Cookies and internet user targeting: current situation
Legal Watch No. 86 – August 2025.
On September 1st, the CNIL imposed a fine of 325 million euros on Google and 150 million euros on the Irish subsidiary of the Shein group, two amounts which will significantly raise the average of the sanctions decided by the CNIL in recent months.
Google was sanctioned for displaying advertisements inserted between Gmail users' emails and for placing cookies when creating Google accounts, without the valid consent of French users.
The CNIL also requires Google to remove this display of advertisements within six months and to obtain valid consent from users for the placement of advertising cookies when creating a Google account, under penalty of a fine of 100,000 euros per day.
The fine imposed on Shein also relates to non-compliance with the rules applicable to cookies, placed here on the devices of users visiting the website "shein.com".
These significant fines follow the various measures that the Commission has taken to regulate the tracking and targeting of internet users, measures it published on its website in 2019.
The CNIL had already fined Google 150 million euros in December 2021 for violating cookie regulations and 50 million euros for the lack of transparency and clarity of its privacy policy and the lack of a legal basis for personalized advertising.
It also recently sanctioned the company Orange for similar practices of sending advertisements in the form of emails.
These decisions give us the opportunity to review internet user targeting practices and the legal framework.
The rules applicable to these situations are specific: the Commission recalls that operations involving the use of trackers and electronic prospecting fall not under the GDPR but under other rules, namely the "ePrivacy" directive, transposed into article 82 of the Data Protection Act for trackers, and article L. 34-5 of the CPCE for commercial prospecting by electronic means.
Practices considered non-compliant mainly concern the placement of trackers without the user's consent, but also the growing practice of using "cookie walls" which condition the user's access to a service on their acceptance of the placement of trackers on their terminal.
The CNIL does not consider this practice to be illegal in itself, unlike some of its European counterparts.
However, it emphasizes that consent must be freely given and that the alternatives offered to the user must be presented in a balanced way, without steering them towards one option rather than another (for example, by making one choice more complex than the other).
It is also necessary that consent be informed, meaning that people have a full and clear understanding of the consequences of their choices.
These CNIL decisions are also the culmination of complaints filed by the NGO noyb more than two years ago with numerous data protection authorities (DPAs) in Europe, mainly concerning cookie walls ("pay or okay") and the issue of transparency in data collection.
Thus, in mid-August, the Austrian Federal Administrative Court followed the opinion of the Austrian Data Protection Authority and considered that the existence of several purposes for the placement of cookies requires separate consent.
According to the court, grouping different processing purposes would infringe on freedom of decision and render consent invalid.
"This granularity is closely linked to the requirement that consent must be given for a specific purpose," states the explanatory memorandum of the judgment.
These recent developments confirm the position of the supervisory authorities that the legal framework, and in particular the ePrivacy Directive, applies strictly to consent, especially for non-essential cookies.
The authorities no longer tolerate “default” consents or vague information interfaces.
Questioned by the Senate this summer, Anton Carniaux, director of public and legal affairs at Microsoft France, admitted that he could not "guarantee" that the data of French citizens hosted in Europe would never be transmitted to the American government under the Cloud Act, even though "this has never happened".
In this context of dependence on American giants, the Danish government has announced the official launch of an initiative to assess the integration of open-source solutions within its public services.
On September 9, the DGE and the DGCCRF published the draft designation of the national authorities in charge of implementing the European regulation on AI.
The document includes a diagram showing the – numerous – competent authorities according to the relevant articles of the regulation and the purposes of the AI processing.
Thanks to the work of the deputy head of the DINUM legal mission, it is now possible to consult the map of CNIL controls by year and sector of activity.
The mapping focuses on these controls and does not include all the actions of the CNIL such as awareness-raising on the ground, formal notices, sanctions, etc.
It is based on the data that the CNIL publishes on data.gouv.
European institutions and bodies
European news is busy at this time of year, due to the activity of the institutions and in particular the Court of Justice of the European Union (CJEU).
The proposal for a regulation on the control of communications (“Chat control”), aimed at preventing and combating sexual abuse committed against children, is once again on the agenda of the European Council of 12 September 2025 under the Danish Presidency.
