In the wake of the collapse of the EU-US Privacy Shield Agreement, France’s privacy watchdog CNIL (Commission nationale de l’informatique et des libertés) announced last month that it was imposing a fine of 100 million Euros on Google’s parent company Alphabet, and 35 million Euros on Amazon for breaching rules regarding cookies used for online advertising tracking.

The French language sites of both companies failed to seek the prior consent of users before storing advertising cookies (small bits of data stored on a users device when browsing the web) on users devices.

Breach of Regulations

The EU in general has implemented far more stringent privacy requirements than the US, and it was at least in part the failure of US firms to follow the necessary requirements of the EU-US Privacy Shield (meant to provide inter-continental privacy compatibility) which led to the demise of the agreement.

As well as the lack of consent, the CNIL said that both companies failed to provide clear information on how these cookies were used, and how they could be refused by users. Both companies have argued that the fines were invalid due to both companies having European bases of operations, (Google in Ireland, and Amazon in Luxembourg, both countries with relaxed regulations for foreign / international tech firms, particularly in terms of tax), which the privacy body rejected.

They ruled that 60% of Google’s fine should be paid by its US “parent” entity, Google LLC, and the remaining 40% by Google Ireland Limited. Amazon’s fine was to be paid in its entirety by it’s Luxembourg-based operation.

A failure to comply within 3 months would result in additional fines of 100,000 Euros per day, until such time as the fine was paid.

Record Penalty

The 100 million Euro fine against Google is the biggest fine ever issued by the CNIL, the previous record of 50 million Euros also being levied against Google for breaching EU data privacy rules.

In a statement, Google stood by their “record of providing upfront information and clear controls, strong internal data governance, secure infrastructure, and above all, helpful products.” They suggested that the judgement overlooked these efforts, and did not account for the uncertain and constantly changing French rules.

Amazon responded by disagreeing with CNIL’s decision, saying that they “continuously update our privacy practices to ensure that we meet the evolving needs and expectations of customers and regulators and fully comply with all applicable laws in every country in which we operate.”

Some commentators have suggested in the past that the penalties for breaching these regulations are counted as part of the cost of doing business, and that it’s easier and more cost effective for huge tech firms to simply pay the fines.  It’s possible that this latest judgement however, may begin increasing that cost until it passes the point of “loss leadership” as it were. Time will tell.