DSB (Austria) - D124.0507/24 2024-0.633.166

From GDPRhub
Revision as of 13:56, 29 October 2024 by Mba (talk | contribs) (→‎Facts)
DSB - D124.0507/24 2024-0.633.166
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 17 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 11.08.2021
Decided: 28.10.2024
Published:
Fine: n/a
Parties: Österreichischer Rundfunk - ORF
National Case Number/Name: D124.0507/24 2024-0.633.166
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: NOYB (in DE)
Initial Contributor: Ao

The DPA orders a controller to adjust the colour design of a cookie banner to ensure the unambiguous expression of agreement of users through equal prominence of the options.

English Summary

Facts

On the 11 August 2021, the data subject, represented by noyb filed a complaint against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). The data subject visited the website of the controller (www.orf.at) on the 21 January 2021 and was confronted with a cookie banner which lacked any clear option to refuse the placement of cookies. Further, the controller had placed cookies ahead of any interaction with the cookie banner. The complaint highlighted that through the design of the cookie banner, the controller could not rely on the unambiguous consent of users for the processing of personal data and requested the erasure of their personal data gathered through the cookies.

The data subject therefore requested the DPA to order the controller to delete the data subject's personal data in accordance with Article 17 GDPR and to cease the unlawful processing of personal data of users.

Throughout the course of the proceedings, the controller revised the cookie banner and included two buttons, one to reject the placement of cookies and one to set certain preferences. The two added buttons were set with the same colour as the cookie banner background. The button to accept all cookies however was equipped with a dark blue colour.

The controller argued, that the difference in colour made the selection process easier for the user. Further, none of the data gathered through cookies was stored by the controller and during the course of the proceedings the controller informed recipients of the data subject's request for erasure.

Holding

Design of the cookie banner

Primarily, the DSB reiterated that economic necessity such as personalized advertising does not equate to the technological necessity of cookies for the functioning of the website. The cookies placed before any interaction with the cookie banner were for statistical and analytical purposes and not technologically necessary for the functioning of the website. Therefore, prior consent of the user is required.

Secondarily, in order to obtain prior consent, the DSB held that no unfair practices can be involved in the design of the cookie banner. Specifically, the button to reject the use of cookies cannot be made less prominent than the accept button. The DSB stated that the decision making process of the data subject shall not be distorted or impaired in any way. The revised cookie banner showed a prominent dark blue colour for the accept all cookie button while the other two options of setting preferences and accepting only necessary cookies were given a pale white colour which blended into the cookie banner background. The DSB concluded that the contrast is the deciding factor and points out that a 3:1 minimal contrast is required. This resulted in the DSB’s reasoning that no unambiguous expression of agreement as defined in Article 4(11) GDPR was given by the data subject.

In relation to the design of the cookie banner, the DSB ordered the controller to adjust the banner within a period of six weeks to ensure equal prominence of all cookie selection options. The DSB declared that the controller must ensure equal design in regard to colour, size, contrast, placement and prominence of the buttons. It detailed that it is unlawful to emphasize any of the options through overly conspicuous design such as a different colour, larger font or more prominent placement.

Right to erasure and order to comply

Regarding the processing of personal data of the data subject, the DSB accepted that the controller did not store the personal data collected through cookies and that it had informed the recipients of the request for erasure and therefore found no violation of Article 17 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Barichgasse 40-42

A-1030 Vienna

Tel.: +43-1-52152 302549

E-mail: dsb@dsb.gv.at

GZ: D124.0507/24 Clerk:

2024-0.633.166

AT NOYB

Data protection complaint (Art. 77 para. 1 GDPR, Section 24 para. 1 DSG)

/Austrian Broadcasting Corporation (ORF)

by email:

DECISION

APPEAL

The data protection authority decides on the data protection complaint from

(complainant party), represented by NOYB – European Center for Digital Rights,

Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, dated August 11, 2021 against the foundation

under public law, Austrian Broadcasting (respondent), represented by Schönherr

Rechtsanwälte GmbH, due to A) the right to erasure and the obligation to notify in connection with the

erasure and B) the application for an order against the respondent to stop the unlawful

processing, as follows:

1) The complaint is dismissed.

2) The respondent is ordered officially to

amend the request for consent (the cookie banner, see statement of facts C.6.) on

the website www.orf.at within a period of six weeks in such a way that a valid

consent is obtained when visiting the website. To this end, the respondent must in any case

amend the cookie banner in such a way that the data subject is offered an

equivalent choice between “Accept all cookies” and “Only necessary

cookies” on the first level of the cookie banner. It must be ensured that both options are designed equally in terms of

visual design, including color, size, contrast, placement and emphasis. It is not permitted to emphasize one of the options through

an overly conspicuous design, such as a preferred color scheme, a larger font size or

a more prominent placement. - 2 –

b) Modify the website www.orf.at in such a way that when visiting this website before giving consent, the following cookies are not set:

i) ioam2018 (see fact finding C.7.);

ii) i00 (see fact finding C.7.);

iii) UserID1 (see fact finding C.7.);

iv) autouserid2 (see fact finding C.7.).

