BVwG - W 108 2284491-1
From GDPRhub
| BVwG - W 108 2284491-1 | |
|---|---|
 | |
| Court: | BVwG (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 7(3) GDPR Article 21 GDPR Article 5(3) ePrivacy Directive |
| Decided: | 31.07.2024 |
| Published: | |
| Parties: | |
| National Case Number/Name: | W 108 2284491-1 |
| European Case Law Identifier: | ECLI:AT:BVWG:2024:W108.2284491.1.00 |
| Appeal from: | DSB (Austria) D124.5045 2023-0.661.011 |
| Appeal to: | Unknown |
| Original Language(s): | German |
| Original Source: | Rechtsinformationssystem des Bundes (RIS) (in German) |
| Initial Contributor: | wp |
The court upheld the DPA’s decision that a cookie banner’s first layer needs to contain a visually equivalent option to reject cookies.
English Summary
Facts
The data subject visited a website operated by a media company (the controller). Upon opening the website a cookie banner showed up. This cookie banner was designed in such a way that a reject button was “hidden” in a second layer. The cookie banner’s first layer presented only an option to accept the cookies or to manage the options. The cookie manage option was presented as a link. When the data subject clicked on the accept button, they also agreed to pre-ticked options, visible only within the cookie management link. The reject button was a part of the second layer of the cookie banner (within the cookie management link).
The data subject lodged a complaint with the Austrian DPA (DSB), claiming the controller violated, inter alia, Article 5(1)(a) GDPR and Article 6(1)(a) GDPR. The data subject was represented by noyb.
The controller argued to the DPA that the website provided access to online newspaper articles. Because of that, the processing activities were carried for journalistic purposes and the DPA was not competent to hear the case.
In the meantime the controller updated the settings of the cookie banner and introduced a reject button on its first layer, next to the accept button. Also, the link to manage the cookie settings was redesigned as a button. Moreover, the controller added a floating icon, allowing the website users to withdraw the consent given at any time. If a website user rejected the cookies or withdrew the consent via the floating icon, the controller would interpret such a conduct to be an objection under Article 21 GDPR. Additionally, the controller informed they deleted the data concerning the data subject.
In response, the data subject emphasized that due to new settings of the website, the controller wrongly qualified certain cookies to be strictly necessary. In consequence, the controller installed the cookies before the website’s user interacted with the cookie banner, violating Article 5(3) ePrivacy Directive.
Although the controller announced that it would implement a completely new cookie banner, they later retracted from that plan. The controller changed the cookie banner and – after improving it initially – removed the reject button again. Eventually, updated cookie banner didn’t include a reject button on the first layer any longer.
The DPA issued a decision, ordering the controller to modify the cookie banner so that its first layer offered an option to close the cookie banner without giving consent. This option had to be visually equivalent to the accept button. The DPA rejected the applications of the data subject regarding the deletion of its data, an order to stop unlawful processing and establishing the violation of data confidentiality (“Recht auf Geheimhaltung”).
The controller appealed the DPA’s order to introduce an equivalent reject option in the first layer of its cookie banner to the Federal Administrative Court (Bundesverwaltungsgericht – BVwG). After hearing the parties and visiting the website itself the court issued its decision.
Holding
The court dismissed the appeal of the controller as unfounded.
No exemption from the GDPR through media privilege (“Medienprivileg”)
The controller’s processing activities didn’t fall within the scope of journalistic purposes. The court emphasised that the controller placed the cookies and processed the collected data for analytical and advertising purposes.
Need for an equivalent reject option in cookie banners
The court also upheld the interpretation of the DPA that the first layer of the cookie banner needs to contain a visually equivalent option to reject cookies.
According to the court Article 7(3) GDPR implies that refusing consent shall be as easy as giving consent. In particular, refusing consent shall not require more interactions than giving consent.
In the case at hand consenting required only one click, whereas rejecting consent required two clicks. Therefore no equivalence between the options was given. Furthermore, the different design of the options in the first layer – a button for consent on one hand and a link to access the second layer on the other – equally lead to the conclusion that the options cannot be considered equivalent.
A mere explanation in the first layer of the cookie banner on how to reject cookies does not change this assessment. Additionally, the cookie manage link at the bottom of the website is not an equivalent option either, since it is only available after an interaction with the cookie banner.
Hence, the DPA order was found to be correct. The court did not find that the controller had complied with this order in the meantime.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
Court
Federal Administrative Court
Document type
Decision text
Decision type
Finding
Reference number
W108 2284491-1
Decision date
July 31, 2024
Standard
B-VG Art133
Paragraph 4
DSG §1
GDPR Art4 Z1
GDPR Art4 Z11
GDPR Art4 Z2
GDPR Art4 Z7
GDPR Art58 Paragraph 1 litb
GDPR Art58 Paragraph 2 litd
GDPR Art7
VwGVG §28
Paragraph 2
B-VG Art. 133 today
B-VG Art. 133 valid from January 1, 2019 to May 24, 2018
last amended by BGBl. I No. 138/2017
B-VG Art. 133 valid from 01.01.2019
last amended by BGBl. I No. 22/2018
B-VG Art. 133 valid from 25.05.2018 to 31.12.2018
last amended by BGBl. I No. 22/2018
B-VG Art. 133 valid from 01.08.2014 to 24.05.2018
last amended by BGBl. I No. 164/2013
B-VG Art. 133 valid from 01.01.2014 to 31.07.2014
last amended by BGBl. I No. 51/2012
B-VG Art. 133 valid from 01.01.2004 to 12/31/2013
last amended by BGBl. I No. 100/2003
B-VG Art. 133 valid from 01/01/1975 to 12/31/2003
last amended by BGBl. No. 444/1974
B-VG Art. 133 valid from 12/25/1946 to 12/31/1974
last amended by BGBl. No. 211/1946
B-VG Art. 133 valid from 12/19/1945 to 12/24/1946
last amended by StGBl. No. 4/1945
B-VG Art. 133 valid from January 3, 1930 to June 30, 1934
DSG Art. 1 § 1 today
DSG Art. 1 § 1 valid from January 1, 2014
last amended by BGBl. I No. 51/2012
DSG Art. 1 § 1 valid from January 1, 2000 to December 31, 2013
VwGVG § 28 today
VwGVG § 28 valid from January 1, 2019
last amended by BGBl. I No. 138/2017
VwGVG § 28 valid from January 1, 2014 to December 31, 2018
Saying
W108 2284491-1/15E
IN THE NAME OF THE REPUBLIC!
