APD/GBA (Belgium) - 131/2024: Difference between revisions

From GDPRhub
(Created page with "{{DPAdecisionBOX |Jurisdiction=Belgium |DPA-BG-Color= |DPAlogo=LogoBE.png |DPA_Abbrevation=APD/GBA |DPA_With_Country=APD/GBA (Belgium) |Case_Number_Name=131/2024 |ECLI= |Original_Source_Name_1=APD-GBA |Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/beslissing-ten-gronde-nr.-131-2024.pdf |Original_Source_Language_1=French |Original_Source_Language__Code_1=FR |Original_Source_Name_2= |Original_Source_Link_2= |Original_Source_Language_2...")
 
No edit summary
Line 74: Line 74:


=== Facts ===
=== Facts ===
On 10 February 2023 the data subject, a trainee working at noyb – European Center for Digital Rights, visited the website of the controller, a Belgian media company.
On 10 February 2023 the data subject, a trainee working at ''noyb'' – European Center for Digital Rights, visited the website of the controller, a Belgian media company.


The data subject noticed that the cookie banner of this website had a “Accept all” and a “Know more” button. The data subject believed that this cookie banner was unlawful under the GDPR. Therefore, under [[Article 80 GDPR#1|Article 80(1) GDPR]], she mandated noyb to file a complaint with the DPA on her behalf.
The data subject noticed that the cookie banner of this website had an “Accept all” and a “Know more” button. The data subject believed that this cookie banner was unlawful under the GDPR. Therefore, under [[Article 80 GDPR#1|Article 80(1) GDPR]], she mandated ''noyb'' to file a complaint with the DPA on her behalf.


More specifically, the data subject pointed out the following violations:
More specifically, the data subject pointed out the following violations:
the fact that the cookie banner did not have a “Reject all” button violates Articles 5(1)(a), 6(1)(a) and 7(1) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 of the Belgian Data Protection Code (Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel - Loi-cadre);


the usage of a vivid colour for the “Accept all” button misleads data subjects and violates Articles 5(1)(a), 6(1)(a) and 7(1) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 Loi-cadre;
* the fact that the cookie banner did not have a “Reject all” button violates [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 6 GDPR#1a|6(1)(a)]] and [[Article 7 GDPR#1|7(1) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 of the Belgian Data Protection Code] (''Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel - Loi-cadre'');
* the usage of a vivid colour for the “Accept all” button misleads data subjects and violates [[Article 5 GDPR#1a|Articles 5(1)(a)]], [[Article 6 GDPR#1a|6(1)(a)]] and [[Article 7 GDPR#1|7(1) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre];
* the fact that the banner does not allow to withdraw consent as easily as it is possible to give that consent is a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 17 GDPR#1b|17(1)(b) GDPR]] and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive 2002/58/EC] as implemented by [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre].


the fact that the banner does not allow to withdraw consent as easily as it is possible to give that consent is a violation of Articles 5(1)(a) and 17(1)(b) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 Loi-cadre.


First of all, the controller argued that noyb cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.
First of all, the controller argued that ''noyb'' cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.


Furthermore, it argued that the GDPR does not require websites to have a “reject all” button, nor the “accept” button to have a specific colour.
Furthermore, it argued that the GDPR does not require websites to have a “reject all” button, nor the “accept” button to have a specific colour.


=== Holding ===
=== Holding ===
First, the DPA held that noyb can represent the data subject. It pointed out that the representation agreement between the former and the latter is valid under [[Article 80 GDPR#1|Article 80(1) GDPR]].  
''<u>On the representation agreement under Article 80(1) GDPR</u>''
 
First, the DPA held that ''noyb'' can represent the data subject. It pointed out that the representation agreement between the former and the latter is valid under [[Article 80 GDPR#1|Article 80(1) GDPR]].  


Moreover, it noted that the data subject decided on her own to visit the website and that nothing opposes to the fact that an organisation under [[Article 80 GDPR|Article 80 GDPR]] can represent one of its employees or volunteers.
Moreover, it noted that the data subject decided on her own to visit the website and that nothing opposes to the fact that an organisation under [[Article 80 GDPR|Article 80 GDPR]] can represent one of its employees or volunteers.


Furthermore, the DPA held that the fact that noyb has provide technical and legal assistance to the data subject is not a problem. On the contrary, according to the DPA, this represent a good practice.
Furthermore, the DPA held that the fact that noyb has provide technical and legal assistance to the data subject is not a problem. On the contrary, according to the DPA, this represent a good practice.
''<u>On the merits</u>''


On the merits, the DPA noted that, according to [[Article 4 GDPR#11|Article 4(11) GDPR]], consent must be freely given. In a cookie banner, this means that accepting should be as easy as refusing the installation of the cookies.  
On the merits, the DPA noted that, according to [[Article 4 GDPR#11|Article 4(11) GDPR]], consent must be freely given. In a cookie banner, this means that accepting should be as easy as refusing the installation of the cookies.  


Therefore, the cookie banner should have, all on the first layer, both an “Accept all” and a “Refuse all” button. On these grounds, the DPA found a violation of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and of Article 10(2) Loi-cadre.
Therefore, the cookie banner should have, all on the first layer, both an “Accept all” and a “Refuse all” button. On these grounds, the DPA found a violation of [[Article 6 GDPR#1a|Article 6(1)(a) GDPR]] and of [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre].


As for the button colours, the DPA is of the opinion that the colours used by the controller are able to manifestly induce the data subject to click on the “accept all” button, since the latter, having a bright colour, stands out from the resto of the banner. Therefore, the DPA found a violation of Articles 5(1)(a) and 6(1)(a) GDPR and Article 10(2) Loi-cadre.
As for the button colours, the DPA is of the opinion that the colours used by the controller are able to manifestly induce the data subject to click on the “accept all” button, since the latter, having a bright colour, stands out from the resto of the banner. Therefore, the DPA found a violation of [[Article 5 GDPR#1a|Articles 5(1)(a)]] and [[Article 6 GDPR#1a|6(1)(a) GDPR]] and [https://www.ejustice.just.fgov.be/cgi_loi/change_lg.pl?language=fr&la=F&cn=2018073046&table_name=loi#Art.%2010/2. Article 10/2 Loi-cadre].


Finally, as for the options to withdraw consent, the DPA noted that the controller placed a button that allows to manage the cookies at the bottom of each page of its website. The DPA considered this solution enough to comply with the requirement set by [[Article 7 GDPR#3|Article 7(3) GDPR]] and, therefore, rejected this point of the complaint.
Finally, as for the options to withdraw consent, the DPA noted that the controller placed a button that allows to manage the cookies at the bottom of each page of its website. The DPA considered this solution enough to comply with the requirement set by [[Article 7 GDPR#3|Article 7(3) GDPR]] and, therefore, rejected this point of the complaint.

Revision as of 13:32, 14 October 2024

APD/GBA - 131/2024
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 5(3) ePrivacy Directive 2002/58/EC
Art. 10/2 Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel
Type: Complaint
Outcome: Partly Upheld
Started: 19.07.2023
Decided: 11.10.2024
Published:
Fine: n/a
Parties: RTL Belgium SA
National Case Number/Name: 131/2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: APD-GBA (in FR)
Initial Contributor: fb

The DPA reprimanded a media company since the cookie banner of one of its websites was not displaying a "reject all" button and had induced data subject to click on the "accept all" button.

English Summary

Facts

On 10 February 2023 the data subject, a trainee working at noyb – European Center for Digital Rights, visited the website of the controller, a Belgian media company.

The data subject noticed that the cookie banner of this website had an “Accept all” and a “Know more” button. The data subject believed that this cookie banner was unlawful under the GDPR. Therefore, under Article 80(1) GDPR, she mandated noyb to file a complaint with the DPA on her behalf.

More specifically, the data subject pointed out the following violations:


First of all, the controller argued that noyb cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.

Furthermore, it argued that the GDPR does not require websites to have a “reject all” button, nor the “accept” button to have a specific colour.

Holding

On the representation agreement under Article 80(1) GDPR

First, the DPA held that noyb can represent the data subject. It pointed out that the representation agreement between the former and the latter is valid under Article 80(1) GDPR.

Moreover, it noted that the data subject decided on her own to visit the website and that nothing opposes to the fact that an organisation under Article 80 GDPR can represent one of its employees or volunteers.

Furthermore, the DPA held that the fact that noyb has provide technical and legal assistance to the data subject is not a problem. On the contrary, according to the DPA, this represent a good practice.

On the merits

On the merits, the DPA noted that, according to Article 4(11) GDPR, consent must be freely given. In a cookie banner, this means that accepting should be as easy as refusing the installation of the cookies.