Legal basis: Article 4, paragraph 11, Article 5, paragraph 1, letter a, Article 7, Article 12, paragraph 1, Article 17, Article 19, Article 57, paragraph 1, letter f, Article 58, paragraph 2 and Article 77, paragraph 1 of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ No. L 119 of 4 May 2016, p. 1; Sections 18, paragraph 1 and 24, paragraph 1, paragraph 2, item 5, paragraph 4 and paragraph 5 of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; Section 165 of the

Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended; Section 1 Paragraph 1 of the ORF

Act (ORF-G), Federal Law Gazette No. 379/1984 as amended. - 3 -

REASONING

A. Arguments of the parties and course of proceedings

A.1. In a submission dated August 11, 2021, the complaining party (hereinafter: bP)

summarized the following:

The bP visited the website of the respondent (hereinafter: BG) at www.orf.at on January 20, 2021. The website displayed a cookie banner. Cookies were set, some with

a unique user identification number (“unique ID”). A summary of all HTTP requests and responses is attached as an appendix. The term “relevant processing activities” is used for all processing activities for which the BG wants to establish a legal basis within the framework of the cookie banner. Due to the design of the cookie banner mentioned, several violations have occurred. It cannot be assumed that there was valid consent. It is requested that the BG be instructed to stop all relevant processing activities and to delete all relevant personal data. The GDPR allows the competent supervisory authority to make an order that goes beyond the personal data of the bP. The present complaint (case number C-037-401) is directed against ORF Online and Teletext GmbH & Co KG. Several attachments were attached to the submission. A.2. In a statement dated July 10, 2023, ORF Online and Teletext GmbH & Co KG

summarized the following:

The Austrian Broadcasting Corporation is responsible for storing cookie values and other device information, which is also evident from the cookie guidelines. On the other hand, ORF

Online and Teletext GmbH & Co KG is not responsible.

A.3. In a statement dated July 26, 2023, the bP summarized the following:

Based on the statement by ORF Online and Teletext GmbH & Co KG, the complaint is directed against the BG (Austrian Broadcasting Corporation). The list of controllers and processors available online at https://orf.at/stories/datenschutz-verantwortliche/ does not indicate which legal entity is responsible for which data processing.

A.4. In a statement dated September 4, 2023, the BG summarized the following:

The change of the respondent was inadmissible due to preclusion because the subjective preclusion period had expired. An official correction of the designation was inadmissible. The bP's

applications were also inadmissible because none of the applications made in the data protection complaint had been lawfully carried out. The bP had not specified the facts and it was

unreasonable to check the .har file (Appendix 5). This contains around 17,000 lines. Regardless of this, the BG checked the file. A large part of the cookies were not set by the BG, but by the domain "derstandard.at". There was no cooperation with "derstandard.at" at the time of the proceedings. The bP had also not submitted an application for

deletion. The complaint was also unfounded in terms of content. It can also be assumed that
the bP only visited the website to create an auto-generated complaint. The

complaint is not a highly personal exercise of claim, but rather an inadmissible

association complaint. In addition, the BG answered the questions of the data protection authority.

A.5. In a statement dated November 8, 2023, the bP summarized the following:

The bP refers to the previous submissions, according to which, based on the online list of

the ORF's controllers and processors, it is unclear for which data processing the

various legal entities of the ORF are responsible. In this respect, the complaint was

originally directed against the body that was thought to be the operator of the website www.orf.at.

The information is still available today that ORF Online and Teletext GmbH & Co KG is responsible for

www.orf.at. In addition, the complaint was submitted on time and

the applications submitted were admissible. It was merely pointed out that the data protection authority could issue orders that went beyond the complainant (presumably meaning his data). Regarding the .har file, it should be noted that it also contains visits to the website "derstandard.at". This is relevant to show that it is a "normal" internet visit in which several websites were visited. A URL search for orf.at resulted in 357. There is therefore a direct or indirect correlation. An application for deletion is not required to assert the right to deletion. The cookie banner still does not meet the data protection requirements. A.6. In its statement of March 28, 2024, the BG summarized the following: The bP submitted an appendix 4 when submitting the complaint in question. It can be assumed that the bP is aware of the content of appendix 4. In Appendix 4, the ORF is expressly named as the responsible party. The party declaration (meaning the original name of the respondent) is not open to any other interpretation due to its express nature. In principle, however, this can be left open, since - as already stated in the statement of September 4, 2023 - the bP's request for deletion was complied with. The proceedings should be discontinued in accordance with Section 24 (6) of the Data Protection Act. With regard to the alleged continuous violation of law, it should be noted that this should not be regarded as a change to the application initiating the proceedings, since such a change would be inadmissible due to the preclusion that has occurred. The submission cannot be regarded as a new complaint either, since the party declaration shows that the bP wants to continue to maintain the original data protection complaint. The reference to the "IDE" cookie does not change the preclusion. The bP did not even claim that the same "IDE cookie value" was stored in the browser at the time in question (January 20, 2021). In summary, the bP's request for deletion was granted. The BG also redesigned the entire ORF website (including the cookie banner).

