APD/GBA (Belgium) - 131/2024
APD/GBA - 131/2024 | |
---|---|
Authority: | APD/GBA (Belgium) |
Jurisdiction: | Belgium |
Relevant Law: | Article 4(11) GDPR Article 5(1)(a) GDPR Article 6(1)(a) GDPR Article 5(3) ePrivacy Directive 2002/58/EC Art. 10/2 Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 19.07.2023 |
Decided: | 11.10.2024 |
Published: | |
Fine: | n/a |
Parties: | RTL Belgium SA |
National Case Number/Name: | 131/2024 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | French |
Original Source: | APD-GBA (in FR) |
Initial Contributor: | fb |
The DPA reprimanded a media company for failing to implement an option to reject cookies on the first layer of the cookie banner on one of its websites. Also, the option to accept all cookies was unlawfully highlighted in a catchy colour.
English Summary
Facts
On 10 February 2023 the data subject, a trainee working at noyb – European Center for Digital Rights, visited the website of the controller, a Belgian media company.
The data subject noticed that the cookie banner of this website had an “Accept all” and a “Know more” button. The data subject believed that this cookie banner was unlawful under the GDPR. Therefore, under Article 80(1) GDPR, she mandated noyb to file a complaint with the DPA on her behalf.
More specifically, the data subject pointed out the following violations:
- the fact that the cookie banner did not have a “Reject all” button violates Articles 5(1)(a), 6(1)(a) and 7(1) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 of the Belgian Data Protection Code (Loi relative à la protection des personnes physiques à l'égard des traitements de données à caractère personnel - Loi-cadre);
- the usage of a vivid colour for the “Accept all” button misleads data subjects and violates Articles 5(1)(a), 6(1)(a) and 7(1) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 Loi-cadre;
- the fact that the banner does not allow to withdraw consent as easily as it is possible to give that consent is a violation of Articles 5(1)(a) and 17(1)(b) GDPR and Article 5(3) ePrivacy Directive 2002/58/EC as implemented by Article 10/2 Loi-cadre.
First of all, the controller argued that noyb cannot represent the data subject since, when she filed the complaint, she was volunteering as a trainee for that organisation.
Furthermore, the controller noted that the GDPR does not require websites to have a “Reject all” button, nor the “Accept” button to have a specific colour.
Holding
On the representation agreement under Article 80(1) GDPR
First, the DPA held that noyb can represent the data subject. It pointed out that the representation agreement between the former and the latter is valid under Article 80(1) GDPR.
Moreover, it noted that the data subject decided on her own to visit the website and that nothing opposes to the fact that an organisation under Article 80 GDPR can represent one of its employees or volunteers.
Furthermore, the DPA held that the fact that noyb has provide technical and legal assistance to the data subject is not a problem. On the contrary, according to the DPA, this represent a good practice.
On the merits
On the merits, the DPA noted that, according to Article 4(11) GDPR, consent must be freely given. In a cookie banner, this means that accepting should be as easy as refusing the installation of the cookies.
Therefore, the cookie banner should have, all on the first layer, both an “Accept all” and a “Refuse all” button. On these grounds, the DPA found a violation of Article 6(1)(a) GDPR and of Article 10/2 Loi-cadre.
As for the button colours, the DPA is of the opinion that the colours used by the controller are able to manifestly induce the data subject to click on the “accept all” button, since the latter, having a bright colour, stands out from the resto of the banner. Therefore, the DPA found a violation of Articles 5(1)(a) and 6(1)(a) GDPR and Article 10/2 Loi-cadre.
Finally, as for the options to withdraw consent, the DPA noted that the controller placed a button that allows to manage the cookies at the bottom of each page of its website. The DPA considered this solution enough to comply with the requirement set by Article 7(3) GDPR and, therefore, rejected this point of the complaint.
On these grounds, the DPA reprimanded the controller and ordered it to implement a GDPR-compliant cookie banner.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the French original. Please refer to the French original for more details.
# Contentious Chamber Decision on the Merits 131/2024 Date: October 11, 2024 Case Number: DOS-2023-03283 Subject: Complaint regarding the cookie banner on RTL Belgium's website The Contentious Chamber of the Data Protection Authority, composed of Mr. Hielke Hijmans, President, and Messrs Christophe Boeraeve and Jelle Stassijns, members; Considering: - Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the "GDPR"; - The Law of December 3, 2017, establishing the Data Protection Authority (hereinafter "LCA"); - The Internal Regulations approved by the House of Representatives on December 20, 2018, and published in the Belgian Official Gazette on January 15, 2019; - The documents in the file; Has made the following decision regarding: - Complainant: X, represented by noyb – European Center for Digital Rights, located at Goldschlagstraße 172/4/3/2, 1140 – Vienna (AT), registered in Austria under the company number ZVR 1354838270, hereinafter "the complainant". - Defendant: RTL Belgium, with its registered office at Avenue Jacques Georgin, 2 – 1030 Schaerbeek, registered under the company number 0428.201.847, represented by Laurence Vandenbrouck, hereinafter "the defendant". 1. On July 19, 2023, the complainant filed a complaint with the Data Protection Authority against the defendant. The Contentious Chamber notes that the complaint form is dated July 18, 2023; however, it was submitted to the DPA during the night of July 18 to 19, 2023. Therefore, the latter date should be retained as the formal filing date of the complaint. 2. The subject of the complaint concerns several aspects related to the cookie banner on the defendant's website, which allegedly contravene the principles of the GDPR and the LCA. 3. On February 10, 2023, the complainant visited the defendant's website as part of a project initiated with a colleague during her internship at noyb. She explained that she took this initiative to verify if certain websites, including that of the defendant, belonging to major Belgian media groups that had previously entered into transactions with the DPA, complied with the GDPR. During this visit, the complainant and her colleague identified potential GDPR violations. Following this observation, the complainant created a HAR file to document these potential violations. In the meantime, she mandated noyb, mainly to obtain technical assistance, as she was unable to prepare the HAR file herself. Subsequently, the complainant prepared a complaint, the grievances of which, identical to the arguments raised in her conclusions, will be developed in point 16. Within the scope of her mandate, noyb reviewed and corrected the complaint prepared by the complainant. It should be noted that there is some ambiguity in the complainant's statements regarding the preparation of the complaint, as she also mentioned that noyb had prepared the complaint, and that she had only written part of it and reviewed the rest. 4. On August 4, 2023, the First-Line Service (hereinafter "SPL") requested noyb to provide information on the complainant's interest in acting. 