Therefore, the cookie banner should have, all on the first layer, both an “Accept all” and a “Refuse all” button. On these grounds, the DPA found a violation of Article 6(1)(a) GDPR and of Article 10/2 Loi-cadre.

As for the button colours, the DPA is of the opinion that the colours used by the controller are able to manifestly induce the data subject to click on the “accept all” button, since the latter, having a bright colour, stands out from the resto of the banner. Therefore, the DPA found a violation of Articles 5(1)(a) and 6(1)(a) GDPR and Article 10/2 Loi-cadre.

Finally, as for the options to withdraw consent, the DPA noted that the controller placed a button that allows to manage the cookies at the bottom of each page of its website. The DPA considered this solution enough to comply with the requirement set by Article 7(3) GDPR and, therefore, rejected this point of the complaint.

On these grounds, the DPA reprimanded the controller and ordered it to implement a GDPR-compliant cookie banner.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

1/33

Litigation Chamber

Decision on the merits 131/2024 of 11 October 2024

File number: DOS-2023-03283

Subject: Complaint relating to the cookie banner on the RTL Belgium website

The Litigation Chamber of the Data Protection Authority, consisting of Mr.

Hielke H IJMANS, President, and Messrs. Christophe Boeraeve and Jelle Stassijns, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the

protection of natural persons with regard to the processing of personal data and on the

free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR";

Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter

"LCA");

Having regard to the internal regulations as approved by the Chamber of Representatives on

20 December 2018 and published in the Belgian Official Journal on 15 January 2019; 1

Having regard to the documents in the file;

Has taken the following decision regarding:

The complainant: X, represented by noyb – European Center for Digital Rights, located at

Goldschlagstraße 172/4/3/2, 1140 – Vienna (AT), registered in Austria under

company number ZVR 1354838270, hereinafter “the complainant”

The defendant: RTLBelgium, whose registered office is established at Avenue Jacques Georgin, 2–1030

Schaerbeek, registered under company number 0428.201.847, represented

by Laurence Vandenbrouck, hereinafter “the defendant”

1The new internal regulations of the DPA, following the amendments made by the Law of 25 December 2023
amending the Law of 3 December 2017 establishing the Data Protection Authority (LCA) have entered into force in force on
01/06/2024.

In accordance with Article 56 of the Law of 25 December 2023, it only applies to complaints, mediation files,
requests, inspections and procedures before the Litigation Chamber initiated from this date:
https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des-
donnees.pdf.

Files initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA not amended by the Law of 25 December 2023 and the internal regulations as they existed before this date. Decision on the merits 131/2024 — 2/33

I. Facts and procedure

1. On 19 July 2023, the complainant filed a complaint with the Data Protection Authority

against the defendant. The Litigation Chamber takes into account the fact that the

complaint form is dated 18 July 2023, but it was filed with the DPA

on the night of 18 July 2023 to 19 July 2023, and therefore it is this latter date that

must be taken as the date of the formal filing of the complaint.

2. The subject of the complaint concerns several elements relating to the cookie banner

present on the defendant's website. These allegedly contravene the principles of the GDPR and

the Framework Law.

3. On 10 February 2023, the complainant visited the defendant's website as part of a

project initiated with one of her colleagues during her internship at noyb. She stated that she

took this initiative in order to check whether certain websites – including the defendant's –

belonging to large Belgian press groups that had previously been the subject of a

transaction with the DPA were GDPR compliant. During this visit, the complainant and her

colleague identified potential GDPR violations. Following this observation, the complainant

took a HAR file to document these potential violations. In the meantime, she

mandated noyb, mainly to obtain technical assistance, as she was not

able to prepare the HAR file herself. Subsequently, the complainant prepares a complaint,

whose grievances, identical to the arguments raised in her conclusions, will be developed

in point 16. As part of its mandate, noyb rereads and corrects the complaint prepared by the

complainant. It is appropriate to note a certain ambiguity in the complainant's statements

concerning the preparation of the complaint, the latter having also mentioned that noyb had
prepared the complaint and that she had simply drafted part of it and reread the rest.

4. On August 4, 2023, the Front Line Service (hereinafter the "FLS") asks noyb to

inform it of the complainant's interest in acting.

5. On 25 August 2023, the complaint was declared admissible by the SPL on the basis of Articles 58 and

60 of the LCA and the complaint was forwarded to the Litigation Chamber pursuant to Article 62, §

1 of the LCA.

6. On 1 September 2023, noyb responded to the SPL that the complainant demonstrated an interest in acting

since she was a data subject, her personal data having been

processed after having consented to the deposit of cookies on the defendant's website. Since the

processing of this data was considered by herself and noyb to be unlawful, the

complainant considered that her rights had been affected. In this regard, it relies on

annexes. In any event, noyb declares that the demonstration of an interest in acting on the

part of the complainant does not constitute a condition of admissibility of the complaint. Decision on the merits 131/2024 — 3/33

7. On 20 October 2023, the Litigation Chamber proposed a settlement – previously

communicated to the complainant – to the defendant.

8. On 27 November 2023, the defendant did not consider the terms of the

settlement acceptable, and therefore requested a reassessment of the latter. It did not express opposition to

a new settlement proposal.

er
9. On 1 December 2023, the Litigation Chamber responds that it will withdraw the

settlement proposal unless decisive elements are provided before 6 December
2023.

10. On 18 December 2023, the Litigation Chamber formally withdraws the

settlement proposal.

11. On 5 February 2024, the Litigation Chamber decides, pursuant to Article 95, §1, 1° and

Article 98 of the LCA, that the case may be dealt with on the merits.

On the same date, the parties concerned are informed by registered mail of the
provisions as set out in Article 95, §2 and Article 98 of the LCA. They are

also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their

submissions. The deadline for receipt of the respondent's submissions in

response was set at 18 March 2024, that for the complainant's submissions in reply at 8 April

2024 and that for the respondent's submissions in rejoinder at 29 April 2024.

12. On 8 February 2024, the respondent agreed to receive all communications relating

to the case electronically, and expressed its intention to use the possibility of being

heard, in accordance with Article 98 of the LCA. She requests by the same email a

copy of the file (art. 95, §2, 3° LCA), which is sent to her on 19 February 2024.

13. On 9 February 2024, the complainant agrees to receive all communications relating

to the case electronically. She requests by the same email a copy of the file (art. 95,

§2, 3° LCA), which is sent to her on 19 February 2024. She also requests that the

procedure continue in Dutch.

14. On 19 February 2024, the Litigation Chamber decided to maintain the language of the proceedings

in French, since the complaint was filed in French, the website of the

defendant against whom the complaints are directed is French-speaking and the

complainant does not provide any other evidence in favour of a change of language for the

continuation of the proceedings. Furthermore, in view of the time taken to communicate the

administrative file to the parties, the Litigation Chamber decided to extend the deadlines for the

exchange of submissions.

The new deadline for receipt of the respondent's submissions in response is now set at 25 March 2024, that for the complainant's submissions in reply at 15 April 2024 and that for the respondent's submissions in rejoinder at 6 May 2024. Decision on the merits 131/2024 — 4/33

15. On 25 March 2024, the Litigation Chamber received the submissions in response from the

defendant. The defendant having filed additional and summary submissions, the content of the submissions in response is summarized in point 17.

16. On April 15, 2024, the Litigation Chamber received the submissions in reply from the

complainant, their content can be summarized as follows:

• Concerning the admissibility and admissibility of the complaint, the complainant concludes
as follows:

o Article 220, §2, 1° of the Law of July 30, 2018 on the protection of

natural persons with regard to the processing of personal data (hereinafter the

"Framework Law") must be set aside by the DPA since it violates
Article 80.1 of the GDPR.The complainant considers that Article 26, §4 of the Special Law of 6 January 1989 on the Constitutional Court (hereinafter “the Special Law”) is not applicable in this case, given that the DPA is not a court of the judicial system, and that it should therefore not submit a preliminary question before setting aside the aforementioned provision of the Framework Law. Furthermore, it adds that even if Article 26, §4 of the Special Law were applicable in the present proceedings, this would still not constitute an obstacle to setting aside Article 220, §2, 1° of the Framework Law, given that the primacy of European law is absolute. In this regard, it relies on judgments of the Court of Justice of the European Union (hereinafter “CJEU”); o The mandate cannot be criticized for not being specific enough in that,

on the one hand, the terms of the mandate make it possible to determine what

one is authorized to act for, and, on the other hand, Article 1984 of the Civil Code does not require

that a mandate be drafted in more specific terms than the mandate in the
case in point;

o The complaint is admissible on the understanding that it was signed by the chairman

of the board of directors denoyb in accordance with Article 58 of the LCA. In

this regard, the complainant argues that the aforementioned article does not

specify that the complaint must be signed specifically by the complainant, and

therefore leaves the possibility for a complainant’s representative to sign it. In

addition, the complainant notes that the signature of the complaint does not constitute a ground

for admissibility within the meaning of Article 60 of the LCA and that its absence cannot

therefore lead to the inadmissibility or rejection of the complaint;

o The complainant is validly represented by noyb within the meaning of Article 80.1

of the GDPR. The fact that the complainant has completed an internship within noyb does not alter this finding. The complainant relies in particular on a judgment of the CJEU

in which the latter recognizes that a complainant, who nevertheless had a

relationship of subordination with noyb, is validly represented by the latter.