A.7. In a statement dated April 17, 2024, the bP repeated the previous submissions in

essentials.

A.8. In a settlement dated August 2, 2024, the data protection authority requested the BG as follows (excerpt):

"Subject: Request for a statement

The data protection authority encloses the complainant's statement dated April 17, 2024. The data protection authority has since taken note of the changes on the website

www.orf.at.

You are requested to comment on the complainant's statement and the following

points within two weeks of receiving this letter and, if necessary, to provide or state appropriate evidence to prove your own submission:

x Why are the cookies "ioam2018" and "i00" set before consent is given? Insofar as Section 7 ORF-G is cited in this regard, they are asked to explain to what extent this can be reconciled with Section 165 Paragraph 3 TKG 2021 or Article 5 Paragraph 3 of Directive 2002/58/EC. x For what purpose is the "Accept all cookies" field colored blue, while the other two fields do not have a color that stands out from the background?" A.9. In a statement dated August 16, 2024, the BG summarized the following: The "Accept all cookies" button is colored blue because the entire website is primarily designed in white and blue. The color contrast makes it easier for users to make a selection. The white buttons are also clearly visible against the light gray background. The legality of the data processing in question derives from the BG's legal obligation to measure reach in accordance with Sections 4e and 7 of the ORF Act. The measurement is absolutely necessary in order to comply with the legal mandate. The data collection through the cookies "ioam2018" and "i00" is - as a precaution - based both on the legal basis of fulfilling a legal obligation and on the performance of a task that is in the public interest. The BG has asked the Austrian Web Analysis (ÖWA), which acts as the BG's service provider, to delete the corresponding cookie values. Furthermore, these cookie values are not personal data. The data protection authority is not responsible for the implementation of Section 165 Paragraph 3 of the TKG 2021. A.10. In a statement dated March 28, 2024, the bP summarized the following: - 6 -

In the bP's opinion, the design of the cookie banner and the button colors chosen are misleading. The color design has a significant influence on users' choices, which has been academically proven. The standards cited by the BG are not a suitable basis for data processing, especially since the ORF-G does not provide for how the reach is to be measured. There are other options than tracking cookies. In addition, the cookies "ioam2018" and "i00" (or their values) are personal data from a legal point of view.

B. Subject of the complaint

B.1. Based on the bP's submission, a decision must be made as to whether the BG should be ordered to A) delete the bP's

personal data (the cookie values) and inform the recipients of the deletion,

and B) stop the "relevant processing activities".

By "relevant processing activities", the bP refers to those cookies (and similar

technologies) that were used during the bP's visit to www.orf.at on January 20, 2021.

B.2. However, it must first be checked whether the complaint - as raised by the BG - is not

already precluded under Section 24 (4) DSG.

C. Findings of fact

C.1. Cookies can be used to collect information that has been generated by a website and stored via an Internet user's

browser. It is a small file or text information (usually less than one kilobyte) that is placed by a website on the hard drive of an Internet user's computer or mobile device through an Internet user's browser. A cookie allows the website to "remember" the user's actions or preferences. Most web browsers support cookies, but users can set their browsers to refuse cookies. They can also delete cookies at any time. Websites use cookies to identify users, remember their customers' preferences, and allow users to complete tasks without having to re-enter information when they move to another page or return to the website later. Cookies can also be used to collect information based on online behavior for targeted advertising and marketing. For example, companies use software to track user behavior and create personal profiles that allow users to be shown advertising tailored to their previous searches. Assessment of evidence C.1.: The statements on the functionality of cookies come from the

Opinion of the Advocate General of 21 March 2019 in case C-673/17 (Planet 49), para. 36 ff with further references. - 7 -

Since this is a case-independent and general technical description of the possible

functions of cookies, these statements had to be included at the factual level - and not in the

legal assessment.

C.2. The BG is the operator of the website www.orf.at. It decides under which

conditions which cookies are set or read when the website is accessed.

Assessment of evidence C.2.: The findings made are based on the BG's statement of

10 July 2023. The bP did not subsequently dispute this argument. The

Data Protection Authority has no indications to cast doubt on the BG's argument.

C.3. The bP visited the website www.orf.at at least on January 20, 2021.

The cookie banner looked as follows on January 20, 2021: - 8 –

Figure 1

Evaluation of evidence C.3.: The findings made are based on the bP's entry of August 11, 2021 and are undisputed. The screenshot is based on the attachment "Appendix 2.png" submitted by the bP.

C.4. As a result of visiting the website www.orf.at, cookies were set and read on the bP's device on January 20, 2021, which contained a unique, randomly generated value (Universally Unique Identifier, hereinafter: UUID).

The content of the attachments "Appendix 5.har" and "Appendix 6.csv" is used as the basis for the findings of fact.

