In a decision that’s been supported by both the French government and European authorities, France fined Google and Facebook for violating privacy laws. The fines are considered to be among the highest in Europe so far. Critics say the decision does not go nearly far enough, with many saying this is a sign that more severe penalties may soon come about.
A French regulator fined Alphabet Inc.’s Google $169 million and Meta Platforms Inc.’s Facebook $67 million for making it too difficult for users to refuse cookies, which are used to monitor personal data.
According to France’s data-protection agency, the CNIL, Facebook and Google required multiple steps to reject cookies used to follow users’ data on YouTube, Facebook, and Google, pushing users to accept the technology since doing so took just one click. The regulator allowed the businesses three months to come up with a way to reject cookies that is as easy as accepting them.
The fines are the latest retaliation by European authorities against large digital firms. Meta’s WhatsApp messaging service was fined 225 million euros ($266 million at the time) by Ireland’s privacy watchdog in September for failing to tell users about how it manages their data. The French authority fined Google €50 million, or approximately $57 million at the time, in 2019 for failing to obtain the necessary permission from people for data collection used to target adverts.
“Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time,” a representative said, adding that Meta is reviewing CNIL’s decision and remains committed to working with regulators.
A Google official did not reply to a request for comment right away.
The European Union’s 2018 General Data Protection Regulation was used to impose some of the sanctions, including the penalty against WhatsApp.
The CNIL in France fined Google and Facebook for violating the ePrivacy legislation.
However, the French regulator fined Google and Facebook under an earlier EU rule known as the ePrivacy directive, which allowed the regulator to forgo negotiating with peers in other countries.
A regulator in one of the 27 EU nations may penalise any corporation that conducts business in its territory under the ePrivacy laws, which have been in place since 2002. Only corporations with their European headquarters in that nation may be fined under the GDPR.
If a GDPR issue impacts citizens in more than one EU country, the supervisory authority is required to provide a draft ruling to its counterparts in other countries. If other regulators object to the penalty, a dispute-resolution procedure will be initiated, giving them additional time to consider it.
Because Alphabet, Meta, and other digital firms have European headquarters in Ireland, the Irish data protection commissioner is in charge of them. Activists and other European privacy authorities have chastised the Irish watchdog for the length of its investigations.
The French regulator avoided the pitfalls of the GDPR’s power-sharing system by fining Google and Facebook under the ePrivacy statute, according to Rafi Azim-Khan, partner and head of the data-privacy practice at law firm Pillsbury Winthrop Shaw Pittman LLP’s London office.
In recent months, tensions among regulators have developed about how to implement the bloc’s privacy regulations. Some regulators and privacy experts have proposed reforms to the EU’s regulatory framework that would make it easier for national authorities to meddle in each other’s probes. The decision to punish WhatsApp was delayed for many months before the Irish regulator made it public in September, as officials from the 27 EU nations worked out a disagreement about the infraction.
In 2020, France’s CNIL fined Google €100 million and Amazon.com Inc. €35 million under the ePrivacy laws for gathering data from advertising trackers without requesting users’ permission and without clarifying how website cookies operated.
Mr. Azim-Khan believes that the recent sanctions against Google and Facebook should serve as a wake-up call to firms that employ cookies to monitor customers’ online browsing habits. According to him, many firms utilize cookies and pop-up banners that don’t seem to comply with regulators’ rigorous criteria or use ambiguous wording to describe how they gather data. Companies have been warned by European authorities for months that they would enforce regulations requiring them to acquire permission to use cookies.
The increased emphasis of regulators on how corporations obtain user information from website traffic may compel some organizations to reconsider how they utilize data. “If you’re moving into a position where it’s going to be more difficult to accomplish that,” he added, “that might have a rippling impact on the company.”
Catherine Stupp can be reached at [email protected]
Copyright 2022 Dow Jones & Company, Inc. All Rights Reserved.