5. On August 25, 2023, the SPL declared the complaint admissible based on Articles 58 and 60 of the LCA and forwarded it to the Contentious Chamber in accordance with Article 62, §1 of the LCA. 6. On September 1, 2023, noyb responded to the SPL that the complainant demonstrates an interest in acting, as she is a concerned person whose personal data was processed after she consented to the deposit of cookies on the defendant's website. Since the processing of these data is considered unlawful by both her and noyb, the complainant believes her rights have been affected. In this regard, she relies on annexes. In any event, noyb states that demonstrating an interest in acting on the complainant’s behalf is not a condition for the admissibility of the complaint. 7. On October 20, 2023, the Contentious Chamber proposed a settlement – previously communicated to the complainant – to the defendant. 8. On November 27, 2023, the defendant did not consider the terms of the settlement acceptable and, therefore, requested a re-evaluation. However, it did not oppose a new settlement proposal. 9. On December 1, 2023, the Contentious Chamber replied that it would withdraw the settlement proposal unless decisive elements were presented before December 6, 2023. 10. On December 18, 2023, the Contentious Chamber formally withdrew the settlement proposal. 11. On February 5, 2024, the Contentious Chamber decided, under Article 95, §1, 1° and Article 98 of the LCA, that the case could be examined on the merits. On that date, the concerned parties were informed by registered mail of the provisions as outlined in Article 95, §2 and Article 98 of the LCA. They were also informed, under Article 99 of the LCA, of the deadlines for submitting their conclusions. The deadline for the defendant’s response was set for March 18, 2024, the complainant’s reply for April 8, 2024, and the defendant’s rejoinder for April 29, 2024. 12. On February 8, 2024, the defendant accepted electronic communication for all case-related matters and expressed its intention to exercise the option to be heard, in accordance with Article 98 of the LCA. It also requested a copy of the file (Article 95, §2, 3° LCA), which was provided on February 19, 2024. 13. On February 9, 2024, the complainant agreed to receive all communications electronically and also requested a copy of the file (Article 95, §2, 3° LCA), which was provided on February 19, 2024. She also requested that the procedure continue in Dutch. 14. On February 19, 2024, the Contentious Chamber decided to maintain French as the language of the procedure, as the complaint was filed in French, and the website of the defendant against which the grievances are directed is in French. The complainant did not provide any other justification for changing the language for the continuation of the procedure. Moreover, given the time taken to communicate the administrative file to the parties, the Contentious Chamber decided to extend the deadlines for submitting conclusions. The new deadline for the defendant’s response is now set for March 25, 2024, the complainant’s reply for April 15, 2024, and the defendant’s rejoinder for May 6, 2024. 15. On March 25, 2024, the Contentious Chamber received the defendant’s response. The defendant’s additional and summary submissions are summarized in point 17. 16. On April 15, 2024, the Contentious Chamber received the complainant's reply, which can be summarized as follows: - Regarding the admissibility and admissibility of the complaint: - Article 220, §2, 1° of the Law of July 30, 2018, should be disregarded as it violates Article 80.1 of the GDPR. The complainant argues that Article 26, §4 of the Special Law of January 6, 1989, on the Constitutional Court, does not apply since the DPA is not a judicial body, and therefore, it should not pose a preliminary question before disregarding the provision mentioned. Furthermore, even if Article 26, §4 of the Special Law were applicable, this would not prevent the provision from being disregarded due to the absolute primacy of European law. The complainant supports this with judgments from the Court of Justice of the European Union (CJEU). - The mandate is sufficiently precise as the terms of the mandate specify what noyb is authorized to do. Article 1984 of the Civil Code does not require more specificity than what is provided in this case. - The complaint is admissible as it was signed by the chairman of noyb’s board under Article 58 of the LCA. The complainant argues that the article does not require the complainant’s personal signature but allows a representative’s signature. Moreover, the absence of a signature is not grounds for inadmissibility or rejection under Article 60 of the LCA. - The complainant is validly represented by noyb under Article 80.1 of the GDPR, and the fact that the complainant interned at noyb does not affect this conclusion. The complainant references a CJEU judgment affirming valid representation by noyb despite a subordinate relationship. --- Footnotes: 1. The new internal regulations of the DPA, following the amendments by the Law of December 25, 2023, came into force on June 1, 2024. They apply only to complaints, mediation files, requests, inspections, and procedures initiated after this date. --- ### II. Motivation #### II.1. Regarding the Procedure 23. During the hearing held on July 1, 2024, the defendant raised two preliminary remarks that must be addressed. The defendant brought to the attention of the Contentious Chamber that (i) a procedure with some similarities to the present case is pending before the Court of Markets. In that case, a settlement proposal was submitted to a data controller, which was unilaterally withdrawn by the Contentious Chamber. The data controller then appealed to the Court of Markets, contesting the unilateral withdrawal of the settlement proposal by the Contentious Chamber. The defendant thus asks whether it would be appropriate to suspend the present proceedings until the Court of Markets delivers its judgment. (ii) Furthermore, the defendant pointed out that the complainant previously worked as a lawyer at the law firm that represented the DPA before the Court of Markets in the aforementioned case. The defendant considers that this could suggest a potential conflict of interest or a possible breach of the principle of impartiality—both in its subjective and objective dimensions. (i) Regarding the Remark Related to the Pending Procedure before the Court of Markets 24. As the Contentious Chamber stated during the hearing, the procedure pending before the Court of Markets is not comparable to the present case. While the procedure before the Court of Markets referred to by the defendant concerns a settlement proposal unilaterally withdrawn by the Contentious Chamber, which was contested by the party to whom the proposal was submitted, it should be noted that in the present case, the defendant refused the terms of the proposed settlement. When the Contentious Chamber informed the defendant that it would withdraw the proposal, the defendant did not object. Therefore, there is no longer a settlement proposal in the present case, and the procedure continues validly with a substantive examination of the file. (ii) Regarding the Potential Conflict of Interest or Breach of the Principle of Impartiality 25. Although the principle of impartiality applies to administrative authorities, including the Contentious Chamber, it should be noted, according to established jurisprudence of the Council of State: "the general principle of impartiality must be applied to any active administrative body. It is sufficient that an appearance of partiality could have raised a legitimate doubt in the applicant's mind about the ability to address their case impartially. However, this principle only applies insofar as it aligns with the specific nature, and particularly the structure, of the active administration. Furthermore, the impartiality of a collegial body can only be challenged if, on the one hand, specific facts that cast doubt on one or more members of that body can be legally established and, on the other hand, if it is evident from the circumstances that the bias of that member(s) could influence the entire body. It is up to the person alleging that the authority has not acted with independence, impartiality, and care to provide evidence." (C.E., November 30, 2022, 255.145, Lemaire and Loslever; see also C.E., January 19, 2022, 252.684, XXX). 