Assessment of evidence C.4.: The findings are based on the bP's submission of August 11, 2021 and the submitted attachments "Appendix 5.har" and "Appendix 6.csv". The BG's statement of September 4, 2023, according to which the cited attachments also contain information about accessing other websites (such as www.derstandard.at), is not overlooked. However, as the bP correctly states in its statement of November 8, 2023, the attachments contain - 9 - information about an internet visit during which several websites were accessed. In fact, a search for the URL "orf.at" results in numerous hits in the attachments. In this respect, the bP's argument is proven by the submission of these attachments. C.5. The BG is currently not storing any cookie values that were set and read on the bP's device as a result of the visit to
www.orf.at on January 20, 2021.

The BG has also informed the recipients of the data transmission (specifically the providers of the services that

it has implemented on its website) of the deletion.

Evaluation of evidence C.5.: The findings made are based on the BG's statements of

March 28, 2024 and August 16, 2024. At the request of the data protection authority, the

BG stated that - without prejudice to the arguments put forward - the relevant data (the

cookie values) had been deleted and a notification had been sent to the service providers. The bP

did not dispute this claim, but merely pointed out that no evidence had been

presented. In the opinion of the data protection authority, there are no indications to cast doubt on the BG's

statement, especially since the BG has been very cooperative during the investigation and has adapted the cookie banner - albeit not to the complete satisfaction of

all parties and the data protection authority. Overall, there are no

investigation results that would justify a contrary finding.

C.6. The BG has adapted its cookie banner (the request for consent) on the website www.orf.at.

At the current time, the BG's cookie banner looks as follows: - 10 -

Figure 2

The background of the cookie banner (hexadecimal color code #f0f1f4) is a

very light shade of blue.

The "Accept all cookies" button is a dark blue shade

(hexadecimal color code #466199).

The “Cookie preferences” and “Only necessary cookies” button is a

white shade (hexadecimal color code #FFFFFF). - 11 –

The contrast ratio of #466199 (“Accept all cookies” button) to #f0f1f4 (background

of the cookie banner) is 5.42:1 and is rated “Good” according to the Color Contrast Checker at

https://coolors.co/contrast-checker.

The contrast ratio of #FFFFFF (“Cookie preferences” and “Only necessary cookies” buttons) to #f0f1f4 (background of the cookie banner) is 1.13:1 and is classified as “Very poor” according to the Color
Contrast Checker at https://coolors.co/contrast-checker.

A contrast of 3:1 is recommended as the minimum contrast according to ISO-9241–3.

If the “Cookie preferences” option is selected, the following button appears:

Figure 3

Evaluation of evidence C.6.: The findings made regarding the cookie banner are based on an

official research by the data protection authority on the website www.orf.at, last accessed on

October 28, 2024. The finding that the BG has adapted the cookie banner also arises

from the present file and is undisputed. The findings on the selected colors of the cookie banner and buttons are based on an official research at https://encycolorpedia.de/ (last accessed on October 28, 2024). The findings on the contrast ratios are based on the publicly accessible website www.orf.at and https://coolors.co/contrast-checker (last accessed on October 24, 2024). The findings on the - 12 - ISO standard are based on the content of ISO-9241–3. The recommended contrast of the aforementioned ISO standard is also discussed at https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on October 24, 2024). C.7. When you visit the website www.orf.at, the following cookies are set or read,

before any interaction with the displayed request for consent (cookie banner) takes place:

Domain name

orf.at ioam2018

iocnt.net i00

orf.at didomi_token

adfarm1.addtion.com UserID1

www.orf.at _autouserid2

The cookie “ioam2018” contains a UUID (for the definition of “UUID” see again

Fact finding C.4.). It is used to determine statistical parameters for the use of a

website. The provider is the Austrian Web Analysis (ÖWA). The following information can be found

at https://orf.at/stories/datenschutz-cookies/: “Stores a

client hash for the Austrian Web Analysis (ÖWA) to optimize the determination of the key figures

Unique Clients and Visits. This cookie is set in the context of the domain orf.at."

The cookie "i00" contains a UUID. It is used to recognize users' end devices. The following information can be found at https://orf.at/stories/datenschutz-cookies/: "This cookie is used by the ÖWA to recognize end devices. If the cookie is suppressed, the ÖWA tries to recognize the device by combining the IP address and browser name. For apps, the ÖWA uses the so-called "Advertiser ID", unless the use of the "Advertiser ID" (advertising ID) is deactivated via the device settings (meaning: deactivated)."

"didomi token" contains a UUID. This is a tool for consent management

(Consent Solution).

The cookie "UserID1" contains a UUID. This cookie is used to re-target the user with online advertising based on the interest shown on the website.

The cookie "autouserid2" contains the same UUID as "UserID1". It is the first-party cookie equivalent to "UserID1" if third-party cookies are blocked. - 13 -

Evaluation of evidence C.7.: The findings made regarding the cookie banner and the cookies set are based on an official search by the data protection authority on the website www.orf.at, last accessed on October 28, 2024. The finding that the BG has adjusted the cookie banner is evident from the present file and is undisputed.

