Data Protection: Key Takeaways From Recent French DPA Decisions

Karine Disdier-Mikus and Pierre Nieuwyaer of Fiducial Legal By Lamy discuss how 2023 marked five years of application of the GDPR (General Data Protection Regulation). Enforcement actions are on the rise and lack of compliance continues to be sanctioned by the French data protection authority (DPA), the CNIL (Commission Nationale de l’Informatique et des Libertés). A few takeaways must be highlighted from recent French decisions, among which is the recent “Criteo” decision (15 June 2023) that illustrates well the diversity of the breaches under sanction and the potential significance of the resulting fine.

Published on 15 December 2023
Karine Disdier-Mikus
Pierre Nieuwyaer

The “Criteo” decision

Criteo is a French company whose main business is to provide retargeting advertising solutions. Through cookies that are placed on internet users’ devices when they visit one of Criteo’s partners’ sites, the browsing habits of the concerned individuals are tracked to offer “personalised” advertising solutions as a result of a real-time bidding process.

Before addressing the breaches tackled by this decision, here are some preliminary remarks.

  • This case relies, inter alia, on two complaints filed before the CNIL by two associations (Privacy International and None of Your Business – NOYB).
  • Since the main location of Criteo is in France, the CNIL conducted the proceedings as lead supervisory authority in accordance with Article 56 of the GDPR (the decision mentions that none of the other DPAs had raised any relevant and reasoned objections to the draft decision submitted by the CNIL).
  • The decision follows a detailed investigation of the case by the CNIL, involving correspondence with the company, a meeting, a questionnaire sent by the DPA, on-site and online inspections, an additional request for the terms of use and a recent sample of contracts with third parties, and further exchanges between the parties regarding the draft report.
  • While Criteo argued that it was processing “browsing activities” (pseudonymised technical data), the CNIL considered that in view of the number and diversity of the collected data and given that they were all linked to an identifier, Criteo was able to re-identify individuals so that personal data was at stake and the GDPR was applicable.

As to the breaches sanctioned by the French DPA, inter alia:

  • The CNIL considered that Criteo was unable to demonstrate that it had obtained prior consent from the users as the legal basis for the processing. The CNIL indicates that the company and the third-party websites from which the cookies were placed on the users’ devices were joint controllers regarding cookie implementation and the data collection carried out through such cookies. According to the French DPA, although collecting consent for the processing at stake was the responsibility of Criteo’s partners, this does not relieve the company of the obligation to be able to demonstrate that the individuals actually gave their consent, in accordance with Article 7 of the GDPR. The CNIL also noted that, of the audited third-party websites, one in two was not compliant (no consent obtained for cookies, no effective way to refuse them, or cookies set despite refusal).
  • The French DPA also identified breaches regarding information and transparency. Those breaches are related to a lack of comprehensive information as to the purposes of the processing and the legal basis on which the processing relied. Quite interestingly, the CNIL considered that Criteo was in the position of direct collection and thus Article 13 of the GDPR applied, as the collected data were directly transmitted to Criteo’s servers, without any transit through another controller.
  • The CNIL found an additional breach regarding the way Criteo answered access requests from data subjects. According to the regulator, the information provided was not comprehensive: personal data was extracted from several tables, but Criteo provided data from only three tables out of five. Moreover, the communication was not intelligible: a short description of each table was provided, but with no explanation of the purpose of each column of the tables or of their content.
  • While the CNIL acknowledged that Criteo had entered into joint-controller agreements, the regulator noted that such agreements did not address all the obligations contemplated by the GDPR, in particular regarding the exercise of the rights of the data subjects, the notification of a data breach to the supervisory authority and to the data subjects, and the carrying out of a data protection impact assessment (DPIA). According to the CNIL, these gaps constituted a breach of Article 26 of the GDPR.

In the end, the CNIL issued an administrative fine of EUR40 million for breaches of Articles 7, 12, 13, 15, 17, and 26 of the GDPR. On this point, it should be noted that the rapporteur had requested a minimum amount of EUR60 million. As Criteo raised several objections regarding this amount, the French DPA referred to the large-scale nature of the processing and to its massive and intrusive character.


The CNIL also applied Article 83.2.k of the GDPR, pursuant to which the “financial benefits gained” from the breach can be taken into account. On this point, the regulator recalled in particular that Criteo’s business model is based exclusively on its ability to collect and process an immense amount of personal data, and that personal data collected and processed without the valid consent of individuals had enabled Criteo to unduly increase the number of people concerned by its processing, and therefore its financial income.

The CNIL finally indicated that even if this amount represented almost 2% of the worldwide turnover, (i) it remained below the 4% cap provided by the GDPR and the French data protection law, and (ii) the amount of the fine may exceed the profit generated insofar as this is necessary to ensure that the penalty has a dissuasive effect.

The CNIL also ordered the publication of the decision, in view of the seriousness of the breaches, the scope of the processing, and the number of persons concerned. According to the French DPA, such publicity could also be seen as a way to inform the data subjects of a processing of which they were otherwise unaware.

Overall key takeaways from the “Criteo” decision

  • Joint controllers must secure agreements with third parties and partners that at least stipulate that the party in charge of obtaining consent from the data subjects must provide proof of such consent, to be used by each party as the case may be. Such a clause can be coupled with an audit clause. In addition, joint-controller agreements must comprehensively cover all the obligations contemplated by the GDPR.
  • Controllers must ensure that data subjects receive understandable and comprehensive information. This means using clear language that is unlikely to give rise to uncertainty and that enables the data subjects to understand the processing. Vague and/or contradictory statements must be avoided.
  • Such requirements regarding information also apply to answers to be given to access requests from data subjects.
  • GDPR compliance must be holistic and comprehensive, or the relevant parties risk severe fines, in particular where large-scale processing is implemented and/or data-driven businesses are concerned.

Key takeaways from other notable recent decisions

  • The French entity in a group of companies that takes the initiative of (i) requesting from the parent company based abroad (China) a specific form regarding internal mobility within the group and (ii) circulating that form to its employees can be considered the data controller for the resulting processing of personal data (CNIL, 18 September 2023, “SAF Logistics”).
  • When personal data is collected for marketing purposes on behalf of third-party prospectors, the first-time collector must provide a comprehensive and up-to-date list of the partners to whom the data will be communicated (CNIL, 12 October 2023, “Canal+”).
  • On 7 November 2023, the CNIL indicated that over the past two months it had handed down ten new decisions under its simplified sanction procedure, introduced in 2022. A total of EUR97,000 in fines was imposed on private and public entities for breaches such as failure to respond to requests from the CNIL, breaches of data minimisation (geolocation and continuous, permanent video surveillance of employees), failure to provide information on the processing carried out and its purposes, and failure to respect the rights of the data subjects (in particular the right to object).
