APD/GBA (Belgium) - 131/2024: Difference between revisions
No edit summary |
No edit summary |
||
Line 69: | Line 69: | ||
}} | }} | ||
The DPA reprimanded a media company since the cookie banner of one of its websites was not displaying a "reject all" button and | The DPA reprimanded a media company since the cookie banner of one of its websites was not displaying a "reject all" button and was inducing data subjects to click on the "accept all" button through a catchy colour. | ||
== English Summary == | == English Summary == |
Revision as of 13:33, 14 October 2024
APD/GBA - 131/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(11) GDPR Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 5(3) ePrivacy Directive 2002/58/EC Art. 10/2 Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 19.07.2023 |
Decided: | 11.10.2024 |
Published: | |
Fine: | n/a |
Parties: | RTL Belgium SA |
National Case Number/Name: | 131/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD-GBA (in FR) |
Initial Contributor: | fb |
The DPA reprimanded a media company since the cookie banner of one of its websites was not displaying a "reject all" button and was inducing data subjects to click on the "accept all" button through a catchy colour.
English Summary
Facts
On 10 February 2023 the data subject, a trainee working at noyb – European Center for Digital Rights, visited the website of the controller, a Belgian media company.
The data subject noticed that the cookie banner of this website had an “Accept all” and a “Know more” button. The data subject believed that this cookie banner was unlawful under the GDPR. Therefore, under Article 80(1) GDPR, she mandated noyb to file a complaint with the DPA on her behalf.
More specifically, the data subject pointed out the following violations:
- the fact that the cookie banner did not have a “Reject all” button violates Articles 5(1)(a), 6(1)(a) and 7(1) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 of the Belgian Data Protection Code (Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel - Loi-cadre);
- the usage of a vivid colour for the “Accept all” button misleads data subjects and violates Articles 5(1)(a), 6(1)(a) and 7(1) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 Loi-cadre;
- the fact that the banner does not allow to withdraw consent as easily as it is possible to give that consent is a violation of Articles 5(1)(a) and 17(1)(b) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 Loi-cadre.
First of all, the controller argued that noyb cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.
Furthermore, it argued that the GDPR does not require websites to have a “reject all” button, nor the “accept” button to have a specific colour.
Holding
On the representation agreement under Article 80(1) GDPR
First, the DPA held that noyb can represent the data subject. It pointed out that the representation agreement between the former and the latter is valid under Article 80(1) GDPR.
Moreover, it noted that the data subject decided on her own to visit the website and that nothing opposes to the fact that an organisation under Article 80 GDPR can represent one of its employees or volunteers.
Furthermore, the DPA held that the fact that noyb has provide technical and legal assistance to the data subject is not a problem. On the contrary, according to the DPA, this represent a good practice.
On the merits
On the merits, the DPA noted that, according to Article 4(11) GDPR, consent must be freely given. In a cookie banner, this means that accepting should be as easy as refusing the installation of the cookies.
Therefore, the cookie banner should have, all on the first layer, both an “Accept all” and a “Refuse all” button. On these grounds, the DPA found a violation of Article 6(1)(a) GDPR and of Article 10/2 Loi-cadre.
As for the button colours, the DPA is of the opinion that the colours used by the controller are able to manifestly induce the data subject to click on the “accept all” button, since the latter, having a bright colour, stands out from the resto of the banner. Therefore, the DPA found a violation of Articles 5(1)(a) and 6(1)(a) GDPR and Article 10/2 Loi-cadre.
Finally, as for the options to withdraw consent, the DPA noted that the controller placed a button that allows to manage the cookies at the bottom of each page of its website. The DPA considered this solution enough to comply with the requirement set by Article 7(3) GDPR and, therefore, rejected this point of the complaint.
On these grounds, the DPA reprimanded the controller and ordered it to implement a GDPR-compliant cookie banner.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
1/33 Litigation Chamber Decision on the merits 131/2024 of 11 October 2024 File number: DOS-2023-03283 Subject: Complaint relating to the cookie banner on the RTL Belgium website The Litigation Chamber of the Data Protection Authority, consisting of Mr. Hielke H IJMANS, President, and Messrs. Christophe Boeraeve and Jelle Stassijns, members; Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter "GDPR"; Having regard to the Law of 3 December 2017 establishing the Data Protection Authority (hereinafter "LCA"); Having regard to the internal regulations as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Journal on 15 January 2019; 1 Having regard to the documents in the file; Has taken the following decision regarding: The complainant: X, represented by noyb – European Center for Digital Rights, located at Goldschlagstraße 172/4/3/2, 1140 – Vienna (AT), registered in Austria under company number ZVR 1354838270, hereinafter “the complainant” The defendant: RTLBelgium, whose registered office is established at Avenue Jacques Georgin, 2–1030 Schaerbeek, registered under company number 0428.201.847, represented by Laurence Vandenbrouck, hereinafter “the defendant” 1The new internal regulations of the DPA, following the amendments made by the Law of 25 December 2023 amending the Law of 3 December 2017 establishing the Data Protection Authority (LCA) have entered into force in force on 01/06/2024. In accordance with Article 56 of the Law of 25 December 2023, it only applies to complaints, mediation files, requests, inspections and procedures before the Litigation Chamber initiated from this date: https://www.autoriteprotectiondonnees.be/publications/reglement-d-ordre-interieur-de-l-autorite-de-protection-des- donnees.pdf. Files initiated before 01/06/2024, as in this case, are subject to the provisions of the LCA not amended by the Law of 25 December 2023 and the internal regulations as they existed before this date. Decision on the merits 131/2024 — 2/33 I. Facts and procedure 1. On 19 July 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. The Litigation Chamber takes into account the fact that the complaint form is dated 18 July 2023, but it was filed with the DPA on the night of 18 July 2023 to 19 July 2023, and therefore it is this latter date that must be taken as the date of the formal filing of the complaint. 2. The subject of the complaint concerns several elements relating to the cookie banner present on the defendant's website. These allegedly contravene the principles of the GDPR and the Framework Law. 3. On 10 February 2023, the complainant visited the defendant's website as part of a project initiated with one of her colleagues during her internship at noyb. She stated that she took this initiative in order to check whether certain websites – including the defendant's – belonging to large Belgian press groups that had previously been the subject of a transaction with the DPA were GDPR compliant. During this visit, the complainant and her colleague identified potential GDPR violations. Following this observation, the complainant took a HAR file to document these potential violations. In the meantime, she mandated noyb, mainly to obtain technical assistance, as she was not able to prepare the HAR file herself. Subsequently, the complainant prepares a complaint, whose grievances, identical to the arguments raised in her conclusions, will be developed in point 16. As part of its mandate, noyb rereads and corrects the complaint prepared by the complainant. It is appropriate to note a certain ambiguity in the complainant's statements concerning the preparation of the complaint, the latter having also mentioned that noyb had prepared the complaint and that she had simply drafted part of it and reread the rest. 4. On August 4, 2023, the Front Line Service (hereinafter the "FLS") asks noyb to inform it of the complainant's interest in acting. 5. On 25 August 2023, the complaint was declared admissible by the SPL on the basis of Articles 58 and 60 of the LCA and the complaint was forwarded to the Litigation Chamber pursuant to Article 62, § 1 of the LCA. 6. On 1 September 2023, noyb responded to the SPL that the complainant demonstrated an interest in acting since she was a data subject, her personal data having been processed after having consented to the deposit of cookies on the defendant's website. Since the processing of this data was considered by herself and noyb to be unlawful, the complainant considered that her rights had been affected. In this regard, it relies on annexes. In any event, noyb declares that the demonstration of an interest in acting on the part of the complainant does not constitute a condition of admissibility of the complaint. Decision on the merits 131/2024 — 3/33 7. On 20 October 2023, the Litigation Chamber proposed a settlement – previously communicated to the complainant – to the defendant. 8. On 27 November 2023, the defendant did not consider the terms of the settlement acceptable, and therefore requested a reassessment of the latter. It did not express opposition to a new settlement proposal. er 9. On 1 December 2023, the Litigation Chamber responds that it will withdraw the settlement proposal unless decisive elements are provided before 6 December 2023. 