[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMESd-IlV84vaXvTJQfr5mSBKT9CmvyOwMV9RW4_hKtQ":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":25,"category":26,"article_tags":30},"90d1980a-6e41-44c2-b723-6346941349fc","CNIL (France) - SAN-2021-023","cnil-france-san-2021-023-9e5cbf","Standardized name and link ← Older revision Revision as of 11:06, 17 July 2026 Line 26: Line 26: |GDPR_Article_Link_1=Article 56 GDPR |GDPR_Article_Link_1=Article 56 GDPR |EU_Law_Name_1=Article 2(f) Directive 2002\u002F58\u002FEC ('E-Privacy Directive') |EU_Law_Name_1=Article 2(f) ePrivacy Directive 2002\u002F58\u002FEC |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002FHTML\u002F?uri=CELEX:32002L0058&from=EN |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Fdir\u002F2002\u002F58\u002Foj |National_Law_Name_1=Loi \"Informatique et Libertés\" |National_Law_Name_1=Loi \"Informatique et Libertés\"","The French Data Protection Authority (CNIL) issued a €150M fine against Google LLC (€90M) and Google Ireland Limited (€60M) for violating Article 82 of the French Data Protection Act by failing to provide French users with a cookie refusal mechanism as simple as the acceptance mechanism. The decision, issued on 31 December 2021, required Google to modify google.fr and youtube.com to ensure balanced consent options.","CNIL fines Google €150M for cookie consent violations on google.fr and youtube.com","Help CNIL (France) - SAN-2021-023: Difference between revisions From GDPRhub Jump to:navigation, search ← Older editVisualWikitext Revision as of 09:00, 6 April 2022 view source165.225.16.115 (talk) Tag: Visual edit← Older edit Latest revision as of 11:06, 17 July 2026 view source Sfl (talk | contribs)Bureaucrats, Interface administrators, noContributionReport, Administrators479 editsm Tag: Visual edit Line 26: Line 26: |GDPR_Article_Link_1=Article 56 GDPR|GDPR_Article_Link_1=Article 56 GDPR |EU_Law_Name_1=Article 2(f) Directive 2002\u002F58\u002FEC ('E-Privacy Directive')|EU_Law_Name_1=Article 2(f) ePrivacy Directive 2002\u002F58\u002FEC |EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Flegal-content\u002FEN\u002FTXT\u002FHTML\u002F?uri=CELEX:32002L0058&from=EN|EU_Law_Link_1=https:\u002F\u002Feur-lex.europa.eu\u002Feli\u002Fdir\u002F2002\u002F58\u002Foj |National_Law_Name_1=Loi \"Informatique et Libertés\"|National_Law_Name_1=Loi \"Informatique et Libertés\" Latest revision as of 11:06, 17 July 2026 CNIL (France) - SAN-2021-023 Authority: CNIL (France) Jurisdiction: France Relevant Law: Article 56 GDPR Article 2(f) ePrivacy Directive 2002\u002F58\u002FECLoi \"Informatique et Libertés\" Type: Investigation Outcome: Violation Found Started: Decided: 31.12.2021 Published: 06.01.2022 Fine: 150,000,000 EUR Parties: Google LLC Google Ireland Limited National Case Number\u002FName: SAN-2021-023 European Case Law Identifier: n\u002Fa Appeal: Unknown Original Language(s): French Original Source: CNIL (in FR) Initial Contributor: Frederick Antonovics The French DPA fined Google LLC €90,000,000 and Google Ireland Limited €60,000,000 for failing to comply with Article 82 of the French Data Protection Act, and ordered the companies to modify the websites \"google.fr\" and \"youtube.com\" to offer French users a means of refusing to give consent that is as simple as the mechanism provided for their acceptance. Contents 1 English Summary 1.1 Facts 1.2 Holding 1.2.1 On the request for a stay of proceedings 1.2.2 On the complaint alleging breach of the ne bis in idem principle 1.2.3 On the competence of the CNIL 1.2.3.1 The material competence of the CNIL and the non-application of the \"one-stop shop\" mechanism provided for by the GDPR 1.2.3.2 On the territorial jurisdiction of the CNIL 1.2.4 The determination of the controller 1.2.5 On the failure to comply with the obligations relating to cookies 2 Comment 3 Further Resources 4 English Machine Translation of the Decision English Summary Facts Google LLC is a subsidiary owned wholly by Alphabet Inc. Google Ireland Limited ('GIL') \"presents itself\" as the headquarters for the Google group's operations in the EEA and Switzerland. In March 2020 the French DPA (CNIL) carried out an online inspection of the website \"google.fr\" in the context of a previous procedure against Google LLC and GIL. The purpose of this inspection was to verify their compliance with the Loi 'Informatique et Libertés', and in particular with Article 82 thereof. This resulted in this decision, that Google appealed. Following this decision, the CNIL received more complaints about the methods of refusing cookies from the website \"google.fr\". It therefore reopened the case and launched a new investigation. Holding On the request for a stay of proceedings First, the companies requested that per Article 66 of the CNIL's rules of procedure, the CNIL stay these proceedings pending the decision to be handed down by the Council of State in the appeal against its first decision against Google and pending the conclusions of the new EDPB working group on cookies. The CNIL rejected this request, as it considered that there were no acceptable grounds for staying the proceedings. On the complaint alleging breach of the ne bis in idem