The Federal Administrative Court, through Judge Mag. BRAUCHART as chairperson and the expert lay judge Mag. HAIDINGER, LL.M. and the expert lay judge Mag. SCHACHNER as assessors, has rightly ruled on the complaint of XXXX , represented by attorney Dr. Peter ZÖCHBAUER, against point 3 of the decision of the Data Protection Authority dated December 14, 2023, reference number D124.5045 2023-0.661.011, concerning a data protection matter (co-participant: XXXX , represented by noyb - European Center for Digital Rights):
A)
The complaint is dismissed as unfounded in accordance with Section 28 (2) VwGVG.
B)
The appeal is not admissible according to Art. 133 Para. 4 B-VG.
Text
Reasons for the decision:
I. Course of proceedings and facts:
1. In the data protection complaint addressed to the data protection authority (DSB, authority concerned before the Federal Administrative Court) pursuant to Art. 77 of the General Data Protection Regulation (GDPR) of August 10, 2021, the now co-participant, XXXX (former complainant in the proceedings before the authority concerned), asserted a violation of the right to erasure pursuant to Art. 17 GDPR and, related to this, a violation of the obligation to notify by the complaining party (former respondent in the proceedings before the authority concerned). The co-participant requested that the authority concerned instruct the controller to cease all "relevant processing activities", to delete all relevant personal data and to inform all recipients to whom the data had been disclosed of the deletion, and suggested that an effective, proportionate and deterrent fine be imposed on the complaining party.
In this regard, it was argued (as far as relevant to the proceedings) that the co-participant visited the website XXXX, for which the complaining party was responsible, on April 9, 2021 from 2:33:00 p.m. to 2:35:10 p.m. The website displayed a Consent Management Platform ("CMP") provided by XXXX in the form of a "banner". Due to the design of the cookie banner, several legal violations had occurred. While the banner provides a button to accept all relevant processing activities and a button that allows the data subject to access further options, the option to "reject" the relevant processing activities was intentionally hidden by the controller, even though a "reject" button is present in the CMP setup and can be turned on and off with a simple click. There is no logical, technical or ethical reason to hide the "reject" option other than to confuse the data subjects or make rejections more burdensome and unlikely. When confronted with the first level of the banner, all relevant processing activities are in fact preselected - albeit not visible to the co-participant, but hidden in the second level of the banner. When the co-participant accepted, the complaining party treated this as consent to all hidden preselected options on the second level of the banner. To reject the processing, the co-participant would have had to click on the button that leads to further options. With another click, the co-participant can then confirm the now deactivated options. The processing activity can then be accepted with one click, but two (or more) clicks are required to deactivate and reject the processing activities in question. Hiding a "reject" option on the first level and hiding the preselected options on the second level violates the principles of "processing in good faith" and "transparency" according to Art. 5 Para. 1 lit. a GDPR. Consent without knowledge of the possibility of rejecting processing on the second level can under no circumstances be regarded as "informed" and "for the specific case" within the meaning of Art. 4 Z 11 GDPR, so that Art. 6 Para. 1 lit. a GDPR is ineffective as a legal basis. Reference is also made, among other things, to the guidelines of the French data protection authority CNIL, which expressly stressed that a "reject all" option must or should be provided in the first level of the banners, and to the guidelines of the German supervisory authorities, according to which there must be an "easy way to reject". The Danish supervisory authority has also stated that the absence of a "reject" button violates the GDPR and has provided explicit guidelines on this matter. The Greek supervisory authority has stated that the number of clicks required to grant consent and to reject it must be the same, while the Finnish supervisory authority has stated that rejecting consent and withdrawing it must be as easy as giving it. In addition, a misleading link design is used, the button colors and contrast are misleading, the supposedly legitimate interests relied on by the complaining party do not exist and withdrawing consent is not as easy as giving consent. The complaining party could not rely on any legal basis within the meaning of Art. 6 GDPR for the "relevant processing activities", which would include in particular the setting and reading of cookies on the website and the disclosure of this data to recipients by the complaining party, in particular there was no effective consent and no legitimate interest.
Attached to the data protection complaint were screenshots of the website and the banner, a summary of all relevant settings within the XXXX configuration files in JSON format, a summary of all HTTP requests and responses between the browser and the various servers during the visit to the website and a summary of all cookie data.
2. The authority concerned sent the complaining party the data protection complaint of the co-participant by letter dated October 4, 2021 and asked them to comment on it within a period of four weeks. The statement should in particular state whether it is intended to adapt the cookie banner in accordance with the statements of the co-participant, which cookies would specifically be set after a website visitor makes the choice in the cookie banner to allow all cookies, whether personal data of the co-participant, such as their online identification features, would be stored, whether the co-participant's personal data would be deleted as requested, and if so, whether the complaining party would inform the recipients of the co-participant's personal data of this deletion.
3. At the request of the authority concerned, the complaining party submitted a statement on December 1, 2021, in which it was stated that the complaining party was a media company within the meaning of Section 1 Paragraph 1 Item 6 of the Media Act and media owner within the meaning of Section 1 Paragraph 1 Item 8 Letter a of the Media Act of the website relevant to the proceedings. This website keeps editorial articles related to current events ("online newspaper") available. The processing of personal data carried out in this context is carried out exclusively for journalistic purposes, and Section 9 Paragraph 1 of the Data Protection Act provides a total exception to the provisions of the GDPR. The authority concerned is therefore not responsible for dealing with the present complaint.
The legal representative of the co-participant contacted the complaining party in advance of the complaint in order to point out the topics of the complaint regarding the cookie banner. The complaining party then stopped the behavior pointed out by the legal representative of the co-participant - without prejudice to the factual and legal situation. The "Reject" button is now located on the first level of the cookie banner in the same conspicuousness and in the same design and with the same contrast directly next to the "Accept" button.The cookie settings are no longer designed as a link, but as a colored button. The revocation of consent already granted and the objection in accordance with Art. 21 GDPR are possible at any time via a permanently visible "floating" symbol with which users can return to their data protection settings and revoke the consent granted and/or exercise the objection. Users are expressly informed of this symbol in the first level of the cookie banner. If a user selects the "Reject button", this is noted as a non-granting of consent and considered an objection within the meaning of Art. 21 GDPR. If a user selects "Accept" or "Allow all" in the cookie banner, cookies that are strictly necessary for the website to function, performance cookies to count visits and traffic sources, functional cookies to provide enhanced functionality and personalization, cookies from advertising partners for marketing purposes, cookies for personalized ads and content, ad and content measurements, audience insights and product development, information on the user's device, location data, device characteristics for identification, cookies to ensure security, prevent fraud, troubleshoot, technically deliver ads or content, select personalized content to combine with offline data sources, link different devices and receive and use automatically sent device characteristics for identification will be set. The user will find a list of these cookies with a detailed explanation on the second level of the cookie banner if they click on the "Cookie Settings" button on the first level or return to their privacy settings using the permanently visible "floating" icon. In any case, the complaining party no longer stores the contested personal data of the co-participant and has in any case deleted it. The recipients are currently being informed about the deletion of the contested personal data of the co-participant.