• On the merits of the case, the complainant concludes as follows:

o Type 1 violation: the defendant has failed to comply

with Articles 5.1.a), 6.1.a) and 7.1 of the GDPR, as well as Article 5.3 of the

ePrivacy Directive and Article 10/2 of the Framework Law by not presenting the

“Accept all” and “Reject all” options at the same level of information on its

cookie banner. The cookie banner has an “Accept and close” button, and a

“Learn more” button. However, there is no button to refuse the installation of all cookies. The requirement for

the buttons to accept or refuse cookies to appear at the same level of information

arises in particular from the EDPB guidelines and the opinion of the majority of supervisory authorities;

o Type 2 Violation: the defendant was guilty of a breach

of Articles 5.1.a), 6.1.a) and 7.1 of the GDPR, as well as Article 5.3 of the
ePrivacy Directive and Article 10/2 of the Framework Law by making misleading use of the

colours of its buttons in its cookie banner. The button

to accept the installation of cookies is in a striking colour, while the “More information” button is

the same colour as the background of the cookie banner

o Type 3 violation: the defendant has failed to comply

with Articles 5.1.a), 17.1.b) of the GDPR, as well as Article 5.3 of the

ePrivacy Directive and Article 10/2 of the Framework Law in that it does not

allow for a withdrawal of consent as simple as its granting regarding the

deposit of cookies. While granting consent requires only one click – or

two if necessary –, the same is not true for withdrawing consent, which

requires more. In addition, withdrawing consent requires going to a specific section of the

RTL website.

17. On 6 May 2024, the Litigation Chamber received the additional and summary submissions from the defendant. Their content can be summarised as follows:

• Concerning the admissibility and admissibility of the complaint, the defendant concludes

as follows:

o The complaint is not admissible on the understanding that noyb, mandated by the

complainant, would not be validly constituted under Article 220, §2,

1° of the Framework Law sincenoyb would not be a non-profit body or association Decision on the merits 131/2024 — 6/33

validly constituted in accordance with Belgian law.

Aware of the doubts that remain as to the compatibility between this

provision and Article 80.1, it nevertheless states that the Belgian

provision cannot be set aside without the Constitutional Court having

expressed itself on this subject after having been seized of a preliminary

ruling (Art. 26, §4 of the Special

Law). Therefore, if the Contentious Chamber intends to set aside Article

220, §2, 1° of the Framework Law, it must submit a

preliminary ruling question to the Constitutional Court under Article 26, §4 of the

Special Law. In this regard, the defendant

points out that the aforementioned provision of the Special

Law does indeed apply to the Contentious Chamber;

o The plaintiff’s mandate is invalid in that it is not

defined with sufficient precision. The defendant relies in particular on a

ruling of the Court of Cassation in which a mandate – similar to that in

the present case according to the defendant – was sanctioned for lack of

precision. The defendant also highlights contradictions, such as the fact that

the signatory of the mandate is not the same as the one of the complaint, the fact

that the mandate does not refer to Article 80.1 of the GDPR, and the fact

that the mandate indicates that noyb is mandated to act before the DPA, but

that it can also unilaterally decide on the judicial and extrajudicial

actions it deems appropriate;

o It considers that the complaint must be declared inadmissible on the understanding

that it was not signed by the complainant, but by the chairman of the board

of directors of noyb. The defendant points out that above the

signature of the chairman of the board of directors of noyb is the

wording “For noyb”. This indicates, according to the defendant, that the

complaint is thus filed in the name and on behalf of noyb, whereas it

should have been done in the name and on behalf of the complainant. Although it

acknowledges that a third party can file a complaint on behalf of a

complainant, it notes that it is still necessary to demonstrate a

sufficient interest in acting, which noyb fails to do according to it. In any event, it considers the

signature, unlike the complainant, to be a condition of admissibility

it being understood that Article 58 of the LCA, which enshrines it, is presented in

the law under the section “Referral and admissibility of a complaint or a

application”;

o The defendant considers that noyb acts as a complainant and not as

an agent. noyb does not demonstrate a sufficient interest in acting since its claims, in the context of the case, do not seek to defend the

concrete interests of the complainant, but rather join the defense of its public

interests. The defendant adds that noyb makes very little reference to the

complainant, and that hiring interns to actively seek out GDPR

infringements is part of its business model.

• On the merits of the case, the defendant concludes as follows:

o Type 1 violation: the defendant has not been guilty of the alleged

breaches. First, neither the GDPR nor the Framework Law require

the implementation of a button to refuse all cookies at the

first information level of the cookie banner. Second, the guidelines of the

European Data Protection Board (hereinafter “EDPB”) and the opinions of the

supervisory authorities constitute soft law, and are therefore not

binding. Also, the defendant alleges that its cookie banner

presents the “Accept all” and “Reject all” buttons on the same level.

o Type 2 violation: the defendant has not been guilty of the alleged

breaches. First of all, neither the GDPR nor the Framework Law require

that the buttons to accept or refuse cookies be of the same

colour. Furthermore, the colours chosen in this case are only the

expression of an artistic freedom, reflecting the visual

identity of the brand. In addition, the colours chosen allow for a more coherent and aesthetically pleasing

experience for users. It also considers that the use of distinct colours can

in particular improve the readability and accessibility of information for

people with visual difficulties. Finally, it considers that noyb

does not explain to what extent the colours used by itself

can “manifestly mislead” users when they are

confronted with the cookie banner.

o Type 3 violation: the defendant has not been guilty of the alleged

breaches, it being understood that through the “Manage

cookies” section on its website, the user can at any time

withdraw his or her consent to the deposit of cookies. In this regard, it cites

an extract from decision 36/2024 of the Litigation Chamber as follows:

“In addition, the cookie banner can easily be recalled in order to

change the cookie settings, by means of a URL address at the bottom

of the page, entitled “Manage cookies””. Finally, it states that it is not aware of

any supervisory authority recommending the procedure described by noyb Decision on the merits 131/2024 — 8/33

which would consist of the installation of a floating button, permanently

visible, and allowing consent to be withdrawn at any time.

18. On 20 June 2024, the parties are informed that the hearing will take place on 1 July 2024.

19. On 1 July 2024, the parties are heard by the Litigation Chamber.

20. On 8 July 2024, the minutes of the hearing are submitted to the parties.

21. On 12 July 2024, the Litigation Chamber receives from the complainant

some comments on the minutes, which are annexed thereto

in accordance with Article 54, paragraph 2 of the Rules of Procedure.

22. On 17 July 2024, the Litigation Chamber receives from the defendant

some comments on the minutes, which are annexed thereto in accordance

with Article 54, paragraph 2 of the Rules of Procedure.

II. Motivation

II.1. As to the procedure

er
23. During the hearing held on 1 July 2024, the defendant made two preliminary

remarks to which it is necessary to respond. It raises with the

Litigation Chamber (i) that a procedure sharing some similarities with the

present case is pending before the Market Court. In this procedure, a

settlement proposal had been submitted to a data controller, which was unilaterally

withdrawn by the Litigation Chamber. The data controller therefore appealed

to the Market Court, thus contesting the unilateral withdrawal of the

settlement proposal by the Litigation Chamber. The defendant therefore asks whether it would

not be appropriate to suspend the present procedure until the

Market Court delivers its judgment. (ii) Furthermore, the defendant points out to the Litigation Chamber that the

complainant practiced as a lawyer in the law firm that represented the APD

before the Market Court in the case cited above. It considers that this

could suggest a possible conflict of interest or a possible breach of the principle

of impartiality – both in its subjective and objective dimension.