The findings regarding the function of the cookies are based on an official search at (each last accessed on October 28, 2024)

▯ https://orf.at/stories/datenschutz-cookies/ (information provided by the BG);

▯ https://oewa.at/tech-support/mcvd/ (for “ioam2018”);

▯ https://support.didomi.io/didomi-cookies-storage-1 (for “didomi_token”);

▯ https://www.ccm19.de/plugin.php?menuid=253&template=mv/templates/mv_show_front.html&

mv_id=1&extern_meta=x&mv_content_id=139&getlang=de and (for “UserID1”);

▯ https://github.com/jkwakman/Open-Cookie-Database/blob/master/open-cookie-database.csv

(also for “UserID1”);

▯ https://www.cookie.is/UserID1# (also for “UserID1”).

D. From a legal point of view, this results in:

Questions of jurisdiction

D.1. On the relationship between the e-Data Protection Directive and the GDPR

Processing operations of a matter can be subject to both the provisions of Directive 2002/58/EC as amended (e-Data Protection Directive) or the TKG 2021, as well as the GDPR.

While the setting or reading of cookies is to be assessed according to the requirements of Art. 5 (3) of the e-

Data Protection Directive, the subsequent data processing falls within the scope of the GDPR (cf. the EDSA Guidelines 01/2020 on the processing of personal data in connection with connected vehicles and mobility-related

applications, version 2.0, para. 15 and para. 53).

This also corresponds to the legal opinion of the European Court of Justice in the Fashion ID case. This also assumed that, as a result of the implementation of a social plug-in on a website (this falls within the scope of the e-Privacy Directive), the transfer of the website visitor's data to Facebook Ireland Limited and the subsequent data processing fell within the scope of the (then) Directive 95/46 GDPR (see the ECJ judgment of 29 July 2019, C-40/17, para. 26 and in particular para. 85). In comparable cases, the Federal Administrative Court has also assumed that the data protection authority was responsible (see, among many others, the BVwG ruling of 26 April 2024, GZ: W211 2281997-1/5E mwN). - 14 –

The data protection authority is therefore responsible for the complaint in question because data processing (browser data, IP addresses, cookie values) has taken place as a result of setting or reading cookies (see statement of facts C.4) and the application of the GDPR is not excluded per se.

D.2. On the possible preclusion pursuant to Section 24 Para. 4 DSG

The BG argues that the right to have the bP's complaint dealt with is already precluded pursuant to Section 24 Para. 4 DSG.

To summarize the main points, the BG argues that it is clear from its data protection declaration that it (i.e. the foundation under public law, Austrian Broadcasting) is the

person responsible for the website www.orf.at. However, the bP originally directed the complaint against ORF Online and Teletext GmbH & Co KG and only subsequently "replaced" the BG.

The BG's argument must be countered by the fact that the respondent is to be named (only) to the extent that this is reasonable, in accordance with Section 24 Paragraph 2 Item 2 of the Data Protection Act. The data protection authority agrees with the bP's argument that the person responsible for data protection for the website www.orf.at - based on the information at the time - was not clearly identified. Even at the current time, numerous legal entities of the ORF are listed at https://orf.at/stories/datenschutz-verantwortliche/ (as of October 28, 2024), although it is not explained for which specific processing operations the respective legal entities are responsible. This is not changed by the BG's reference to the content of Appendix 4, which was submitted by the bP. It is true that in Appendix 4 the ORF is named as the person responsible; however, as already explained, many legal entities can be understood by "ORF". In any case, the information provided by the BG does not meet the requirements of Art. 12 Para. 1 GDPR

for clear and precise language.

It follows that the limitation period of Section 24 Para. 2 Z 2 DSG only began to run after

the responsibility for the bP had been sufficiently clarified. This was the case after the bP received the

statement of the BG dated July 10, 2023. Subsequently, the bP clarified the BG on

July 26, 2023 (see the decision of the VwGH of June 27, 2023, Ro 2023/04/0013, according to para. 34, for the correction of the respondent in the event of the unreasonableness of the designation).

The (absolute and subjective) limitation period is thus observed and the data protection authority is

responsible for deciding on the content of the complaint. - 15 –

D.3. Processing of personal data

In the Google Analytics case, the data protection authority has already stated – in accordance with the case law of the European Data Protection Supervisor (EDPS) – that cookies that contain a unique,

randomly generated value (Universally Unique Identifier, hereinafter: UUID) and that are set with the

purpose of individualizing and separating people meet the definition of Art. 4 Z 1
GDPR. In particular, it can never be ruled out that the cookie values and the IP

address of a person's device are combined with additional information at some point in the processing chain, e.g. if the data subject registers on a website with
their email address or real name (see the decision of April 22, 2022, GZ: 2022-

0.298.191, available on the website www.dsb.gv.at; this legal opinion is confirmed, among others, by the

findings of the Federal Administrative Court of May 12, 2023, GZ: W245 2252208-1 and of April 26, 2024, GZ: W211

2281997-1; on the personal reference of "Google Analytics cookies" also the decision of the EDSB
against the European Parliament of January 5, 2022, GZ: 2020-1013, p. 13).