The statement was accompanied by, among other things, an excerpt from the website's "cookie banner" dated December 1, 2021.
4. The co-participant replied to this - after the authority concerned had granted him a party's opinion on the results of the investigation - in his statement dated December 29, 2021, summarizing that the violations identified in the complaint - with the exception of the appeal to alleged legitimate interests - were considered to have been remedied. With regard to the new banner, it should be noted that certain cookies are now classified as absolutely necessary ("always active"). This is a wrong classification, in fact all of these processing operations and cookies use personal data and serve purposes that are obviously not "strictly necessary" within the meaning of Art. 5 Para. 3 ePrivacy Directive or, in common parlance, "strictly necessary" or "essential" under the GDPR. This classification also appears to have led to personal data being processed and information being stored and made accessible before the data subject had any interaction with the banner. Contrary to the complaining party's argument, the non-applicability of the GDPR due to the exception in Section 9 Para. 1 DSG is not an option. The "broad definition of journalism" adjudicated by the ECJ in no way has the consequence that any data processing on the website of a media company within the meaning of Section 1 Paragraph 1 Item 6 of the Media Act or of a media owner within the meaning of Section 1 Paragraph 1 Item 8 Letter a of the Media Act is to be qualified as processing for journalistic purposes within the meaning of Art. 85 of the GDPR. The data collection and transmissions challenged in the context of this complaint were in no way carried out with the "aim of disseminating information, opinions or ideas to the public" - rather, personal data were processed for other purposes, e.g. for personalized advertising. The GDPR and the DSG are fully applicable and the authority concerned is responsible for dealing with the complaint.
5. At the request of the authority concerned, the complaining party submitted a supplementary statement on February 3, 2022, in which it stated that it had not processed any personal data without consent. If the website visitor selects the "Reject button" on the first level of the cookie banner, the cookies listed on the second level would be deactivated. No data processing based on a "legitimate interest" takes place to this extent. The same applies to the cookies criticized in the statement of December 29, 2021, which are described as "always active". In fact, the complaining party did not process any personal data to this extent without consent. The note "always active" is therefore incorrect and has no technical impact on data processing. The note "always active" has not yet been removed by the complaining party for technical reasons only. The complaining party is in contact with the platform developer XXXX in this regard in order to have the name corrected. Furthermore, the complaining party collects data (IP address, length of stay, interests based on reading behavior as well as location data and browser type) as part of the reach survey for the website on the basis of its compelling, overriding legitimate interest within the meaning of Art. 6 (1) (f) GDPR, whereby this user data is anonymized before it is stored. For this purpose, the Austrian Web Analysis (ÖWA) uses cookies that are stored on the user's computer. The complaining party intends to introduce a completely new cookie banner that will (also) implement all of the co-participant's points of complaint. In this regard, the complaining party will provide the data protection authority with appropriate evidence after the new cookie banner has been introduced. Furthermore, the statement of December 29, 2021 does not claim that the co-participant's personal data was processed. Rather, there are only general statements about alleged violations, so that the co-participant has no standing to take action to this extent.
The complaining party also submitted the data processing directory pursuant to Art. 30 Para. 1 GDPR for the website in question.
6. In a submission dated December 30, 2022, the co-participant requested that it be determined pursuant to Section 24 Para. 2 No. 5 DSG in conjunction with Section 1 DSG that the complaining party had violated the provisions mentioned [in the data protection complaint] for each "type of violation".
7. The authority concerned sent the co-participant's statement to the complaining party in a letter dated June 20, 2023 and asked the latter to comment on whether a new cookie banner had been introduced for the website in question in the meantime and, if so, what changes had been made.
8. The complaining party submitted a statement on August 22, 2023, in which it was stated that the complaining party had ultimately decided against introducing a new cookie banner. The current cookie banner is designed in line with industry standards, as can be seen from the attached screenshots of the cookie banners of numerous other Austrian online media.
9. The co-participant replied to this - after the authority concerned had granted him the right to be heard on the results of the investigation - in his statement of September 13, 2023, summarizing that the complaining party was certainly aware that an industry-standard design was not a legal justification. Apart from that, various types of consent banners, ordinary consent banners or "pay-or-ok" solutions were visible in the screenshots submitted. There therefore seems to be more than just "one" standard. The consent banner of the complaining party, which in the past already contained a "Reject" button of the same color and size, unfortunately no longer has such an option. This means that the violations criticized in the complaint would also exist again. It should also be mentioned that the authority concerned requires a "Reject" option at the first level.
10.1. By decision of December 14, 2023, reference number D124.5045 2023-0.661.011, the authority concerned ruled on the data protection complaint of the co-participant regarding the right to erasure and the obligation to notify in connection with the erasure (A), the application for an order against the complaining party to stop the unlawful processing (B) and the application to establish an alleged violation of the right to confidentiality (C) as follows (formatting not reproduced 1:1):
"1) The complaint is dismissed with regard to points A) and B).
2) The complaint is dismissed with regard to point C).
3) The respondent [complainant party] is instructed to amend the data protection request for consent (the cookie banner) on the website XXXX (see factual findings C.6.) within a period of ten weeks in such a way that, in addition to the "Accept" option, a visually equivalent option is available on the first level of the cookie banner to close the cookie banner without giving consent."
10.2. After describing the course of the proceedings (essentially as described under points 1.-9.), the authority concerned made the following factual findings (as far as relevant to the proceedings):
C.1. Cookies can be used to collect information that has been generated by a website and stored via an Internet user's browser. It is a small file or text information that is placed by a website via an Internet user's browser on the hard drive of their computer or mobile device. A cookie allows the website to identify users, remember its customers' preferences, and enables users to complete tasks without having to re-enter information when they move to another page or visit the website again later. Most web browsers support cookies, but users can set their browsers to reject cookies. They can also delete cookies at any time. Cookies can also be used to collect information for targeted advertising and marketing based on online behavior. For example, companies use software to track user behavior and create personal profiles that allow users to be shown advertising tailored to their previous searches.
C.2. The complaining party is the operator of the website XXXX. It makes the decision under which conditions which cookies are set or read when the website is accessed.
C.3. The co-defendant visited the website at least on April 9, 2021.
The cookie banner was specifically designed as follows on April 9, 2021 (formatting not reproduced 1:1)
C.4. As a result of visiting the website XXXX, the following cookies, which contained a unique, randomly generated value (random number), were set and read on the co-participant's device at least on April 9, 2021.