(i) As for the remark relating to the proceedings pending before the Market Court

24. The Litigation Chamber, as it had responded at the time of the hearing, stresses that the

proceedings pending before the Market Court are not comparable to the present

case. Indeed, while the procedure before the Market Court to which the defendant

2The Market Court has since delivered its judgment, see in this regard Judgment of the Brussels Court of Appeal (Market Court section) Decision on the merits 131/2024 — 9/33

refers concerns a settlement proposal that was unilaterally withdrawn by

the Litigation Chamber and that was contested by the party to whom the proposal had been

submitted, it should be noted that in the present case the defendant rejected the

terms of the settlement proposal that was proposed to it. When the Litigation

Chamber informed the defendant that it would withdraw the proposal, the defendant did not object.

Consequently, there is formally no longer a settlement proposal in the present case, and the procedure is validly continuing with an examination

of the merits of the file.

(ii) As for the possible conflict of interest or the possible breach of the principle of impartiality

25. Although the principle of impartiality applies to administrative authorities, including

the Contentious Chamber, it should be noted that according to a consistent case law of the

Council of State: "the general principle of impartiality must be applied to any body of

the active administration. It is sufficient that an appearance of bias could have given rise to

legitimate doubts in the applicant as to the ability to approach his case with complete impartiality.

However, this principle only applies to the extent that it is consistent with the

specific nature, and in particular with the structure of the active administration. Furthermore,

the impartiality of a collegiate body can only be called into question if, on the one hand, specific facts

which raise suspicions of bias on the part of one or more members of the

college can be legally established and, on the other hand, it is clear from the

circumstances that the bias of this or these members could have influenced

the entire college. It is up to the person

who alleges that the authority did not act with independence, impartiality and

thoroughness to provide proof of this." 

26. It is therefore up to the party invoking the breach of the principle of impartiality

to provide proof of specific facts from which it should be concluded that the

principle of impartiality has been breached. 

27. A distinction is made between objective impartiality and subjective impartiality.

28. The Litigation Chamber underlines, firstly, that the law firm concerned was

selected following a public procurement contract (in tempore non suspecto), and must therefore

respect the principles of equality, non-discrimination, transparency and proportionality

with regard to all bidders, as well as rely on objective award criteria.

Furthermore, the complainant is acting as a data subject, and this without

any connection with her profession as a lawyer, formerly practiced for the law firm concerned.

Since the defendant has not provided any further evidence to demonstrate

that the Litigation Chamber gave the appearance of bias, the Litigation

Chamber cannot conclude that it has breached the principle of objective impartiality.

3C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684, XXX. Decision on the merits 131/2024 — 10/33

29. Next, the Litigation Chamber notes that the defendant does not provide any evidence

expressing how it could have acted with bias, or that it could have, for

example, intervened in the context of these proceedings in a manner that undermined

the objectivity of the proceedings. Ultimately, the defendant does not provide any evidence of

the concrete actions of the Litigation Chamber that would allow it to be concluded

that the latter acted with bias.

30. By way of conclusion, the Litigation Chamber considers that there is no risk of conflict

of interest in the present case and that it has not failed to comply with the principle of impartiality, whether

in its objective or subjective dimension.

II.2. As to the admissibility and admissibility of the complaint

II.2.1. As for the constitution of noyb

31. Article 80.1 of the GDPR provides that "the data subject shall have the right to mandate a

non-profit body, organisation or association, which has been validly

constituted in accordance with the law of a Member State, whose statutory objectives are

of public interest and is active in the field of the protection of the rights and freedoms of

data subjects within the framework of the protection of personal data

concerning, to lodge a complaint on his or her behalf, to exercise on his or her

behalf the rights referred to in Articles 77, 78 and 79 and to exercise on his or her

behalf the right to obtain compensation referred to in Article 82 where

5
the law of a Member State so provides." .

32. Article 220, §2 of the Framework Law specifies that:

Ҥ 2. In the disputes provided for in paragraph 1, a body, an organization or

a non-profit association must:

1° be validly constituted in accordance with Belgian law;

2° have legal personality;

3° have statutory objectives of public interest;

4C.E., 26 January 2018, Viaene and the Belgian State, 240.585.
5
It is the Litigation Chamber which emphasizes. See. also the first part of recital 142 of the GDPR: (142):
Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the
right to request a non-profit body, organisation or association, established in accordance with
Member State law, whose statutory objectives are of public interest and which is active in the field of personal data
protection, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to
a judicial remedy on behalf of the data subject or, where provided for by Member State law, to exercise the right
to obtain redress on behalf of data subjects.
6
The preparatory work of the LTD mentions that the 3-year condition applies both to the existence of legal personality and to the exercise of activities in the field of data protection. See House of Representatives, Draft Law on the Protection of Individuals with regard to the Processing of Personal Data, Doc. Parl.,
DOC 54 31/26/001 (article-by-article commentary – Article 220). Decision on the substance 131/2024 — 11/33

4° be active in the field of protection of the rights and freedoms of

data subjects in the context of the protection of personal data for at least three years.

§ 3. The non-profit body, organisation or association provides proof,

by presenting its activity reports or any other document, that its

activity has been effective for at least three years, that it corresponds to its

corporate purpose and that this activity is related to the protection of personal

data.

33. The Litigation Chamber has already had the opportunity to express doubts as to the

compatibility of certain aspects of the Belgian provision with that of the GDPR. 7

34. The primacy of European law implies the exclusion of any national provision that

cannot be interpreted in accordance with a standard of European law – this

exclusion constituting a duty for all State organs, including the judicial and

administrative authorities responsible for applying European law within the framework of their

respective competences. 8

35. If there are reasons to believe that a law – within the meaning of Article 22 of the

Constitution – would violate “a fundamental right guaranteed in a totally or partially analogous

manner by a provision of Title II of the Constitution as well as by a provision of

European law […]”, it is then for the court before which this situation arises

to refer a preliminary question to the Constitutional Court.

36. The CJEU has held 10 that an incidental procedure for reviewing the

constitutionality of national laws complies with EU law, provided that this procedure

complies with 4 conditions, which follow:

- The other national courts remain free “to refer to the Court, at any stage of the

procedure which they consider appropriate, and even at the end of the incidental procedure

for review of constitutionality, any preliminary question which they

consider necessary”;

- Other national courts remain free to “adopt any measure

necessary to ensure the provisional judicial protection of the rights

conferred by the legal order of the Union”;

7See Decision of the Contentious Chamber 39/2024 of 22 February 2024, paragraph 30; Decision of the Contentious

Chamber 22/2024 of 24 January 2024, paragraph 32.

8 CJEU, 4 December 2018, C-378/17, Minister for Justice and Equality and Commissioner of the Garda Síochána,
ECLI:EU:C:2018:979, paragraphs 37 and 38.
9Article 26, §4, Special Law of 6 January 1989 on the Constitutional Court, Official Journal, 7 January 1989, p. 315.

10CJEU, 22 June 2010, C-188/10, Melki, ECLI:EU:C:2010:363. Decision on the merits 131/2024 — 12/33

- The other national courts remain free “to disapply, at the end of

such incidental proceedings, the national legislative provision in question if

they consider it to be contrary to Union law”;

- “It is for the referring court to verify whether the

national legislation at issue in the main proceedings can be interpreted in

accordance with these requirements of Union law”.

37. The Contentious Chamber notes that the special legislator has limited the scope of

Article 26, §4 of the Special Law to ordinary and administrative courts only.

38. However, the Contentious Chamber is not within the jurisdiction of the judiciary – it is in fact an

administrative authority.2

39. Consequently, Article 26, §4 of the Special Law does not apply to the

Contentious Chamber, and the latter is not obliged or able to submit a

preliminary question to the Constitutional Court.

40. Given that there is no other incidental procedure for reviewing

constitutionality, the Contentious Chamber must directly do everything

necessary to give full effect to the standards of European law that it

must apply within the scope of its powers – namely Article 80.1 of the

GDPR in relation to the present case.

41. In line with what was stated in point 33, the Litigation Chamber states

that Article 220, §2, 1° of the Framework Law is contrary to the aforementioned provision of the GDPR,

it being understood that it restricts the scope of application of the latter, so that they are

irreconcilable.

42. Consequently, the application of Article 220, §2, 1° of the Framework Law should be excluded.

II.2.2. Validity of the mandate

43. Concerning the mandate of representation, the Litigation Chamber notes that it

mentions the data of the principal and the agent, and that the former mandates the

latter to represent her before the APD and to take any action

necessary to ensure that her rights are respected regarding the collection and processing of her data on the
defendant’s website. The Litigation Chamber adds that, in the annexes to

the 1 Special Bill of 15 January 2014 amending the Special Law of 6 January 1989 on the Constitutional Court,
Explanatory Memorandum, 2013-2014 Ordnance Session, No. 53-2438/1, p. 6.
12
Draft law of 23 August 2017 establishing the Data Protection Authority, Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Sess. 2016-2017, No. 54-2648/1, p. 8; See also the Procurement Court, judgment of 31 October 2023, No. 2023/AR/821.
13The DPA has full authority to submit a preliminary question to the Constitutional Court through the Brussels Court of Appeal (Procurement Court section) in a case to which the DPA is a party, for example. Decision on the merits 131/2024 — 13/33

complaint form, the mandate is entitled as follows: “Exhibit 1 – Representation agreement

pursuant to Article 80(1) GDPR”.