26. It is therefore up to the party alleging a breach of the principle of impartiality to provide evidence of specific facts that would indicate that the principle of impartiality has been violated. 27. A distinction is made between objective and subjective impartiality. 28. The Contentious Chamber emphasizes, firstly, that the law firm in question was selected following a public procurement process (at a time not suspect), and must therefore respect the principles of equality, non-discrimination, transparency, and proportionality with regard to all bidders, and must be based on objective award criteria. Furthermore, the complainant acts as a concerned person, outside of any link with her former profession as a lawyer at the concerned law firm. As the defendant has not provided further evidence demonstrating that the Contentious Chamber has given the appearance of bias, the Contentious Chamber cannot conclude that it has breached the principle of objective impartiality. 29. Furthermore, the Contentious Chamber notes that the defendant has not provided any evidence indicating that it may have acted with bias or intervened in the present proceedings in a manner that compromised the objectivity of the debates. In the end, the defendant has not provided proof of any concrete actions by the Contentious Chamber that would allow the conclusion that it acted with partiality. 30. Consequently, the Contentious Chamber considers that there is no risk of a conflict of interest in this case and that it has not breached the principle of impartiality, whether in its objective or subjective dimension. #### II.2. Regarding the Admissibility and Receivability of the Complaint ##### II.2.1. Regarding the Constitution of noyb 31. Article 80.1 of the GDPR states: "The data subject shall have the right to mandate a not-for-profit body, organization, or association, which has been properly constituted in accordance with the law of a Member State, has statutory objectives which are in the public interest, and is active in the field of the protection of the rights and freedoms of data subjects with regard to the protection of their personal data, to lodge the complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78, and 79 and to exercise the right to receive compensation referred to in Article 82 where provided for by the law of the Member State." 32. Article 220, §2 of the LCA specifies: "§ 2. In disputes provided for in paragraph 1, a body, organization, or non-profit association must: - 1° be properly constituted in accordance with Belgian law; - 2° have legal personality; - 3° have statutory objectives of public interest; - 4° have been active in the field of protecting the rights and freedoms of data subjects with regard to the protection of their personal data for at least three years." 33. The Contentious Chamber has previously expressed doubts about the compatibility of certain aspects of the Belgian provision with the GDPR. 34. The primacy of European law requires the disregard of any national provision that cannot be interpreted in accordance with a European legal standard—such disregard being a duty for all state bodies, including judicial and administrative authorities tasked with applying European law within their respective competencies. 35. If there are reasons to believe that a law—understood within the meaning of Article 22 of the Constitution—violates "a fundamental right guaranteed in whole or in part similarly by a provision of Title II of the Constitution as well as by a provision of European law […]" it is up to the court before which this situation arises to refer a preliminary question to the Constitutional Court. 36. The CJEU has ruled that an incidental procedure for reviewing the constitutionality of national laws complies with Union law, provided that this procedure respects four conditions: - Other national courts remain free "to refer to the Court of Justice at any stage of the procedure, even after the incidental review procedure, any preliminary question they deem necessary"; - Other national courts remain free "to adopt any measures necessary to ensure the provisional judicial protection of the rights conferred by the Union legal order"; - Other national courts remain free "to disregard, following such an incidental procedure, the national legislative provision in question if they find it contrary to Union law"; - "It is up to the referring court to verify whether the national legislation in question can be interpreted in accordance with these requirements of Union law." 37. The Contentious Chamber notes that the special legislator has limited the scope of Article 26, §4 of the Special Law to ordinary and administrative courts only. 38. The Contentious Chamber, however, is not part of the judiciary—it is an administrative authority. 39. Therefore, Article 26, §4 of the Special Law does not apply to the Contentious Chamber, and it neither has the obligation nor the possibility to refer a preliminary question to the Constitutional Court. 40. Given that there is no other incidental procedure for constitutional review, the Contentious Chamber must directly ensure that it gives full effect to the European legal standards it must apply within its competence—namely, Article 80.1 of the GDPR in this case. 41. Following what was stated in point 33, the Contentious Chamber asserts that Article 220, §2, 1° of the LCA contradicts the aforementioned provision of the GDPR as it restricts the scope of the latter, rendering them incompatible. 42. Consequently, Article 220, §2, 1° of the LCA must be disregarded. ##### II.2.2. Validity of the Mandate 43. Regarding the representation mandate, the Contentious Chamber notes that it includes the details of the principal and the agent, and the former mandates the latter to represent her before the DPA and to take any necessary actions to uphold her rights regarding the collection and processing of her data on the defendant’s website. The Contentious Chamber adds that, in the annexes to the complaint form, the mandate is titled as follows: "Exhibit 1 – Representation Agreement under Article 80(1) GDPR." 44. Regarding this element, the Contentious Chamber cannot agree with the defendant's argument that noyb attempted to "cover up" the absence of a reference to Article 80.1 of the GDPR in the body of the mandate. On the one hand, noyb claims that this reference was already present at the time of signing. On the other hand, the Contentious Chamber points out that the validity of the mandate should be assessed at the time of the complaint’s filing. Therefore, it does not seem plausible that noyb sought to "cover up" the absence of a