10. On 18 December 2023, the Litigation Chamber formally withdraws the settlement proposal. 11. On 5 February 2024, the Litigation Chamber decides, pursuant to Article 95, §1, 1° and Article 98 of the LCA, that the case may be dealt with on the merits. On the same date, the parties concerned are informed by registered mail of the provisions as set out in Article 95, §2 and Article 98 of the LCA. They are also informed, pursuant to Article 99 of the LCA, of the deadlines for submitting their submissions. The deadline for receipt of the respondent's submissions in response was set at 18 March 2024, that for the complainant's submissions in reply at 8 April 2024 and that for the respondent's submissions in rejoinder at 29 April 2024. 12. On 8 February 2024, the respondent agreed to receive all communications relating to the case electronically, and expressed its intention to use the possibility of being heard, in accordance with Article 98 of the LCA. She requests by the same email a copy of the file (art. 95, §2, 3° LCA), which is sent to her on 19 February 2024. 13. On 9 February 2024, the complainant agrees to receive all communications relating to the case electronically. She requests by the same email a copy of the file (art. 95, §2, 3° LCA), which is sent to her on 19 February 2024. She also requests that the procedure continue in Dutch. 14. On 19 February 2024, the Litigation Chamber decided to maintain the language of the proceedings in French, since the complaint was filed in French, the website of the defendant against whom the complaints are directed is French-speaking and the complainant does not provide any other evidence in favour of a change of language for the continuation of the proceedings. Furthermore, in view of the time taken to communicate the administrative file to the parties, the Litigation Chamber decided to extend the deadlines for the exchange of submissions. The new deadline for receipt of the respondent's submissions in response is now set at 25 March 2024, that for the complainant's submissions in reply at 15 April 2024 and that for the respondent's submissions in rejoinder at 6 May 2024. Decision on the merits 131/2024 — 4/33 15. On 25 March 2024, the Litigation Chamber received the submissions in response from the defendant. The defendant having filed additional and summary submissions, the content of the submissions in response is summarized in point 17. 16. On April 15, 2024, the Litigation Chamber received the submissions in reply from the complainant, their content can be summarized as follows: • Concerning the admissibility and admissibility of the complaint, the complainant concludes as follows: o Article 220, §2, 1° of the Law of July 30, 2018 on the protection of natural persons with regard to the processing of personal data (hereinafter the "Framework Law") must be set aside by the DPA since it violates Article 80.1 of the GDPR.The complainant considers that Article 26, §4 of the Special Law of 6 January 1989 on the Constitutional Court (hereinafter “the Special Law”) is not applicable in this case, given that the DPA is not a court of the judicial system, and that it should therefore not submit a preliminary question before setting aside the aforementioned provision of the Framework Law. Furthermore, it adds that even if Article 26, §4 of the Special Law were applicable in the present proceedings, this would still not constitute an obstacle to setting aside Article 220, §2, 1° of the Framework Law, given that the primacy of European law is absolute. In this regard, it relies on judgments of the Court of Justice of the European Union (hereinafter “CJEU”); o The mandate cannot be criticized for not being specific enough in that, on the one hand, the terms of the mandate make it possible to determine what one is authorized to act for, and, on the other hand, Article 1984 of the Civil Code does not require that a mandate be drafted in more specific terms than the mandate in the case in point; o The complaint is admissible on the understanding that it was signed by the chairman of the board of directors denoyb in accordance with Article 58 of the LCA. In this regard, the complainant argues that the aforementioned article does not specify that the complaint must be signed specifically by the complainant, and therefore leaves the possibility for a complainant’s representative to sign it. In addition, the complainant notes that the signature of the complaint does not constitute a ground for admissibility within the meaning of Article 60 of the LCA and that its absence cannot therefore lead to the inadmissibility or rejection of the complaint; o The complainant is validly represented by noyb within the meaning of Article 80.1 of the GDPR. The fact that the complainant has completed an internship within noyb does not alter this finding. The complainant relies in particular on a judgment of the CJEU in which the latter recognizes that a complainant, who nevertheless had a relationship of subordination with noyb, is validly represented by the latter. • On the merits of the case, the complainant concludes as follows: o Type 1 violation: the defendant has failed to comply with Articles 5.1.a), 6.1.a) and 7.1 of the GDPR, as well as Article 5.3 of the ePrivacy Directive and Article 10/2 of the Framework Law by not presenting the “Accept all” and “Reject all” options at the same level of information on its cookie banner. The cookie banner has an “Accept and close” button, and a “Learn more” button. However, there is no button to refuse the installation of all cookies. The requirement for the buttons to accept or refuse cookies to appear at the same level of information arises in particular from the EDPB guidelines and the opinion of the majority of supervisory authorities; o Type 2 Violation: the defendant was guilty of a breach of Articles 5.1.a), 6.1.a) and 7.1 of the GDPR, as well as Article 5.3 of the ePrivacy Directive and Article 10/2 of the Framework Law by making misleading use of the colours of its buttons in its cookie banner. The button to accept the installation of cookies is in a striking colour, while the “More information” button is the same colour as the background of the cookie banner o Type 3 violation: the defendant has failed to comply with Articles 5.1.a), 17.1.b) of the GDPR, as well as Article 5.3 of the ePrivacy Directive and Article 10/2 of the Framework Law in that it does not allow for a withdrawal of consent as simple as its granting regarding the deposit of cookies. While granting consent requires only one click – or two if necessary –, the same is not true for withdrawing consent, which requires more. In addition, withdrawing consent requires going to a specific section of the RTL website. 17. On 6 May 2024, the Litigation Chamber received the additional and summary submissions from the defendant. Their content can be summarised as follows: • Concerning the admissibility and admissibility of the complaint, the defendant concludes as follows: o The complaint is not admissible on the understanding that noyb, mandated by the complainant, would not be validly constituted under Article 220, §2, 1° of the Framework Law sincenoyb would not be a non-profit body or association Decision on the merits 131/2024 — 6/33 validly constituted in accordance with Belgian law. Aware of the doubts that remain as to the compatibility between this provision and Article 80.1, it nevertheless states that the Belgian provision cannot be set aside without the Constitutional Court having expressed itself on this subject after having been seized of a preliminary ruling (Art. 26, §4 of the Special Law). Therefore, if the Contentious Chamber intends to set aside Article 220, §2, 1° of the Framework Law, it must submit a preliminary ruling question to the Constitutional Court under Article 26, §4 of the Special Law. In this regard, the defendant points out that the aforementioned provision of the Special Law does indeed apply to the Contentious Chamber; o The plaintiff’s mandate is invalid in that it is not defined with sufficient precision. The defendant relies in particular on a ruling of the Court of Cassation in which a mandate – similar to that in the present case according to the defendant – was sanctioned for lack of precision. The defendant also highlights contradictions, such as the fact that the signatory of the mandate is not the same as the one of the complaint, the fact that the mandate does not refer to Article 80.1 of the GDPR, and the fact that the mandate indicates that noyb is mandated to act before the DPA, but that it can also unilaterally decide on the judicial and extrajudicial actions it deems appropriate; o It considers that the complaint must be declared inadmissible on the understanding that it was not signed by the complainant, but by the chairman of the board of directors of noyb. The defendant points out that above the signature of the chairman of the board of directors of noyb is the wording “For noyb”. This indicates, according to the defendant, that the complaint is thus filed in the name and on behalf of noyb, whereas it should have been done in the name and on behalf of the complainant. Although it acknowledges that a third party can file a complaint on behalf of a complainant, it notes that it is still necessary to demonstrate a sufficient interest in acting, which noyb fails to do according to it. In any event, it considers the signature, unlike the complainant, to be a condition of admissibility it being understood that Article 58 of the LCA, which enshrines it, is presented in the law under the section “Referral and