...
The content of the cited attachment "cookies.json" (JSON file) was used as the basis for the findings of fact.
C.5. The complaining party is currently not storing any cookie values that were set and read on the co-participant's device as a result of the visit to XXXX on April 9, 2021.
In addition, the complaining party does not currently save the IP address of the co-participant's device, which was saved in its log files as a result of the same visit - at least for a short time.
The complaining party has also informed the recipients of the data transmission (specifically the providers of the services it has implemented on its website) of the deletion.
C.6. At the current time, the complaining party's cookie banner is as follows (formatting not reproduced 1:1):
If the option "Show purposes" is selected, the following button appears (formatting not reproduced 1:1):
When the website XXXX is accessed for the first time with an empty browser and without interacting with the cookie banner, the following cookies are set in the user's device or browser:
...
If the option "Accept" or "Allow all" is selected, several cookies are set in the user's device or browser. The cookies in question are the following:
...
Legally, the authority concerned (as far as relevant to the proceedings) stated that processing operations in a given case could be subject to both the provisions of Directive 2002/58/EC as amended (e-Privacy Directive) or the TKG 2021 and the GDPR. While the setting or reading of cookies is to be assessed in accordance with the requirements of Art. 5 (3) of the e-Privacy Directive, the subsequent data processing falls within the scope of the GDPR.
To the extent that the complaining party relies on the applicability of Section 9 (1) DSG, it should be pointed out that the national legislature restricts the so-called media privilege under Art. 85 GDPR in conjunction with Section 9 (1) DSG by making the privilege accessible only to media companies or media services if personal data is processed for journalistic purposes by media owners, publishers and media employees or employees of a media company or media service. The extent to which the data processing subject to the complaint pursued a "journalistic purpose" within the meaning of the ECJ's case law was not apparent and was not explained in a comprehensible manner. As is clear from the facts and stated by the complaining party in its statement of December 1, 2021, cookies are used in particular for analysis, marketing and advertising purposes. Apart from that, due to the implementation of cookies on a website, third-party providers receive data from users such as the co-participant, which in turn can be processed for their own purposes. Advertising cookies for displaying personalized advertising on a media company's website or the management of a database by a media company for the purpose of sending print advertising are not subject to the media privilege. Since the requirements of Section 9 (1) DSG are not met, the media privilege does not apply to the data processing subject to the complaint. The authority concerned is therefore responsible for the complaint in question because data (at least IP addresses and cookie values) have been passed on as a result of cookies being set or read.
The material scope of application of the GDPR is also fulfilled. In the Google Analytics case, the authority concerned has already stated - in accordance with the case law of the European Data Protection Supervisor (EDPS) - that cookies that contain a unique, randomly generated value (random number) and that are set with the purpose of individualizing and separating people meet the definition of Art. 4 Z 1 GDPR. In particular, it can never be ruled out that the cookie values and the IP address of a person's end device are combined with additional information at some point in the processing chain, e.g. when the person concerned registers on a website with their email address or real name. These considerations could be applied to the present case, since as a result of the visit to the website XXXX on April 9, 2021, cookies with unique, randomly generated values were set and read on the co-participant's device. Subsequently, the cookie values and IP address of the co-participant's device were also transmitted to the servers of the respective providers, such as Google, Trade Desk and Salesforce DMP.
The authority concerned has remedial powers pursuant to Art. 58 (2) lit. d GDPR, which allow it, among other things, to instruct a controller to change or carry out processing operations in a certain way and within a certain period of time. It is permissible for the authority concerned to make official use of its powers stipulated in Art. 58 (2) GDPR in the complaint procedure. This is also in line with the case law of the ECJ, according to which a supervisory authority is obliged to make use of its remedial powers in the event of identified deficiencies. Although the complaint in question was ultimately rejected because, among other things, the data of the co-participant had been deleted in the meantime, this does not change the fact that, in the opinion of the authority concerned, the cookie banner in question (or more specifically: the request for consent under data protection law) does not comply with the requirements of the GDPR.
To assess how the cookie banner and the interaction options should be understood, the figure of an averagely informed, attentive and intelligent consumer should be used.
With regard to the design of the request for consent, it should be noted that giving consent for cookies must be just as easy as revoking it in accordance with Art. 7 (3) GDPR and the case law of the ECJ. In general, not giving consent (or closing the cookie banner and continuing to surf without consent) should be just as easy as giving consent. Not giving consent (or closing the cookie banner and continuing to surf without consent) should therefore not require more interactions with the cookie banner than giving consent. In the present case, a cookie banner is used as a request for consent for the use of cookies (and the associated processing of personal data). Specifically, data subjects - such as the co-participant - can give their consent by selecting the green "Accept" button; to not give their consent, the (bare) "Show purposes" link and, in a second step, the "Reject all" button must be selected. However, data subjects cannot be required to decide not to give consent at a second or third level when asked for consent (a cookie banner), as this cannot be assumed to be an unambiguous expression of intent within the meaning of Art. 4(11) GDPR. In particular, it cannot be ruled out that data subjects chose the "Accept" option simply because, in their view, there was no immediate option to "Reject" or because, due to the design, they did not even realize that a "Reject" option was available. According to the case law of the ECJ, the complaining party also bears the burden of proof for the validity of each consent. In addition, it should be taken into account that a procedure in which data subjects are required to carry out significantly more interactions in order not to give their consent than in order to give their consent cannot correspond to the principle of data processing in good faith ("fairly processed") pursuant to Art. 5 Para. 1 lit. a GDPR or the principle of data protection through technology design ("privacy by design") pursuant to Art. 25 Para. 1 leg. cit. This view ultimately also corresponds to the view of the EDSA. In addition, a requirement for a "reject" option - or any other option - at the first level is that it is designed to be visually equivalent to the "accept" option. This means in particular that both options must be equally easy to perceive. However, the "equivalent option" mentioned in point 3 does not necessarily have to be the implementation of a "reject" option at the first level.
