Back to Feed
GDPRJul 9, 2026

CE - 451423

Amazon fined €35M by French DPA for unlawful cookie use.

Summary

The French DPA fined Amazon Europe Core €35 million for unlawfully using cookies on its websites. The DPA found that Amazon failed to obtain prior consent and inform users about data processing, violating Article 82 of the French Data Protection Act, which implements the ePrivacy directive. Amazon appealed the decision, but the Conseil d'Etat upheld the sanction.

Full text

Help CE - 451423: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 17:33, 11 January 2023 view sourceKv (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators942 editsTag: Visual edit← Older edit Latest revision as of 11:15, 9 July 2026 view source Sfl (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators435 editsm Tag: Visual edit Line 37: Line 37: |EU_Law_Name_1=Article 49 TFEU|EU_Law_Name_1=Article 49 TFEU |EU_Law_Link_1=|EU_Law_Link_1=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12016ME%2FTXT |EU_Law_Name_2=Article 50 Charter of Fundamental Rights|EU_Law_Name_2=Article 50 Charter of Fundamental Rights |EU_Law_Link_2=|EU_Law_Link_2=https://eur-lex.europa.eu/eli/treaty/char_2012/oj/eng |EU_Law_Name_3=Article 56 TFEU|EU_Law_Name_3=Article 56 TFEU |EU_Law_Link_3=|EU_Law_Link_3=https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A12016ME%2FTXT |EU_Law_Name_4=Directive 2002/58/CE|EU_Law_Name_4=Directive 2002/58/CE |EU_Law_Link_4=https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=celex%253A32002L0058|EU_Law_Link_4=https://eur-lex.europa.eu/legal-content/FR/TXT/?uri=celex%253A32002L0058 Latest revision as of 11:15, 9 July 2026 CE - 451423 Court: CE (France) Jurisdiction: France Relevant Law: Article 55(1) GDPR Article 56 GDPR Article 83 GDPR Article 49 TFEUArticle 50 Charter of Fundamental RightsArticle 56 TFEUDirective 2002/58/CERegulation 2016/679Code de justice administrativeDécret n° 2019-536 du 29 mai 2019Loi n° 78-17 du 6 janvier 1978 Decided: 27.06.2022 Published: 27.06.2022 Parties: Amazon Europe Core CNIL National Case Number/Name: 451423 European Case Law Identifier: ECLI:FR:CECHR:2022:451423.20220627 Appeal from: CNIL (France)SAN-2020-013 Appeal to: Not appealed Original Language(s): French Original Source: Conseil d'etat Website (in French) Initial Contributor: Julie Houillon-Leonis The Conseil d'Etat confirmed a prior sanction by the French DPA. In this prior decision, the French DPA fined Amazon Europe Core €35,000,000 for the unlawful use of cookies on its websites. Contents 1 English Summary 1.1 Facts 1.2 Holding 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts The French DPA had received a complaint on 28 May 2018 regarding the lawfulness of processing by Amazon Europe Core ('Provider' or 'The company'). The French DPA had forwarded this complaint to the Luxembourg DPA under the 'one stop shop' mechanism of Article 56 GDPR. The luxembourg DPA started an investigation regarding Amazon's use of cookies and its compliance with the GDPR and the ePrivacy directive. However, the French DPA started its own investigation into Amazon's compliance with Article 82 of the French Data protection act, a national implementation of Article 5(3) of the ePrivacy directive. (directive 2002/58/EC). This investigation regarding Article 82 had resulted in decision SAN-2020-013. In this decision, the French DPA fined Amazon €35,000,000 for the failure to obtain prior consent and the failure to inform users of their rights with regards to the processing of their data, which was mandatory under Article 82 of the Data Protection Act. The DPA found that when a user visited the "Amazon.fr" site, a large number of cookies with advertising purposes were automatically placed on the data subjects computer. Because this type of cookie was not essential to the service provided by the controller, the DPA considered that the controller had not complied with the obligation to obtain the consent of Internet users before depositing the cookies. Amazon appealed this decision at the Conseil d'Etat, the French Supreme Administrative Court, and requested its annulment. Amazon also asked the Conseil to refer several questions to the CJEU for a preliminary ruling. Among other arguments, Amazon claimed that the French DPA had made an incorrect interpretation of the law regarding its competence and had disregarded its competence by imposing the contested sanction. The controller also stated that the involvement of the French DPA, when the Luxembourg DPA was already involved, constituted a violation of Article 50 of the Charter of Fundamental Rights. According to this article, the same person may not be prosecuted more than once for the same acts. Holding With regard to the application of the "one-stop shop" mechanism and the CNIL's jurisdiction: The Conseil ruled that the application and enforcement of the ePrivacy directive was the responsibility of national DPAs according to Article 15a of the directive. The "one-stop shop" mechanism did not apply in this case, even when there was a form of a cross-border processing. The Conseil also stated that the absence of a 'one-stop shop' mechanism did not imply any infringement of Article 50 of the Charter of Fundamental Rights, because the DPA only ruled on breaches of national law transposing EU law in the contested decision, and not on GDPR related violations. The Conseil also assessed the compatibility of Article 3 of the French Data protection Act with the ePrivacy Directive. The Conseil determined that Directive 2002/58/EC did not prevent the French DPA to apply the French data protection Act (including Article 82). The Directive would therefore also not prevent the French DPA from penalising the controller for supposed violations of Article 82 of the French data protection Act. Therefore, the Conseil established that the French DPA could enforce the French data protection act against any person or legal entity responsible for the processing of data who had an establishment in France, irrespective of the location of the principal establishment of the responsible entity. This enforcement by the DPA would also not constitute violations of articles 49 (Freedom of establishment) or 56 (Freedom to provide services) of the TFEU. With regard to the sanction imposed by the CNIL: The Conseil deemed that the applicant was sufficiently informed regarding the scope of the DPA's investigations, the facts and the legal grounds on which the sanction was based. Moreover, the Conseil considered that the applicant was given sufficient time to present its defence. The Conseil also ruled that the involvement of the French DPA, while the Luxembourg DPA was the lead supervisory authority, was not enough to constitute a breach of the equality of arms principle. Amazon had argued that the involvement of the French DPA in the procedure had enabled the French DPA to gain access to privileged and confidential information and had used this information as a basis for its own decision. The Conseil determined that Amazon did not provide enough proof for this argument and stated that Amazon was not able to prove that was the procedure contrary to Article 15a(4) of Directive 2002/58/EC. On a possible violation of Article 50 of the Charter of Fundamental Rights: The Conseil explained, based on the CJEU's case law (Aklagaren v Akerberg Fransson C-617/10, Powszechny Zaklad Ubezpieczen na Zycie SA of C-617/17 and bpost SA v Belgian Competition Authority C-117/20), that the principle invoked by the applicant, that the same person may not be the subject of several proceeding in respect of the same facts, was not violated by the French DPA. The Conseil stated that the principle could only be enforced when criminal proceedings had been definitively terminated. This was in particular the case when a criminal penalty had become final. The Conseil held that Amazon was not found to be the subject of a final sanction issued by the Luxembourg DPA for the facts that had resulted in the €35,000,000 fine in the contested decision. The Conseil rejected the applicant's claim for a reference for a preliminary ruling on the matter. Regarding the application of French Data Protection Act by the French DPA, Amazon had argued that the legal framework regarding cookies was not stable

Entities

Amazon (vendor)