The ongoing legal fight between Google & Amazon, and the French regulatory body, the CNIL contains some interesting insights, especially as it looks as if the standard on cookies could be adopted elsewhere.
The case centres around the use of cookie walls and whether they are allowed under EU data protection laws.
The latest deliberation on the of 7 December, was the first opportunity for the CNIL to enforce its new “cookie Guidelines”. Google and Amazon were both given penalties after the CNIL seemed to suggest that the two big tech companies create “de facto” cookie-walls that are unlawful.
In short, the CNIL argued that the whole informational architecture of the two big tech companies for cookie collection is not based on a transparent opt-in system, but on an opaque opt-out system, which is an obstacle for ordinary people to do.
Other regulators across Europe are also taking serious steps in limiting the power of big tech in terms of cookies, but in softer ways. For example the Italian “Garante” open consultation about cookie policies, or the interlocutory dialogue between the UK Data Protection Authority – the ICO – and Google, in the case from 2013.”
So how soon does he think will we see pressure to change, given the US companies always appeal?
“I think pressure on this topic will stay high, as recent proceedings for similar situations, for example in the European Parliament, have suggested, and, even if Google and Amazon do have successful appeals, the message is clear: cookies should only be collected upon unambiguous, free and informed consent.”
“I think the IT industry should quickly take notice and comply with the highest standards in terms of cookie policies across the EU (which at the moment seems to be the French standard).
In the initial version of its Guidelines, the CNIL pointed oout that measures and sanctions under Article 82 of the French Data Protection Act, are independent of the GDPR’s cooperation and consistency mechanisms, because the French cookie rules are based on the EU ePrivacy Directive and *not* the GDPR. Unsurprisingly, therefore, the CNIL rejected the arguments of Google and Amazon, considering that the EU ePrivacy Directive provides for its own mechanism, designed to implement and control its application. Accordingly, the CNIL concluded that the one-stop-shop mechanism of the GDPR does not apply to the enforcement of the provisions of the EU ePrivacy Directive, as implemented under French law.