11. The complaining party lodged a timely complaint against point 3 of this decision to the Federal Administrative Court pursuant to Art. 130 Paragraph 1 Item 1 B-VG (party complaint), in which it submitted the following:
The revocation of consent already granted (as well as the objection pursuant to Art. 21 GDPR) is possible at any time on the website via a permanently visible "floating icon" with which users can return to their data protection settings and easily revoke the consent granted and/or exercise objection. Users are expressly informed of this symbol and the possibility of not granting consent, revoking consent granted at any time and the possibility of objection, already in the first level of the cookie banner; this information - like the "floating icon" - is not hidden, but rather clearly visible. As the authority itself explains, the "equivalent option" mentioned in point 3 does not necessarily have to be the implementation of a "reject" option on the first level. In order not to give consent, either the link "Show purposes" on the first level of the cookie banner must be selected on the website and the button "Reject all" must be selected in the second step, or the permanently visible "floating icon" must be clicked and then the button "Reject all" must be selected in the banner that appears. The statements made by the authority concerned that data subjects cannot be required "to only make the decision not to give consent on a second or third level when asked for consent (a cookie banner)" are therefore incomprehensible. In addition, a correct legal assessment must take into account that the cookie banner is designed in accordance with industry standard. The requirements of Art. 6 Para. 1 lit. a and Art. 7 Para. 3 GDPR are fully met by the complaining party, so that the order given by the authority concerned in point 3 of the ruling must be omitted if the legal assessment is correct.The authority concerned is also to be accused of an incorrect legal assessment in connection with the "media privilege". According to the case law of the ECJ, a broad understanding of the term "journalistic purposes" must be assumed. Based on this broad understanding of the term, the processing of personal data carried out in this context by the complaining party was carried out exclusively for "journalistic purposes". The complaint in question to the authority concerned within the meaning of Art. 77 GDPR would correctly have been excluded due to the "media privilege". Especially since, among other things, the authority concerned's powers to issue orders and impose sanctions (Chapter VI) are not applicable to data processing by media companies for journalistic purposes, the authority concerned is therefore not competent for the proceedings in question if the legal assessment is correct, and should therefore have denied its competence. The authority concerned had also failed to hold an oral hearing, although the complaining party had already repeatedly requested summons and oral testimony in the statement of December 1, 2021 and subsequently in numerous other written submissions. An oral hearing would have been necessary in any case. The incorrect failure to hold an oral hearing resulted in a procedural defect, and even an unconstitutionality with regard to Art. 6 ECHR.
12. The authority concerned did not make use of the possibility of a preliminary decision on the complaint, submitted the complaint together with the relevant files of the administrative procedure to the Federal Administrative Court for a decision and issued a statement in which it defended the contested decision and additionally referred to a document published by the EDSA in the meantime, according to which there must be an option to refuse consent at the first level of the cookie banner. Contrary to the complaining party's opinion, its (current) cookie banner does not meet these requirements. Regarding the lack of a hearing, it should be noted that the facts are undisputed, the XXXX website is also publicly accessible and verifiable, and it is only a matter of law. The complaining party has also not explained to what extent holding a hearing would have changed the outcome of the proceedings.
13. The Federal Administrative Court sent the complaint to the co-participant by means of a complaint notification and sent the complaining party the statement made by the authority concerned when submitting the file in accordance with Section 10 VwGVG for information and comment.
14. The complaining party submitted a reply in a written submission dated February 8, 2024, in which it referred to its statements in the party complaint and added that the EDSA document mentioned by the authority concerned in its statement emphasizes that a case-by-case examination is necessary to assess the conformity of a banner. In the present case, the case-by-case examination leads to the conclusion that the design of the cookie banner in question (or more specifically: "the data protection request for consent") complies with the requirements of the GDPR.
15. The co-participant issued a statement on February 14, 2024, in which he stated that the European legislator had already assumed in 2009 in Directive 2009/136/EC (which amended the ePrivacy Directive) in Recital 66 on the installation of cookies and similar technologies that the opt-out option should be designed to be "as user-friendly as possible". However, it is obvious that a opt-out option hidden in the second level of the consent banner is not "as user-friendly as possible", since a opt-out option on the first level would clearly be more user-friendly. This is also confirmed by figures: not even 3% of all Internet users access the second level of consent banners. If the first level of a consent banner neither clearly states nor otherwise indicates that consent can be refused, there is on the one hand a lack of information and on the other hand it is made to seem that only consent is possible. Average users are practically pressured to give consent. Such consent means neither "informed" nor "voluntary" within the meaning of Art. 4 Z 11 GDPR. A look at the recommendations of other data protection authorities also leaves no doubt that a consent banner must contain a rejection option on the first level. In the contested decision, the authority concerned states that the "equivalent option" does not necessarily have to be a rejection option. It alludes to the possibility of so-called "pay or okay" or "consent or pay" systems. This follows from the ECJ case law it cites. This approach is highly controversial because it makes non-consent (and consequently the fundamental right to data protection) subject to payment and thus turns it into a luxury item. In any case, this mode was not implemented by the complaining party. The service contract of the authority concerned is therefore justified.
The media privilege according to Section 9 Para. 1 DSG does not apply in this case. Firstly, the complaining party tried to obtain consent through its banner. If the complaining party actually assumed that the media privilege according to Section 9 Para. 1 DSG was applicable in this case, it would not request consent within the meaning of Art. 6 Para. 1 lit. a GDPR. Secondly, the media privilege only covers the journalistic work of a medium. This means those activities that pursue the goal of "disseminating information, opinions or ideas to the public". In contrast, the data that was collected via the consent banner is not used for the content preparation of journalistic information. Rather, this (unlawful) processing of personal data serves advertising and financing purposes. Such data processing takes place independently of any possible dissemination of the content of this information to the public, which is why it does not serve any journalistic purposes.
With regard to the alleged procedural defect, it should be noted that holding an oral hearing is a matter of discretion. According to the case law of the Administrative Court, there is no subjective right to an oral hearing under Section 39 Paragraph 2 AVG. The complaining party does not explain why an oral hearing would have been necessary, or why the authority concerned could rightly have refrained from holding an oral hearing. The consent banner in question is publicly available on the XXXX website, and an oral hearing would not have brought any further clarification of the material truth, i.e. the visual design of the consent banner. The design is otherwise undisputed, and the complaining party was heard several times during the hearing of the parties. There is therefore no procedural defect.
16.1. The Federal Administrative Court informed the parties in a letter dated May 13, 2024 of the results of the official research carried out on the XXXX website regarding the current design of the cookies banner and gave them the opportunity to submit a written statement on this.
16.2. The co-participant submitted a statement on May 27, 2024, in which he essentially referred to his previous statements.