reference to Article 80.1 of the GDPR—since the absence would render the mandate invalid—considering it would have been enough to redo the mandate. Therefore, the mandate should be read in light of its title as an annex . Read in this way, it is clear that the mandate was concluded under Article 80.1 of the GDPR. 45. Regarding the alleged contradictions in the mandate raised by the defendant, the Contentious Chamber recalls that it cannot interpret the mandate too restrictively. As an administrative authority, the Contentious Chamber oversees the correct application of the GDPR. In this capacity, it is authorized to impose one or several sanctions listed in Articles 95, §1, or 100, §1 of the LCA to protect the fundamental rights of data subjects. The mandate, as it appears in the file, allows for the identification of the parties to the contract, the data controller against whom the complainant addresses her grievances, the supervisory authority where the complaint is filed, and a reference to Article 80.1 of the GDPR under which the mandate was granted. These elements justify the actions that noyb undertakes on behalf of the complainant before the DPA. Imposing further conditions on the mandate would compromise the oversight responsibility of the Contentious Chamber and the rights of data subjects. The Contentious Chamber clarifies that the elements mentioned above should not be interpreted as setting any minimum threshold. 46. Finally, in any case, the Contentious Chamber notes that Article 17 of the Judicial Code does not apply to the Contentious Chamber, as it is an administrative authority, as stated in point 38. ##### II.2.3. Lack of Signature on the Complaint 47. Article 58 of the LCA states: "Any person may submit a written, dated, and signed complaint or request to the Data Protection Authority." 48. Article 60 of the same law stipulates that, in assessing the admissibility of complaints it receives, the SPL verifies that the complaint is "written in one of the national languages," "contains a statement of facts and the necessary details to identify the processing to which it relates," and that the complaint "falls within the competence of the Data Protection Authority." 49. Contrary to what noyb claims, these two provisions should not be read separately but rather together. Thus, the formal requirements prescribed by Article 58 of the LCA must also be taken into account when assessing admissibility under Article 60 of the same law. 50. The Contentious Chamber notes that the complaint form was signed by the chairman of noyb's board of directors with the following mention: "For noyb." 51. In this regard, the Belgian legislator specified that the signature must come from "the competent person in the matter," but not necessarily from the complainant. Therefore, it must be understood that at least the representative may sign the complaint form. This also follows from Article 80.1 of the GDPR, which provides that the data subject has the right to mandate "a body, organization, or non-profit association […] to lodge a complaint on his or her behalf, to exercise the rights referred to in Articles 77, 78, and 79 [of the GDPR]." 52. As a legal entity, noyb must be represented by one of its members in the actions it takes. Accordingly, the chairman of noyb's board of directors signed the complaint form—in the exercise of this function, which authorizes him to take such actions. 53. It cannot be inferred from the mention "For noyb" that noyb acts as the complainant, as this note is precisely intended to engage noyb’s responsibility and not that of its chairman in his capacity as a natural person. ### II.2.4. The Interest to Act 54. The Contentious Chamber acknowledges the content of its decision 22/2024; however, it is necessary to highlight the differences that distinguish the facts of the aforementioned decision from those in the present decision. 55. Although the complainants share the fact of having interned at noyb and, in this context, consulted websites that subsequently motivated the filing of a complaint with the DPA in both decisions, it must be noted that in the facts examined in decision 22/2024, noyb had implemented a large-scale plan aimed at filing dozens of complaints against multiple data controllers with various supervisory authorities—including the DPA. Moreover, the complainant had explicitly acknowledged being assigned various files, including the defendant’s website from the aforementioned decision. These elements—along with others—led the Contentious Chamber to consider the mandate concluded between the complainant and noyb as fictitious at that time. However, such a conclusion cannot be drawn in the present case. The complainant—a French speaker—consulted the French-language website of the defendant based on a personal initiative, which does not fall within the framework of other coordinated noyb projects. In principle, there is nothing to prevent noyb from representing one of its employees or interns. 56. Furthermore, no link can be established between the present complaint and the complaints filed against the 15 Belgian websites mentioned in noyb’s July 2023 press release. Although there is indeed evidence of some coordination in the present case, it is not established that this coordination occurred before the complainant’s grievances emerged. In any event, the elements of the present case do not establish that noyb exerted any pressure on the complainant. 57. Therefore, there is no basis for asserting that the mandate is fictitious. 58. In this case, the relationship between the complainant and noyb can be summarized as follows: Relationship Master Intern NOYB -• -• -• Absence of evidence of instructions \ Complainant Suffers violations Files a complaint with the DPA 59. The fact that noyb provided technical and legal assistance to the complainant does not alter this finding. On the contrary, this constitutes good practice that one could reasonably expect from an entity with which a person is interning. 60. Therefore, the complainant's interest to act does not need to be demonstrated, as she is a concerned person—her personal data having been processed by the defendant. ### II.3. Regarding the Substance of the Case 61. As a preliminary point, the Contentious Chamber recalls that the right to the protection of personal data is a fundamental right guaranteed by Article 8 of the Charter of Fundamental Rights of the European Union. 62. With this in mind, all complaints should be examined, especially those concerning the consent of the data subject. 63. The GDPR indeed provides several lawful bases—which are recalled in point 73—among which is the consent of the data subject. 64. Regarding the collection and granting of consent online, a binary reading cannot suffice. The Contentious Chamber understands that each situation must be examined on a case-by-case basis, based on the material modalities of the collection and granting of consent. Furthermore, the Contentious Chamber emphasizes that the collection and granting of online consent have certain particularities. The internet has significantly changed practices and occupies most citizens' time, especially young people. Thus, what could be termed a routine consent has emerged. Internet users navigate from website to website, from page to page, and are therefore confronted with numerous cookie banners. As a result, the warning effect of the cookie banner diminishes, and the data subjects may give their consent by default due to the fatigue thus caused. This issue is compounded when data controllers design cookie banners that encourage users to accept cookies. 