These considerations can be applied to the present case, since as a result of the

visit to the website www.orf.at on January 20, 2021, cookies with unique, randomly generated

values were set and read in the bP's end device (see factual findings C.4).

The cookie values (in combination with browser data and the IP address of the

end device) were subsequently transmitted to the servers of the respective providers (e.g. to the provider of the advertising cookie "UserID1"

with the domain adfarm1.addtion.com).

The (factual) scope of application of the GDPR is therefore fulfilled.

On point 1

D.4. On the right to erasure and the obligation to notify (complaint point A)

As stated, the BG does not currently store the information that can be considered personal data of the bP - i.e. the IP address and the cookie values of the bP's end device.

In addition, the recipients of the data transfer were informed of the

erasure in accordance with Art. 19 GDPR (see fact finding C.5).

According to the case law of the Federal Administrative Court, there is also no subjective right to a determination that the

rights of the data subject - here: the right to erasure - were complied with too late (cf. the

decision of the Federal Administrative Court of January 31, 2020, GZ: W258 2226305-1 mwN).

At least at the time of the decision, there is therefore no violation of Art. 17 (in conjunction with Art. 19) GDPR.

D.5. On the application for an order against the BG to stop the unlawful processing

(Complaint point B) - 16 –

In addition, the bP has filed an application to order the BG to stop the unlawful

processing.

According to Art. 77 Para. 1 GDPR, every data subject has “[…] without prejudice to any other

administrative or judicial remedy, the right to lodge a complaint with a

supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement, if the data subject considers

that the processing of personal data concerning him or her infringes this Regulation.”

It is clear from the wording of Art. 77 Para. 1 GDPR that any applications made in the context of

a complaint procedure must relate to the person of the complaining party (“personal data concerning him or her”).

As already stated, the BG does not currently store the bP's data that is the subject of the complaint, so that no remedy can be used that relates to the bP's personal data. In view of the final nature of the remedy powers under Art. 58 Para. 2 GDPR (see again the decision of the VwGH of September 1, 2022, Ra 2022/04/0066) and the wording of Art. 77 Para. 1 GDPR and Section 24 Para. 1 DSG (violates and not: "has violated" or "will violate"; English version of the GDPR: "infringes", French version of the GDPR: "constitue"), no order can be issued in the context of a complaint procedure that relates to data processing pro futuro (i.e. in the event that the bP accesses the website again in the future). It is therefore no longer necessary to address the abstractly formulated violations of the bP in connection with the
cookie banner.

The complaint was therefore rejected in accordance with the ruling.

General information on ruling point 2

D.6. On the powers of remediation

The data protection authority has powers of remediation pursuant to Art. 58 para. 2 lit. d GDPR, which allow it, among other things, to instruct a controller to change or carry out processing operations in a certain way

and within a certain period of time.

Neither the GDPR, nor the DSG or the AVG stipulate that official powers may only be exercised in the context of a data protection review pursuant to Art. 58 para. 1 lit. b GDPR. - 17 –

The Federal Administrative Court has therefore already ruled that the data protection authority can also make use of its powers stipulated in Article 58 (2) GDPR in appeal proceedings (see the decision of November 16, 2022, Ref. No. W274 2237056-1/8E;

most recently confirmed by the decision of July 31, 2024, Ref. No. W108 2284491-1/15E).

The Federal Administrative Court's considerations are also in line with the case law of the

European Court of Justice, according to which a supervisory authority is obliged to make use of its remedial powers in the event of identified

deficiencies (see the judgment of the ECJ of July 16, 2020 C-311/18, para. 111).

The complaint in question was ultimately rejected; however, since the request for consent (the cookie banner) and the use of cookies - for the reasons set out below - are not in line with data protection requirements, an official service contract was required. With its decision on August 2, 2024, the data protection authority gave the BG the opportunity to comment on the website www.orf.at and the cookie banner. In its statement of August 16, 2024, the BG set out its view. D.7. Responsibility for the service contract and application of the GDPR Regarding the responsibility of the data protection authority and the question of the (material) scope of application of the GDPR, reference is made to the considerations under D.1. (Relationship between the e-Data Protection Directive and the GDPR) and D.3. (Processing of personal data). The considerations are also relevant for the performance contract according to point 2, since cookies are currently being used that contain a UUID and that (along with other browser data and the IP address) are transmitted to third-party servers (see factual findings C.7.). There is also no evidence that technical protective measures have been implemented to prevent this data from being linked to other additional information within the processing chain (see the ECJ judgment of October 27, 2022, C-129/21, para. 81, on the accountability and compliance obligations of a controller). It is not necessary for the BG itself to be able to establish a personal reference (see the ECJ judgment of July 29, 2019, C-40/17, para. 66 ff. with further references). Finally, the protective purpose of the

Regulation also speaks in favor of a broad interpretation of Art. 4 Z 1 GDPR. This is to ensure a high level of protection of the fundamental rights and freedoms

of natural persons when processing personal data (see the judgment - 18 -

of the ECJ of August 1, 2022, C-184/20, para. 61). This protective purpose would be counteracted if the standard of "identifiability" is applied too narrowly.