16.3. The complaining party submitted a statement in a written submission dated June 6, 2024, in which it was stated (as far as relevant to the proceedings) that the cookie banner on the XXXX website had been changed in the meantime. The first level of the cookie banner explicitly explains how all cookies can be rejected. The following text passage can be found on the first level of the cookie banner: "If you click on "Show purposes", you will be taken to the advanced settings where you can reject all cookies." If you then click on the button with the text "Show purposes" at the very bottom of the first level of the cookie banner, which is underlined and thus visually highlighted, you will be taken to the second level. There you can reject all cookies by clicking on the green button "Reject all" and thus close the cookie banner without giving your consent. There is therefore undoubtedly a solution, as requested by the authority concerned, in which it is already clear in the cookie banner where the consent can be revoked. It is also pointed out that the link "Cookie settings and revocation" can be found at the end of the page (in the "footer"), clearly visible and accessible from every page. If you click on this link, you will be taken to the second level of the cookie banner and can immediately click on "Reject all" and thus revoke your consent. 16.4. On June 11, 2024, the authority concerned issued a statement in which it referred to the statements in the contested decision and additionally (again) referred to an opinion of the EDPB that had been issued in the meantime in response to a request from the Commission on the subject of data protection and cookies ("EDPB reply to the Commission's Initiative for a voluntary business pledge to simplify the management by consumers of cookies and personalised advertising choices"). This statement (with further evidence) explains that valid consent requires that two equivalent options are available at the same level of a request for consent (i.e. a cookie banner).16.5. The co-participant stated in a written submission dated July 1, 2024 that the evidence taken by the Federal Administrative Court on May 7, 2024 and May 13, 2024 clearly showed that there was no reject option in the first level of the consent banner that was visually equivalent to the "Accept" button. As far as can be seen, there was no reject option at all in the first level of the consent banner at that time either. The complaining party had therefore not complied with the order of the authority concerned to implement a reject option. It was noted that the authority concerned had not only demanded the implementation of a reject option in the first level of a consent banner, but had also instructed the complaining party that this had to be visually equivalent. The informative adjustments now made by the complaining party would not change the fact that there is still no option to refuse consent in the first level of the consent banner - in particular no equivalent option.
II. The Federal Administrative Court considered:
1. Findings:
With regard to the course of the proceedings (the administrative process), the complaining party, the co-participants and the technical functioning of cookies, the statements above under point I., in particular the findings/considerations of the authority concerned in the contested decision, are used as a basis.
With regard to the current design of the cookie banner, the following is stated, contrary to the findings of the authority concerned:
The cookie banner currently looks as follows when accessing the XXXX website:
By clicking on the "Show purposes" link, the user reaches the "second level" of the cookie banner, which currently looks as follows:
A "floating icon" with which a user can return to the cookie settings and revoke their consent and/or exercise an objection is not currently implemented on the complaining party's website. In order to be able to access the cookie settings again and revoke their consent and/or exercise an objection, the user must click on a link with the text "Cookie settings and revocation" in the "footer" at the end of the page:
After clicking on the "Cookie settings and revocation" link, the user reaches the second level of the cookie banner, where consent can be revoked by clicking on the "Reject all" button. 2. Assessment of evidence:
The findings are derived from the administrative and court files. The relevant investigation results and documents are contained in the files mentioned.
The authority concerned carried out a flawless, proper investigation procedure and in the justification of the contested decision correctly established the relevant facts in accordance with the files and in a conclusive assessment of the evidence. With regard to the findings made on the cookie banner, it referred to its official research on the XXXX website and to the fact that the Evidence Collector website, available at https://edps.europa.eu/edps-inspection-software_en, was also used to check the website. This is an open source tool from the European Data Protection Supervisor and contains generally accessible information on the question of which cookies are set when a website is accessed.
The complaining party did not substantively object to the facts established by the authority concerned and its assessment of the evidence in the complaint against the decision. However, the official findings regarding the current design of the cookies banner proved to be out of date during the official searches carried out on the XXXX website on May 7, 2024, May 13, 2024 and July 22, 2024. The now adapted findings result from the result of these searches or searches carried out at the time of the decision and the written submissions received after the parties were granted a hearing from the complaining party on June 6, 2024, the co-participant on May 27, 2024 and July 1, 2024 and the authority concerned on June 11, 2024.
The facts essential to the decision have thus been established. There is therefore no need for further clarification of the facts by taking further evidence and holding an oral hearing. The complaining party has not shown which aspects of the facts still need to be supplemented, and this has not come to light elsewhere either. In this case, only legal questions need to be clarified.
The Federal Administrative Court cannot find that the authority concerned committed a procedural defect in the investigation by not scheduling or holding an oral hearing. According to Section 39 Paragraph 2 AVG, the authority can hold an oral hearing, in particular, ex officio or upon request. As the authority concerned and the co-participant correctly point out, the complaining party has not specifically explained why an oral hearing would have been necessary to clarify the facts, especially since the website in question, including the cookie banner, is publicly accessible on the XXXX website, the authority concerned accessed the website ex officio and determined the design of the banner in the contested decision. An oral hearing or the witness interviews requested by the complaining party were therefore not necessary to clarify the facts.
3. Legal assessment:
Re A)
3.1. According to Article 130, Paragraph 1, Item 1 of the Federal Constitutional Court Act, the administrative courts decide on complaints against the decision of an administrative authority on the grounds of illegality.
According to Section 6 of the Federal Administrative Court Act, the Federal Administrative Court decides by a single judge, unless federal or state laws provide for a decision by a senate. According to Section 27 of the Data Protection Act (DSG) as amended, the Federal Administrative Court decides on complaints against decisions due to violation of the duty to inform pursuant to Section 24, Paragraph 7 and the duty of the data protection authority to make a decision by a senate. The senate consists of a chairman and one expert lay judge each from the circle of employers and from the circle of employees.
The procedure of the administrative courts, with the exception of the Federal Finance Court, is regulated by the VwGVG,
BGBl. I 2013/33
as amended by
BGBl. I 2013/122
(§ 1 leg.cit.). According to § 58 para. 2 VwGVG, conflicting provisions that were already published at the time this federal law came into force remain in force.
According to Section 17 VwGVG, unless otherwise provided in this federal law, the provisions of the AVG with the exception of Sections 1 to 5 and Part IV, the provisions of the Federal Tax Code - BAO,
BGBl. No. 194/1961
, the Agricultural Procedure Act - AgrVG,
BGBl. No. 173/1950
, and the Civil Service Procedure Act 1984 - DVG,
BGBl. No. 29/1984
, and in addition those procedural provisions in federal or state laws that the authority applied or should have applied in the proceedings preceding the proceedings before the administrative court, shall apply mutatis mutandis to the procedure for complaints pursuant to Article 130 Paragraph 1 B-VG.
According to Section 28 Paragraph 2 VwGVG, the administrative court must decide on the merits of complaints pursuant to Article 130 Paragraph 1 Item 1 B-VG if (1.) the relevant facts are established or (2.) the establishment of the relevant facts by the administrative court itself is in the interest of speed or is associated with significant cost savings.
3.2. On the procedural requirements:
The complaint was filed within the time limit pursuant to Section 7 Paragraph 4 VwGVG and the other procedural requirements are also met.