65. These reasons compel the Contentious Chamber to examine the present case with the utmost sensitivity. #### II.3.1. On the Interaction Between the GDPR and the LCA with the Guidelines 66. The Contentious Chamber addresses the arguments made by the defendant regarding Type 1 (see points 72 to 80, "On the absence of a 'Reject All' button at the first level of the cookie banner") and Type 2 (see points 81 to 95, "On the misleading use of button colors") violations, wherein the defendant claims that neither the GDPR nor the LCA require the implementation of a "Reject All" button at the first level of the cookie banner or the use of "buttons and characters of the same size, importance, and color." The defendant adds that the guidelines from the EDPB and supervisory authorities are not binding as they constitute soft law. 67. Firstly, the Contentious Chamber recalls that the GDPR, as a European Regulation, is directly applicable in all Member States. As such, the GDPR has a general scope. It cannot be expected that the European legislator intended to define in detail the specific modalities of all practices related to this act when adopting this Regulation. On the contrary, it established general and abstract rules that must be adhered to by the entities concerned. Supervisory authorities, in particular, must apply these principles and rules to specific cases within the rapidly evolving digital society. It is in this context that the supervisory authorities must adopt appropriate and proportionate decisions. The decision-making practice of the authorities can—and must—evolve in light of legal and technological developments. The fact that an authority is required to adapt its decision-making practice does not constitute an obstacle to the imposition of sanctions, such as administrative fines. 68. Similarly, when adopting the LCA, the Belgian legislator did not intend to define specific modalities for all practices related to this law. 69. In this regard, Article 70.1.e of the GDPR specifically delegates to the EDPB the task of "issuing guidelines, recommendations, and best practices" on any issue related to its application to promote consistent application. The importance of this consistency is also highlighted in Articles 57.1.g and 70.1.u of the GDPR. It should also be noted that Article 57.1.d of the GDPR assigns supervisory authorities the task of raising awareness among controllers and processors regarding their obligations under the GDPR. 70. Therefore, while it is accurate to state that the guidelines published by the EDPB do not have binding force as they constitute soft law, it would be incorrect to deny them any legal effect. This denial ultimately, and implicitly, challenges the authority of the EDPB and supervisory authorities, which possess the appropriate expertise to carry out their assigned tasks, as reiterated in the previous paragraph—although this does not mean that parties to a case cannot contest the legal interpretation of the GDPR by the EDPB or a supervisory authority. 71. In conclusion, the Contentious Chamber recalls that the guidelines of the EDPB and supervisory authorities clarify the provisions of the GDPR, but it is the violation of these provisions—applied concretely to a specific case—that justifies the imposition of corrective measures or sanctions. #### II.3.2. On the Absence of a "Reject All" Button at the First Level of the Cookie Banner 72. Article 4.11 of the GDPR defines consent as "any freely given, specific, informed, and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her." Recital 42 of the GDPR specifies that "consent should not be regarded as freely given if the data subject does not have a genuine or free choice or is unable to refuse or withdraw consent without detriment." 73. Article 5.1.a) of the GDPR states that personal data must be processed "lawfully, fairly, and transparently." For processing to be lawful, it must be based on the consent of the data subject or another lawful basis listed in Article 6.1 of the GDPR. 74. Applying these provisions, it must be concluded that for every cookie banner, it should be as easy to consent to cookies as to refuse them. Therefore, both the button allowing acceptance of cookies and the button allowing refusal must appear together at each level of the cookie banner where the acceptance button appears. Otherwise, the consent obtained cannot be considered freely and unambiguously given. 75. The Contentious Chamber notes that in the present case, by not presenting the "Accept All" and "Reject All" buttons at the first level of the cookie banner—the first button being the only one present—the defendant not only makes it less visible to the data subjects that they can refuse cookies, but also makes refusal materially more difficult as more actions are required. In this sense, the data subjects—like the complainant—are encouraged to accept cookies. 76. The EDPB considers that an incentive is not necessarily contrary to the GDPR. It cites as an example a situation where a controller offering general discounts on clothing and fashion accessories asks for the data subject's consent to place cookies to better target their preferences. The incentive in this case is permitted as the data subject would not suffer any detriment if they were to withdraw their consent. 77. In the present case, however, the incentive cannot be considered permitted or valid. Unlike the incentive presented in the example above, this one offers no advantage to the data subject. Free choice implies that the button allowing the refusal of all cookies should be offered at least on an equal level with the button allowing acceptance of cookies. Additionally, it should be noted that the cookie banner forces users to make a choice, constituting a problematic "cookie wall" practice. Consequently, the consent given for cookies on the defendant's website was not freely given. 78. Moreover, the consent given by the data subject cannot be considered unambiguous. Indeed, by not informing the complainant of the option to refuse cookies, it cannot be considered that the complainant gave a clear affirmative action for the cookies' placement. 79. The findings established in the paragraphs above, concerning the first level of the cookie banner, are not altered by the fact that at other levels of the defendant's website, the "Accept All" and "Reject All" buttons are presented together. Requiring a controller to make it as easy to refuse cookies as to accept them is a concrete application of the validity conditions for consent as defined by Article 6.1.a) of the GDPR. The validity of consent must be assessed at the time when consent is effectively given—or not. Given that the complainant consented to cookies at the first level of the cookie banner, the validity of the consent collected must be assessed only at this level. This is especially true as, by definition, data subjects are first confronted with the first level of the cookie banner. Furthermore, the Contentious Chamber recalls that it is up to the controller to demonstrate that consent was obtained from the data subject under Article 7.1 of the GDPR. 80. In conclusion, the Contentious Chamber finds that the defendant violated Article 6.1.a) of the GDPR, as well as Article 10/2 of the LCA. ### II.3.3. On the Misleading Use of Button Colors 81. Regarding the defendant’s first argument that neither the GDPR nor the LCA requires controllers to "use buttons and characters of identical size, importance, and color," the Contentious Chamber finds that the defendant is mistaken in thinking that the complainant supports this idea. The grievance raised in this regard claims that the cookie banner is designed in a way that encourages data subjects to click on the "Accept and Close" button, making the consent obtained not compliant with the GDPR requirements. The Contentious Chamber refers the parties to points 66 to 80. 