admissibility of a complaint or a application”; o The defendant considers that noyb acts as a complainant and not as an agent. noyb does not demonstrate a sufficient interest in acting since its claims, in the context of the case, do not seek to defend the concrete interests of the complainant, but rather join the defense of its public interests. The defendant adds that noyb makes very little reference to the complainant, and that hiring interns to actively seek out GDPR infringements is part of its business model. • On the merits of the case, the defendant concludes as follows: o Type 1 violation: the defendant has not been guilty of the alleged breaches. First, neither the GDPR nor the Framework Law require the implementation of a button to refuse all cookies at the first information level of the cookie banner. Second, the guidelines of the European Data Protection Board (hereinafter “EDPB”) and the opinions of the supervisory authorities constitute soft law, and are therefore not binding. Also, the defendant alleges that its cookie banner presents the “Accept all” and “Reject all” buttons on the same level. o Type 2 violation: the defendant has not been guilty of the alleged breaches. First of all, neither the GDPR nor the Framework Law require that the buttons to accept or refuse cookies be of the same colour. Furthermore, the colours chosen in this case are only the expression of an artistic freedom, reflecting the visual identity of the brand. In addition, the colours chosen allow for a more coherent and aesthetically pleasing experience for users. It also considers that the use of distinct colours can in particular improve the readability and accessibility of information for people with visual difficulties. Finally, it considers that noyb does not explain to what extent the colours used by itself can “manifestly mislead” users when they are confronted with the cookie banner. o Type 3 violation: the defendant has not been guilty of the alleged breaches, it being understood that through the “Manage cookies” section on its website, the user can at any time withdraw his or her consent to the deposit of cookies. In this regard, it cites an extract from decision 36/2024 of the Litigation Chamber as follows: “In addition, the cookie banner can easily be recalled in order to change the cookie settings, by means of a URL address at the bottom of the page, entitled “Manage cookies””. Finally, it states that it is not aware of any supervisory authority recommending the procedure described by noyb Decision on the merits 131/2024 — 8/33 which would consist of the installation of a floating button, permanently visible, and allowing consent to be withdrawn at any time. 18. On 20 June 2024, the parties are informed that the hearing will take place on 1 July 2024. 19. On 1 July 2024, the parties are heard by the Litigation Chamber. 20. On 8 July 2024, the minutes of the hearing are submitted to the parties. 21. On 12 July 2024, the Litigation Chamber receives from the complainant some comments on the minutes, which are annexed thereto in accordance with Article 54, paragraph 2 of the Rules of Procedure. 22. On 17 July 2024, the Litigation Chamber receives from the defendant some comments on the minutes, which are annexed thereto in accordance with Article 54, paragraph 2 of the Rules of Procedure. II. Motivation II.1. As to the procedure er 23. During the hearing held on 1 July 2024, the defendant made two preliminary remarks to which it is necessary to respond. It raises with the Litigation Chamber (i) that a procedure sharing some similarities with the present case is pending before the Market Court. In this procedure, a settlement proposal had been submitted to a data controller, which was unilaterally withdrawn by the Litigation Chamber. The data controller therefore appealed to the Market Court, thus contesting the unilateral withdrawal of the settlement proposal by the Litigation Chamber. The defendant therefore asks whether it would not be appropriate to suspend the present procedure until the Market Court delivers its judgment. (ii) Furthermore, the defendant points out to the Litigation Chamber that the complainant practiced as a lawyer in the law firm that represented the APD before the Market Court in the case cited above. It considers that this could suggest a possible conflict of interest or a possible breach of the principle of impartiality – both in its subjective and objective dimension. (i) As for the remark relating to the proceedings pending before the Market Court 24. The Litigation Chamber, as it had responded at the time of the hearing, stresses that the proceedings pending before the Market Court are not comparable to the present case. Indeed, while the procedure before the Market Court to which the defendant 2The Market Court has since delivered its judgment, see in this regard Judgment of the Brussels Court of Appeal (Market Court section) Decision on the merits 131/2024 — 9/33 refers concerns a settlement proposal that was unilaterally withdrawn by the Litigation Chamber and that was contested by the party to whom the proposal had been submitted, it should be noted that in the present case the defendant rejected the terms of the settlement proposal that was proposed to it. When the Litigation Chamber informed the defendant that it would withdraw the proposal, the defendant did not object. Consequently, there is formally no longer a settlement proposal in the present case, and the procedure is validly continuing with an examination of the merits of the file. (ii) As for the possible conflict of interest or the possible breach of the principle of impartiality 25. Although the principle of impartiality applies to administrative authorities, including the Contentious Chamber, it should be noted that according to a consistent case law of the Council of State: "the general principle of impartiality must be applied to any body of the active administration. It is sufficient that an appearance of bias could have given rise to legitimate doubts in the applicant as to the ability to approach his case with complete impartiality. However, this principle only applies to the extent that it is consistent with the specific nature, and in particular with the structure of the active administration. Furthermore, the impartiality of a collegiate body can only be called into question if, on the one hand, specific facts which raise suspicions of bias on the part of one or more members of the college can be legally established and, on the other hand, it is clear from the circumstances that the bias of this or these members could have influenced the entire college. It is up to the person who alleges that the authority did not act with independence, impartiality and thoroughness to provide proof of this." 26. It is therefore up to the party invoking the breach of the principle of impartiality to provide proof of specific facts from which it should be concluded that the principle of impartiality has been breached. 27. A distinction is made between objective impartiality and subjective impartiality. 28. The Litigation Chamber underlines, firstly, that the law firm concerned was selected following a public procurement contract (in tempore non suspecto), and must therefore respect the principles of equality, non-discrimination, transparency and proportionality with regard to all bidders, as well as rely on objective award criteria. Furthermore, the complainant is acting as a data subject, and this without any connection with her profession as a lawyer, formerly practiced for the law firm concerned. Since the defendant has not provided any further evidence to demonstrate that the Litigation Chamber gave the appearance of bias, the Litigation Chamber cannot conclude that it has breached the principle of objective impartiality. 3C.E., 30 November 2022, 255.145, Lemaire and Loslever; see also C.E., 19 January 2022, 252.684, XXX. Decision on the merits 131/2024 — 10/33 29. Next, the Litigation Chamber notes that the defendant does not provide any evidence expressing how it could have acted with bias, or that it could have, for example, intervened in the context of these proceedings in a manner that undermined the objectivity of the proceedings. Ultimately, the defendant does not provide any evidence of the concrete actions of the Litigation Chamber that would allow it to be concluded that the latter acted with bias. 30. By way of conclusion, the Litigation Chamber considers that there is no risk of conflict of interest in the present case and that it has not failed to comply with the principle of impartiality, whether in its objective or subjective dimension. II.2. As to the admissibility and admissibility of the complaint II.2.1. As for the constitution of noyb 31. Article 80.1 of the GDPR provides that "the data subject shall have the right to mandate a non-profit body, organisation or association, which has been validly constituted in accordance with the law of a Member State, whose statutory objectives are of public interest and is active in the field of the protection of the rights and freedoms of data subjects within the framework of the protection of personal data concerning, to lodge a complaint on his or her behalf, to exercise on his or her behalf the rights referred to in Articles 77, 78 and 79 and to exercise on his or her behalf the right to obtain compensation referred to in Article 82 where 5 the law of a Member State so provides." . 32. Article 220, §2 of the Framework Law specifies that: “§ 2. In the disputes provided for in paragraph 1, a body, an organization or a non-profit association must: 1° be validly constituted in accordance with Belgian law; 2° have legal personality; 3° have statutory objectives of public interest; 4C.E., 26 January 2018, Viaene and the Belgian State, 240.585. 