Rb. Amsterdam - C/13/747646 / KG ZA 24-191
| Rb. Amsterdam - C/13/747646 / KG ZA 24-191 | |
|---|---|
 | |
| Court: | Rb. Amsterdam (Netherlands) |
| Jurisdiction: | Netherlands |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR |
| Decided: | 22.04.2024 |
| Published: | 01.07.2024 |
| Parties: | Criteo |
| National Case Number/Name: | C/13/747646 / KG ZA 24-191 |
| European Case Law Identifier: | ECLI:NL:RBAMS:2024:3095 |
| Appeal from: | |
| Appeal to: | |
| Original Language(s): | Dutch |
| Original Source: | Rechtspraak.nl (in Dutch) |
| Initial Contributor: | ec |
A court imposed a new penalty of €500 per day against Criteo until stops placing tracking cookies on the data subject’s devices. The court held that the fact that the controller can only comply with the prohibition by not placing tracking cookies at all, does not relieve the controller from its obligation to comply.
English Summary
Facts
The controller is Criteo SA, a worldwide operating technology company in media and entertainment that does consultancy, software and services in relation to digital marketing, media advertising and real time ads bidding. The controller places via third party websites tracking cookies on computers and mobile devices for targeted advertising. The controller uses the Real Time Bidding (RTB) System to recognise a user within seconds and to show personalised ads.
On 15 June 2023 the French DPA ("CNIL") fined the controller €40.000.000 for violating the GDPR.
On 8 August, the lawyer of the data subject wrote to the controller that they were placing tracking cookies via third party websites on the data subject’s devices without the data subject’s consent, violating Article 11.7a(1) Dutch telecommunications law (“Telecommunicatiewet – TW”) and Articles 5(1)(a), 6(1), 7, 13 and 14 GDPR.
The controller responded that it is the responsibility of the third party websites to obtain consent.
The data subject filed an urgency procedure (“kort geding”) at the Amsterdam District Court (“Rechtbank Amsterdam”) against the controller and the Dutch company Criteo B.V. The court prohibited the controller from placing tracking cookies on the devices of the data subject and imposed a penalty of €250 for every day (with a maximum of €25.000) they fail to comply with the decision.
The controller appealed this decision on 30 October 2023. The Court of Amsterdam (“Gerechtshof Amsterdam”) held that the Dutch company Criteo B.V. was not a controller. However, it did find that tracking cookies were placed and that the subject’s personal data was processed in violation with the GDPR. The court therefore prohibited the controller Criteo SA from placing tracking cookies and upheld the imposed penalty of the District Court after service of the judgement.
In January 2024, the controller voluntarily complied with the penalty of €25.000 before the judgement was handed down.
On 17 April 2024, the controller initiated proceedings on the merits at the Amsterdam District Court, because it disagreed with the judgement of the urgency procedure.
The controller argued that it did not place the cookies themselves, but that they were placed by third party websites. The controller argued that it did not have factual control or power over the way these websites design their websites and how they ask for consent. They can only contractually obligate these websites to obtain consent. If it appears these third party websites do not obtain consent, the controller can give a written warning. The controller also argued it is factually impossible to comply with the prohibition of the court as it cannot single out the devices of the data subject to stop placing tracking cookies.
As the unlawful processing continued, the data subject requested the court to impose a penalty of €1.500 per violation or €5.000 per day the controller continues to place tracking cookies. By complying with the maximum amount of the penalty, the data subject argued that it appears that the business model of the controller is that lucrative that the imposed penalty is an insufficient financial incentive to stop the unlawful processing. Also the fine of 40 million by the French DPA did not change the behaviour of the controller.
Holding
The court held that the current penalty expired as the controller already complied with the maximum penalty amount and because it does not withhold the controller from complying with the prohibition,
The court further held that it is the responsibility of the controller to check whether it complies with the prohibition. Although the controller made steps in the right direction by writing warnings and ending contracts with websites that did not comply, the prohibition is still not complied with.
By complying with the maximum penalty amount, the court held that the controller also knew it was not complying with the imposed prohibition. Therefore, the imposed penalty is an insufficient financial incentive to comply with the prohibition and there are sufficient arguments to impose a new higher penalty.
The court also dismissed the argument of the controller that it cannot prevent that tracking cookies are placed on the devices of the data subject and can only comply with the prohibition by not placing tracking cookies at all on any device. The court held that this argument cannot relieve the controller from its obligation to comply with the judgement.
Thus, the court imposed a penalty of €500 per day (with a maximum of €50.000) against the controller until it complies with the prohibition of placing tracking cookies.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
