PARIS — French data regulator the CNIL is set to fine Google €150 million and Facebook €60 million for violating EU privacy rules.
According to a document seen by POLITICO, the CNIL will fine Google’s United States and Irish operations €90 million and €60 million respectively, and Facebook’s Irish arm €60 million for failing to allow French users to easily reject cookie tracking technology.
Google and Facebook also face a daily penalty of €100,000 if they do not fix their practices within three months of the CNIL issuing the decision, which applies to the Google-owned google.fr and youtube.fr websites, as well as Facebook’s French platform.
“We are reviewing the authority’s decision and remain committed to working with relevant authorities,” a spokesperson for Facebook’s holding company Meta said. “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls,” they added.
Google did not immediately respond to a request for comment, and the CNIL said it would not comment before the decision has been made public on its website.
It is not the first time that the French privacy regulator has used EU’s e-Privacy rules to target Big Tech.
In December 2020, the CNIL fined Amazon and Google €35 million and €100 million for cookie violations under the e-Privacy rules. The agency also fined Google €50 million under the General Data Protection Regulation (GDPR).
Under the GDPR, only the privacy agency in the country where a company is established in the EU can take direct enforcement action against that company. For Facebook and Google, that would be the Irish Data Protection Commission (DPC), since both are legally based in Dublin.
But the French regulator is able to act directly against the U.S. multinationals this time since the violations are covered by the e-Privacy Directive, which governs the privacy of communications rather than the GDPR.
Google is still fighting the earlier case before the Council of State, the highest court in France for cases involving public administration. A person directly involved in the matter said the company is likely to oppose these new fines and go to the French top court again.
The latest enforcement action will be read as a shot across the bows of the Irish DPC, which has faced intense criticism for its handling of investigations into Big Tech.
The Irish DPC is not aware of the impending action by the French, a spokesperson for the agency said.
While the Dublin agency has a €225 million fine against WhatsApp under its belt, that high figure was only reached after other EU regulators forced the Irish to bump up the €50 million fine that was initially proposed.
The Irish data regulator has been angering its European colleagues for some time.
In its official objection to a major draft decision on Facebook, the Norwegian data protection regulator said in December that the Irish interpretation of data protection law would render the GDPR “pointless” — echoing revelations the same month that European regulators shot down Ireland’s attempt to push for social media-friendly privacy guidelines.
Additional reporting by Vincent Manancourt.