82. The Contentious Chamber observes that the defendant's cookie banner (see below) displays three colors. The text uses white font, and the banner background is dark blue. The "Learn More" button, which ultimately allows users to refuse cookies, is the same blue as the background but is separated by white borders. The "Accept and Close" button is in a striking orange color. 83. As stated in point 72, consent must be given freely, specifically, informed, and unambiguously. Following what was developed in point 71, requiring a controller to use button colors that do not clearly direct users to consent to the placement of cookies is necessary to ensure that the consent is free and unambiguous as defined under Article 6.1 of the GDPR. 84. In this case, the Contentious Chamber believes that the color scheme used by the defendant clearly encourages users to click on the "Accept and Close" button, as this button stands out prominently from the rest of the cookie banner, attracting users’ attention. Therefore, the consent obtained from the complainant by the defendant concerning the placement of cookies is invalid. ``` RTL info With your consent, our partners and we use cookies and similar technologies to store and access personal information like your visit on this site. You can withdraw your consent at any time by clicking on "Learn More" or in our cookie policy on this site. With our partners, we process the following data based on your consent: Essential cookies, precise geolocation data, and device identification analysis, personalized ads and content, ad and content performance measurement, audience data, and product development, social media, storage, and access to information on a device. LEARN MORE - ACCEPT & CLOSE ``` 85. Firstly, the European Court of Human Rights defines artistic freedom of expression as "allowing participation in the public exchange of cultural, political, and social information and ideas of all kinds" (see, mutatis mutandis, the judgment Müller and Others v. Switzerland of May 24, 1988, Series A No. 133, p. 19, § 27). Those who create, interpret, disseminate, or display a work of art contribute to the exchange of ideas and opinions essential to a democratic society. 86. The Contentious Chamber also recalls that the right to data protection is a fundamental right. The European legislator implemented this right, notably in the GDPR and the ePrivacy Directive. The choices made by the legislator, including the consent conditions stipulated in the legislative texts, indicate the threshold of requirements that controllers must meet before they can rely on this consent for cookie placement and subsequent processing (Article 6.1.a of the GDPR and Article 10/2 of the LCA). Controllers have some discretion in implementing the conditions provided in the legislative bases mentioned above; however, they cannot choose the conditions of consent. It is the DPA's duty to enforce the application of the GDPR and the ePrivacy Directive. 87. Regarding the artistic freedom of expression invoked by the defendant, the Contentious Chamber notes that Article 85.1 of the GDPR provides: "Member States shall reconcile, by law, the right to the protection of personal data under this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic, or literary expression." 88. Recital 153 of the same Regulation specifies that such reconciliation should take place when necessary. It also states that notions related to this freedom should be interpreted broadly, considering the importance of the right to freedom of expression. 89. The Belgian legislator has provided for exceptions in Article 24 of the LCA for the application of certain provisions of the GDPR for processing carried out for journalistic purposes and for academic, artistic, or literary expression, as follows: - § 1. Processing of personal data for journalistic purposes means the preparation, collection, writing, production, dissemination, or archiving for the purpose of informing the public using any media where the controller adheres to journalistic ethics. - § 2. Articles 7 to 10, 11.2, 13 to 16, 18 to 20, and 21.1 of the GDPR do not apply to the processing of personal data carried out for journalistic purposes and for academic, artistic, or literary expression. - § 3. Articles 30.4, 31, 33, and 36 of the GDPR do not apply to processing for journalistic purposes and for academic, artistic, or literary expression when their application would compromise a planned publication or constitute a prior control measure before publishing an article. - § 4. Articles 44 to 50 of the GDPR do not apply to the transfer of personal data carried out for journalistic purposes and for academic, artistic, or literary expression to third countries or international organizations to the extent necessary to reconcile the right to data protection with freedom of expression and information. - § 5. Article 58 of the GDPR does not apply to the processing of personal data carried out for journalistic purposes and for academic, artistic, or literary expression when its application would provide indications on information sources or constitute a prior control measure before publishing an article. 90. Firstly, it should be noted that Articles 5.1.a and 6.1 of the GDPR are not exempt for processing carried out for the purposes mentioned in point 87. 91. The Contentious Chamber also notes from the report on the work undertaken by the Cookie Banner TaskForce that no general model for cookie banners can be imposed on controllers regarding colors [and contrasts]. The same report explains that the validity of the cookie banner must be assessed case by case to verify that the colors or contrasts used do not clearly direct users towards a choice inconsistent with their personal data sharing preferences. 92. This means that controllers, whose compliance with the GDPR must be assessed on a case-by-case basis, have considerable discretion in choosing colors [and contrasts] for their cookie banners. They are fully allowed to be creative, reflecting their brand identity. This discretion also allows controllers to comply with GDPR requirements while respecting principles of inclusive design, for example. 93. Moreover, the Contentious Chamber emphasizes that the defendant could keep the same colors used in its cookie banner, provided it swaps the color used for the acceptance button with that used for the refusal button. As explained in point 83, controllers must ensure that the color used does not clearly encourage users to consent to cookie placement. However, nothing prevents controllers from using a button color that similarly encourages users to refuse cookies. 94. Ultimately, the defendant wrongly argues that the requirements governing the choice of colors used in its cookie banner infringe its artistic freedom of expression and the coherent and aesthetically pleasing experience it wishes to offer its users, including visually impaired persons. 