5 It is the Litigation Chamber which emphasizes. See. also the first part of recital 142 of the GDPR: (142): Where a data subject considers that his or her rights under this Regulation are infringed, he or she should have the right to request a non-profit body, organisation or association, established in accordance with Member State law, whose statutory objectives are of public interest and which is active in the field of personal data protection, to lodge a complaint on his or her behalf with a supervisory authority, to exercise the right to a judicial remedy on behalf of the data subject or, where provided for by Member State law, to exercise the right to obtain redress on behalf of data subjects. 6 The preparatory work of the LTD mentions that the 3-year condition applies both to the existence of legal personality and to the exercise of activities in the field of data protection. See House of Representatives, Draft Law on the Protection of Individuals with regard to the Processing of Personal Data, Doc. Parl., DOC 54 31/26/001 (article-by-article commentary – Article 220). Decision on the substance 131/2024 — 11/33 4° be active in the field of protection of the rights and freedoms of data subjects in the context of the protection of personal data for at least three years. § 3. The non-profit body, organisation or association provides proof, by presenting its activity reports or any other document, that its activity has been effective for at least three years, that it corresponds to its corporate purpose and that this activity is related to the protection of personal data. 33. The Litigation Chamber has already had the opportunity to express doubts as to the compatibility of certain aspects of the Belgian provision with that of the GDPR. 7 34. The primacy of European law implies the exclusion of any national provision that cannot be interpreted in accordance with a standard of European law – this exclusion constituting a duty for all State organs, including the judicial and administrative authorities responsible for applying European law within the framework of their respective competences. 8 35. If there are reasons to believe that a law – within the meaning of Article 22 of the Constitution – would violate “a fundamental right guaranteed in a totally or partially analogous manner by a provision of Title II of the Constitution as well as by a provision of European law […]”, it is then for the court before which this situation arises to refer a preliminary question to the Constitutional Court. 36. The CJEU has held 10 that an incidental procedure for reviewing the constitutionality of national laws complies with EU law, provided that this procedure complies with 4 conditions, which follow: - The other national courts remain free “to refer to the Court, at any stage of the procedure which they consider appropriate, and even at the end of the incidental procedure for review of constitutionality, any preliminary question which they consider necessary”; - Other national courts remain free to “adopt any measure necessary to ensure the provisional judicial protection of the rights conferred by the legal order of the Union”; 7See Decision of the Contentious Chamber 39/2024 of 22 February 2024, paragraph 30; Decision of the Contentious Chamber 22/2024 of 24 January 2024, paragraph 32. 8 CJEU, 4 December 2018, C-378/17, Minister for Justice and Equality and Commissioner of the Garda Síochána, ECLI:EU:C:2018:979, paragraphs 37 and 38. 9Article 26, §4, Special Law of 6 January 1989 on the Constitutional Court, Official Journal, 7 January 1989, p. 315. 10CJEU, 22 June 2010, C-188/10, Melki, ECLI:EU:C:2010:363. Decision on the merits 131/2024 — 12/33 - The other national courts remain free “to disapply, at the end of such incidental proceedings, the national legislative provision in question if they consider it to be contrary to Union law”; - “It is for the referring court to verify whether the national legislation at issue in the main proceedings can be interpreted in accordance with these requirements of Union law”. 37. The Contentious Chamber notes that the special legislator has limited the scope of Article 26, §4 of the Special Law to ordinary and administrative courts only. 38. However, the Contentious Chamber is not within the jurisdiction of the judiciary – it is in fact an administrative authority.2 39. Consequently, Article 26, §4 of the Special Law does not apply to the Contentious Chamber, and the latter is not obliged or able to submit a preliminary question to the Constitutional Court. 40. Given that there is no other incidental procedure for reviewing constitutionality, the Contentious Chamber must directly do everything necessary to give full effect to the standards of European law that it must apply within the scope of its powers – namely Article 80.1 of the GDPR in relation to the present case. 41. In line with what was stated in point 33, the Litigation Chamber states that Article 220, §2, 1° of the Framework Law is contrary to the aforementioned provision of the GDPR, it being understood that it restricts the scope of application of the latter, so that they are irreconcilable. 42. Consequently, the application of Article 220, §2, 1° of the Framework Law should be excluded. II.2.2. Validity of the mandate 43. Concerning the mandate of representation, the Litigation Chamber notes that it mentions the data of the principal and the agent, and that the former mandates the latter to represent her before the APD and to take any action necessary to ensure that her rights are respected regarding the collection and processing of her data on the defendant’s website. The Litigation Chamber adds that, in the annexes to the 1 Special Bill of 15 January 2014 amending the Special Law of 6 January 1989 on the Constitutional Court, Explanatory Memorandum, 2013-2014 Ordnance Session, No. 53-2438/1, p. 6. 12 Draft law of 23 August 2017 establishing the Data Protection Authority, Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Sess. 2016-2017, No. 54-2648/1, p. 8; See also the Procurement Court, judgment of 31 October 2023, No. 2023/AR/821. 13The DPA has full authority to submit a preliminary question to the Constitutional Court through the Brussels Court of Appeal (Procurement Court section) in a case to which the DPA is a party, for example. Decision on the merits 131/2024 — 13/33 complaint form, the mandate is entitled as follows: “Exhibit 1 – Representation agreement pursuant to Article 80(1) GDPR”. 44. First of all, concerning this last element, the Litigation Chamber cannot agree with the defendant’s reasoning when the latter claims that noyb attempted to “hide” the absence of a reference to Article 80.1 of the GDPR in the body of the mandate. On the one hand, noyb claims that this reference was already included when the mandate was signed. On the other hand, the Litigation Chamber notes that the validity of the mandate must, where appropriate, be examined at the time of filing the complaint. Therefore, it does not appear likely that noyb sought to “camouflage” the absence of a reference to Article 80.1 of the GDPR – to the strict extent that the absence of a reference to Article 80.1 of the GDPR would render the mandate invalid – it being understood that it would have been sufficient to redo the mandate. Consequently, the mandate should be read in light of its title as an annex. Read in this way, there is no doubt that the mandate was concluded within the framework of Article 80.1 of the GDPR. 45. Next, with regard to the possible contradictions in the mandate that the defendant is subject to, the Litigation Chamber recalls that it could not assess the mandate too restrictively. As an administrative authority, the Litigation Chamber monitors the proper implementation of the GDPR. In this capacity, it is empowered to adopt one or more of the sanctions listed in Articles 95, §1 or 100, §1 of the LCA – and this in order, in particular, to protect the fundamental rights of the persons concerned. The mandate, as it appears in the documents in the file, makes it possible to determine the parties to this contract, the data controller against whom the complainant addresses her grievances, the supervisory authority to which it is planned to file a complaint and a reference to Article 80.1 of the GDPR within the framework of which the mandate is adopted. These elements make it possible to justify the actions that noyb undertakes in the name and on behalf of the complainant with the DPA. The imposition of more conditions on the mandate would undermine the duty of control incumbent on the Litigation Chamber, but also the rights of the persons concerned. For all intents and purposes, the Litigation Chamber specifies that the elements of the mandate cited above cannot be interpreted as setting any minimum threshold. 46. Finally, and in any event, the Litigation Chamber notes that Article 17 of the Judicial Code does not apply to the Litigation Chamber, the latter being an administrative authority as set out in point 38. II.2.3. Failure to sign the complaint 47. Article 58 of the LCA provides that "Any person may file a written, dated and signed complaint or request with the Data Protection Authority." Decision on the merits 131/2024 — 14/33 48. Article 60 of the same Law provides that, when examining the admissibility of complaints it receives, the SPL verifies that the complaint is “drafted in one of the national languages”, that it “contains a statement of the facts and the necessary information to identify the processing to which it relates”, and that the complaint “falls within the competence of the Data Protection Authority”. 