In a comparable case - at least with regard to the cookies ioam2018 and i00 - the

Federal Administrative Court also assumed the scope of application of the GDPR (see again

the decision of the BVwG of April 26, 2024, GZ: W211 2281997-1/5E, point 3.2.1.).

On point 2 a)

D.8. Design of the request for consent (cookie banner)

It should be noted that instructions pursuant to Art. 58 Para. 2 lit. d GDPR can also include adjustments

regarding requests for consent (cf. Zavadil in Knyrim, DatKomm Art. 58 GDPR

[as of 1.7.2024, rdb.at] Art. 58 Rz 34/1 mwN).

To assess how the cookie banner and the interaction options are to be understood, the figure of an averagely informed, attentive and intelligent consumer must be used (see the judgment of the ECJ of July 16, 1998, C-210/96 [Gut Springenheide GmbH] para. 37; the decision of the BVwG of December 13, 2022, GZ: W214 2234934-1; Article 29-

Data Protection Working Party, Guidelines on consent under Regulation 2016/67, WP259

rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Art. 12 para. 11; Illibauer in Knyrim, DatKomm Art. 12 para. 39; with regard to the DSG 2000 also Jahnel, Handbook para. 7/22 with further references).

The standard for valid consent also requires that no unfair practices are used. The person concerned may therefore not be pressured either directly or subtly to give consent. It is therefore not permitted to design the "Reject" option in such a way (e.g. color differences, different contrast ratios or positioning) that it is less prominent in comparison to the "Accept" option (see the "FAQ on cookies and data protection", available at www.dsb.gv.at, in particular questions 7 and 8; see also the EDPB Report of the work undertaken by the Cookie Banner Taskforce, p. 6, available at https://edpb.europa.eu/our-work-tools/our-documents/report/report-work-undertaken-cookie-banner-

taskforce_en). Reference should also be made to Recital 75 of Regulation (EU) 2024/900, which states – in summary – that the decision of individuals when giving consent should not be influenced in such a way that their decision-making is distorted or impaired; although this regulation refers to political targeting, the considerations can generally be transferred to consent under data protection law, especially since the aforementioned Recital expressly refers to the GDPR. Based on this standard, the following can be noted for the website www.orf.at: - 19 – In the present case, a cookie banner is used as a request for consent for the use of cookies (and the associated processing of personal data). Specifically,

a dark blue button (hexadecimal color code #466199) with

“Accept all cookies” and two white buttons (hexadecimal color code #FFFFFF) with “Only

necessary cookies” and “Cookie preferences” are offered as options. The background of the cookie banner is

a very light shade of blue (hexadecimal color code #f0f1f4; see all of this

Fact finding C.6.).From the point of view of the data protection authority, however, the "Accept all cookies" button is more prominent, as its dark blue color makes it stand out much more clearly from the light blue background of the cookie banner than the other buttons with a white background. When requesting consent, the attention of data subjects is therefore primarily drawn to "Accept all cookies" due to the choice of color or contrast. This conclusion is also supported by factual finding C.6. Accordingly, the contrast of the "Accept all cookies" button to the background of the cookie banner is 5.42:1, and the contrast of the "Only necessary cookies" and "Cookie preferences" buttons to the background of the cookie banner is 1.13:1. However, as stated, ISO-9241–3 recommends a minimum contrast of 3:1. At https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on October 28, 2024) it says the following:

"A brightness contrast of 3:1 is the minimum recommended by ISO-9241-303 for easily legible text

with normal vision. A contrast of 4.5:1 is used to take into account the loss of contrast sensation resulting from moderately reduced visual acuity, color blindness or normal aging. The possibility of a personalized color setting must not result in the application no longer being easy to read in the normal view. This is because users with minor limitations usually want to use the normal view in order to be able to communicate more easily with other users. Users of black and white monitors and in environments with strong light also benefit from this success criterion." Taking all these considerations into account, it can therefore be stated that the cookie banner in question from www.orf.at (the request for consent) cannot be considered an unambiguous expression of intent within the meaning of Art. 4 Z 11 GDPR. In particular, it cannot be ruled out that data subjects selected the "Accept all cookies" option simply because they did not realize that other options were available due to the design. This result is also supported by the fact that the BG, as the party responsible for the validity of each consent, bears the burden of proof (cf. the judgment of the ECJ of July 4, 2023, C-252/21 para. 95). However, this burden of proof cannot be met with such a design of a request for consent or with such a color selection. - 20 –

In addition, such a misleading design does not comply with the principle of data processing

in good faith (“fairly processed”) pursuant to Art. 5 para. 1 lit. a GDPR nor with the principle of

privacy by design pursuant to Art. 25 para. 1 leg. cit. This

fact also speaks in favor of the interpretation of Art. 4 Z 11 in conjunction with Art. 7 GDPR advocated by the data protection authority.

The BG will therefore have to redesign the request for consent. The BG will either use the same color for all buttons or it will use colors so that the above-mentioned

recommendations of ISO-9241-303 regarding contrast are complied with.

