France spanks Google $170M, Facebook $68M over cookie ...
文章推薦指數: 80 %
Notably, the CNIL is taking action against Facebook and Google under an ... (GDPR) and the ePrivacy Directive (ePD),” it added at the time. Chalkanotheroneupfordecentralizedenforcement:France’sdataprotectionwatchdoghasslappedheadline-grabbingfinesonFacebookandGoogleforfailingtorespectlocal(andpan-EU)cookieconsentrules. Today,theCNILsaidit’sfinedGoogle€150M(~$170M)andFacebook€60M(~$68M)forbreachingFrenchlaw,followinginvestigationsofhowtheypresenttrackingchoicestousersofgoogle.fr,youtube.comandfacebook.com. Theregulatorsaiditwasactingafterreceivinganumberofcomplaints. InaclearbreachofEUandFrenchlaw,itfoundthepairdonotofferanoptionforuserstorejectnon-essentialcookiesaseasilyastheoptiontheyofferforthemtoacceptalltracking. So,inshort,thetechgiantswereusingmanipulativedarkpatternstotrytoforceconsent. Here’sanillustrativesnippetfromtheCNIL’spressrelease: ”…theinformationgivenbythecompanyisnotclearsince,inordertorefusethedepositofcookies,Internetusersmustclickonabuttonentitled“Acceptcookies”,displayedinthesecondwindow.Itconsideredthatsuchatitlenecessarilygeneratesconfusionandthattheusermayhavethefeelingthatitisnotpossibletorefusethedepositofcookiesandthattheyhavenowaytomanageit. Therestrictedcommitteejudgedthatthemethodsofcollectingconsentproposedtousers,aswellasthelackofclarityofinformationprovidedtothem,constituteviolationsofArticle82oftheFrenchDataProtectionAct.” UnderEUlaw,ifconsentisthelegalbasisbeingclaimedforprocessingpeople’sdatatherearestrictstandardsthatmustbeadheredto—consentmustbeinformed,specificandfreelygiveninorderforittobeobtainedlegally. LongrunningcomplaintsagainstFacebookandGoogleoversimilarlyproblematicconsentissuescontinuetolanguishonthedeskoftheIrishDataProtectionCommission(DPC),meanwhile—whichundertheEU’sGeneralDataProtectionRegulation(GDPR)’sone-stop-shop(OSS)mechanismisaquasicentralizedenforcerformostofbigtech. TheDPChasbeenaccusedofdraggingitsfeetonGDPRoversightoftechgiantsandcreatingabottleneckforeffectiveenforcementoftheregulation,astheOSSencouragesforumshopping—andIreland’slowcorporatetaxeconomyappearsonlytoohappytoobligeclientcorporateswithlowresolutionregulatoryoversighttoo. Notably,theCNIListakingactionagainstFacebookandGoogleunderanearlierpieceofEUlegislation—theePrivacyDirective—whichgivescompetencetonationalagenciesintheirownterritories.SotheFrenchcontinuetofindcreativewaystoapplyGDPRdataprotectionstandardsnationally,despitetheOSSandIrishGDPRblockage. There’saparticularironyhere,inthatGoogleandFacebookinvolvedthemselvesinregionallobbyingeffortstodelayaplannedupdatetotheePrivacyDirective—whichwouldhavereplaceditwitharegulation,aswe’vereportedbefore. DiggingintoGoogle’spushtofreezeePrivacy TheePrivacyRegulationstillhasn’tbeenadopted—despitebeingproposedbackin2017!WhichcreatesinconsistenciesbetweenEUlaw.ButdoesalsoleavesMemberState-levelregulatorssuchasCNILfreetoenforceePrivacyruleswithintheirownjurisdictions,retainingdecentralizedpowertosanctionbigtechonitshometurfundertheePrivacyDirective.So,er,oopsy!That’sturnedintoafairlyexpensivemistakeforFacebookandGoogleinFranceatleast. France’sregulatorhasbeenespeciallybusyonthisfront—finingGoogle€100MbackinDecember2020fordroppingtrackingcookieswithoutconsent.AtthesametimeitalsostungAmazon€35Moverthesameissue. Earlier,theCNILevenmanagedtogetanearlyGDPRfineinagainstGoogle—allthewaybackin2019—beforethecompanyrealizeditslegalexposureandswitchedthelegalentityhandlingEUusers’datafromtheUStoIrelandsothatitsregionalbusinesswouldfallundertheDPC’s‘lessmuscular’oversight. Todate,GooglehasnotfacedasinglesanctionunderGDPRoutofIreland—despiteanumberofverysubstantialandverylongrunningcomplaintsfiledagainstit,includingoverforcedconsent;itshandlingoflocationdata;anditsadtech. ComplaintsarenotonlycontinuingtostackupagainsttechgiantsoversystemicbreachesofEUdataprotectionlawandagainsttheDPCforitsembarrassinglythinrecordonenforcement—andevenforallegedcorruption,inamorerecentchargeagainstIreland—butalsoagainsttheEuropeanCommissionitselfwhichstandsaccusedoffailinginitsdutytomonitorGDPRenforcementataMemberStatelevel. MyreplytoDidierReynders,EuropeanJusticeCommissioner,on14Decemberisnowpublic.TheCommissionmustacttoupholddataprotectionlaw.HisrecentlettertoMEPs,coveredby@vmanancourt,isperplexing.https://t.co/kt2nkfV8Se —JohnnyRyan(@johnnyryan)January5,2022 