49. Contrary to what noyb maintains, these two provisions should not be read separately, but together. Thus, the formal requirements prescribed by Article 58 of the LCA must also be taken into account in the admissibility examination referred to in Article 60 of the same Law. 50. The Litigation Chamber notes that the complaint form was signed by the chairman of the board of directors of noyb, with the following statement: "For noyb". 51. In this regard, the Belgian legislature has specified that the signature must come from "the person 14 competent in the matter", but not necessarily from the complainant. Thus, it must be understood that at least the agent may sign the complaint form. This also follows from Article 80.1 of the GDPR, which provides that the data subject has the right to mandate “a non-profit body, organisation or association […] to lodge a complaint on his or her behalf, to exercise on his or her behalf the rights referred to in Articles 77, 78 and 79 [of the GDPR]”. 52. As a legal entity, noyb must be represented by one of its members in the acts it performs. Thus, the chairman of the board of directors of noyb signed the complaint form – in the exercise of this function, which authorises him or her to such acts. 53. It cannot be inferred from the statement "For noyb" that noyb is acting as a complainant, since this statement is specifically intended to engage the liability of noyb, and not that of the chairman of the board of directors of noyb in his capacity as a natural person. II.2.4. Interest in bringing proceedings 54. The Litigation Chamber is not unaware of the content of its decision 22/2024, however it is necessary to note the differences that distinguish the facts arising from the above-mentioned decision from the facts arising from this decision. 55. Although the complainants share, in both decisions, the fact of having completed an internship at noyb, and, in this context, of having consulted websites which subsequently motivated the filing of a complaint with the DPA, it should not be ignored that at the origin of the facts examined in Decision 22/2024, noyb had put in place a large-scale plan with a view to filing dozens of complaints against multiple data controllers 14Draft Law of 23 August 2017 establishing the Data Protection Authority, Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Session 2016-2017, No. 54-2648/1, p. 40 Decision on the merits 131/2024 — 15/33 with various supervisory authorities – including the DPA. In addition, the complainant had explicitly acknowledged having been assigned various files, including the website of the defendant of the aforementioned decision. These elements – combined with others – led the Litigation Chamber to consider that the mandate concluded between the complainant and noyb was then fictitious. However, such a conclusion cannot be reached in the present case. The complainant – French-speaking – in fact consulted the website – French-speaking – of the defendant on the basis of a personal initiative, which does not fall within the framework of noyb’s other coordinated projects. There is nothing in principle to prevent noyb from representing one of its employees or trainees. 56. Furthermore, no link can be established between the present complaint and the complaints filed against the 15 Belgian websites referred to in the press release of July 2023 by noyb. While it is certainly clear that there was clear coordination to a certain extent in this case, it has not been established that this coordination took place before the complainant’s complaints arose. In any event, the evidence in this case does not establish that noyb exerted any pressure on the complainant. 57. Therefore, there is no reason to claim that the mandate is fictitious.6 58. In the present case, the relationship between the complainant and noyb could be schematised as follows: 15See https://noyb.eu/en/belgian-dpa-let-news-outlets-buy-themselves-free-gdpr-compliance. 16In this regard, see Decision on the merits 113/2024 of the Litigation Chamber of 6 September 2024 in which the same scenario occurs. Decision on the merits 131/2024 — 17/33 64. Also, concerning the collection and granting of consent online, we note that a binary reading cannot be satisfied. The Litigation Chamber understands that each situation should be examined on a case-by-case basis, based on the material methods of collecting and granting consent. In addition, the Litigation Chamber emphasizes that collecting and granting consent online has certain specific features. The Internet has significantly changed practices and takes up the time of the majority of citizens, particularly young people. This has led to the establishment of a form of consent that could be described as routine. Internet users browse from website to website, from page to page, and are therefore confronted with a large number of cookie banners. In doing so, the warning effect of the cookie banner diminishes, and the persons concerned may grant their consent by default, due to the weariness this causes. This 17 observation is made worse when we include the fact that data controllers sometimes implement a design that encourages Internet users to accept the deposit of cookies. 65. These reasons then impose on the Litigation Chamber the duty to examine this case with the utmost sensitivity. II.3.1. As to the articulation of the GDPR and the Framework Law with the Guidelines 66. The Litigation Chamber intends to respond to the arguments formulated by the defendant with regard to infringement of type 1 (see points 72 to 80, “As to the absence of a “Reject all” button at the first level of the cookie banner”) and 2 (see points 81 to 95, “As to the misleading use of button colours”), by which the defendant argues that neither the GDPR nor the Framework Law require the implementation of a “Reject all” button at the first level of the cookie banner or the use of “buttons and characters of identical size, importance and colours”. The defendant adds that the guidelines of the EDPB and the supervisory authorities have no binding force since they constitute soft law. 67. To begin with, the Litigation Chamber recalls that the GDPR, as a European Regulation, is a legal act directly applicable in all Member States. In so doing, the GDPR has a general scope. The European legislator cannot be expected to define in detail the specific modalities of all practices relating to this act. On the contrary, it has established general and abstract rules with which the persons and entities concerned must comply. The supervisory authorities, in particular, must apply these principles and rules to specific cases, these taking place in the digital society, whose technological developments 17 In English, it is customary to speak of “Click fatigue”; in this regard see EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 87, available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. 18Summary of the defendant’s submissions, p. 22. Decision on the substance 131/2024 — 18/33 within it are very rapid. It is in this context that supervisory authorities must adopt decisions that are adequate and proportionate. The decision-making practice of authorities can – and must – in fact evolve in the light of legal and technological developments. The fact that an authority is required to change its decision-making practice does not in any way constitute an obstacle to the imposition of sanctions, such as administrative fines for example. 68. Similarly, in adopting the Framework Law, the Belgian legislator did not intend to define specific modalities for all practices relating to this law. 69. In this regard, the GDPR, in its Article 70.1.e, specifically delegates to the EDPB the mission “to publish guidelines, recommendations and good practices” on any question relating to its application, with a view to promoting its consistent application. The importance of this consistency is also recalled in Articles 57.1.g and 70.1.u of the GDPR. It should also be noted that Article 57.1.d of the GDPR gives the supervisory authorities the task of encouraging awareness among controllers and processors of their obligations under the GDPR. 70. In this way, while it is certainly correct to say that the guidelines thus published are not binding in nature in that they constitute soft law, it would be conversely wrong to deny them any legal effect. This denial ultimately and implicitly amounts to challenging the authority of the EDPB and the supervisory authorities who nevertheless have the appropriate expertise to carry out the tasks incumbent on them and which have been recalled in the previous paragraph – although this does not mean that the parties to a case cannot challenge the legal interpretation of the GDPR made by the EDPB or a supervisory authority. 71. By way of conclusion, the Litigation Chamber recalls that the guidelines of the EDPB and the supervisory authorities specify the provisions of the GDPR, but that it is the violation of the latter – which are the subject of a concrete application to a specific case – which justifies the imposition of corrective measures or a sanction. II.3.2. As for the absence of a “Refuse all” button at the first level of the cookie banner 72. Article 4.11 of the GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she signifies agreement, by a statement or by a clear affirmative action, to the processing of personal data concerning him or her”. Recital 42 of the GDPR states that “consent 19Draft Law of 11 June 2018 on the protection of natural persons with regard to the processing of personal data, Explanatory Memorandum, Parl. Doc., Repr. Ch., Ord. Sess. 2017-2018, No. 54-3126/1, p. 21. Decision on the substance 131/2024 — 19/33 should not be considered to have been freely given if the data subject does not have a genuine freedom of choice or is unable to refuse or withdraw consent without suffering detriment.” 