95. For the reasons stated above, the Contentious Chamber concludes that the defendant has violated Articles 5.1.a) and 6.1.a) of the GDPR, as well as Article 10/2 of the LCA. ### II.3.4. On the Methods of Withdrawing Consent 96. Article 7.3 of the GDPR states: "The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. The data subject shall be informed of this before giving consent. It shall be as easy to withdraw as to give consent." 97. The EDPB specifies that a violation of Article 7.3 of the GDPR results in the non-compliance of the controller's consent mechanism. 98. The report on the work undertaken by the Cookie Banner Taskforce specifies that no specific consent withdrawal model, including the solution of a floating banner or button (or "hovering solution"), can be imposed on controllers. The same report further states that a link placed in a visible and standardized location is an appropriate solution to comply with Article 7.3 of the GDPR. 99. The Contentious Chamber adds that the duty to allow data subjects to withdraw their consent as easily as they give it must be balanced with the convenience of use for data subjects. This duty should not make the browsing experience on the controller’s website burdensome for users—otherwise, it would be unreasonable. 100. In this case, the Contentious Chamber observes that the defendant's website provides users with a "Manage Cookies" button at the bottom of each navigation page. The Contentious Chamber finds that this button is reasonably accessible to users. 101. Moreover, within the options presented in the "Manage Cookies" button, there are "Accept All" and "Reject All" buttons. Users can thus withdraw their consent with a single button click. 102. The fact that the withdrawal process is not identical to the method used to collect consent is not problematic here, as otherwise, the interests of users (and specifically the complainant) would be affected. 103. Consequently, the Contentious Chamber decides to dismiss this grievance. ### III. Corrective and Provisional Measures 104. Under Article 100 of the LCA, the Contentious Chamber has the authority to: 1. Dismiss the complaint; 2. Order a dismissal of proceedings; 3. Pronounce a suspension of the ruling; 4. Propose a settlement; 5. Issue warnings and reprimands; 6. Order compliance with the data subject's requests to exercise their rights; 7. Order the data subject to be informed of the security issue; 8. Order the freezing, limitation, or temporary or permanent prohibition of processing; 9. Order the processing to be brought into compliance; 10. Order the rectification, restriction, or erasure of data and the notification of such actions to the data recipients; 11. Revoke the certification of certification bodies; 12. Impose penalties; 13. Impose administrative fines; 14. Order the suspension of cross-border data flows to another state or international organization; 15. Transmit the case file to the prosecutor’s office of the Public Prosecutor of Brussels, who will inform them of the follow-up; 16. Decide, on a case-by-case basis, to publish its decisions on the website of the Data Protection Authority. ### III.1. Compliance Order 105. The Contentious Chamber deems it appropriate to impose two compliance orders on the defendant, based on the identified breaches. 106. Order 1: The Contentious Chamber requires the defendant to add a button that clearly allows the refusal of cookie placement with a single click, at the same level as the button allowing acceptance of cookies, at each level of the cookie banner where the button for accepting cookies is present. 107. Order 2: The Contentious Chamber requires the defendant to use colors and contrasts that are not clearly misleading. The button allowing the refusal of cookies must be displayed at least as prominently as the acceptance button. The Contentious Chamber specifies that the defendant may retain the current colors used in the cookie banner, provided it swaps the color used for the refusal button with the acceptance button; it refers to point 94 in this regard. 108. As examples, the Contentious Chamber includes an illustration from its [Cookie Checklist](https://www.autoriteprotectiondonnees.be/publications/checklist-cookies.pdf) below as a good practice. However, the implementation of these orders is the sole responsibility of the defendant. 109. Each of these two orders must be satisfied no later than the 45th day following the notification of this decision to the defendant. Within the same period, the defendant must submit a document to the Contentious Chamber and the complainant reflecting how it has complied with the two orders issued. 110. In case of non-compliance—even apparent—beyond the 45th day following the notification of this decision, the Contentious Chamber will notify the defendant. From the date of this notification, the penalty will be enforced. It will only cease once the Contentious Chamber recognizes that the defendant has fully complied with the orders. ### III.2. Accessory Sanction: The Penalty #### III.2.1. Preliminary Considerations 111. The penalty is fully conditional. The amount payable is uncertain. The defendant initially has a period to comply or to appeal the decision. It is only in the event of non-compliance after a 45-day period from the notification of this decision that the penalty will be enforced. Therefore, the amount of the penalty is variable and may even be zero, if applicable. 112. The penalty differs from an administrative fine as it serves as an indirect means of enforcing the primary sanction(s) to achieve compliance with applicable law, while an administrative fine has a punitive character. The penalty thus also has an accessory nature. The penalty and the administrative fine differ both in their nature and the objectives they pursue. 113. In a judgment of February 19, 2020, the Court of Markets stated: "Before a sanction is imposed, the offender must be informed of the nature of the proposed sanction and its amount (in the case where a fine is envisaged). The offender must be warned (to avoid unnecessary sanctions) and given the opportunity to defend the amount of the fine proposed by the Contentious Chamber before the sanction is effectively imposed and enforced." 114. Following this judgment, the President of the Contentious Chamber considered that issuing a sanction form was also necessary when the Contentious Chamber intended to impose a penalty. 115. The Contentious Chamber's position today is different, considering that it should not inform the defendant of its intention to impose a penalty for the following two reasons: a) The obligation to send a sanction form to the defendant before the decision originates from the jurisprudence of the Court of Markets. It is an obligation that adds to the existing legal framework. This step in the Contentious Chamber’s procedure makes it heavier and more time-consuming. While the Contentious Chamber acknowledges all the benefits of this step, it notes that this strictly national obligation can hinder the consistent application of the GDPR among different supervisory authorities. The Contentious Chamber thus considers that this obligation should be interpreted restrictively, favoring an interpretation that does not conflict with the objectives pursued by the legislator in granting powers to supervisory authorities. b) As explained in point 112, the nature of the penalty differs fundamentally from that of an administrative fine. The penalty is an accessory sanction, aimed at encouraging the defendant to comply with the primary sanction. In this sense, it is widely recognized in legal doctrine that the penalty is not punitive in nature. In conclusion, the decision to impose a penalty is at the strict discretion of the Contentious Chamber and cannot be contested by a party to the case. The Belgian legislator has deliberately chosen to grant this competence to impose penalties to the DPA; the intention of the Belgian legislator must be acknowledged and respected. 