The French Data Protection Authority has imposed a €40 million fine for GDPR infringements.

By Myria Saarinen and Charlotte Guerin

On 15 June 2023 the French Data Protection Authority (the CNIL), acting as Lead Supervisory Authority pursuant to the cooperation procedure under Article 60 GDPR, handed down a decision against the French adtech company Criteo SA (Criteo). The CNIL imposed a €40 million fine for five infringements of the GDPR, in particular for failing to verify that data subjects had consented to the processing of their personal data for the purpose of targeted advertising.

Founded in 2005 and headquartered in France, Criteo specializes in behavioral retargeting, which involves tracking browsing patterns through cookies placed on users’ devices to facilitate personalized advertisements. Criteo collects browsing data tied to a cookie that is placed when users visit certain partner websites (the Criteo cookie), and then uses the data to generate personalized online ads. Criteo then shows these ads to users when they visit other partner or customer websites. According to its corporate website, Criteo serves 5 billion ads per day and partners with more than 19,000 customers.

The guidance provides general requirements for obtaining valid consent and details conditions under which audience management cookies may be exempt.

By Myria Saarinen and Camille Dorval

On 4 July 2019, one day after the UK Information Commissioner’s Office (ICO) published new guidance on cookies, the French Data Protection Authority (CNIL) released its own new guidance (Guidance). A corrective version followed on 19 July 2019.

The Guidance clarifies “consent” under Article 82 of the French Data Protection Act (Article 82). Article 82 implements the ePrivacy Directive’s cookies rule and constitutes the foundation of the French rules requiring organizations placing non-essential cookies to provide “clear and complete” information to users and to obtain their consent to the use of cookies.

The CNIL decision handed down on 21 January 2019, which cites violations of several GDPR obligations, provides important insights for groups wishing to benefit from the “one-stop-shop mechanism”.

By Gail E. Crawford, Myria Saarinen, Camille Dorval, and Laura Holden

The Complaints

Not more than a week after the General Data Protection Regulation 2016/679 (GDPR) came into force on 25 May 2018, the French data protection authority (CNIL) received separate complaints about Google LLC (Google) from two non-profit organisations: ‘La Quadrature du Net’ and ‘None Of Your Business’, the latter founded by activist lawyer Max Schrems. The complaints, made by the organisations on behalf of nearly 10,000 individuals, can be summarised as follows:

  • None Of Your Business claimed that users of Android mobile devices had no choice but to accept Google’s privacy policy and terms of use, which included having to consent to the use of their data for targeted behavioural advertising, if they wanted to be able to use the devices.
  • La Quadrature du Net claimed that Google processed personal data for targeted advertising without a valid legal basis.