73. Article 5.1.a) of the GDPR provides that personal data must be processed “lawfully, fairly and transparently.” To be lawful, the processing must be based on the consent of the data subject or any other basis of lawfulness set out in Article 6.1 of the GDPR. 74. By applying these provisions, it must be concluded that for each cookie banner it must be as simple to consent to the deposit of cookies as it is to refuse them. Therefore, the button for accepting the deposit of cookies and the button for refusing the deposit of cookies must appear together, at each level of the cookie banner in which the button for accepting the deposit of cookies appears. Otherwise, the consent then collected could not be considered as having been given freely and unequivocally. 75. The Litigation Chamber notes in the present case that by not presenting the “Accept all” and “Reject all” buttons at the first level of the cookie banner – the first button being the only one present – the defendant not only makes the possibility of refusing the deposit of cookies less visible to the persons concerned, but also makes it materially more difficult for them to refuse, given that a greater number of actions are required. In this sense, the persons concerned – such as the complainant – are encouraged to accept the deposit of cookies. 76. The EDPB 20 considers that an incentive is not necessarily contrary to the GDPR. He cites as an example the case where a data controller, granting general discounts on the purchase of clothing and fashion accessories, requests the consent of the person concerned to deposit cookies in order to better target their preferences. The incentive in this case is then authorized on the understanding that the person concerned would not suffer any harm if they were led to withdraw their consent. 77. In the present case, however, the incentive cannot be considered as authorized or valid. Unlike the incentive presented in the example above, it does not offer any advantage to the person concerned. However, a free choice implies that the button allowing the refusal of the deposit of all cookies is offered at a level at least equal to that allowing the acceptance of their deposit. Furthermore, it should be noted that the cookie banner requires users to make a choice. This constitutes a practice 20 EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 50, available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. 21EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 13, available at:https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 cEnsent en.pdf. in particular, the following excerpt: “The adjective ‘free’ implies a choice and real control for the data subjects. […]”. Decision on the merits 131/2024 — 20/33 22 “cookie wall” issue. Consequently, the consent granted to the deposit of cookies on the defendant’s website was not freely given. 78. Furthermore, the consent given by the data subject cannot be considered to have been given unequivocally. Indeed, by not informing the complainant of the possibility of rejecting the deposit of cookies, it cannot be considered that the latter was able to consent by a clear positive act to the deposit of cookies. 79. The findings made in the above paragraphs, relating to the first level of the cookie banner, are not altered by the fact that at other levels of the defendant’s website the “Accept all” and “Reject all” buttons are presented together. Requiring a data controller to make it as easy to refuse the deposit of cookies as it is to accept them constitutes a concrete application of the conditions of validity of consent as defined by Article 6.1.a) of the GDPR. The verification of the validity of consent must then be carried out at the time when consent is actually granted – or not. Given that the complainant consented to the deposit of cookies at the first level of the cookie banner, the validity of the consent collected must in fact only be retained at this level. This is all the more true since, by definition, the data subjects are first confronted with the first level of the cookie banner. In addition, the Litigation Chamber recalls that it is the responsibility of the data controller to demonstrate that they have obtained the data subject’s consent under Article 7.1 of the GDPR. 80. By way of conclusion, the Litigation Chamber notes that the defendant has violated Article 6.1.a) of the GDPR, as well as Article 10/2 of the Framework Law. II.3.3. As for the misleading use of button colours 81. Regarding the defendant’s first argument, concerning the fact that neither the GDPR nor the Framework Law require data controllers to “use buttons and characters of identical size, importance and colour”, the Litigation Chamber notes that the defendant is wrong to think that the complainant would support this idea. The complaint in this regard claims that the cookie banner is in a form that encourages data subjects to click on the "Accept and close" button, so that consent 22EDPB, Guidelines 5/2020 on consent under Regulation (EU) 2016/679, 4 May 2020, point 39, available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent fr.pdf. 23The Litigation Chamber recalls that a person whose data has not been processed precisely because they have refused to consent to processing that presumably constitutes a practice violating their rights, and who, in doing so, has not been able to access a benefit or service, has the right to lodge a complaint with a supervisory authority under Article 77 of the GDPR, as set out in the judgment of 7 October 2021 of the Court of Cassation, accessible via : https://juportal.be/content/ECLI:BE:CASS:2021:ARR.20211007.1N.4/FR?HiLi=eNpLtDK2qs60MrAutjI2sFJKT01PLUvNK05KL U7OSC3KzcxLL04sLckvyixJzSxRss60MoSqdHd1dw1z9Qt2cg129nAN8vX0cw92DA3xD/IMcfUMAak0gqkkYGYtAFHdLHE=. Decision on the merits 131/2024 — 21/33 granted does not meet the conditions provided for by the GDPR. Moreover, the Litigation Chamber refers the parties to points 66 to 80. 82. Then, the Litigation Chamber notes that on the defendant’s cookie banner (see below) three colours appear. The text uses a white font colour, and the background of the banner is dark blue. The “Learn more” button, which ultimately allows you to refuse the deposit of cookies, is the same blue as the background, but is separated from it by white borders. The “Accept and close” button is a striking orange colour. 83. As set out in point 72, consent must have been given freely, specifically, informed and unequivocally. Following on from what was developed in point 71, the fact of requiring a data controller that the button colours used are not of a nature likely to clearly direct users towards the choice of consenting to the deposit of cookies constitutes a requirement to respect the free and unequivocal nature that consent must have, understood within the meaning of Article 6.1 of the GDPR. 84. In this case, the Litigation Chamber is of the opinion that the use of colours made by the defendant is of a nature likely to clearly encourage users to click on the "Accept and close" button, in that the button stands out particularly from the rest of the cookie banner, and that it is therefore on this button that the users' attention will mainly gravitate.Therefore, the plaintiff’s consent obtained by the defendant regarding the deposit of cookies is not valid. Decision on the merits 131/2024 — 22/33 85. First of all, the European Court of Human Rights defines freedom of artistic expression as that which “enables participation in the public exchange of cultural, political and social information and ideas of all kinds (see, mutatis mutandis, the judgment in Müller and Others v. Switzerland of 24 May 1988, Series A no. 133, p. 19, § 27). Those who create, perform, disseminate or exhibit a work of art contribute to the exchange of ideas and opinions essential to a democratic society […]” . 24 86. Next, the Litigation Chamber recalls that the right to data protection is a fundamental right. The European legislator has implemented this fundamental right, in particular in the GDPR and the ePrivacy Directive. The choice that the legislator has made, including regarding the conditions of the consent that it has submitted in the legislative texts, indicate the threshold of requirement that data controllers must respect before they can use this consent for the placement of cookies and subsequent processing (Art. 6.1.a of the GDPR and 10/2 of the Framework Law). The data controller has a certain margin of maneuver in the implementation of the conditions implemented in the legislative bases mentioned above; however, the controller cannot choose the conditions of the consent. It is the duty of the DPA to enforce the application of the GDPR and the ePrivacy Directive. 87. Concerning the freedom of artistic expression relied on by the defendant, the Litigation Chamber notes that Article 85.1 of the GDPR provides that: "Member States shall reconcile, by law, the right to the protection of personal data under this Regulation and the right to freedom of expression and information, including processing for journalistic purposes and for the purposes of academic, artistic or literary expression.". 88. Recital 153 of the same Regulation specifies in this regard that such a reconciliation must take place when it proves necessary. It also specifies that the concepts related to this freedom should be interpreted broadly in the light of the importance of the right to freedom of expression. 