TheCommissiondidinterveneverballylatelastyear—withadirectwarningtodataprotectionagenciesthatGPDRenforcementmustbecome“effective”fastorelseitsuggestedDPAswouldfacehavingsuchpowertakenoutoftheirhands—infavorofcentralizedenforcementbytheEUexecutive. Atthesametime,GoogleandFacebookwerealsoblastedbytheCommissionwhichaccusedadtechgiantsofchoosinglegaltricksovergenuinecompliancewiththebloc’sprivacystandards,withcommissionerVeraJourováwarning:“Itishightimeforthosecompaniestotakeprotectionofpersonaldataseriously.Iwanttoseefullcompliance,notlegaltricks.It’stimenottohidebehindsmallprint,buttacklethechallengesheadon.” Butdespitefiringafewpot-shots,theCommissionappearsreluctanttoactuallystepinandsanctionIreland,though.Soit’sbeenlefttoMemberStateslikeFrancetomakethepointinanotherway—i.e.byhavingitsagenciesillustratethatenforcementisnotonlypossiblebuthappening. (Seealso:France’scompetitionwatchdogtakingtoughactionagainstGoogle,forexample.) Googlefined$592MinFranceforbreachingantitrustordertonegotiatecopyrightfeesfornewssnippets Inadditiontotoday’sheadline-grabbingfines,theCNILhasorderedFacebookandGoogletochangehowtheypresentcookiechoicestousersinFrance—givingthepairthreemonthstoprovidelocaluserswithameansofrefusingcookiesthat’sassimpleastheexistingmeansofacceptingthem—“inordertoguaranteetheirfreedomofconsent”. Failuretocomplywiththeorderwillmeanthecompaniesfacefurtherpenalties—of€100,000perdayofdelay. TheCNILhasbeenfocusingitsoversightoncookieconsentsforsometime. TheregulatorsetadeadlineofMarch31,2021forwebsitestocomplywithupdatedcookieguidancewhichitpublishedbackinOctober2020.And,sincetheendofMarch,saysithasadoptednearly100“correctivemeasures”(aka,ordersandsanctions)relatedtonon-compliancewiththelegislationoncookies. Irelandalsopublishedupdatedcookieguidance,backinApril2020—whenitsaiditwouldgivewebsitesanddatacontrollerssixmonthstocomeintocompliancebeforetakinganyenforcementaction. HowevertheDPChasonceagainshownitselftobeallmouthandnotrousers:Failingtoissueanypublicsanctionsinrelationtocookieconsentviolationsagainstcommercialentities(andcertainlynothingagainstFacebookorGoogleonthisfront). ADPCdecisionagainstFacebook-ownedWhatsAppthatwasissuedlatelastyearfocusedontransparencybreaches. ThesizeofthateventualpenaltyforWhatsApp—$267M—wasalsosubstantiallyinflatedafterinterventionsbyotherEUDPAsandtheEuropeanDataProtectionBoard;Ireland’sdraftdecisionhadonlysuggestedafineofupto€50M.Facebook,meanwhile,isseekingtoevadethesanctionbyappealingagainstit.) ReachedforcommentontheCNIL’sspankfor disingenuouscookieconsents,aMeta/Facebookspokespersonsaid: “Wearereviewingtheauthority’sdecisionandremaincommittedtoworkingwithrelevantauthorities.Ourcookieconsentcontrolsprovidepeoplewithgreatercontrolovertheirdata,includinganewsettingsmenuonFacebookandInstagramwherepeoplecanrevisitandmanagetheirdecisionsatanytime,andwecontinuetodevelopandimprovethesecontrols.” Thetechgiantalsopointedtoanannouncement itmadeinSeptemberlastyearaboutanupdatetoitslocal“cookiecontrols”—whenitsaiditwouldbegivingpeopleinEurope“amoregranularlevelofcontrolovertheircookiechoicesandmoreinformationonwhatweusedifferentkindsofcookiesfor,includingwhatinformationwereceivefromotherappsandwebsites”. “Thisworkispartofourongoingeffortstogivepeoplegreatercontrolovertheirprivacyandalignwithevolvingprivacyrequirements,suchastheGeneralDataProtectionRegulations(GDPR)andtheePrivacyDirective(ePD),”itaddedatthetime. WhateverthespecificfiddlesFacebookmadebackthenthechangesdon’tseemtohaveimpressedtheFrench. AtthetimeofwritingGooglehadnotrespondedtoarequestforcommentonCNIL’ssanctionbutwe’llupdatethisreportifwegetone. Update: AGooglespokespersonsaid: “Peopletrustustorespecttheirrighttoprivacyandkeepthemsafe.Weunderstandourresponsibilitytoprotectthattrustandarecommittingtofurtherchangesandactiveworkwiththe CNIL inlightofthisdecisionundertheePrivacyDirective.” Europe’scookieconsentreckoningiscoming EUwarnsadtechgiantsover‘legaltricks’asitmootschangestocentralizeprivacyoversight Facebook’sleadEUprivacysupervisorhitwithcorruptioncomplaint
延伸文章資訊
- 1Updating Our Cookie Controls in Europe - Meta - Facebook
... Protection Regulations (GDPR) and the ePrivacy Directive (ePD). ... we've also created a new ...
- 2facebook share, like, comment disappeared again
Facebook Comments still works OK for all other regions. e.g. India, Asia, North America, South Am...
- 3主頁| 環境保護署
FacebookTwitterWeiboE-mail. 收緊建築漆料揮發性有機化合物含量限值. 為進一步減少揮發性有機化合物排放,政府將收緊受規管建築漆料的揮發性有機化合物含量限值。
- 4Facebook tweaks cookie consent controls in Europe to comply ...
The company has also created a new settings menu on FB and Instagram, ... (GDPR) and the ePrivacy...
- 5Facebook under pressure to resume scanning messages for ...
“We're committed to complying with the European commission's e-privacy directive (ePD) in the EU,...