The CNIL’s penalties on Google (€100 million) and Amazon (€35 million) last December reaffirm that data subjects’ consent for cookies should be as free and informed as possible.
CNIL is the Commission Nationale de l’Informatique et des Libertés. It is an independent French administrative regulatory body whose mission is to ensure that data privacy law is applied to the collection, storage, and use of personal data.
In terms of ‘informed’ consent, says Prof. Dr. Gianclaudio Malgieri of EDHEC Augmented Law Institute, individuals must know exactly and immediately what their options are and what the implications of each are in terms of cookies, before any cookies are installed on their devices.
This recalls the CJEU decision in the Planet49 case, which found that even the average individual is not willing or able to read complex and long information notices. If cookies are installed before any clear cookie alert is shown, they are illegal.
The GDPR and cookie walls
Looking at the GDPR (the EU’s General Data Protection Regulation) and the European Data Protection Board’s opinion, we know that cookie walls (i.e., a no-choice banner about cookies, which data subjects can only ‘accept’ in order to continue exploring a website) are generally prohibited. With this new judgement, we can also say that de facto cookie walls (i.e., obscure banners where refusing cookies is much more difficult than accepting them) are prohibited.
Reform is vital
This CNIL decision stresses the importance of a reform of the e-Privacy Directive and, therefore, the approval of a new e-Privacy Regulation.
There are three reasons.
Firstly, because cookie-related privacy rules still depend too much on national differences within the EU (the French CNIL has stricter rules and enforcement practices, while other Data Protection Authorities seem more lenient), and this creates a risk of “forum shopping”.
Secondly, because the e-Privacy Directive seems incompatible with the new, stricter consent requirements of the GDPR, and this ambiguity needs to be resolved soon. For example, under the directive a silent consent can be tolerated, while under the GDPR consent must be unambiguous, free and informed.
Thirdly, because the GDPR provides an international mechanism of cooperation among the Data Protection Authorities of the different Member States (in terms of sanctions, legal proceedings, etc.) that cannot currently be applied to cookie-related issues, greater legal certainty would be extremely beneficial.
A digital single market
In this particular case, Google claimed that the Irish Data Protection Authority should have been responsible for the sanction proceedings (since Google’s European headquarters is in Ireland), while Amazon claimed that in its case only Luxembourgian rules about cookies should be considered (since the Amazon headquarters in Europe is in Ireland). This ambiguity does not help build a clear and mature ‘digital single market’ in the European Union.
In sum, this latest episode in the battle between regulators and Big Tech shows that big companies cannot easily circumvent data protection rules on consent through obscure labyrinths that discourage even the most attentive internet user from refusing cookies.
In addition, this story teaches us that the enforcement of data protection really depends on the “legal activism” of each individual national Data Protection Authority.
The author is Prof. Dr. Gianclaudio Malgieri of EDHEC Augmented Law Institute.