44. First of all, concerning this last element, the Litigation Chamber cannot agree

with the defendant’s reasoning when the latter claims that noyb attempted to

“hide” the absence of a reference to Article 80.1 of the GDPR in the body of the mandate. On the one hand,

noyb claims that this reference was already included when the mandate was signed. On the other hand,

the Litigation Chamber notes that the validity of the mandate must, where appropriate, be

examined at the time of filing the complaint. Therefore, it does not appear likely that

noyb sought to “camouflage” the absence of a reference to Article 80.1 of the GDPR – to the

strict extent that the absence of a reference to Article 80.1 of the GDPR would render the mandate invalid –
it being understood that it would have been sufficient to redo the mandate. Consequently, the mandate should be read

in light of its title as an annex. Read in this way, there is no doubt that the

mandate was concluded within the framework of Article 80.1 of the GDPR.

45. Next, with regard to the possible contradictions in the mandate that the

defendant is subject to, the Litigation Chamber recalls that it could not assess the mandate too

restrictively. As an administrative authority, the Litigation Chamber monitors the proper

implementation of the GDPR. In this capacity, it is empowered to adopt one or more of the sanctions

listed in Articles 95, §1 or 100, §1 of the LCA – and this in order, in particular, to protect

the fundamental rights of the persons concerned. The mandate, as it appears in the

documents in the file, makes it possible to determine the parties to this contract, the data controller

against whom the complainant addresses her grievances, the supervisory authority to

which it is planned to file a complaint and a reference to Article 80.1 of the

GDPR within the framework of which the mandate is adopted. These elements make it possible to justify the actions that noyb

undertakes in the name and on behalf of the complainant with the DPA. The imposition of

more conditions on the mandate would undermine the duty of control incumbent on the

Litigation Chamber, but also the rights of the persons concerned. For all intents and purposes, the Litigation Chamber specifies that the elements of the mandate cited above cannot be interpreted as setting any minimum threshold.

46. Finally, and in any event, the Litigation Chamber notes that Article 17 of the Judicial Code does not apply to the Litigation Chamber, the latter being an administrative authority as set out in point 38.

II.2.3. Failure to sign the complaint

47. Article 58 of the LCA provides that "Any person may file a written, dated and signed complaint or request with the Data Protection Authority." Decision on the merits 131/2024 — 14/33

48. Article 60 of the same Law provides that, when examining the admissibility of

complaints it receives, the SPL verifies that the complaint is “drafted in one of the

national languages”, that it “contains a statement of the facts and the

necessary information to identify the processing to which it relates”, and that the

complaint “falls within the competence of the Data Protection Authority”.

49. Contrary to what noyb maintains, these two provisions should not be read separately,

but together. Thus, the formal requirements prescribed by Article 58 of the LCA

must also be taken into account in the admissibility examination referred to in Article 60 of the

same Law.

50. The Litigation Chamber notes that the complaint form was signed by the chairman of the

board of directors of noyb, with the following statement: "For noyb".

51. In this regard, the Belgian legislature has specified that the signature must come from "the person
14
competent in the matter", but not necessarily from the complainant. Thus, it must be

understood that at least the agent may sign the complaint form. This also follows from Article 80.1 of the GDPR, which provides that the data subject has the right to

mandate “a non-profit body, organisation or association […] to

lodge a complaint on his or her behalf, to exercise on his or her behalf the rights referred to in Articles 77,

78 and 79 [of the GDPR]”.

52. As a legal entity, noyb must be represented by one of its members in the
acts it performs. Thus, the chairman of the board of directors of noyb signed the

complaint form – in the exercise of this function, which authorises him or her to such acts.

53. It cannot be inferred from the statement "For noyb" that noyb is acting as a complainant, since

this statement is specifically intended to engage the liability of noyb, and not that of the

chairman of the board of directors of noyb in his capacity as a natural person.

II.2.4. Interest in bringing proceedings

54. The Litigation Chamber is not unaware of the content of its decision 22/2024, however it is

necessary to note the differences that distinguish the facts arising from the above-mentioned

decision from the facts arising from this decision.

55. Although the complainants share, in both decisions, the fact of having completed an
internship at noyb, and, in this context, of having consulted websites which subsequently

motivated the filing of a complaint with the DPA, it should not be ignored that at the origin of the facts

examined in Decision 22/2024, noyb had put in place a large-scale plan with a view to

filing dozens of complaints against multiple data controllers

14Draft Law of 23 August 2017 establishing the Data Protection Authority, Explanatory Memorandum, Parl. Doc., Repr. Ch.,
Ord. Session 2016-2017, No. 54-2648/1, p. 40 Decision on the merits 131/2024 — 15/33

with various supervisory authorities – including the DPA. In addition, the complainant had

explicitly acknowledged having been assigned various files, including the website

of the defendant of the aforementioned decision. These elements – combined with others –

led the Litigation Chamber to consider that the mandate concluded between the complainant and

noyb was then fictitious. However, such a conclusion cannot be reached in the present

case. The complainant – French-speaking – in fact consulted the website – French-speaking – of

the defendant on the basis of a personal initiative, which does not fall within the framework

of noyb’s other coordinated projects. There is nothing in principle to prevent noyb from

representing one of its employees or trainees.

56. Furthermore, no link can be established between the present complaint and the complaints filed

against the 15 Belgian websites referred to in the press release of July 2023

by noyb. While it is certainly clear that there was clear coordination to a certain

extent in this case, it has not been established that this coordination took place

before the complainant’s complaints arose. In any event, the evidence in this

case does not establish that noyb exerted any pressure on the

complainant.

57. Therefore, there is no reason to claim that the mandate is fictitious.6

58. In the present case, the relationship between the complainant and noyb could be schematised as

follows:

15See https://noyb.eu/en/belgian-dpa-let-news-outlets-buy-themselves-free-gdpr-compliance.

16In this regard, see Decision on the merits 113/2024 of the Litigation Chamber of 6 September 2024 in which the
same scenario occurs. Decision on the merits 131/2024 — 17/33

64. Also, concerning the collection and granting of consent online, we note that a binary reading cannot be

satisfied. The Litigation Chamber understands that each situation should be examined on a case-by-case basis, based on the material methods of collecting and granting consent. In addition, the Litigation Chamber emphasizes that collecting and granting consent online has certain specific features. The Internet has significantly changed practices and takes up the time of the majority of citizens, particularly young people. This has led to the establishment of a form of consent that could be described as routine. Internet users browse from website to website, from page to page, and are therefore confronted with a large number of cookie banners. In doing so, the warning effect of the cookie banner diminishes, and the persons concerned may grant their consent by default, due to the weariness this causes. This 17

observation is made worse when we include the fact that data controllers sometimes

implement a design that encourages Internet users to accept the deposit of cookies.

65. These reasons then impose on the Litigation Chamber the duty to examine this case with the

utmost sensitivity.

II.3.1. As to the articulation of the GDPR and the Framework Law with the Guidelines

66. The Litigation Chamber intends to respond to the arguments formulated by the

defendant with regard to infringement of type 1 (see points 72 to 80, “As to the absence of a “Reject all”

button at the first level of the cookie banner”) and 2 (see points 81 to 95, “As to the

misleading use of button colours”), by which the defendant argues that neither the

GDPR nor the Framework Law require the implementation of a “Reject all” button at the

first level of the cookie banner or the use of “buttons and characters of identical

size, importance and colours”. The defendant adds that the guidelines of the EDPB and the

supervisory authorities have no binding force since they constitute

soft law.

67. To begin with, the Litigation Chamber recalls that the GDPR, as a European Regulation, is a legal act directly applicable in all Member States.

In so doing, the GDPR has a general scope. The European legislator cannot be expected to

define in detail the specific modalities of all practices relating to this act. On the contrary, it has established general and

abstract rules with which the persons and entities concerned must comply. The supervisory

authorities, in particular, must apply these principles and rules to specific cases, these

taking place in the digital society, whose technological developments

17
In English, it is customary to speak of “Click fatigue”; in this regard see EDPB, Guidelines 5/2020 on
consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 87, available at:
https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf.
18Summary of the defendant’s submissions, p. 22. Decision on the substance 131/2024 — 18/33

within it are very rapid. It is in this context that supervisory authorities must

adopt decisions that are adequate and proportionate. The decision-making practice of

authorities can – and must – in fact evolve in the light of legal and

technological developments. The fact that an authority is required to change its decision-making practice

does not in any way constitute an obstacle to the imposition of sanctions, such as administrative fines

for example.

