France’s top administrative court has overruled the country’s data authority regarding “cookie walls”, stating that as an agency that only offers guidelines – so-called flexible laws – the authority cannot prohibit their use.
But the Council of State ruled last Friday that with its interpretation of the GDPR regarding consent, CNIL had gone beyond what is “legally possible” through the use of guidelines, which are an instrument of “flexible law”.
The French data authority said in a statement that it has “take[n] note of this decision and will adjust its guidelines and its future recommendations accordingly to comply with it”. The adjusted guidelines should come into effect after September 2020, CNIL said.
The ePrivacy Directive has always required consent for cookies as they are considered communications with a terminal – the device from which users view a website – but the GDPR’s updated definition of consent meant that it has become a more prominent issue since 2018.
Last Friday’s decision followed an appeal against the guidelines by a host of adtech and e-commerce bodies, which objected to the regulator’s strict stance. On 12 June an advisor to the Council of State said in a non-binding opinion that the country’s data watchdog was wrong to ban the use of cookie walls.
Claude Armingaud, a partner at K&L Gates in Paris, told GDR that the decision is a “victory for the claimants” – although the bulk of the authority’s cookie guidelines remain in force.
Armingaud said that while these professional bodies used “all the [tools] at their disposal” to reverse CNIL’s position, they are only at the beginning of their “stand-off with the data protection regulator”. Armingaud said it is unlikely that they will refrain from implementing cookie walls, and will likely wait for CNIL to investigate the sector and increase their lobbying efforts on the ePrivacy Regulation.
Armingaud said the European Data Protection Board’s (EDPB) updated guidelines on consent, published on 4 May, explain how cookie walls divorce consent from its “freely given” requirement. “The rationale behind the EDPB’s position bears not only an authoritative value, but it is also a question of principle as to what the data protection framework in Europe ought to be,” Armingaud said.
CNIL’s guidelines, which were published prior to the EDPB’s, came to the same conclusion, Armingaud said, but went a step further in its general prohibition of cookie walls. The Council of State’s decision “was not that cookie walls were legal or not, but only that the CNIL could not generally prohibit their use”, Armingaud said.
This is, therefore, a “very mitigated success for the professional associations”, Armingaud said – adding that the consequence of the ruling will, therefore, be “fairly limited”. And last month’s EDPB guidelines “serve as a strong warning which, while not binding, will orient the reflection of the EU member state regulators,” Armingaud said.
Armingaud said that in the absence of an adopted ePrivacy Directive, “more investigations, possibly more fines and definitely more litigation are to be expected”.
First published: Global Data Review, with Alex Pugh