctions outside of the one-stop-shop principle, following on from its earlier decision for Google in January 2020.

Background

In December 2020, the CNIL fined Amazon Europe Core €35 million for violating Article 82 of “Loi n° 78-17 relative à l’informatique, aux fichiers et aux libertés” (the “French DPA”). Amazon had been found to have been placing cookies on users’ computers without obtaining prior consent or providing them with satisfactory information. Several of these cookies were used for advertising purposes.

The Privacy and Electronic Communications Directive 2002/58/EC, also known as the “ePrivacy Directive”, has been transposed into French national law. Article 82 of the French DPA provides that users “must be informed in a clear and comprehensive manner” of the processing purpose and the right to oppose it. In this way, Article 82 imposes an obligation to obtain the consent of users before any use of cookies or other trackers.

The CNIL pointed out several issues regarding the practices of Amazon:

  • a substantial number of cookies were automatically placed on users’ computers when they visited the “Amazon.fr” website, even though the cookies were not essential to the service offered and users had not given their consent.

  • the information banner “by using this website, you accept our use of cookies allowing to offer and improve our services. Read More.” was not sufficient. This banner did not adequately inform users residing in France about the cookies, the purposes of the cookies and the possibility of refusing them. The information disclosed about the purposes was only vague and approximate.

  • the same cookies were placed without prior consent when users visited “Amazon.fr” after clicking on an ad published on another website, which also constitutes a breach of the regulations.

The issue with the CNIL’s fine, however, was that Amazon believed this went outside of the scope of the one-stop-shop principle.

What is the principle of the “one-stop shop” mechanism?

The one-stop shop mechanism was introduced by the General Data Protection Regulation (EU 2016/679) (the “GDPR”). This rule means that organisations that carry out cross-border personal data processing activities will be regulated by one supervisory authority, called the ‘lead supervisory authority’, usually based on where their main establishment is located. The objective of the mechanism is to allow for consistency: organisations with several establishments throughout the European Union (EU) should not be faced with inconsistent decisions made by different local supervisory authorities, which would make it harder to put in place compliant procedures.

It is essential to consider the definition of “cross-border processing” under the GDPR in order to better understand the concept of the one-stop shop mechanism. Article 4(23) of the GDPR defines two types of processing:

  • the processing of personal data, by a controller or a processor, that occurs within the activities of establishments in more than one Member State of the EU. The controller or processor has to be established in more than one EU Member State.

  • the processing of personal data, by a controller or a processor, that takes place in the context of the activities of a single establishment. This processing has to substantially affect, or be likely to substantially affect, data in more than one EU Member State.

Effectively, organisations dealing with these processing activities will have to determine the location of their main establishment in the EU to benefit from the one-stop shop mechanism, by complying with that Member State’s regulations. It is recommended that companies make an overview of their different establishments to determine which Member State’s “shop” has power regarding the purposes and means of the personal data processing. However, a mere representative of the organisation in an EU Member State is not sufficient to benefit from the “one-stop shop mechanism”. Also, a non-EEA based controller-processor subject to the GDPR cannot apply the principle to their organisation.

The lead supervisory authority is in charge of dealing with the cross-border processing activities of that specific organisation. For example, it will answer any complaints made by a data subject about the processing of their personal data and conduct any investigation into the activities of the business.

What was the opinion of the Conseil d’État?

By a ruling of 27 June 2022, the Conseil d’État confirmed the decision made by the CNIL regarding the data protection law breaches. In addition, the Conseil d’État gave its approval on the amount of the fine, stating that it was proportionate to the seriousness of the breaches, the scope of the processing and the financial means of the company. 

Therefore, in line with its previous decision for Google in Jan 2021, the Conseil d’État confirmed that the CNIL is competent to sanction cookies outside the so-called “one-stop shop mechanism” established by the GDPR. Although the lead supervisory authority of Amazon is not in France, the company must modify its policy on cookies to respect Article 82 of the French DPA.

What are the consequences of these decisions in France?

The CNIL is now able to take action on the grounds of Article 82 of the French DPA, even if the data controller is not established in France but has an establishment on French territory, in relation to processing activities. In the case of Amazon, the CNIL analysed the activities of promotion and commercialisation of advertising tools.

From this, a fine can be imposed on a data controller that has an establishment in France which doesn’t comply with the French DPA, in particular the duty to inform users about an action to obtain information.

The CNIL has commented that it is important to remember that the French DPA and its regulations existed before the GDPR, potentially explaining its mission to impose them and sanction Amazon, creating a precedent, in order to maintain its national law.

Contact us at info@gerrishlegal.com if you have any questions regarding your business’ international frameworks!

Article by Ophélie Lejeune, Legal Intern at Gerrish Legal.