principle Second, the companies argued that the restricted formation cannot rule again on the same facts as those concerned by deliberations No. SAN-2020-012 and No. SAN-2021-004, without violating the ne bis in idem principle, as it considered the parties and material facts in those case to be identical. The CNIL responded that the two procedures do not concern the same facts, as these cases included an injunction relating to the information of users on the purposes of cookies subject to consent and on the means available to refuse cookies, whereas the one at hand concerned the refusal methods themselves, and not only the information. It also highlighted that this procedure concerned both the websites \"google.fr\" and \"youtube.com\", whereas the previous procedure concerned only the website \"google.fr\". As such, the CNIL rejected the complaint based on the violation of the ne bis in idem principle. On the competence of the CNIL The material competence of the CNIL and the non-application of the \"one-stop shop\" mechanism provided for by the GDPR The processing operations investigated by the CNIL in this case were carried out in the context of the provision of publicly available electronic communications services via a public electronic communications network offered within the European Union. As such, it considered they fell within the material scope of the ePrivacy Directive. Article 5(3) of that directive was transposed into domestic law through Article 82 of the French Data Protection Act. The CNIL therefore considered itself materially competent under these provisions to monitor and sanction the access or registration of information by companies in the terminals of users of the \"google.fr\" and \"youtube.com\" websites in France. The companies contested the jurisdiction of the CNIL. They argued they should be subject to the procedural framework provided for by the GDPR, or the 'one-stop shop' mechanism, under which the Irish DPA (DPC) would be the lead supervisory authority (LSA). They considered that the absence of specific rules on determining the competence of the supervisory authority in the case of cross-border processing operations falling within the scope of the ePrivacy Directive should be replaced by the application of the procedural framework provided for by the GDPR. Interestingly, the companies further argued that the EDPB's announcement regarding the creation of a working group on cookie banners in response to the significant number of complaints recently filed with supervisory authorities by noyb was evidence that the EDPB considers that cookie-related breaches fall directly within the scope of the GDPR and, therefore, the 'one-stop shop' mechanism. First, the CNIL responded that a distinction should be made between, on the one hand, the operations consisting in depositing and reading a cookie on a user's terminal and, on the other hand, the subsequent use that is made of the data generated by these cookies (\"subsequent\u002Ffurther processing\"). The former are governed by special rules, set by the ePrivacy Directive - in this case, by its Article 5(3) - and transposed into national law, the latter is governed by the GDPR and, as such, may be subject to the \"one-stop-shop\" mechanism in the event that they are cross-border. This case only concerned the read and write operations carried out on the terminal of the user located in France visiting the Google Search and YouTube search engines. Second, it held that where a processing operation may fall within both the material scope of the ePrivacy Directive and the material scope of the GDPR, reference should be made to the relevant provisions of the two texts which provide for their articulation. The rule laid down in Article 5(3) of the ePrivacy Directive, according to which reading and\u002For writing operations must systematically be subject to the prior consent of the user, after having been informed, constitutes a special rule with regard to the GDPR, since it prohibits the legal bases mentioned in Article 6 GDPR from being invoked in order to be able to lawfully carry them out. The control of this rule is therefore a matter for the special control and sanction mechanism provided for by the ePrivacy Directive, and not for the data protection authorities and the EDPB under the GDPR. It stat","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=CNIL_(France)_-_SAN-2021-023&diff=52371&oldid=25131","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002Fthumb\u002F0\u002F0f\u002FLogoFR.png\u002F1200px-LogoFR.png","2026-07-17T11:06:24+00:00","2026-07-17T12:00:12.428371+00:00",8,[18,21,23],{"name":19,"type":20},"Google LLC","vendor",{"name":22,"type":20},"Google Ireland Limited",{"name":24,"type":20},"Alphabet Inc.","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":25,"icon":27,"name":28,"slug":29},null,"GDPR","gdpr",[31,36,41],{"category":32},{"id":33,"icon":27,"name":34,"slug":35},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":37},{"id":38,"icon":27,"name":39,"slug":40},"c5c77cdb-f7d7-4990-9436-c81dcbff1163","Policy","policy",{"category":42},{"id":43,"icon":27,"name":44,"slug":45},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]