68. Similarly, in adopting the Framework Law, the Belgian legislator did not intend to

define specific modalities for all practices relating to this law.

69. In this regard, the GDPR, in its Article 70.1.e, specifically delegates to the EDPB the mission “to
publish guidelines, recommendations and good practices” on any

question relating to its application, with a view to promoting its consistent application.

The importance of this consistency is also recalled in Articles 57.1.g and 70.1.u of the

GDPR. It should also be noted that Article 57.1.d of the GDPR gives the supervisory authorities the task of

encouraging awareness among controllers and processors of their obligations under the

GDPR. 70. In this way, while it is certainly correct to say that the guidelines thus

published are not binding in nature in that they constitute soft law, it would be

conversely wrong to deny them any legal effect. This denial ultimately and

implicitly amounts to challenging the authority of the EDPB and the supervisory

authorities who nevertheless have the appropriate expertise to carry out the tasks incumbent on them and

which have been recalled in the previous paragraph – although this does not mean that the

parties to a case cannot challenge the legal interpretation of the GDPR made by the EDPB or

a supervisory authority.

71. By way of conclusion, the Litigation Chamber recalls that the guidelines of the EDPB

and the supervisory authorities specify the provisions of the GDPR, but that it is the violation

of the latter – which are the subject of a concrete application to a specific case – which

justifies the imposition of corrective measures or a sanction.

II.3.2. As for the absence of a “Refuse all” button at the first level of the

cookie banner

72. Article 4.11 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data

subject’s wishes by which he or she signifies agreement, by a

statement or by a clear affirmative action, to the processing of personal data

concerning him or her”. Recital 42 of the GDPR states that “consent

19Draft Law of 11 June 2018 on the protection of natural persons with regard to the processing of personal data,
Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Sess. 2017-2018, No. 54-3126/1, p. 21. Decision on the substance 131/2024 — 19/33

should not be considered to have been freely given if the data subject

does not have a genuine freedom of choice or is unable to refuse or
withdraw consent without suffering detriment.”

73. Article 5.1.a) of the GDPR provides that personal data must be processed

“lawfully, fairly and transparently.” To be lawful, the processing must be based on

the consent of the data subject or any other basis of lawfulness set out in Article

6.1 of the GDPR.

74. By applying these provisions, it must be concluded that for each cookie banner it

must be as simple to consent to the deposit of cookies as it is to refuse them. Therefore,

the button for accepting the deposit of cookies and the button for refusing the deposit of cookies must appear

together, at each level of the cookie banner

in which the button for accepting the deposit of cookies appears. Otherwise, the

consent then collected could not be considered as having been given

freely and unequivocally.

75. The Litigation Chamber notes in the present case that by not presenting the

“Accept all” and “Reject all” buttons at the first level of the cookie banner – the

first button being the only one present – the defendant not only makes the possibility of refusing the deposit of cookies less visible

to the persons concerned, but also makes it materially more difficult for them to refuse, given that a greater number

of actions are required. In this sense, the persons concerned – such as the complainant – are

encouraged to accept the deposit of cookies.

76. The EDPB 20 considers that an incentive is not necessarily contrary to the GDPR. He cites as an example the case where a data controller, granting general discounts

on the purchase of clothing and fashion accessories, requests the consent of the person

concerned to deposit cookies in order to better target their preferences. The incentive in this case

is then authorized on the understanding that the person concerned would not suffer any harm if

they were led to withdraw their consent.

77. In the present case, however, the incentive cannot be considered as authorized

or valid. Unlike the incentive presented in the example above, it does not offer

any advantage to the person concerned. However, a free choice implies that the button

allowing the refusal of the deposit of all cookies is offered at a level at least equal

to that allowing the acceptance of their deposit. Furthermore, it should be noted that the

cookie banner requires users to make a choice. This constitutes a practice

20
EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 50,
available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf.
21EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 13,
available at:https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 cEnsent en.pdf.
in particular, the following excerpt: “The adjective ‘free’ implies a choice and real control for the data subjects. […]”. Decision on the merits 131/2024 — 20/33

22
“cookie wall” issue. Consequently, the consent granted to the deposit of

cookies on the defendant’s website was not freely given.

78. Furthermore, the consent given by the data subject cannot

be considered to have been given unequivocally. Indeed, by not informing the

complainant of the possibility of rejecting the deposit of cookies, it cannot

be considered that the latter was able to consent by a clear positive act to the deposit of

cookies.

79. The findings made in the above paragraphs, relating to the first level of the

cookie banner, are not altered by the fact that at other levels of the

defendant’s website the “Accept all” and “Reject all” buttons are

presented together.

Requiring a data controller to make it as easy to refuse the deposit of

cookies as it is to accept them constitutes a concrete application of the conditions of

validity of consent as defined by Article 6.1.a) of the GDPR. The verification of the

validity of consent must then be carried out at the time when consent is

actually granted – or not. Given that the complainant consented to the deposit of

cookies at the first level of the cookie banner, the validity of the consent

collected must in fact only be retained at this level. This is all the more true since, by definition, the

data subjects are first confronted with the first level of the cookie banner.

In addition, the Litigation Chamber recalls that it is the responsibility of the data

controller to demonstrate that they have obtained the data subject’s consent under

Article 7.1 of the GDPR.

80. By way of conclusion, the Litigation Chamber notes that the defendant has violated

Article 6.1.a) of the GDPR, as well as Article 10/2 of the Framework Law.

II.3.3. As for the misleading use of button colours

81. Regarding the defendant’s first argument, concerning the fact that neither the GDPR nor

the Framework Law require data controllers to “use buttons and characters of identical size, importance and colour”, the Litigation Chamber notes that

the defendant is wrong to think that the complainant would support this idea. The complaint

in this regard claims that the cookie banner is in a form that encourages data subjects

to click on the "Accept and close" button, so that consent

22EDPB, Guidelines 5/2020 on consent under Regulation (EU) 2016/679, 4 May 2020, point 39, available
at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf.

23The Litigation Chamber recalls that a person whose data has not been processed precisely because
they have refused to consent to processing that presumably constitutes a practice violating their rights, and who, in doing so, has not been able to access a benefit or service, has the right to lodge a complaint with a supervisory authority under Article 77 of the GDPR, as set out in the judgment of 7 October 2021 of the Court of Cassation, accessible via :
https://juportal.be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05KL
U7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IMcfUMAak0gqkkYGYtAFHdLHE=. Decision on the merits 131/2024 — 21/33

granted does not meet the conditions provided for by the GDPR. Moreover, the Litigation Chamber refers the parties to points 66 to 80.

82. Then, the Litigation Chamber notes that on the defendant’s cookie banner

(see below) three colours appear. The text uses a white font colour,

and the background of the banner is dark blue. The “Learn more” button, which

ultimately allows you to refuse the deposit of cookies, is the same blue as the background, but is

separated from it by white borders. The “Accept and close” button is a striking orange

colour.

83. As set out in point 72, consent must have been given freely, specifically,

informed and unequivocally. Following on from what was developed in point 71, the fact

of requiring a data controller that the button colours used are not of a nature

likely to clearly direct users towards the choice of consenting to the deposit of

cookies constitutes a requirement to respect the free and unequivocal nature that

consent must have, understood within the meaning of Article 6.1 of the GDPR.

84. In this case, the Litigation Chamber is of the opinion that the use of colours made by the

defendant is of a nature likely to clearly encourage users to click on the

"Accept and close" button, in that the button stands out

particularly from the rest of the cookie banner, and that it is therefore on this button that the

users' attention will mainly gravitate.Therefore, the plaintiff’s consent obtained by the defendant

regarding the deposit of cookies is not valid. Decision on the merits 131/2024 — 22/33

85. First of all, the European Court of Human Rights defines freedom of artistic

expression as that which “enables participation in the public exchange of cultural,

political and social information and ideas of all kinds (see, mutatis mutandis, the

judgment in Müller and Others v. Switzerland of 24 May 1988, Series A no. 133, p. 19, § 27). Those who create, perform,

disseminate or exhibit a work of art contribute to the exchange of ideas and opinions

essential to a democratic society […]” . 24

86. Next, the Litigation Chamber recalls that the right to data protection is a

fundamental right. The European legislator has implemented this fundamental right, in particular

in the GDPR and the ePrivacy Directive. The choice that the legislator has made, including
regarding the conditions of the consent that it has submitted in the legislative texts, indicate the

threshold of requirement that data controllers must respect before they can

use this consent for the placement of cookies and subsequent processing (Art. 6.1.a

of the GDPR and 10/2 of the Framework Law). The data controller has a certain margin of

maneuver in the implementation of the conditions implemented in the legislative bases mentioned

above; however, the controller cannot choose the conditions of the consent. It is the duty of the DPA to enforce the

application of the GDPR and the ePrivacy Directive.

