This case raises important legal issues in terms of a) territoriality of e-privacy rules; b) the interpretational relationship between the e-Privacy Directive and the GDPR (in particular on the notion of freedom of consent); c) the ambiguous lawfulness of “cookie walls” under the existing EU data protection legislation.
These two CNIL deliberations are just one more episode in the long “saga” of the CNIL’s activity against big tech companies over cookie walls and data subjects’ freedom of consent. In January 2019, the CNIL had already imposed a 50 million euro penalty on Google for the lack of valid consent for ads personalisation under the GDPR (not the e-Privacy Directive). In that case, the CNIL observed that Google, when processing data for marketing purposes, collected data subjects’ consent that was invalid under Article 7 GDPR for two reasons: the consent was not adequately informed (the relevant information about the data processing was accessible only after several steps and hyperlinks and was not clearly intelligible), and it was not “specific and unambiguous”, because the specific different purposes were not clarified and the data subject could decide about ads personalisation options only after several steps and clicks (and the option was, in any case, a pre-ticked box).
As regards the specific issue of cookies and compliance with the e-Privacy Directive, France has been a central battlefield for the crucial question: are cookie-walls allowed under EU data protection law or not? Under the e-Privacy Directive and Article 82 of the French Law, cookie-related data processing should be based on consent, but:
- for cookies that facilitate the electronic communication or are necessary for the provision of internet services, consent is not necessary;
- for other (e.g., ads-based) cookies, consent may result from appropriate parameters of the user’s connection device or any other device placed under the user’s control;
- recital 25 of that directive stated that “access to specific website content may still be made conditional on the well-informed acceptance of a cookie or similar device, if it is used for a legitimate purpose”.
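This set of provisions seems compatible with cookie-walls, i.e. imposing cookies on the data subject as a condition for accessing a website. However, the approval of the GDPR in 2016 has given much more importance to the freedom of consent for data processing: if the provision of a service (including access to website content) is conditional on the data subject’s consent to the processing of unnecessary personal data, that consent is probably not free (Article 7(4)). In addition, withdrawing consent should never lead to adverse effects for the data subject (i.e., denying access to a website to subjects who refuse their consent should not be permitted) (recital 43).
This conflict of norms (cookie walls formally permitted by the e-Privacy Directive and substantially prohibited by the GDPR) has been addressed by the European Data Protection Board in different documents (see, most recently, Guidelines 5/2020), which emphasized that the new concept of freedom of consent (in the GDPR) should inspire a more restrictive interpretation of the cookie-wall rules in the e-Privacy Directive: it is possible to make only specific contents of a website conditional on the data subject’s consent to cookies, but generalized cookie-walls seem to violate the notion of valid consent under the GDPR. At the same time, the CJEU in the Planet49 case (2019) affirmed that the data subject’s consent for cookies is not validly constituted if it is based on a pre-checked checkbox which the user must deselect to refuse his or her consent.
These Solomonic interpretations have led national Data Protection Authorities to take firmer steps: in July 2019 the CNIL declared any form of cookie-wall unlawful. This decision was invalidated in June 2020 by the French Conseil d’Etat, which affirmed that the CNIL had abused its power. As a reaction, in September 2020, the CNIL released new Guidelines affirming that a cookie wall “is likely to infringe, in certain cases, the freedom of consent”. Thus, “if a “cookie wall” is set up, and subject to the lawfulness of this practice which must be assessed on a case-by-case basis, the information provided to the user should clearly indicate the consequences of her choices and in particular the inability to access content or service without consent” (italics added).
Thus, trying to reconcile the GDPR with the e-Privacy Directive, and at the same time the EDPB’s Guidelines with the Conseil d’Etat’s admonishments, the CNIL adopted a case-by-case compromise on cookie-related data processing. However, while such a case-by-case approach might appear advantageous for data controllers (because it is not a strict prohibition of cookie-walls), there is another side to the coin: depending on the circumstances of the case, in some specific contexts even “de facto” cookie-walls (i.e., informational architectures that make the refusal of cookies very difficult) might be abusive and unlawful. That is the case of the deliberation of 7 December 2020, which is also the first opportunity for the CNIL to enforce its new “cookie Guidelines” of 17 September 2020.
Why penalties were imposed on Google and Amazon
The declared violations of the GDPR by Google and Amazon concern two aspects: information duties and the lawfulness of cookie policies. What the CNIL seems to suggest is that the two big tech companies created “de facto” cookie-walls that are unlawful.
In sum, the CNIL argues that the whole informational architecture of the two big tech companies for cookie collection is not based on a transparent opt-in system (which is the only acceptable one) but on an opaque opt-out system, which results in an obstacle race for data subjects.
The territorial scope of the CNIL’s activity and the applicability of French Law were also a topic of discussion. Google affirmed that, under the GDPR, the cooperation mechanism requires that the Data Protection Authority of the Member State where Google has its main establishment (Ireland) should take the lead in the infringement procedure (i.e. the Irish Data Protection Authority). Amazon claimed that, since its main establishment is in Luxembourg, it respects Luxembourgish legal rules on cookies and should not be asked to respect French rules (which, by the way, are more restrictive and severe).
The CNIL rejected both arguments: cookie-related personal data are regulated by the e-Privacy Directive, to which the cooperation mechanism indicated by the GDPR cannot apply. In addition, the e-Privacy Directive allows (at Article 15a) Member States to determine, under their national law, the procedures to enforce e-privacy rules. Accordingly, each Member State can follow its own national rules (implementing the EU directive). The applicability of French Law and the competence of the CNIL are evident since cookies are installed in the hardware devices of data subjects who are in France: the data processing happens in France and, thus, the territoriality principle of the French Loi Informatique et Libertés (Article 3) is respected.
These two CNIL decisions are important not only for the size of the sanctions, but also because they are the first important CNIL deliberations after the CJEU’s Planet49 case and after the difficult sequence of CNIL Guidelines (of 2019 and 2020) against cookie walls.
Looking at the broader picture, this last episode of the long and vibrant saga about cookie rules in Europe makes clear the urgency of a reform of the e-Privacy Directive. The prohibition of cookie walls is not explicit in EU law (the e-Privacy Directive seems to tolerate them, in conflict with the GDPR’s notion of consent as interpreted by the EDPB). In addition, it is not clear why the procedural rules of the GDPR (e.g., the cooperation mechanism) cannot be applied to the e-privacy rules too, which are instead fragmented into many different national rules (that are often incompatible with each other). However, an EU reform of e-privacy rules still seems far from being approved.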
Why Google and Amazon were imposed penalties
The declared violations of the GDPR by Google and Amazon concern two aspects: information duties and lawfulness of cookies policies. What the CNIL seems to suggest is that the two big tech companies create some “de facto” cookie-walls that are unlawful.
In sum, the CNIL argues that the whole informational architecture of the two big tech industries for cookie collection is not based on a transparent opt-in system (which is the only acceptable one) but on an opaque opt-out system, which results in an obstacle race for data subjects.
The territorial scope of CNIL’s activity and of French Law applicability was also a topic of discussion: while Google affirmed that under the GDPR the cooperation mechanism imposes that the Data Protection Authority of the Member State where Google has its main establishment (Ireland) should take the lead of the infringement procedure (i.e. the Irish Data Protection Authority); Amazon claimed that since its main establishment is in Luxembourg, it respects Luxembourgish legal rules on cookies and should not be asked to respect French rules (which, by the way, are more restrictive and severe).
The CNIL rejected both the argument: cookie-related personal data are regulated by the e-Privacy Directive, where the cooperation mechanism indicated by the GDPR cannot apply. In addition, the e-Privacy Directive allows (at Article 15a) Member States to determine, under their national law, the procedures to enforce e-privacy rules. Accordingly, each Member State can follow its own national rules (implementing the EU directive). The applicability of French Law and the competence of the CNIL are evident since cookies are installed in the hardware devices of data subjects who are in France: the data processing happens in France and, thus, the territoriality principle of the French Loi Informatique et Liberté (Article 3) is respected.
These two CNIL decisions are important not only for the entity of the sanctions, but because they are the first important CNIL deliberations after the CJEU case Planet49, but also after the difficult sequence of CNIL Guidelines (of 2019 and 2020) against cookie walls.
Looking at the broader picture, this last episode of the long and vibrant saga about cookie rules in Europe clarifies the urgency of a reform of the e-Privacy Directive. The prohibition of cookie walls is not explicit in EU law (the e-Privacy Directive seems to tolerate them in conflict with the GDPR’s notion of consent – as interpreted by the EDPB–). In addition, it is not clear why the procedural rules of the GDPR (e.g., the cooperation mechanism) cannot be applied to the e-privacy rules too, which are instead fragmented in many different national rules (that are often incompatible each other). However, a EU reform of e-privacy rules seems still far to be approved.