3.3. On the merits:
3.3.1. Legal basis:
The provisions of Regulation (EU) 2016/679 (General Data Protection Regulation), GDPR, relevant to the complaint procedure in question are (excerpts, including heading):
Art. 4 Z 1, 2, 7 and 11 GDPR:
Definitions
Art. 4. For the purposes of this regulation, the following terms shall apply:
1. “personal data” means all information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2. ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
7. ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing personal data; where the purposes and means of such processing are specified by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
11. ‘Consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data concerning him or her;
Art. 7 GDPR:
Conditions for consent
(1) Where processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data.
(2) Where the consent of the data subject is given by a written statement which also covers other matters, the request for consent shall be made in an intelligible and easily accessible form, using clear and plain language, in such a way that it is clearly distinguishable from the other matters. Parts of the statement shall not be binding if they constitute an infringement of this Regulation.
(3) The data subject shall have the right to withdraw his or her consent at any time. 2The withdrawal of consent shall not affect the lawfulness of processing carried out on the basis of the consent until its withdrawal. The data subject shall be informed of this before consent is given. Withdrawing consent shall be as easy as giving consent.
(4) In assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, depends on consent to the processing of personal data which are not necessary for the performance of the contract.
Art. 58 (1)(b) and (2)(d) GDPR:
Powers
(1) Each supervisory authority shall have all of the following investigative powers, which allow it to:
b) carry out investigations in the form of data protection audits
(2) Each supervisory authority shall have all of the following remedial powers, which allow it to:
d) instruct the controller or processor to bring processing operations into line with this Regulation, where appropriate, in a specific manner and within a specific period of time
3.3.2. Applied to the present case, this means the following:
3.3.2.1. Contrary to the statements of the complaining party, the media privilege of Section 9 (1) DSG does not apply.
According to Section 9 (1) DSG, the provisions of the GDPR and the DSG apply to the processing of personal data by media owners, publishers, media employees and employees of a media company or media service within the meaning of the Media Act - Media Act,
Federal Law Gazette No. 314/1981
, as well as by other persons who, on the basis of a contract, contribute journalistically to the content design of a medium or the content design of the communications of a media service in a media company or media service, for the journalistic purposes of the media company or media service with the provisions of items 1 to 13.
The provision therefore not only depends on who processes the personal data or whether the data processing is carried out by a media company, media service or its employees, but also on the purpose for which it is carried out. Of course, the provisions of the DSG and the GDPR remain fully applicable to processing activities for other purposes, such as for human resources management or marketing of media companies or media services (Thiele/Wagner, Practical Commentary on the Data Protection Act [DSG]2 § 9 Rz 16 [as of February 1, 2022, rdb.at]).
According to the case law of the ECJ, personal data is processed for journalistic purposes if the sole aim of the processing is to disseminate information, opinions or ideas to the public. The processing of personal data serves journalistic purposes if it aims to convey information and ideas on issues of public interest (cf. ECJ 16.12.2008, C-73/07 [Satakunnan Markkinapörssi and Satamedia] para. 61 = ECLI:EU:C:2008:727; ECJ 14.2.2019, C-345/17 [Buivids] para. 53 = ECLI:EU:C:2019:122). In order to take into account the importance of the right to freedom of expression in a democratic society, terms such as journalism, which refer to this freedom, must ultimately be interpreted broadly (Recital 153, last sentence, GDPR). Thus, data is generally always processed for journalistic purposes if the objective is publication for an indeterminate group of people (cf. Buchner/Tinnefeld in Kühling/Buchner Art. 85 para. 17). The ECHR's case law has developed relevant criteria that must be taken into account for the qualification as journalistic activity (ECJ 14.2.2019, C-345/17 [Buivids] para. 53 = ECLI:EU:C:2019:122): contribution to a debate of general interest, degree of fame of the person concerned, subject of the reporting, previous conduct of the person concerned, content, form and effects of the publication, manner and circumstances under which the information was obtained, accuracy (Thiele/Wagner, Practical Commentary on the Data Protection Act [DSG]2 § 9 para. 16 ff. [as of 1.2.2022, rdb.at]). Against the background of these statements, however, it becomes clear (also based on a broad understanding of the term) that - as the authority concerned has correctly recognized - the setting of cookies, in particular for analysis, marketing and advertising purposes, is in any case not a journalistic activity within the meaning of Section 9 Para. 1 DSG, especially since this activity is not aimed at conveying information and ideas on issues of public interest, and there is therefore no "substantive" activity by the press/media (see also VwGH October 31, 2023,
Ro 2020/04/0024
and BVwG April 26, 2024, W211 2281997-1/5E and March 12, 2019, W214 2223400-1/11E).
Since the media privilege does not apply in the present case, the authority concerned was responsible for dealing with the data protection complaint filed by the co-participant.
3.3.2.2. The complaining party no longer contested the legal assessment of the authority concerned in the contested decision regarding the existence of processing of personal data in its party complaint. Nor was it disputed that the complaining party is to be qualified as the controller within the meaning of Art. 4 Z 7 GDPR for data processing as a result of setting or reading cookies on its website. The Federal Administrative Court cannot find that the legal assessment of the authority concerned is incorrect with regard to these points.
3.3.2.3. Furthermore, it should be noted that according to Article 58 (2) (d) GDPR, each supervisory authority has all remedial powers that allow it to instruct the controller or processor to bring processing operations into compliance with this regulation, where appropriate, in a specific manner and within a specific period of time. Article 58 GDPR, paragraphs one to three, standardizes a comprehensive catalogue of investigative, remedial, approval and advisory powers. These powers arise directly from the GDPR and therefore did not have to be implemented separately by the Member States. The supervisory authority can act on its own initiative, at the request of the controller, processor or representative, in response to a complaint from a potentially affected person or at the request of another (supervisory) authority (cf. ECJ 14.03.2024, C-46/23, Újpesti Polgármesteri Hivatal, paras. 25 ff, 42, 46). In principle, any deviation from the GDPR can be grounds for an instruction. The instruction is not to be limited to violations that lead to the material inadmissibility of data processing (Zavadil in Knyrim, DatKomm Art. 58 GDPR Rz 2, 5, 34 [as of March 1, 2021, rdb.at]).
As the authority concerned correctly stated in the contested decision, it is permissible for the authority concerned to make official use of its powers stipulated in Art. 58 Para. 2 GDPR in a complaint procedure pursuant to Art. 77 GDPR (see also BVwG November 16, 2022, W274 2237056-1/8E). This power of the authority concerned was not disputed by the complaining party in its party complaint.