87. Concerning the freedom of artistic expression relied on by the defendant, the Litigation Chamber notes that Article 85.1 of the GDPR provides that: "Member States shall reconcile,

by law, the right to the protection of personal data under this Regulation and the right to freedom of expression and information, including processing for journalistic purposes and for the purposes of academic, artistic or literary expression.".

88. Recital 153 of the same Regulation specifies in this regard that such a reconciliation must take place when it proves necessary. It also specifies that the concepts related to this freedom should be interpreted broadly in the light of the importance of the right to freedom of expression.

89. The Belgian legislator has provided in Article 24 of the Framework Law for exceptions to the application of

certain provisions of the GDPR for processing for journalistic purposes and for

academic, artistic or literary expression, as follows:

Ҥ 1. Processing of personal data for journalistic purposes

means the preparation, collection, drafting, production, dissemination

or archiving for the purpose of informing the public, using any media and

where the controller is subject to rules of journalistic ethics.

24 Eur. Court HR (Grand Chamber), judgment in Karatas v. Turkey, 8 July 1999, paragraph 49,

accessible via: https://hudoc.echr.coe.int/eng?i=001-62826. Decision on the merits 131/2024 — 23/33

§ 2. Articles 7 to 10, 11.2, 13 to 16, 18 to 20 and 21.1 of the Regulation do not

apply to the processing of personal data carried out for journalistic purposes and for

purposes of academic, artistic or literary expression.

§ 3. Articles 30.4, 31, 33 and 36 of the Regulation do not apply to

processing for journalistic purposes and for purposes of academic, artistic or

literary expression when their application would compromise a planned

publication or would constitute a control measure prior to the publication of

an article.

§ 4. Articles 44 to 50 of the Regulation shall not apply to transfers of

personal data carried out for journalistic purposes and for the purposes of academic, artistic or literary

expression to third countries or to international organisations to the extent that this is

necessary to reconcile the right to the protection of personal data and freedom

of expression and information.

§ 5. Article 58 of the Regulation shall not apply to the processing of personal

data carried out for journalistic purposes and for the purposes of academic, artistic or literary

expression where its application would provide indications on the sources of information or constitute a

control measure prior to the publication of an article. »

90. First, it should be noted that Articles 5.1.a and 6.1 of the GDPR are not subject to

an exemption concerning processing carried out for the purposes referred to in point 87.

91. Next, the Litigation Chamber notes that it is clear from the report on the work undertaken

by the Cookie Banner TaskForce that, concerning colours [and contrasts], no general

banner model could be imposed on data controllers. The same report

further states that the validity of the cookie banner must then be examined on a case-by-case basis, in order to verify

whether the colours or contrasts used do not blatantly direct users towards a choice that does not

correspond to their preferences regarding the sharing of personal data. 25

92. This means that controllers, whose compliance with the GDPR must be

assessed on a case-by-case basis, have considerable leeway in the choice of

colours [and contrasts] in their cookie banners. They can therefore be

creative, in particular to reflect their brand identity. This leeway also

allows controllers to comply with both the

25EDPB, Report of the work undertaken by the Cookie Banner Taskforce, available at (in English only):

https://www.edpb.europa.eu/system/files/2023-01/edpb 20230118 report cookie banner taskforce en.pdf. Decision on the substance 131/2024 — 24/33

requirements incumbent on them under the GDPR and compliance with the

principles of inclusive design, for example.

93. Going even further, the Litigation Chamber emphasises that in this case the defendant

could quite easily maintain the same colours used in its cookie banner, provided

that it reverses the colour used for the button allowing the acceptance of the deposit of cookies,

and that used for the button allowing, ultimately, to refuse them. As has been explained

in point 83, data controllers must ensure that the use of a colour

does not clearly encourage users to consent to the deposit of cookies on their

browser. On the other hand, there is nothing to prevent data controllers from using

a button colour that would similarly encourage users to refuse the

deposit of cookies.

94. Ultimately, the defendant wrongly claims that the requirements to which the choice of

colours used in its cookie banner is subject would infringe its freedom of artistic

expression, and the coherent and aesthetically pleasing experience that it

wishes to provide to its users, including persons with

visual impairments.

95. For the reasons set out above, the Litigation Chamber concludes that the

defendant has violated Articles 5.1.a) and 6.1.a) of the GDPR, as well as Article 10/2 of the Framework

Law.

II.3.4. As to the terms of withdrawal of consent

96. Article 7.3 of the GDPR provides that “The data subject has the right to withdraw

his or her consent at any time. The withdrawal of consent shall not compromise the lawfulness

of processing based on consent given before its withdrawal. The data subject

shall be informed thereof before giving his or her consent. It is as easy to withdraw as it is to

give consent. ».

97. The EDPB specifies that the violation of Article 7.3 of the GDPR results in the non-compliance of the
26
consent mechanism of the data controller.

98. It emerges from the report on the work undertaken by the Cookie Banner Taskforce that a

specific model for withdrawing consent cannot be imposed on data controllers,

including the solution of a floating banner or button (or

"hovering solution"). It also emerges from the same report that a link located in a visible and

standardized place constitutes a solution adapted to compliance with Article 7.3 of the GDPR.

26
EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 116,
available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf.
27EDPB, Report on the work undertaken by the Cookie Banner Taskforce of 17 January 2023, point 35, available via (in English only): https://www.edpb.europa.eu/system/files/2023-01/edpb 20230118 report cookie banner taskforce en.pdf. Decision on the merits 131/2024 — 25/33

99. The Litigation Chamber adds that the duty to give data subjects the opportunity

to withdraw their consent as simply as the manner in which they grant it must be balanced against the comfort of use of the data subjects. This

duty should therefore not make the browsing experience on a data controller’s website

painful for users – if this were the case, it would then prove unreasonable.

100. In this case, the Litigation Chamber notes that the defendant’s website provides

users with a “Manage Cookies” button at the bottom of each of its

navigation pages. In this regard, the Litigation Chamber notes that this button is

reasonably accessible to users.

101. Furthermore, among the options presented in the “Manage Cookies”

button, there are “Accept all” and “Reject all” buttons. Users therefore have the

possibility of withdrawing their consent using a single button.

102. The fact that the withdrawal of consent is not carried out in the same way

as for its collection is not a problem here, since otherwise the interests of

users (and of the complainant more specifically) would themselves be affected.

103. Consequently, the Litigation Chamber decides to dismiss this complaint without further action.

III. Corrective and provisional measures

104. Under Article 100 of the LCA, the Litigation Chamber has the power to:

1° dismiss the complaint;

2° order that there be no case to answer;

3° order a suspension of the decision;

4° propose a transaction;

5° issue warnings and reprimands;

6° order compliance with the requests of the person concerned to exercise their rights

;

7° order that the person concerned be informed of the security problem;

8° order the freezing, limitation or temporary or permanent prohibition of the processing;

9° order the processing to be brought into compliance;

10° order the rectification, restriction or erasure of data and the notification of
these to the recipients of the data;

11° order the withdrawal of the accreditation of certification bodies;

12° impose periodic penalty payments;

13° impose administrative fines; Decision on the merits 131/2024 — 26/33

14° order the suspension of transborder data flows to another State or an

international body;

15° forward the file to the Public Prosecutor's Office of the Brussels

King's Prosecutor, who shall inform him of the follow-up given to the file;

16° decide on a case-by-case basis to publish its decisions on the website of the

Data Protection Authority.

III.1. Compliance order

105. The Litigation Chamber considers it appropriate to impose two compliance injunctions on the defendant,

based on the breaches noted.

106. Injunction 1: the Litigation Chamber requires the defendant to add a button

clearly allowing the refusal of the deposit of cookies with a single click, and this at the same level

as the button allowing the acceptance of the deposit of cookies at each level of the

cookie banner in which the button allowing the acceptance of the deposit of cookies appears.

