Good News for GDPR Enforcement against Cookie Walls, but Also a Dangerous Legal Challenge from WhatsApp
As most people know from bitter personal experience, one of the most tiresome aspects of moving around the web is the constant barrage of pop-ups, asking whether the user agrees to cookies. The companies running the websites like to blame this on the EU’s GDPR, which requires people to consent to cookies and the tracking they enable. But there’s no doubt that these “cookie walls” are often designed to push people into accepting maximal surveillance just to get rid of annoying obstacles on their screen. The use of “forced consent” — where users either agree to be tracked or are unable to use an online service — seems plainly against the intent of the GDPR. In order to test this in the courts, the privacy expert, Max Schrems, filed complaints against Google, Facebook, WhatsApp, and Instagram in 2018 — just minutes after enforcement of the GDPR began.
In 2019, the EU’s top court, the Court of Justice of the European Union (CJEU), ruled that pre-ticked checkboxes, used to encourage people to consent to the storage of and access to cookies, weren’t valid under the GDPR. Despite that, research the following year showed that many websites were still using “dark patterns” — online tricks to nudge visitors to accept privacy-hostile cookies.
In May 2021, Max Schrems sent out 500 draft complaints to companies using cookie walls that were unlawful according to his organization, noyb.eu. They were meant as a warning shot to encourage the companies to comply with the GDPR. At the same time, although independently, the French data protection body CNIL (Commission Nationale de l’Informatique et des Libertés) sent out 20 formal notices to leading online companies, ordering them to make refusing cookies on their sites as easy as accepting them. Two of the biggest companies — Google and Facebook — decided to ignore the request, and now CNIL has responded:
The restricted committee, the body of the CNIL responsible for issuing sanctions, has noted, following investigations, that the websites facebook.com, google.fr and youtube.com offer a button allowing the user to immediately accept cookies. However, they do not provide an equivalent solution (button or other) enabling the Internet user to easily refuse the deposit of these cookies. Several clicks are required to refuse all cookies, against a single one to accept them.
The restricted committee considered that this process affects the freedom of consent: since, on the Internet, the user expects to be able to quickly consult a website, the fact that they cannot refuse the cookies as easily as they can accept them influences their choice in favor of consent.
As a result, Google has been fined 150 million euros, and Facebook 60 million euros. Moreover, if the companies fail within three months to provide Internet users located in France with a way of refusing cookies as simple as accepting them, they will be hit with further fines of 100,000 euros for every day of non-compliance.
It’s not the first time that CNIL has fined Google: in January 2019, CNIL imposed a penalty of 50 million euros — also because of the difficulty of withdrawing consent from processing personal data for ads. The higher penalties imposed this time suggest that CNIL is losing patience; if Google or Facebook fails to comply, more fines are likely to be imposed, possibly even larger.
CNIL’s move is important because it confirms the ability of national data protection authorities to impose fines for privacy violations, even when a company’s EU headquarters lie outside the country in question. That’s an issue, because the GDPR generally assumes only the lead data protection authority — determined by where the main EU headquarters of a business are located — will act. The issue has become particularly relevant in the light of continuing complaints about the Irish Data Protection Commission (DPC), and its alleged failure to take action against the many online giants that are based in Ireland. Criticism has come from Max Schrems, who has been engaged in a long-running legal battle with the DPC, but also from other EU national data protection authorities, for example, the one in Germany.
Discontent with the Irish DPC came to a head recently, when the 30 to 50 million euro fine it wanted to impose on WhatsApp under the GDPR was regarded by many as insufficient, given the company’s multi-billion dollar revenues. Because the privacy issues concerned other EU citizens as well as Irish ones, the DPC needed to consult the other data protection authorities on the continent. Several raised formal objections, so the body that co-ordinates GDPR enforcement in the EU — the European Data Protection Board (EDPB) — became involved. After examining the case, it issued its binding decision in July 2021, which determined that an appropriate fine would be 225 million euros — considerably more than the DPC’s original suggestion.
This was something of a slap in the face for the DPC, but there was not much it could do about the EDPB decision. However, that did not apply to WhatsApp, also not best pleased. The latter has now brought a legal challenge to the EDPB ruling at the General Court of the CJEU, asking for the decision to be annulled.
What is concerning about the move is that it calls into question the role of the EDPB, alleging that, “the EDPB exceeded its competence under Article 65 of GDPR”, and that the EDPB’s interpretations of the GDPR are wrong. If WhatsApp wins its case, it could see the EDPB’s scope for increasing fines in future GDPR cases limited, which would be a problem for the law’s credibility and efficacy, despite the new CNIL decision.
Featured image by WhatsApp.