89. The Belgian legislator has provided in Article 24 of the Framework Law for exceptions to the application of certain provisions of the GDPR for processing for journalistic purposes and for academic, artistic or literary expression, as follows: “§ 1. Processing of personal data for journalistic purposes means the preparation, collection, drafting, production, dissemination or archiving for the purpose of informing the public, using any media and where the controller is subject to rules of journalistic ethics. 24 Eur. Court HR (Grand Chamber), judgment in Karatas v. Turkey, 8 July 1999, paragraph 49, accessible via: https://hudoc.echr.coe.int/eng?i=001-62826. Decision on the merits 131/2024 — 23/33 § 2. Articles 7 to 10, 11.2, 13 to 16, 18 to 20 and 21.1 of the Regulation do not apply to the processing of personal data carried out for journalistic purposes and for purposes of academic, artistic or literary expression. § 3. Articles 30.4, 31, 33 and 36 of the Regulation do not apply to processing for journalistic purposes and for purposes of academic, artistic or literary expression when their application would compromise a planned publication or would constitute a control measure prior to the publication of an article. § 4. Articles 44 to 50 of the Regulation shall not apply to transfers of personal data carried out for journalistic purposes and for the purposes of academic, artistic or literary expression to third countries or to international organisations to the extent that this is necessary to reconcile the right to the protection of personal data and freedom of expression and information. § 5. Article 58 of the Regulation shall not apply to the processing of personal data carried out for journalistic purposes and for the purposes of academic, artistic or literary expression where its application would provide indications on the sources of information or constitute a control measure prior to the publication of an article. » 90. First, it should be noted that Articles 5.1.a and 6.1 of the GDPR are not subject to an exemption concerning processing carried out for the purposes referred to in point 87. 91. Next, the Litigation Chamber notes that it is clear from the report on the work undertaken by the Cookie Banner TaskForce that, concerning colours [and contrasts], no general banner model could be imposed on data controllers. The same report further states that the validity of the cookie banner must then be examined on a case-by-case basis, in order to verify whether the colours or contrasts used do not blatantly direct users towards a choice that does not correspond to their preferences regarding the sharing of personal data. 25 92. This means that controllers, whose compliance with the GDPR must be assessed on a case-by-case basis, have considerable leeway in the choice of colours [and contrasts] in their cookie banners. They can therefore be creative, in particular to reflect their brand identity. This leeway also allows controllers to comply with both the 25EDPB, Report of the work undertaken by the Cookie Banner Taskforce, available at (in English only): https://www.edpb.europa.eu/system/files/2023-01/edpb 20230118 report cookie banner taskforce en.pdf. Decision on the substance 131/2024 — 24/33 requirements incumbent on them under the GDPR and compliance with the principles of inclusive design, for example. 93. Going even further, the Litigation Chamber emphasises that in this case the defendant could quite easily maintain the same colours used in its cookie banner, provided that it reverses the colour used for the button allowing the acceptance of the deposit of cookies, and that used for the button allowing, ultimately, to refuse them. As has been explained in point 83, data controllers must ensure that the use of a colour does not clearly encourage users to consent to the deposit of cookies on their browser. On the other hand, there is nothing to prevent data controllers from using a button colour that would similarly encourage users to refuse the deposit of cookies. 94. Ultimately, the defendant wrongly claims that the requirements to which the choice of colours used in its cookie banner is subject would infringe its freedom of artistic expression, and the coherent and aesthetically pleasing experience that it wishes to provide to its users, including persons with visual impairments. 95. For the reasons set out above, the Litigation Chamber concludes that the defendant has violated Articles 5.1.a) and 6.1.a) of the GDPR, as well as Article 10/2 of the Framework Law. II.3.4. As to the terms of withdrawal of consent 96. Article 7.3 of the GDPR provides that “The data subject has the right to withdraw his or her consent at any time. The withdrawal of consent shall not compromise the lawfulness of processing based on consent given before its withdrawal. The data subject shall be informed thereof before giving his or her consent. It is as easy to withdraw as it is to give consent. ». 97. The EDPB specifies that the violation of Article 7.3 of the GDPR results in the non-compliance of the 26 consent mechanism of the data controller. 98. It emerges from the report on the work undertaken by the Cookie Banner Taskforce that a specific model for withdrawing consent cannot be imposed on data controllers, including the solution of a floating banner or button (or "hovering solution"). It also emerges from the same report that a link located in a visible and standardized place constitutes a solution adapted to compliance with Article 7.3 of the GDPR. 26 EDPB, Guidelines 5/2020 on consent within the meaning of Regulation (EU) 2016/679 of 4 May 2020, point 116, available at: https://www.edpb.europa.eu/sites/default/files/files/file1/edpb guidelines 202005 consent en.pdf. 27EDPB, Report on the work undertaken by the Cookie Banner Taskforce of 17 January 2023, point 35, available via (in English only): https://www.edpb.europa.eu/system/files/2023-01/edpb 20230118 report cookie banner taskforce en.pdf. Decision on the merits 131/2024 — 25/33 99. The Litigation Chamber adds that the duty to give data subjects the opportunity to withdraw their consent as simply as the manner in which they grant it must be balanced against the comfort of use of the data subjects. This duty should therefore not make the browsing experience on a data controller’s website painful for users – if this were the case, it would then prove unreasonable. 100. In this case, the Litigation Chamber notes that the defendant’s website provides users with a “Manage Cookies” button at the bottom of each of its navigation pages. In this regard, the Litigation Chamber notes that this button is reasonably accessible to users. 101. Furthermore, among the options presented in the “Manage Cookies” button, there are “Accept all” and “Reject all” buttons. Users therefore have the possibility of withdrawing their consent using a single button. 102. The fact that the withdrawal of consent is not carried out in the same way as for its collection is not a problem here, since otherwise the interests of users (and of the complainant more specifically) would themselves be affected. 103. Consequently, the Litigation Chamber decides to dismiss this complaint without further action. III. Corrective and provisional measures 104. Under Article 100 of the LCA, the Litigation Chamber has the power to: 1° dismiss the complaint; 2° order that there be no case to answer; 3° order a suspension of the decision; 4° propose a transaction; 5° issue warnings and reprimands; 6° order compliance with the requests of the person concerned to exercise their rights ; 7° order that the person concerned be informed of the security problem; 8° order the freezing, limitation or temporary or permanent prohibition of the processing; 9° order the processing to be brought into compliance; 10° order the rectification, restriction or erasure of data and the notification of these to the recipients of the data; 11° order the withdrawal of the accreditation of certification bodies; 12° impose periodic penalty payments; 13° impose administrative fines; Decision on the merits 131/2024 — 26/33 14° order the suspension of transborder data flows to another State or an international body; 15° forward the file to the Public Prosecutor's Office of the Brussels King's Prosecutor, who shall inform him of the follow-up given to the file; 16° decide on a case-by-case basis to publish its decisions on the website of the Data Protection Authority. III.1. Compliance order 105. The Litigation Chamber considers it appropriate to impose two compliance injunctions on the defendant, based on the breaches noted. 106. Injunction 1: the Litigation Chamber requires the defendant to add a button clearly allowing the refusal of the deposit of cookies with a single click, and this at the same level as the button allowing the acceptance of the deposit of cookies at each level of the cookie banner in which the button allowing the acceptance of the deposit of cookies appears. 107. Injunction 2: the Litigation Chamber requires the defendant to use colours and contrasts that are not manifestly misleading. The button clearly allowing the refusal of the deposit of cookies must therefore be displayed at least equivalent to the one allowing the acceptance of it. The Litigation Chamber specifies that the defendant has however the possibility of retaining the colours currently used in its cookie banner provided that it reverses the colour used for the button for refusing the deposit of cookies with that for accepting them; it refers it in this regard to point 94. 108. As examples, the Litigation Chamber inserts below an illustration from its Cookies checklist 28 and constituting good practice. However, the implementation of these injunctions is the sole responsibility of the defendant. 