Fraud Management & Cybercrime , Governance & Risk Management , Privacy
Google, Facebook Fined by French Data Protection Agency
Tech Giants Penalized by CNIL for Violation of Privacy RegulationsFrench data protection agency CNIL - the Commission Nationale Informatique and Libertés - has imposed fines of 150 million euros ($170 million) on Google and 60 million euros ($66 million) on Facebook for not complying with the country's data regulation norms.
See Also: Netskope FERPA Mapping Guide
Investigating user complaints about the big tech firms' privacy policies around cookies, CNIL found that the websites facebook.com, google.fr and youtube.com enabled users to accept cookies with the click of a button, but did not provide a similarly easy option to opt out of cookies. YouTube is owned by Google.
In its notification, CNIL gives Google and Facebook three months to provide users in the country a "means to refuse cookies that is as simple as the existing means of accepting them." Failure to adhere to the deadline will result in a penalty of 100,000 euros ($113,000) per day of delay, it says.
Case Against the Tech Giants
The main contention here is that while a user can enable cookies by simply clicking on the pop-up "accept cookies" option, disabling them is a comparatively lengthy process.
For instance, if a user wishes to disable cookies on Google Chrome, they have to click on the three vertical dots on the top right corner of the browser, go to "settings," and under the "privacy and security" option on the left, choose the "site settings" option. This brings up the cookies section, in which the user can choose to enable all cookies, disable third-party cookies or implement a "do not track" request.
Facebook - now run by parent company Meta - tracks users even if they have logged out of the application. The social media giant, in its "cookies and other storage technologies" section, says that the cookies enable Meta to offer Meta products and that the website also collects information about the customer's use of other websites and apps, "whether or not a user is registered or logged in."
According to CNIL, Google, Facebook and YouTube infringe Article 82 of the French Data Protection Act, which implements both the EU Directive 2002/58/EC and the E.U General Data Protection Regulation, or GDPR.
Article 82 of the French Data Protection Act says that a user must be informed and have control over the information stored in electronic communications, and the EU Directive 2002/58/EC mandates that "the methods for giving information, offering a right to refuse or requesting consent be made as user-friendly as possible."
In March 2021, the U.S. Supreme Court turned down Facebook's bid to revoke a $15 billion class action lawsuit that held the company responsible for illegally tracking users' internet activities even when they are logged out of the social media platform, according to a Reuters report.
CNIL: A Tough Cookie
In a December 2020 crackdown, in addition to imposing a 100 million euro penalty on Google, CNIL imposed a 35 million euro fine on Jeff Bezos-founded e-commerce giant Amazon for violating cookie regulations under the EU's e-privacy rules, according to a report by news platform Politico.
In October 2008, Facebook set up its EMEA headquarters in Ireland, which imposes low rates of corporate tax. Google's European operations are run from the same country. This makes the Irish Data Protection Commission the resident watchdog in the EU for the big tech companies.
The Irish DPC, according to a separate Politico article, has been accused of being "too soft" on companies such as Google and Facebook. CNIL, in comparison, has imposed hefty penalties on big tech companies.
Fintech firm SlimPay was the latest on CNIL's target list. It received a fine of 130,000 euros ($147,000) last week over a data breach incident.
Bouquets and Brickbats
While several users and privacy practitioners expressed their support and solidarity with CNIL's crackdown on Google, Facebook and YouTube, some pointed out that the penalty amounts were just a fraction of those companies' annual turnover.
Christine Hennion, member of Parliament for Hauts-de-Seine, says in a tweet: "The digital giants must respect the freedom of consent of Internet users."
Aujourd'hui, la @CNIL a sanctionné lourdement #Google et #Facebook pour leur mauvais usage des modalités de refus des #cookies. Les géants du numérique doivent respecter la liberté du consentement des internautes.https://t.co/S54fRcaPCz
— Christine Hennion (@Ch_Hennion) January 6, 2022
Although CNIL has been tough on big tech in comparison to other countries, the high penalty imposed is "more of a hug than a whip," Agustín Allende, privacy lawyer and associate founder of law firm PrivacyVitas, tells Information Security Media Group.
"Faced with the privacy violations that have supported a business model, their penalties should be set based on a percentage of worldwide sales," he says.
UK-based GDPR and IP consultant Tara Taubman-Bassirian tells ISMG that she was among those who had filed a written complaint to CNIL regarding the big tech companies' privacy policies. She says CNIL was active only the first six months after the GDPR came into effect, and went "dormant" after Isabelle Falque-Pierrotin stepped down as president in February 2019.
"The recent penalties imposed on companies flouting privacy laws indicate that CNIL has finally woken up. Without enforcement, it’s hard to convince companies to invest in compliance," she says.
In a LinkedIn post, Jean Baptiste N, manager of data analytics at insurance firm AXA, says: "This is unfortunately extremely ridiculous when we know that these are companies that derive most of their income from advertising." He too is of the opinion that the fines and convictions must be proportionate to the turnover generated.
An article by U.S. news website CNet estimates that Facebook makes around $319.6 million per day in revenue. Google earns close to $495 million per day, according to data analysis platform Statista.