The revised proposal provides for the possibility of scanning communications on the user's terminal before they are sent and constitutes, in the eyes of many scientists and civil society, a step backwards compared to the text of the Polish presidency.
A new open letter (the fourth on this subject) signed by more than 600 scientists from 34 countries was published on September 8.
It emphasizes the inefficiency and risks of this proposal in terms of encryption and mentions possible alternatives.
On September 4, the European Commission launched the process to adopt a data protection adequacy decision with Brazil.
Once adopted, this decision will be the first adequacy decision for Latin America since those concerning Argentina on June 3, 2003 and Uruguay on August 21, 2012.
Brazilian authorities have also initiated a process aimed at adopting an equivalent decision to allow the free flow of Brazilian data to the EU.
The next steps will involve submitting the draft decision for review to the European Data Protection Board (EDPB) and to the Council of Ministers representing the EU Member States.
The European Parliament will also examine the proposal.
On September 5, the European Commission announced a fine of 2.95 billion euros on Google for breaching EU antitrust rules by distorting competition in the advertising technology sector ("adtech").
Google allegedly favored its own online advertising technology services at the expense of competing advertising technology service providers, advertisers, and online publishers.
The Commission ordered Google to end these self-preference practices and implement measures to eliminate the conflicts of interest inherent in its adtech supply chain.
Google now has 60 days to inform the Commission how it intends to proceed.
This sanction prompted an immediate reaction from the United States, with Donald Trump indicating his intention to take retaliatory measures against the EU.
On September 3, in its decision T-553/23 | Latombe v Commission, the General Court of the European Union (EU court) rejected the action brought by French MP Philippe Latombe seeking to annul the third version of the agreement on data transfers between the EU and the United States, the Data Protection Framework (DPF), considering that the United States "guaranteed an adequate level of protection of personal data".
The applicant emphasized in particular that the American appeals body, the "Data Protection Review Court" (DPRC), is not impartial and depends on the executive branch.
He also pointed to the practice of intelligence services collecting mass amounts of personal data transiting from the European Union, without the prior authorization of a judge or an independent administrative authority, and therefore without sufficiently clear and precise guidelines.
The Court rejected the application for annulment.
It stressed that the DPRC's operation is subject to a series of safeguards, that the European Commission monitors the application of the DPF, and considered it sufficient that intelligence activities carried out by American agencies are subject to ex post judicial review by the DPRC.
The General Court's decision can be appealed to the CJEU, and Philippe Latombe has already expressed his intention to bring such an appeal.
On September 4, in an important ruling (Case C-413/23 P | EDPS v SRB), the CJEU overturned a decision of the EU court relating to the concept of personal data.
It ruled on the appeal brought by the European Data Protection Supervisor (EDPS) against the EU court's judgment annulling the EDPS's 2020 decision.
In that decision, the EDPS had concluded that the Single Resolution Board (SRB) had breached the data protection regulation applicable to EU institutions (the equivalent of the GDPR) by communicating to an accounting firm the comments of creditors and shareholders on the resolution proceedings of a Spanish bank.
The CJEU considers that individuals' personal opinions constitute personal information and that the EU court should have treated them as such.
It also holds that the risk of re-identification related to the processing and transfer of personal data must be assessed on a case-by-case basis at the time of collection, and that the EU court erred in annulling the initial decision of the EDPS, in part because it had not determined whether the content of the pseudonymized comments actually contained personal information.
However, the CJEU sided with the SRB on the question of the conditions under which pseudonymized data can also be considered personal data, writing in its decision that "Pseudonymized data should not be considered as constituting, in all cases and for each person, personal data for the purposes of the application (of the GDPR) insofar as pseudonymization can, depending on the circumstances of the case, effectively prevent persons other than the controller from identifying the data subject in such a way that, for them, the data subject is not or is no longer identifiable."
In another judgment also dated September 4 (Case C-655/23, IP v Quirin Privatbank AG), the CJEU ruled on the existence of a right to a preventive injunction requiring the controller to refrain from processing, and on the extent of non-material damage.
