The fine is because they failed to allow French users to easily reject cookie tracking technology.
Google and Facebook parent company Meta Platforms are facing another big fine after France’s data watchdog found them guilty of violating European Union privacy rules. According to a report in POLITICO, the CNIL will fine Google’s United States and Irish operations €90 million and €60 million respectively.
They will also fine Facebook’s Irish arm €60 million for failing to allow French users to easily reject cookie tracking technology.
Google and Facebook also face a daily penalty of €100,000 if they do not fix their practices within three months of the CNIL issuing the decision, which applies to the Google-owned google.fr and youtube.fr websites, as well as Facebook’s French platform.
“We are reviewing the authority’s decision and remain committed to working with relevant authorities,” a spokesperson for Facebook’s holding company Meta said.
“People trust us to respect their right to privacy and keep them safe. We understand our responsibility to protect that trust and are committing to further changes and active work with the CNIL in light of this decision under the ePrivacy Directive,” a Google spokesperson said.
Europe looks to Ireland, while Ireland looks the other way
Under the GDPR, only the privacy agency in the country where a company is established in the EU can take direct enforcement action against that company. For Facebook and Google, that would be the Irish Data Protection Commission (DPC), since both are legally based in Dublin.
But the French regulator is able to act directly against the U.S. multinationals this time since the violations fall under the e-Privacy Directive, which governs the privacy of communications rather than the GDPR.
The latest enforcement action is a warning shot at the Irish DPC, which has faced intense criticism for its handling of investigations into Big Tech.
Indeed, the Irish data regulator has been angering its European colleagues, for some time. They say the DPC is “too easy” on the U.S. tech giants based in Ireland.
In December, European regulators shot down Ireland’s attempt to push for social media-friendly privacy guidelines. In fact, the Norwegian data protection regulator has said that the Irish interpretation of data protection law would render the GDPR “pointless”.