Over the past month, two significant decisions were issued by the French and Austrian data protection authorities ('DPAs') respectively. Although based on different aspects of data protection law, both decisions are particularly relevant to providers of online services across the European Union ('EU') and undoubtedly merit their attention.

French Data Protection Authority ('CNIL') – Cookies consent management

The CNIL has imposed fines totalling €210 million on Google and Facebook respectively, for breaching Article 82 of the French Data Protection Act transposing the provisions of the Privacy and Electronic Communications Directive ('ePrivacy Directive') relating to the use of cookies.

Following a number of complaints, the French regulator determined that the sites google.fr, youtube.com, and facebook.com do not provide users with an option to refuse cookies which is as simple as to accept them, that being through a one-click solution. In light of this, the CNIL considered that users would most likely accept all cookies out of mere convenience, rather than based on their free choice. This constitutes a violation of the freedom of consent.

Together with the fines, the CNIL issued an order on both Google and Facebook to rectify this breach within three months of being notified of the decision, under penalty of €100,000 per day of delay.

This decision should certainly serve as a wake-up call to all providers of online services who overlook the strict requirements for a valid consent under data protection law, especially with respect to their use of cookies.

It is key to understand that although cookies are primarily regulated by the ePrivacy Directive, the elements which constitute a valid consent are in fact those established under the General Data Protection Regulation ('GDPR'). Accordingly, when seeking to obtain cookie consent, those providing online services (including anyone operating a website) should ensure that consent is freely given, specific, unambiguous, informed, and withdrawable.

Austrian Data Protection Authority ('DSB') – Data transfers to the United States ('US')

In its ruling, the DSB affirmed that the use of Google Analytics by an Austrian website operator resulted in an unlawful transfer of user personal data from the European Union ('EU') to Google LLC in the US.

The Austrian regulator determined that as a US electronic communication service provider, Google LLC is subject to US surveillance laws which may lead to the disclosure of EU data subjects' personal data to US intelligence services. In this context, the safeguards put in place between the parties to the data transfer were deemed to be insufficient as they could not prevent such disclosure to US intelligence services. Accordingly, the transfer of data was deemed to be in breach of Chapter V of the GDPR.

This decision was triggered by one of 101 complaints filed by the non-governmental organisation 'NOYB' across different EU DPAs, regarding data transfers made by EU-based companies to Google LLC and Facebook Inc. in the US. These complaints were filed in the wake of the CJEU 'Schrems II Ruling' (CJEU - C-311/18) which invalidated the Privacy Shield that was in place between the EU and the US.

Following the Schrems II Ruling, it was widely understood that the standard contractual clauses issued by the European Commission should provide an appropriate level of protection to personal data that is transferred to the US. However, this decision by the DSB suggests that this is not necessarily the case, especially in relation to US surveillance laws.

This decision could have considerable and far-reaching implications. EU-based companies making use of Google Analytics (or any other US companies subject to the same surveillance laws) may need to re-assess whether the manner in which they use this tool is lawful.

Furthermore, this ruling may prompt US companies to consider other avenues through which to target the European market. At this stage, it will certainly be interesting to follow the outcome of the other 100 complaints filed by 'NOYB' across various EU member states.

Enforcement trends

Both the above-mentioned decisions relate to the operations of some of the largest tech companies in the world, which have already been subject to various enforcement measures over the past few years. While it is understandable that DPAs are primarily focused on these tech giants, many question whether the operations of smaller businesses are being scrutinised.

It is unlikely that national DPAs will ever have enough resources to proactively monitor all EU online businesses. Nevertheless, there is an increasing number of DPA decisions, as well as a surge of fines issued across the EU, reportedly exceeding a total of €1 billion in 2021 alone. Underestimating the possibility of a DPA investigation, whether in response to a customer complaint or otherwise would be short-sighted.

Apart from the notable efforts on the part of DPAs to strengthen their resources and enhance cross-border cooperation, increased enforcement may partly be a result of the general public's higher awareness of their data privacy rights, leading to more official complaints filed with DPAs, thereby triggering more investigations. DPAs are not as timid as they have sometimes been perceived to be in the past. They are clearly now far more willing to exercise their extensive discretionary powers when issuing fines under the GDPR, which fines may amount up to €20 million or 4% of a company's total annual worldwide turnover, whichever is higher.

In this context, it would be sensible even for operators of smaller online businesses to assess their current practices and learn from the shortcomings of the bigger industry players which are presently making headlines.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.