The Court considers that the GDPR does not offer a preventive judicial remedy against future unlawful processing, but that Member States may provide for this.
It also clarified that feelings such as humiliation or worry can be sufficient to establish non-material damage, provided that proof is given.
It added that the seriousness of the data controller's fault or the obtaining of an injunction should not influence the amount of compensation, which remains exclusively compensatory.
News from the member countries of the European Union
In Germany, the Federal Labour Court ruled that an employer had unlawfully processed an employee's health data by monitoring him to check whether he was faking his inability to work.
It also awarded the employee €1,500 in non-material damages.
The Belgian Data Protection Authority (APD) has reprimanded a politician who collected someone's email address from a public source and sent them political messages, in violation of the GDPR's principles of lawfulness, purpose limitation and transparency.
In Spain, Loro Parque, a company managing a zoo and a water park, was fined €250,000 by the Spanish data protection authority (AEPD) for collecting fingerprints without prior information or consent: the people concerned were required to provide their fingerprints if they held promotional tickets giving them access to both parks with a single ticket.
In addition, the AEPD fined the Spanish Chamber of Commerce 500,000 euros for transferring the tax identification numbers of self-employed workers to private companies without a legal basis.
In Italy, the data protection authority (Garante) fined an automotive company €50,000.
The company had organised "return to work" interviews with its employees after their absences, resulting in an excessive collection of data, including sensitive data.
The Garante also found a violation of the principles of transparency and of the validity of employee consent.
The Lithuanian Data Protection Authority (DPA) has ordered Vinted to stop collecting its customers' phone numbers for account verification purposes.
It first considered that the reasons invoked by Vinted, namely the verification of user accounts and the guarantee of the platform's security, did not constitute an essential aspect of the contract between the data controller and the data subject.
It also noted that the terms of use mentioned other possible means of verifying a user's identity, and that the processing of personal data therefore did not meet the necessity criterion set out in Article 6(1)(b) of the GDPR.
The Supreme Administrative Court of the Netherlands ruled that a mental health care facility was not required to comply with a request to erase data.
Data retention was necessary under the medical treatment contract and for the management of the facility's services.
In Poland, ING Bank Śląski was fined €4,300,000 for scanning identity documents without a legitimate reason or risk assessment.
The Polish data protection authority (UODO) found that the bank had processed sensitive data, including PESEL numbers and document details, unnecessarily, thereby breaching the risk-based approach required by anti-money laundering regulations.
China is strengthening its rules around data transfers abroad.
Dior's Shanghai branch is accused by Chinese public security authorities of illegally transferring customer data to the headquarters in France, without complying with mandatory security assessment, user notification and encryption rules.
The branch was subject to an administrative sanction.
In the United States, 44 attorneys general sent a letter to 13 AI companies, including OpenAI, CharacterAI, Replika and Meta, informing them that they would be held responsible if they caused harm to children.
The letter highlights recent revelations regarding Meta's technical guidelines for Meta AI and the chatbots of Facebook, WhatsApp, and Instagram.
This document, approved by the company's legal, political and technical teams, authorized chatbots to invite children to have romantic or seductive exchanges with the chatbot, including comments on the children's appearance as well as role-playing scenarios.
Microsoft's "Tech Community" blog announced at the end of August that the latest update of MS Word for Windows automatically saves users' Word files to its cloud (OneDrive) by default.
Microsoft presents this update as an improvement in security, access, teamwork, and the use of AI.
While it is possible to modify these settings in Word's preferences, the default uploading of documents to an American cloud raises questions related to the GDPR, concerning data confidentiality and the issue of the accessibility of this data by US public authorities.
The "Halo" smart glasses are raising concerns among AI experts.
L. Jarovsky reports that these new glasses are always on, record everything and have no indicator to warn people that they are being recorded.
In an interview with TechCrunch, the founders of Halo reportedly disclaimed responsibility, stating that in US states where it is illegal to secretly record conversations without the other person's consent, it is up to the user to obtain that consent before using the glasses.