France Fines Google, Facebook for Privacy Violations

The penalties are the latest salvo from European regulators against big tech companies. In September, Ireland’s privacy authority fined Meta’s WhatsApp chat service 225 million euros, equivalent to about $266 million at the time, for failing to inform users about how it handles their data. In 2019, the French regulator fined Google €50 million, or about $57 million at the time, for failing to obtain sufficient consent from individuals for collecting data used to target ads.

Meta is reviewing CNIL’s decision and remains committed to working with regulators, a representative said, adding, “Our cookie consent controls provide people with greater control over their data, including a new settings menu on Facebook and Instagram where people can revisit and manage their decisions at any time, and we continue to develop and improve these controls.”

A representative for Google didn’t immediately respond to a request for comment.

Some of the fines by European regulators, including the penalty against WhatsApp, were issued under the European Union’s 2018 General Data Protection Regulation.

But the French watchdog used an older EU law, known as the ePrivacy directive, to fine Google and Facebook, allowing the regulator to avoid negotiating with its counterparts in other countries.

Under the ePrivacy rules, in effect since 2002, a regulator in one of the 27 EU countries can fine any company that does business in its jurisdiction. Under the GDPR, a regulator can fine only companies that have their European headquarters in that country.

If a GDPR case affects people in more than one EU nation, the regulator overseeing it must submit a draft decision to their counterparts in other countries. If other regulators raise objections to the penalty, they can trigger a dispute-resolution process, giving them more time to deliberate.

The Irish data-protection commissioner oversees Alphabet, Meta and other tech giants because those companies’ European headquarters are in Ireland. The Irish watchdog has faced criticism from activists and other European privacy regulators for the length of its investigations.

By choosing to fine Google and Facebook under the ePrivacy law, the French regulator avoided the frustrations of the GDPR’s power-sharing system, said Rafi Azim-Khan, partner and head of the data-privacy practice in the London office of law firm Pillsbury Winthrop Shaw Pittman LLP.

Tensions among regulators over how to enforce the bloc’s privacy rules have grown in recent months. Some regulators and privacy experts have called for changes to the EU’s regulatory system that would allow national officials to more easily intervene in each others’ investigations. Before the Irish regulator publicly disclosed its fine against WhatsApp in September, the decision was held up for several months while officials from the 27 EU countries resolved a dispute about the violation.

France’s CNIL used the ePrivacy rules in 2020 to fine Google €100 million and Amazon.com Inc. €35 million for collecting data from advertising trackers without asking users’ consent and without explaining how website cookies worked.

The most recent fines against Google and Facebook are a wake-up call to businesses that use cookies to track users’ web-browsing activity, Mr. Azim-Khan said. Many companies have used cookies and pop-up banners that don’t appear to comply with regulators’ strict requirements or use unclear language explaining how they collect data, he said. European regulators have warned companies for months that they would enforce rules requiring they obtain consent to use cookies.

Regulators’ intensified focus on how companies collect user information from website traffic could force some businesses to re-evaluate how they use data. “If you’re going into a situation where it’s going to be more difficult to do that, that may have a ripple effect on the business,” he said.

Write to Catherine Stupp at [email protected]