116. The Contentious Chamber reminds that its decisions do not have precedent value. The policies of the Contentious Chamber are not binding. The Contentious Chamber recognizes that publishing these policies establishes a certain level of trust with the public and strives to communicate transparently with the public. However, this cannot constitute an obstacle to the development of the Contentious Chamber's practices and the legal framework implemented, which are essential. 117. In light of the reasons mentioned above, the Contentious Chamber exercises its prerogative to impose penalties on the defendant in this case and does not consider that it must inform the defendant beforehand by means of a sanction form. #### III.2.2. Practical Modalities of the Penalty 118. To allow the defendant sufficient time to comply with the orders issued in this decision, the penalty will not be enforced immediately after the notification of this decision to the defendant. 119. In this case, the Contentious Chamber considers that a period of 45 days from the notification of this decision is sufficient for the defendant to comply with the said orders. 120. The period begins on the day the defendant receives the registered letter notifying them of this decision or on the day the period expires for the defendant to collect the registered letter from the post office, if applicable. 121. The day after this period expires, the Contentious Chamber notifies the defendant: 1) That they have fully complied with the orders issued in this decision; or 2) That they have partially complied with the orders issued in this decision; or 3) That they have not complied with the orders issued in this decision. The Contentious Chamber initiates the enforcement of the penalty on the same day of this notification in the second and third scenarios. 122. The penalty amounts are as follows: a) Order 1: The defendant must pay EUR 20,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision; b) Order 2: The defendant must pay EUR 20,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision. If the defendant fails to satisfy both orders, they must then pay EUR 40,000 per day of delay from the day the Contentious Chamber notifies them of partial or non-compliance with the orders issued in this decision. 123. The Contentious Chamber reiterates, as stated in point 112, that the penalty does not have a punitive character. Each order is accompanied by a penalty to ensure its proper execution. The penalty amounts are reasonable in view of the harm caused by the defendant to the complainant’s rights, and to users more generally, as well as considering the defendant's financial capacity and the benefit they may derive from non-compliance with the orders. 124. If the defendant considers that full compliance with the orders is impossible within the prescribed period despite all reasonable efforts, they may submit a motivated request for an extension to the Contentious Chamber within 45 days following the notification of this decision. 125. The penalty is daily and cannot exceed a maximum amount of EUR 2,000,000. 126. The practical modalities of the penalty can be schematized as follows: - Receipt of the compliance notification: partial or null compliance – initiation of the penalty EUR 20,000 per day per infraction 127. Given the importance of transparency concerning the decision-making process of the Contentious Chamber, this decision is published on the Data Protection Authority’s website. 128. Considering that the defendant is a major player in the television and radio services sector, and that the personal data processing carried out by the defendant is conducted on a national scale, the Contentious Chamber believes that the defendant’s identity must be known in this decision. This is also consistent with the position already taken by the Contentious Chamber in similar cases involving media groups. 129. Knowing the defendant’s identity is also important to better understand the procedure followed in this case. Noyb has revealed the circumstances of this procedure on its website. Therefore, it is appropriate to detail transparently the differences in the examination of the present complaint compared to other complaints filed by complainants represented by noyb. +--------------------------------------------------------------------------------+ | FOR THESE REASONS, | | | | The Contentious Chamber of the Data Protection Authority decides, after | | deliberation: | | | | In accordance with Article 100, §1, 9° of the LCA, to order the defendant to | | add a button that clearly allows users to refuse the placement of cookies with | | a single click, at each level of the cookie banner where there is a button | | allowing the acceptance of cookies with a single click, in compliance with | | Article 6 of the GDPR and Article 10/2 of the LCA, and to provide both the | | complainant and the Contentious Chamber with documentation on the measures | | taken to comply with this order (Injunction 1). Furthermore, the Contentious | | Chamber requires the defendant to use colors and contrasts that are not | | manifestly misleading. The button clearly allowing the refusal of cookies must | | be displayed at least as prominently as the acceptance button (Injunction 2); | | | | In accordance with Article 100, §1, 12° of the LCA, to accompany Injunction 1 | | with a penalty. The defendant must pay 20,000 EUR per day of delay from the | | day the Contentious Chamber notifies that it has partially or not at all | | complied with the orders issued in this decision; | | | | In accordance with Article 100, §1, 12° of the LCA, to accompany Injunction 2 | | with a penalty. The defendant must pay 20,000 EUR per day of delay from the | | day the Contentious Chamber notifies that it has partially or not at all | | complied with the orders issued in this decision; | | | | In accordance with Article 100, §1, 1° of the LCA, to dismiss the third | | grievance related to the modalities for withdrawing consent. | +--------------------------------------------------------------------------------+ In accordance with Article 108, § 1 of the LCA, an appeal against this decision can be lodged within thirty days from its notification, with the Court of Market (Court of Appeal of Brussels), naming the Data Protection Authority as the defendant. Such an appeal can be submitted by means of an interlocutory application, which must contain the information enumerated in Article 1034ter of the Judicial Code. The interlocutory application must be: 1. The indication of the day, month, and year; 2. The name, first name, and address of the applicant, as well as, if applicable, their status and national registration number or company number; 3. The name, first name, address, and, if applicable, the status of the person to be summoned; 4. The subject and a summary statement of the grounds for the claim; 5. The indication of the judge who is seized of the request; 6. The signature of the applicant or their lawyer. The application must be filed at the registry of the Court of Market in accordance with Article 1034quinquies of the Judicial Code, or via the e-Deposit information system of the Ministry of Justice (Article 32ter of the Judicial Code). (signed) Hielke HIJMANS President of the Contentious Chamber