107. Injunction 2: the Litigation Chamber requires the defendant to use colours and

contrasts that are not manifestly misleading. The button clearly allowing the

refusal of the deposit of cookies must therefore be displayed at least

equivalent to the one allowing the acceptance of it. The Litigation Chamber specifies that the defendant has

however the possibility of retaining the colours currently used in its cookie banner

provided that it reverses the colour used for the button for refusing the

deposit of cookies with that for accepting them; it refers it in this regard to point

94.

108. As examples, the Litigation Chamber inserts below an illustration from its

Cookies checklist 28 and constituting good practice. However, the implementation of these

injunctions is the sole responsibility of the defendant.

28https://www.autoriteprotectiondonnees.be/publications/checklist-cookies.pdf. Decision on the merits 131/2024 — 27/33

109. Each of these two injunctions must be complied with no later than the 45th day following

notification to the defendant of this decision. Within the same period, the defendant

will communicate to the Litigation Chamber and to the plaintiff a document reflecting the

manner in which it has complied with the two injunctions issued.

110. In the event of inaction – even apparent – after the 45th day following the notification to the

defendant of this decision, the Litigation Chamber shall notify the defendant.

As of this notification, the penalty payment is implemented. It will only end

as of the notification of the Litigation Chamber by which the latter recognizes

that the defendant has fully complied with the injunctions in this case.

III.2. Ancillary sanction: the penalty payment

III.2.1. Preliminary considerations

111. The penalty payment is special in that it is fully conditional. The amount to be paid

is indeed uncertain. The defendant first has a period of time to comply

with or appeal the decision. Only in the event of non-compliance on its part

after a period of 45 days from notification of this decision will the penalty payment Decision on the merits 131/2024 — 28/33

be implemented. Consequently, the amount of the penalty payment is variable, and may even be zero,

where applicable.

112. The penalty payment is thus distinguished from the administrative fine in that it constitutes an indirect

means of enforcement of the main sanction(s) in order to comply

with the law in force, whereas the administrative fine is of a punitive nature.

The penalty payment therefore also has an ancillary nature. The penalty payment and the administrative fine

are thus different both in their nature and in the objectives they pursue.

113. In a judgment of 19 February 2020, the Market Court considered the following:

“Before a sanction is imposed on him, the offender must be informed

of the nature of the sanction envisaged and its amount (in the case where a

fine is envisaged). The offender must be warned (in order to avoid

unnecessary sanctions) and have the opportunity to defend himself on the amount

of the fine proposed by the Litigation Chamber before the sanction is

actually imposed and implemented”.

114. Following this judgment, the President of the Litigation Division then considered that sending

a sanction form was also required when the Litigation Division was considering

imposing a penalty payment.

115. The position of the Litigation Division in this regard is now completely different, and considers

that it should not inform the defendant of its intention to impose a penalty

payment, for the following two reasons:

a) The obligation to send a sanction form to the defendant before the

decision is taken is based on the case law of the Market Court.

It is therefore an obligation in addition to the existing legal framework. This step, which

is added to the Litigation Division’s procedure, makes it more cumbersome and stretches it out over

time. While the Litigation Chamber recognises all the advantages, it nevertheless notes that this strictly national obligation may hinder the consistent application of the GDPR between the various supervisory authorities. In this way, the Litigation Chamber considers that this obligation should be interpreted restrictively, favouring an interpretation that does not contradict

29
Free translation of the judgment of the Brussels Court of Appeal (Chamber 19A, Market Court section) of 19 February 2020,
2019/AR/1600. The original version of the translated extract follows as follows: "The inbreukpleger must voordat hem a sanctie wordt
opgelegd kennis krijgen van de aard van sanctie die overwogen wordt en van de omvang ervan (in geval een geldboete
overwogen wordt). De inbreukpleger moet gewaarschuwd worden (met als doel het nodeloos sanctioneren te vermijden) en de gelegenheid krijgenzich teverdedigen omtrent de doordeGeschillenkamer voorgesteldebedragenvan van deboete, voordat de sanctie effectiveef wordt opgelegd en uitgevoerd. ".
30 See the On-call Policy of the Litigation Chamber of December 23, 2020, https://www.autoriteprotectiondonnees.be/publications/politique-en-matiere-d-astreinte.pdf.                                                                          Decision on the merits 131/2024 — 29/33 with the objectives that the legislator pursued in conferring their powers to the supervisory authorities;


          (b) As explained in point 112, the nature of the penalty payment differs

fundamentally from that of the administrative fine. The penalty payment is in fact an

ancillary sanction, also intended to encourage the defendant to comply with the

main sanction. In this sense, it is widely recognised in legal doctrine that

the penalty payment is not of a criminal nature. In conclusion, the choice to impose a

penalty payment is a matter for the strictest discretion of the Litigation Chamber, and

therefore cannot be contested by a party to the case. The Belgian legislator

deliberately chose to confer this power to impose penalty payments on the

APD; the will of the Belgian legislator must therefore be recognised and

respected.

116. Furthermore, the Litigation Division recalls that its decisions have no precedent value. The Litigation Division’s policies, for their part, have no binding value. The Litigation Division recognises that the publication of these policies

establishes a certain trust with the public, and in any event strives to communicate

transparently with the public. However, this cannot constitute

an obstacle to the development of the Litigation Division’s practices and the

legal framework implemented, which are essential.

117. In light of the reasons set out above, the Litigation Division exercises its prerogative

to impose periodic penalty payments on the defendant in this case, and does not consider

that it must inform the defendant in advance by means of a penalty form.

III.2.2. Practical arrangements for the penalty payment

118. In order to give the defendant the time necessary to comply with the injunctions

issued in this decision, the penalty payment will not be implemented directly

following notification of this decision to the defendant.

31
K. WAGNER, Dwangsom, Brussels, Story-Scientia, 2003, §7. Extract in the original language: “Zij [de dwangsom] is as prikkel tot
nakoming nooit bedoeld om daadwerkelijk te worden verbeurd…”. Free translation as follows: “It [the penalty payment] was never
intended to, in that it constitutes an incentive to performance…”. The Litigation Chamber specifies here that although
the penalty payment referred to in the aforementioned work refers to that used in civil law, and that it is therefore to be distinguished from the administrative penalty payment referred to by the LCA, it nevertheless considers it relevant to refer to it in order to better legally frame
the administrative penalty payment referred to by the LCA.

32Ibid., §20.
33
In this sense, see, mutatis mutandisAGNER, op. cit., §.6. Extract in the original language: “Het doel van de dwangsom is de
lechtstreekse uitvoering van de verbintenissen te waarborgen . . .”. Free translation as follows: “The penalty payment aims
to ensure the execution of obligations…”. Decision on the merits 131/2024 — 30/33

119. In this case, the Litigation Chamber considers that a period of 45 days from the

notification of this decision is sufficient to allow the defendant to comply

with the said injunctions.

120. The period runs from the day on which the defendant receives the

registered letter notifying it of this decision or from the day of expiry of the period during which the

defendant is, where applicable, required to collect the said registered

letter from the post office.

121. The day after the expiry of this period, the Litigation Chamber notifies the defendant:

1) That the latter has fully complied with the injunctions issued in

this decision; or

2) That the defendant has partially complied with the injunctions issued in

this decision; or

3) That the defendant has not complied with the injunctions issued in

this decision.

The Litigation Chamber shall initiate the enforcement of the penalty payment on the same day as this notification

in the second and third cases.

122. The amount of the penalty payments is as follows:

a) Injunction 1: the defendant must pay EUR 20,000 per day of delay from the day

on which the Litigation Chamber notifies it that it has partially or not at all

complied with the injunctions issued in this decision;

b) Injunction 2: the defendant must pay EUR 20,000 per day of delay from the day

on which the Litigation Chamber notifies it that it has partially or not at all

complied with the injunctions issued in this decision.

If the defendant fails to comply with both injunctions, it must then pay

EUR 40,000 per day of delay from the day on which the Litigation Chamber notifies it that it

has partially or not at all complied with the injunctions issued in this

decision.

123. The Litigation Chamber recalls, as it did in point 112, that the penalty payment is

not punitive in nature. The injunctions are each accompanied by a penalty payment in order to

ensure their proper execution. The amount of the penalty payments is reasonable in view of

the infringement that the defendant has caused to the rights of the complainant, and of

users more generally, but also in view of the financial capacity 34 of the defendant and the

benefit that it can derive from the non-execution of the injunctions in question.

34During the 2023 tax year, the defendant achieved a turnover of EUR 225,063,613. See in this regard
https://consult.cbso.nbb.be/consult-enterprise. Decision on the merits 131/2024 — 33/33

36
filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or

via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code).

(sé). Hielke H IJMANS

President of the Litigation Chamber

36The application, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter
to the clerk of the court or filed with the registry.