BVwG - W252 2282050-1/12E: Difference between revisions

From GDPRhub
m (Added links)
mNo edit summary
 
(4 intermediate revisions by 2 users not shown)
Line 62: Line 62:
}}
}}


A court rejected a controller’s appeal disputing the fact that a cookie banner must show equal design for the accept and reject buttons.
A court held that a cookie banner that nudges users to accept cookies by using a more prominent "Accept" option violates the transparency principle and is insufficient to obtain users’ consent.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On the 09 August 2022, the data subject filed a complaint with the Austrian DPA (''[[DSB (Austria)|Datenschutzbehörde – DSB]]'') alleging that the controller unlawfully processed their personal data without the data subjects consent. Due to the use of dark patterns by the controller, the data subject alleged that the controller had violated the principle of transparency and that the withdrawal of consent was not as easy as its issuance and requested the erasure of their personal data.  
On the 09 August 2022, a data subject, represented by noyb, filed a complaint with the Austrian DPA (''[[DSB (Austria)|Datenschutzbehörde – DSB]]'') alleging that the controller unlawfully processed their personal data without the data subjects valid consent. The data subject alleged that, due to the use of dark patterns by the controller, the principle of transparency was violated and that the withdrawal of consent was not as easy as its issuance. Therefore, the data subject requested the erasure of their personal data.  


The option to reject cookies was a link, which was only identifiable as a link when hovering over it with the mouse.  The accept button was strongly highlighted by being placed in the middle of the banner and in a colour with strong contrast to the background.  
The option to reject cookies was a link, which was only identifiable as a link when hovering over it with the mouse.  The accept button on the other hand was strongly highlighted by being placed in the middle of the banner and in a colour with strong contrast to the background.  


On the 22 September 2023, the DSB issued a decision on the following three points:   
On the 22 September 2023, the DSB issued a decision on the following three points:   


Point 1: The data subject’s right to erasure had been violated under [[Article 17 GDPR]].  
<u>Point 1:</u> The data subject’s right to erasure had been violated under [[Article 17 GDPR]].  


Point 2: The data subject’s right to privacy had <u>not</u> been violated.   
Point 2: The data subject’s right to privacy had <u>not</u> been violated under [https://www.ris.bka.gv.at/GeltendeFassung.wxe?Abfrage=Bundesnormen&Gesetzesnummer=10001597&FassungVom=04-11-2022 §1(1) of the Austrian Data Protection Act] (''Datenschutzgesetz - DSG'').   


Point 3.a: The DSB ordered the controller to alter its cookie banner to make the “reject all cookies” appear in equal format to the “accept all cookies” option.   
<u>Point 3.a:</u> The DSB ordered the controller to alter its cookie banner to make the “reject all cookies” appear in equal format to the “accept all cookies” option.   


Appeal point 3.b: The controller must implement a function, which makes the revocation of consent just as simple as its declaration.  
<u>Point 3.b:</u> The controller must implement a function, which makes the revocation of consent just as simple as its declaration.  


The controller appealed points 1, 3a and 3b of the decision to the Austrian Federal Administrative Court (''[[:Category:BVwG (Austria)|Bundesverwaltungsgericht – BVwG]]''). The controller posited that the GDPR does not require the “accept” and “reject” buttons to be displayed in an equal format. Further, it added that the revocation of consent was available through a footer link on the website which lead to the cookie settings.
The controller appealed points 1, 3a and 3b of the decision to the Austrian Federal Administrative Court (''[[:Category:BVwG (Austria)|Bundesverwaltungsgericht – BVwG]]''). The controller posited that the GDPR does not require the “accept” and “reject” buttons to be displayed in an equal format. Further, it added that the revocation of consent was available through a footer link on the website which lead to the cookie settings.
Line 86: Line 86:
The court rejected the controller’s appeal.  
The court rejected the controller’s appeal.  


Point 1:  
<u>Point 1:</u>


The data of the data subject, at the latest, had to be deleted when the complaint was filed as it clearly showed a revocation of consent to the data processing under [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]].  
The data of the data subject, at the latest, had to be deleted when the complaint was filed as it clearly showed a revocation of consent to the data processing under [[Article 17 GDPR#1b|Article 17(1)(b) GDPR]].  


Point 3.a:  
<u>Point 3.a:</u>
 
The court acknowledged that the cookie banner impairs users because of its size and they would quickly click on the highlighted accept option. In particular, they will not have understood the implications of the data processing.
 
Furthermore, consent is not unambiguous as users are clearly nudged by the design. This is also contrary to the principle of transparency, as it points users towards the more invasive data processing option.
 
In addition, the cookie banner creates a situation "where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected" (Recital 58 GDPR).