On point 2 b)

D.9. On the use of cookies before interacting with the cookie banner

a) On the use of technically unnecessary cookies on the basis of the ORF-G

The use of cookies (and the associated processing of personal data), which

are not technically absolutely necessary for the use of a website, requires prior

consent (see the decision of the VwGH of October 31, 2023, VwGH Ro 2020/04/0024; see also

Art. 29-WP Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN p. 9 ff).

According to the case law of the Federal Administrative Court, Art. 5 Para. 3 of Directive 2002/58/EC as amended (in conjunction with

Section 165 Para. 3 TKG 2021) is also not to be interpreted in the sense of an “economic necessity”.

This means that, for example, advertising cookies for displaying personalized advertising are not "technically necessary" because displaying personalized advertising is necessary to finance the operation of the website (see the decision of the BVwG of March 12, 2019, GZ: W214 2223400-1).

To the extent that the BG refers to Sections 4e and 7 of the ORF-G with regard to data processing, it must be countered that the clear wording of Article 5, Paragraph 3 of Directive 2002/58/EC as amended (e-

Data Protection Directive) requires consent for technically unnecessary cookies, which (now) must comply with the requirements of the GDPR (see Article 94, Paragraph 2 of the GDPR).

In other words: the use of technically unnecessary cookies cannot be supported by a legal basis. It follows that the national implementation in Section 165 Para. 3

TKG 2021 - according to an interpretation in line with the directive - cannot be understood in any other way.

It should not be overlooked that the competence of the data protection authority is linked to the data processing

that is carried out after cookies are set or read (see point D.7.). - 21 -

However, the ECJ has already stated that in the interaction between Directive 2002/58/EC

as amended and the GDPR, lawful data processing within the meaning of the GDPR can only be assumed

if the requirements for lawful processing under Directive 2002/58/EC as amended are also met (see the ECJ judgment of June 17, 2021, C-597/19, para. 97 ff and

in particular para. 118 with further references).

As a preliminary question for the legality of data processing according to Art. 6 Para. 1 GDPR, it must therefore be checked whether there is valid consent within the meaning of Directive 2002/58/EC as amended. If this is denied, this will also result in unlawful data processing under the GDPR. b) Regarding the cookies that are set on www.orf.at before an interaction with the cookie banner As stated, the cookie "ioam2018" is used to determine statistical values, whereby the user behavior of people on www.orf.at is determined. The cookie "i00" is used to recognize users' end devices. If the cookie "i00" is suppressed, the ÖWA attempts to recognize the device by combining the IP address and browser name. The cookie "UserID1" is used to re-target the user with online advertising based on the interest shown on the website. The associated domain is adfarm1.addtion.com. The cookie “_autouserid2” is the first-party cookie equivalent to “UserID1” if third-party cookies are blocked.

Taking into account the considerations in point D.9. a), it should be noted that from a technical point of view, these cookies are not absolutely necessary to provide an information society service expressly requested by the subscriber or user. The purpose of the cookies is either to determine user behavior, to recognize users or their end devices, or to display advertising.

This conclusion of the data protection authority also corresponds to the opinion expressed in the literature, according to which the exception “provision of an expressly requested information society service” (as well as the associated wording “absolutely necessary”) contained in (now) Section 165 Para. 3 TKG 2021 is to be interpreted restrictively. (cf. Riesz in Riesz/Schilchegger
[ed.], TKG (2016) § 96 Rn 48).

It follows that these cookies may not be used before (valid) consent has been given. - 22 –

Addressee of the service contract and deadline

D.10. Result

As established, the BG is the operator of the website in question www.orf.at and decides

which cookies are placed on its website (and, associated with this, which

data processing is carried out; see statement of facts C.2.).

It follows that the BG is to be qualified as the data protection controller in accordance with Art. 4 Z 7 GDPR for the data processing in question, since it decides on the purposes and means of the data processing. The service contract therefore also had to be awarded to the BG.

From the point of view of the data protection authority, a period of six weeks is appropriate to adapt the website in question (including the cookie banner) accordingly.

The decision was therefore made in accordance with the ruling.

LEGAL REMEDIES

A written appeal against this decision can be lodged with the Federal Administrative Court within four weeks of delivery. The appeal must be lodged with the data protection authority

and must contain

- the name of the contested decision (reference number, subject)

- the name of the authority concerned,

- the reasons on which the claim of illegality is based,

- the request and

- the information required to assess whether the appeal was lodged in time.

The data protection authority has the option of amending its decision within two months either by

a preliminary decision on the appeal or by submitting the appeal with the files of the

proceedings to the Federal Administrative Court.

The appeal against this decision is subject to a fee. The fixed fee for a

corresponding submission including attachments is 30 euros. The fee must be paid into the account of the Austrian tax office, stating the

purpose of payment.

The fee must always be transferred electronically using the “tax office payment” function. The Austrian tax office - Special Competences Department must be specified or

selected as the

recipient (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Furthermore, the