Date: 2022-01-06



Chalk up another one for decentralized enforcement: France’s data protection watchdog has hit Facebook and Google with headline-grabbing fines for failing to respect local (and pan-EU) cookie consent rules.

Today, the CNIL announced that it has investigated how users of google.fr, youtube.com and facebook.com are offered tracking choices, found violations of French law, and fined Google €150M (~$170M) and Facebook €60M (~$68M).

Regulators said they were acting after receiving many complaints.

In a clear violation of EU and French law, it found that the pair do not offer users an option to reject non-essential cookies that is as easy as the option they provide to accept all tracking.

That is, the tech giants used manipulative dark patterns to try to force consent.

This is an exemplary excerpt from a CNIL press release:

“… The information provided by the company is not clear, as Internet users must click a button titled “Accept Cookies” that appears in the second window in order to refuse the saving of cookies. It considered that such a title was inevitably confusing and that users might feel it is impossible to refuse the deposit of cookies and that they have no way to manage them.

The restricted committee has determined that the method of collecting consent proposed to the user, and the lack of clarity of the information provided to the user, constitute a breach of Article 82 of the French Data Protection Act.”

Under EU law, strict standards must be met if consent is the claimed legal basis for processing people’s data: to be obtained lawfully, consent must be informed, specific and freely given.

Long-standing complaints against Facebook and Google over similarly problematic consent issues are still languishing on the desk of Ireland’s Data Protection Commission (DPC), which, under the One-Stop-Shop (OSS) mechanism of the EU’s General Data Protection Regulation (GDPR), is a semi-centralized enforcer for most of big tech.

Because the OSS encourages forum shopping, the DPC has been accused of becoming a bottleneck for effective GDPR enforcement and regulatory oversight of tech giants.

Notably, the CNIL is acting against Facebook and Google under an earlier piece of EU law, the ePrivacy Directive, which empowers national authorities to act within their own territory. As a result, France continues to find creative ways to apply GDPR-level data protection standards domestically, even while GDPR enforcement is blocked by the OSS and Ireland.

The irony here is that Google and Facebook have been involved in lobbying to delay a planned update to the ePrivacy Directive, which was supposed to be replaced by a regulation, as previously reported.

Despite being proposed in 2017, the ePrivacy Regulation has still not been adopted. This creates an inconsistency between EU laws. However, Member State-level regulators such as the CNIL retain decentralized authority to sanction Big Tech at home under the ePrivacy Directive and are free to enforce ePrivacy rules within their own jurisdiction. So, uh, oops! This is a pretty expensive mistake, at least for Facebook and Google in France.

The French regulator has been particularly busy on this front. In December 2020, it fined Google €100M for dropping tracking cookies without consent. At the same time, it stung Amazon for €35M over the same issue.

Earlier, the CNIL was able to impose an early GDPR fine on Google. That was before the company, noticing its legal exposure, switched the legal entity that processes EU users’ data from the United States to Ireland, moving its regional business under the DPC’s “less muscular” oversight.

So far, Google has not faced a single GDPR sanction from Ireland, despite a number of very substantive and very long-running complaints having been filed against it, including over forced consent, its processing of location data, and its adtech.

Complaints keep piling up: against tech giants over systematic violations of EU data protection law; against the DPC over its embarrassingly thin enforcement record, including recent allegations of corruption levelled at Ireland; and against the Commission itself, which has been accused of failing to monitor enforcement of the GDPR at the Member State level.

My reply to Didier Reynders, European Justice Commissioner, on 14 December is now open to the public. The Commission must act to uphold the Data Protection Act. His recent letter to MEP covered by @vmanancourt is embarrassing. https://t.co/kt2nkfV8Se

— Johnny Ryan (@johnnyryan) January 5, 2022

The European Commission did intervene verbally at the end of last year, directly warning data protection agencies that enforcement of the GDPR needs to become “effective” quickly. Otherwise, it suggested, DPAs would face being stripped of such powers in favor of centralized enforcement by the EU’s executive.

At the same time, Google and Facebook were also blasted by the Commission, which accused the adtech giants of choosing legal tricks over true adherence to the bloc’s privacy standards. Commissioner Věra Jourová warned that they need to take data seriously: “I want to see full compliance, not legal tricks. It’s time to tackle the task head-on instead of hiding behind small print.”

However, despite firing off some potshots, the Commission seems reluctant to actually intervene and sanction Ireland. So Member States like France are left to press the issue in another way: by having agencies that not only talk about what is happening but actually enforce.

(See also, for example, the tough action France’s competition watchdog has been taking against Google.)

In addition to today’s headline-grabbing fines, the CNIL has ordered Facebook and Google to change how they present cookie choices to French users. The pair have been given three months to provide local users with a means of refusing cookies that is as easy as the existing means of accepting them, “to guarantee their freedom of consent”.

Failure to comply with the order will result in an additional penalty of €100,000 per day of delay.

CNIL has been focusing on cookie consent for some time.

The regulator set a deadline of March 31, 2021 for websites to comply with the updated cookie guidance it published in October 2020. It is related to the violation of the law regarding cookies.

Ireland also published updated cookie guidance, in April 2020, stipulating that websites and data controllers would have six months to comply before it would take enforcement action.

However, the DPC again appears to be all mouth and no trousers. No official sanctions appear to have been taken against commercial organizations in connection with cookie consent breaches (and nothing against Facebook or Google in this regard).

DPC’s decision on Facebook-owned WhatsApp, published late last year, focused on transparency breaches.

(Its final penalty for WhatsApp, $267 million, was also increased significantly after intervention by other EU DPAs and the European Data Protection Board; the Irish decision had only proposed a fine of up to €50 million. Facebook, meanwhile, is seeking to avoid the sanction by challenging it.)

Asked for comment on the CNIL’s cookie consent sanction, a Meta/Facebook spokesperson said:

“We are considering the decision of the authorities and are continuing to work with relevant authorities. Our cookie consent controls give people more control over their data, including a new settings menu on Facebook and Instagram where users can revisit and manage their decisions at any time. We continue to develop and improve these controls.”

The tech giant also pointed to an announcement last September about a local “cookie control” update, which it said gives Europeans “more control over the choice of cookies”, covering different types of cookies, including information received from other apps and websites.

“This work is part of an ongoing effort to enable people to have more control over their privacy and meet evolving privacy requirements such as the General Data Protection Regulation (GDPR) and the ePrivacy Directive (ePD),” it added at the time.

Whatever particular tweaks Facebook made at the time, the change doesn’t seem to have impressed the French.

At the time of writing, Google had not responded to a request for comment on the CNIL’s sanction, but we will update this report if it does.

Update: A Google spokesperson said:

“People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and, in light of this decision under the ePrivacy Directive, we are working on further changes and proactive efforts with the CNIL.”