3.3.2.4. In the contested decision, the authority concerned instructed the complaining party to change the data protection request for consent (the cookie banner) on its website in such a way that, in addition to the "Accept" option, there is a visually equivalent option on the first level of the cookie banner to close the cookie banner without giving consent.
The complaining party ultimately counters the performance mandate of the authority concerned by saying that the "equivalent option" required by the authority concerned does not necessarily have to be the implementation of a "Reject" option on the first level. The first level of the cookie banner explicitly explains how all cookies can be rejected. If you click on the button with the text "Show purposes" at the very bottom of the first level of the cookie banner, which is underlined and thus visually highlighted, you get to the second level. There you can reject all cookies by clicking on the green button "Reject all" and thus close the cookie banner without giving your consent. There is therefore undoubtedly a solution, as requested by the authority concerned, in which it is already clear in the cookie banner where the consent can be revoked. In addition, a correct legal assessment must take into account that the cookie banner is designed in accordance with industry standards.
However, the following must be countered to the complaining party:
As the authority concerned correctly states (and was not disputed by the complaining party), the figure of an averagely informed, attentive and circumspect consumer must be used to assess how the cookie banner and the interaction options are to be understood (cf. ECJ 16.07.1998, C-210/96 [Gut Springenheide GmbH] para. 37; BVwG 13.12.2022, W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on consent under Regulation 2016/67, WP259 rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Art. 12 para. 11; Illibauer in Knyrim, DatKomm Art. 12 para. 39; with regard to the DSG 2000 also Jahnel, Handbook Rz 7/22 mwN).
With regard to the possibility of not giving consent in such a way that the link "Show purposes" must be selected on the first level of the "Cookie banner" and in the second step (on the second level) the button "Reject all", it should be noted that according to Art. 7 Para. 3 GDPR, the revocation of consent must be as easy as the granting of consent. This means - as the authority concerned correctly stated in the contested decision - that the non-giving of consent, as a counterpart to revocation, must also be as easy as the granting of consent. The authority concerned is also correct when it states that this means that not giving consent or closing the cookie banner without giving consent must not require more interactions with the cookie banner than giving consent. In the present case, however, only one click is required to give consent, whereas not giving consent requires at least two clicks, which means that such equivalence is not given, especially since an objective justification for the different treatment of the options has not been put forward by the complaining party and has not otherwise become apparent (see also the judgment of the Munich I Regional Court of November 29, 2022, GZ 33 I 13776/19). In addition, the different visual design (green "Accept" button and mere "Show purposes" link) also means that the options cannot be perceived as being of equal value. This is not changed by the fact that the body text of the cookie banner on the first level of the cookie banner now explains how all cookies can be rejected. The complaining party’s reliance on an “industry-standard” in the design of the cookie banner cannot eliminate the demonstrated illegality of the current design. The EDPB also recommends that the draft Commission initiative for a voluntary business pledge to simplify consumers' use of cookies and personalized advertising options explicitly state that individuals should have the option to reject all non-essential cookies on the first level of the banner or at least make it clear that if there is an "Accept" (or "Accept all") button on one level, a "Reject" (or "Reject all") button should be displayed on the same level, as this is an essential element for the validity of the consent (see the EDPB response to the Commission initiative for a voluntary business pledge to simplify consumers' use of cookies and personalized advertising offers, available at https://www.edpb.europa.eu/our-work-tools/our-documents/letters/edpb-reply-commissions-initiative-voluntary-business-pledge_en).
Regarding the option indicated by the complaining party of clicking on the link “Cookie settings and revocation” at the bottom of the page (in the “footer”), which is clearly visible and accessible from every page, which takes you to the second level of the cookie banner and there you can immediately click on “Reject all” and thus revoke your consent, it should be noted that when you visit the XXXX website, you can initially only interact with the first level of the cookie banner and a selection must be made before the user can access the entire website, so that the revocation option in the footer of the website is in any case only a “downstream” option for refusal and therefore not an equivalent option to being able to close the cookie banner without giving consent to granting consent.
3.3.2.5. In light of these statements, the service contract of the authority concerned, which is the subject of the complaint, cannot be criticized. It cannot be seen that the complaining party has complied with this service contract with the changes to its website in the meantime. As already explained, the complaining party's website does not have an optically equivalent option on the first level of the cookie banner in addition to the "Accept" option to close the cookie banner without giving consent.
3.3.3. The alleged illegality of the decision therefore does not exist. The proceedings also did not reveal that the decision was illegal for other reasons not asserted. Since the contested decision is therefore not illegal within the meaning of Art. 130 Para. 1 Z 1 B-VG, the complaint had to be dismissed.
3.4. According to Section 24 Para. 1 VwGVG, the administrative court must hold a public oral hearing upon request or, if it considers this necessary, ex officio.
According to Section 24 Paragraph 4 of the Administrative Court Act, the administrative court can - unless otherwise provided by federal or state law - refrain from holding a hearing regardless of a party's application if the files show that the oral discussion is unlikely to provide further clarification of the legal matter and neither Article 6 Paragraph 1 of the ECHR nor Article 47 of the Charter of Fundamental Rights preclude the omission of the hearing.
This is such a case: in the present case, the facts relevant to the decision are established and clarified based on the files. In the sense of the case law of the ECHR, an oral hearing is not required to resolve legal questions. The ECHR and the Charter of Fundamental Rights therefore do not preclude refraining from holding an oral hearing. For these reasons, it was also not necessary ex officio to hold a public oral hearing.
On B)
According to Section 25a Paragraph 1 VwGG, the administrative court must state in its ruling or decision whether the appeal is admissible in accordance with Article 133 Paragraph 4 B-VG. The ruling must be briefly justified.
The present decision does not depend on the resolution of a legal question that is of fundamental importance. There is neither a lack of case law from the Administrative Court nor does the decision in question deviate from the case law of the Administrative Court; furthermore, the present case law of the Administrative Court cannot be judged to be inconsistent. There are also no other indications of a fundamental importance of the legal questions to be resolved. The Federal Administrative Court can rely on a consistent case law of the Administrative Court or on a legal situation that is already clear in all significant legal questions. It is also not apparent that a legal question arises in the specific case that has significance beyond the (specific) individual case. Based on this, a legal question of fundamental importance cannot be answered in the affirmative. It was therefore necessary to declare that the appeal is not admissible in accordance with Article 133, Paragraph 4 of the Federal Constitutional Law.
Keywords
Cookies data protection data protection complaint data protection procedure data processing consent media privilege media company personal data consent - data use consent requirement
European Case Law Identifier (ECLI)
ECLI:AT:BVWG:2024:W108.2284491.1.00
In the RIS since
08/29/2024
Last updated on
08/29/2024
Document number
BVWGT_20240731_W108_2284491_1_00