The court acknowledged that the cookie banner impairs users because of its size and they would quickly click on the highlighted accept option. In particular, they will not have understood the implications of the data processing.
Furthermore, consent is not unambiguous as users are clearly nudged by the design. This is also contrary to the principle of transparency, as it points users towards the more invasive data processing option.
In addition, the cookie banner creates a situation "where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected" (Recital 58 GDPR).
The court concluded that the controller could not prove that the data subject gave unambiguous consent as per [[Article 7 GDPR]].  
The court concluded that the controller could not prove that the data subject gave unambiguous consent as per [[Article 7 GDPR]].  


Point 3b:  
<u>Point 3b:</u>
 
The court highlighted that under [[Article 7 GDPR#3|Article 7(3) GDPR]], withdrawing consent should be as easy as giving consent meaning that the action required to revoke consent must be just as simple as the action for agreeing to the data processing. 


The court highlighted that under [[Article 7 GDPR#3|Article 7(3) GDPR]], withdrawing consent should be as easy as giving consent meaning that the action required to revoke consent must be just as simple as the action for agreeing to the data processing.
The court agreed with the DSB stating that it is not clear where exactly consent can be withdrawn based on the information provided in the cookie banner.  
The court agreed with the DSB stating that it is not clear where exactly consent can be withdrawn based on the information provided in the cookie banner.  



Latest revision as of 15:05, 4 December 2024

BVwG - W252 2282050-1/12E
Courts logo1.png
Court: BVwG (Austria)
Jurisdiction: Austria
Relevant Law: Article 7 GDPR
Article 17 GDPR
Decided: 25.11.2024
Published:
Parties:
National Case Number/Name: W252 2282050-1/12E
European Case Law Identifier:
Appeal from: DSB (AT)
Appeal to:
Original Language(s): German
Original Source: GDPRhub (in German)
Initial Contributor: ao

A court held that a cookie banner that nudges users to accept cookies by using a more prominent "Accept" option violates the transparency principle and is insufficient to obtain users’ consent.

English Summary

Facts

On the 09 August 2022, a data subject, represented by noyb, filed a complaint with the Austrian DPA (Datenschutzbehörde – DSB) alleging that the controller unlawfully processed their personal data without the data subjects valid consent. The data subject alleged that, due to the use of dark patterns by the controller, the principle of transparency was violated and that the withdrawal of consent was not as easy as its issuance. Therefore, the data subject requested the erasure of their personal data.

The option to reject cookies was a link, which was only identifiable as a link when hovering over it with the mouse. The accept button on the other hand was strongly highlighted by being placed in the middle of the banner and in a colour with strong contrast to the background.

On the 22 September 2023, the DSB issued a decision on the following three points:

Point 1: The data subject’s right to erasure had been violated under Article 17 GDPR.

Point 2: The data subject’s right to privacy had not been violated under §1(1) of the Austrian Data Protection Act (Datenschutzgesetz - DSG).

Point 3.a: The DSB ordered the controller to alter its cookie banner to make the “reject all cookies” appear in equal format to the “accept all cookies” option.

Point 3.b: The controller must implement a function, which makes the revocation of consent just as simple as its declaration.

The controller appealed points 1, 3a and 3b of the decision to the Austrian Federal Administrative Court (Bundesverwaltungsgericht – BVwG). The controller posited that the GDPR does not require the “accept” and “reject” buttons to be displayed in an equal format. Further, it added that the revocation of consent was available through a footer link on the website which lead to the cookie settings.

Holding

The court rejected the controller’s appeal.

Point 1:

The data of the data subject, at the latest, had to be deleted when the complaint was filed as it clearly showed a revocation of consent to the data processing under Article 17(1)(b) GDPR.

Point 3.a:

The court acknowledged that the cookie banner impairs users because of its size and they would quickly click on the highlighted accept option. In particular, they will not have understood the implications of the data processing.

Furthermore, consent is not unambiguous as users are clearly nudged by the design. This is also contrary to the principle of transparency, as it points users towards the more invasive data processing option.

In addition, the cookie banner creates a situation "where the proliferation of actors and the technological complexity of practice make it difficult for the data subject to know and understand whether, by whom and for what purpose personal data relating to him or her are being collected" (Recital 58 GDPR).

The court concluded that the controller could not prove that the data subject gave unambiguous consent as per Article 7 GDPR.

Point 3b:

The court highlighted that under Article 7(3) GDPR, withdrawing consent should be as easy as giving consent meaning that the action required to revoke consent must be just as simple as the action for agreeing to the data processing.

The court agreed with the DSB stating that it is not clear where exactly consent can be withdrawn based on the information provided in the cookie banner.

The court considered that a floating icon is not necessary to withdraw consent because otherwise the option to withdraw consent would constantly block a big part of the screen.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.