28https://www.autoriteprotectiondonnees.be/publications/checklist-cookies.pdf. Decision on the merits 131/2024 — 27/33 109. Each of these two injunctions must be complied with no later than the 45th day following notification to the defendant of this decision. Within the same period, the defendant will communicate to the Litigation Chamber and to the plaintiff a document reflecting the manner in which it has complied with the two injunctions issued. 110. In the event of inaction – even apparent – after the 45th day following the notification to the defendant of this decision, the Litigation Chamber shall notify the defendant. As of this notification, the penalty payment is implemented. It will only end as of the notification of the Litigation Chamber by which the latter recognizes that the defendant has fully complied with the injunctions in this case. III.2. Ancillary sanction: the penalty payment III.2.1. Preliminary considerations 111. The penalty payment is special in that it is fully conditional. The amount to be paid is indeed uncertain. The defendant first has a period of time to comply with or appeal the decision. Only in the event of non-compliance on its part after a period of 45 days from notification of this decision will the penalty payment Decision on the merits 131/2024 — 28/33 be implemented. Consequently, the amount of the penalty payment is variable, and may even be zero, where applicable. 112. The penalty payment is thus distinguished from the administrative fine in that it constitutes an indirect means of enforcement of the main sanction(s) in order to comply with the law in force, whereas the administrative fine is of a punitive nature. The penalty payment therefore also has an ancillary nature. The penalty payment and the administrative fine are thus different both in their nature and in the objectives they pursue. 113. In a judgment of 19 February 2020, the Market Court considered the following: “Before a sanction is imposed on him, the offender must be informed of the nature of the sanction envisaged and its amount (in the case where a fine is envisaged). The offender must be warned (in order to avoid unnecessary sanctions) and have the opportunity to defend himself on the amount of the fine proposed by the Litigation Chamber before the sanction is actually imposed and implemented”. 114. Following this judgment, the President of the Litigation Division then considered that sending a sanction form was also required when the Litigation Division was considering imposing a penalty payment. 115. The position of the Litigation Division in this regard is now completely different, and considers that it should not inform the defendant of its intention to impose a penalty payment, for the following two reasons: a) The obligation to send a sanction form to the defendant before the decision is taken is based on the case law of the Market Court. It is therefore an obligation in addition to the existing legal framework. This step, which is added to the Litigation Division’s procedure, makes it more cumbersome and stretches it out over time. While the Litigation Chamber recognises all the advantages, it nevertheless notes that this strictly national obligation may hinder the consistent application of the GDPR between the various supervisory authorities. In this way, the Litigation Chamber considers that this obligation should be interpreted restrictively, favouring an interpretation that does not contradict 29 Free translation of the judgment of the Brussels Court of Appeal (Chamber 19A, Market Court section) of 19 February 2020, 2019/AR/1600. The original version of the translated extract follows as follows: "The inbreukpleger must voordat hem a sanctie wordt opgelegd kennis krijgen van de aard van sanctie die overwogen wordt en van de omvang ervan (in geval een geldboete overwogen wordt). De inbreukpleger moet gewaarschuwd worden (met als doel het nodeloos sanctioneren te vermijden) en de gelegenheid krijgenzich teverdedigen omtrent de doordeGeschillenkamer voorgesteldebedragenvan van deboete, voordat de sanctie effectiveef wordt opgelegd en uitgevoerd. ". 30 See the On-call Policy of the Litigation Chamber of December 23, 2020, https://www.autoriteprotectiondonnees.be/publications/politique-en-matiere-d-astreinte.pdf. Decision on the merits 131/2024 — 29/33 with the objectives that the legislator pursued in conferring their powers to the supervisory authorities; (b) As explained in point 112, the nature of the penalty payment differs fundamentally from that of the administrative fine. The penalty payment is in fact an ancillary sanction, also intended to encourage the defendant to comply with the main sanction. In this sense, it is widely recognised in legal doctrine that the penalty payment is not of a criminal nature. In conclusion, the choice to impose a penalty payment is a matter for the strictest discretion of the Litigation Chamber, and therefore cannot be contested by a party to the case. The Belgian legislator deliberately chose to confer this power to impose penalty payments on the APD; the will of the Belgian legislator must therefore be recognised and respected. 116. Furthermore, the Litigation Division recalls that its decisions have no precedent value. The Litigation Division’s policies, for their part, have no binding value. The Litigation Division recognises that the publication of these policies establishes a certain trust with the public, and in any event strives to communicate transparently with the public. However, this cannot constitute an obstacle to the development of the Litigation Division’s practices and the legal framework implemented, which are essential. 117. In light of the reasons set out above, the Litigation Division exercises its prerogative to impose periodic penalty payments on the defendant in this case, and does not consider that it must inform the defendant in advance by means of a penalty form. III.2.2. Practical arrangements for the penalty payment 118. In order to give the defendant the time necessary to comply with the injunctions issued in this decision, the penalty payment will not be implemented directly following notification of this decision to the defendant. 31 K. WAGNER, Dwangsom, Brussels, Story-Scientia, 2003, §7. Extract in the original language: “Zij [de dwangsom] is as prikkel tot nakoming nooit bedoeld om daadwerkelijk te worden verbeurd…”. Free translation as follows: “It [the penalty payment] was never intended to, in that it constitutes an incentive to performance…”. The Litigation Chamber specifies here that although the penalty payment referred to in the aforementioned work refers to that used in civil law, and that it is therefore to be distinguished from the administrative penalty payment referred to by the LCA, it nevertheless considers it relevant to refer to it in order to better legally frame the administrative penalty payment referred to by the LCA. 32Ibid., §20. 33 In this sense, see, mutatis mutandisAGNER, op. cit., §.6. Extract in the original language: “Het doel van de dwangsom is de lechtstreekse uitvoering van de verbintenissen te waarborgen . . .”. Free translation as follows: “The penalty payment aims to ensure the execution of obligations…”. Decision on the merits 131/2024 — 30/33 119. In this case, the Litigation Chamber considers that a period of 45 days from the notification of this decision is sufficient to allow the defendant to comply with the said injunctions. 120. The period runs from the day on which the defendant receives the registered letter notifying it of this decision or from the day of expiry of the period during which the defendant is, where applicable, required to collect the said registered letter from the post office. 121. The day after the expiry of this period, the Litigation Chamber notifies the defendant: 1) That the latter has fully complied with the injunctions issued in this decision; or 2) That the defendant has partially complied with the injunctions issued in this decision; or 3) That the defendant has not complied with the injunctions issued in this decision. The Litigation Chamber shall initiate the enforcement of the penalty payment on the same day as this notification in the second and third cases. 122. The amount of the penalty payments is as follows: a) Injunction 1: the defendant must pay EUR 20,000 per day of delay from the day on which the Litigation Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision; b) Injunction 2: the defendant must pay EUR 20,000 per day of delay from the day on which the Litigation Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision. If the defendant fails to comply with both injunctions, it must then pay EUR 40,000 per day of delay from the day on which the Litigation Chamber notifies it that it has partially or not at all complied with the injunctions issued in this decision. 123. The Litigation Chamber recalls, as it did in point 112, that the penalty payment is not punitive in nature. The injunctions are each accompanied by a penalty payment in order to ensure their proper execution. The amount of the penalty payments is reasonable in view of the infringement that the defendant has caused to the rights of the complainant, and of users more generally, but also in view of the financial capacity 34 of the defendant and the benefit that it can derive from the non-execution of the injunctions in question. 34During the 2023 tax year, the defendant achieved a turnover of EUR 225,063,613. See in this regard https://consult.cbso.nbb.be/consult-enterprise. Decision on the merits 131/2024 — 33/33 36 filed with the registry of the Market Court in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code). (sé). Hielke H IJMANS President of the Litigation Chamber 36The application, accompanied by its annex, shall be sent, in as many copies as there are parties involved, by registered letter to the clerk of the court or filed with the registry.