Datatilsynet (Denmark) - 2021-41-0149
Datatilsynet - 2021-41-0149 | |
---|---|
Authority: | Datatilsynet (Denmark) |
Jurisdiction: | Denmark |
Relevant Law: | Article 4(11) GDPR Article 5(1)(a) GDPR Article 6(1)(a) GDPR |
Type: | Investigation |
Outcome: | Violation Found |
Started: | |
Decided: | 27.10.2022 |
Published: | 09.11.2022 |
Fine: | n/a |
Parties: | JP/Politikens Hus A/S |
National Case Number/Name: | 2021-41-0149 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Danish |
Original Source: | Datatilsynet (in DA) |
Initial Contributor: | Vadym Kublik |
The Danish DPA reprimanded a controller for a cookie banner that did not comply with Articles 6 and 4(11) GDPR as the consent was not informed and because the controller used colours and designs to influence the user's choice in violation of Article 5(1)(a) GDPR.
English Summary
Facts
JP/Politikens Hus A/S (controller) is an operator of the news website, www.eb.dk. In 2021, the Danish DPA conducted an inspection into how the controller processed personal data of visitors on its website. During the check, the website had a cookie consent solution allowing the visitors to click on three different boxes: "Only necessary" (in a red box), "Customise settings" (in a grey box) and "Accept all" (in a green box).
From the "first layer" of the consent solution, it appeared that the controller processed personal data for statistical and marketing purposes. In the "second layer", which the visitor could access by clicking on "Customise settings", the visitor could select the processing for preferences, statistics and marketing.
Holding
The DPA held that visitors of the controller's website did not give informed consent, as visitors who clicked on "Accept all" did not receive information about all processing purposes. Namely, information about the preferential purpose only appeared from the "second layer". As a result, the consent did not meet the requirements of Article 4(11) GDPR, and thus the controller could not rely on Article 6(1)(a) GDPR as a legal basis for the processing.
Furthermore, the DPA also held that using a traffic light-like colour and design scheme in the consent solution constitutes a form of "guiding" (nudging). Therefore, as it interferes with the user's ability to make an informed choice, it is incompatible with the principles of lawfulness, fairness, and transparency of Article 5(1)(a) GDPR. Consequently, the DPA reprimanded the controller for the identified violations.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.
Serious criticism of JP/Politik's consent solution at www.eb.dk Date: 27-10-2022 Decision Private companies Serious criticism Supervision / self-operating case Clarification of data responsibility Basis of processing Cookies / processing of personal data about website visitors GDPR's scope of application Basic principles The Danish Data Protection Authority expresses serious criticism of JP/Politik's consent solution, which JP/Politik used on www.eb.dk. The inspectorate found, among other things, that the consent solution did not comply with the rules, as the consent of visitors to the page was not sufficiently informed. Journal number: 2021-41-0149 Summary In 2021, the Norwegian Data Protection Authority had a special focus on, among other things, processing of personal data about website visitors. Against this background, the Data Protection Authority initiated a written inspection with, among other things, JP/Politiken A/S' processing of personal data about visitors to www.eb.dk. JP/Politiken used a consent solution that gave visitors three options (Only necessary, Customize Settings and Accept all). From the "first layer" of the consent solution, it appeared that JP/Politiken processed personal data for statistical and marketing purposes. In the "second layer" of the consent solution, which the visitor could access by clicking Customize Settings, the visitor could select the processing purposes preferences, statistics and marketing. The Danish Data Protection Authority assessed that visitors to www.eb.dk did not give informed consent, as visitors who clicked on Accept all did not receive information about all processing purposes - as information about the preferential purpose only appeared from the "second layer". With the decision, the supervisory authority determined that there are large degrees of freedom for the use of color choices and design elements, as long as the design does not "push" the user towards choices that lead to illegal scenarios or undermine the rights of the data subject. In the specific case where the option Accept all led to a defective consent, the supervisory authority found that it contradicted the principle of legality, fairness and transparency. Based on the above, the Danish Data Protection Authority expressed serious criticism of JP/Politik's processing of information about website visitors. The interaction of the data protection rules with the cookie decree In addition to the consent solution itself, the Danish Data Protection Authority also generally dealt with the interaction of the data protection rules with the cookie order (order no. 1148 of 9 December 2011), which falls under the Danish Business Authority's area. In this context, the Danish Data Protection Authority noted that the processing of personal data, which is carried out on the basis of the exception rule on Necessary cookies in the cookie order - in the Danish Data Protection Authority's opinion - falls outside the authority's competence. The Danish Data Protection Authority, which considers itself competent for any further processing of the personal data in question, noted in this connection that the Danish Data Protection Authority hardly sees any scope for data controllers to further process personal data, which is processed on the basis of the exception rule on Necessary cookies, for other purposes, than the leeway intended in relation to Necessary cookies. Situations with shared data responsibility As far as joint data responsibility is concerned, the Danish Data Protection Authority noted that such cooperation must be regulated by a scheme that determines the respective responsibilities of the individual parties in relation to the data protection rules, and that the scheme must be clearly communicated to the data subject. In addition, the Danish Data Protection Authority pointed out that, in future, the Danish Data Protection Authority will have a greater focus on situations where there is joint data responsibility. Decision JP/Politikkens Hus A/S (hereafter 'JP') was among the companies that the Data Protection Authority supervised in the second half of 2021. The inspection was a written inspection which focused on JP's processing of personal data about website visitors via the website www.eb.dk. During the processing of the case, JP changed the consent solution that appeared on www.eb.dk, and on the basis of which the supervisory authority initiated the supervision. The Danish Data Protection Authority has therefore decided to limit the supervisory investigation, so that the present decision only concerns JP's previous consent solution, and the supervisory authority has therefore not dealt with the legality of JP's new consent solution on www.eb.dk. 1. The Danish Data Protection Authority's decision After a review of the case, the Danish Data Protection Authority seriously criticizes that JP's processing of personal data on the website www.eb.dk has not taken place in accordance with Article 6 of the Data Protection Regulation, cf. Article 4, No. 11, and Article 5, subsection 1, letter a. Below follows a closer review of the case and a rationale for the Data Protection Authority's decision. 2. The circumstances of the case 2.1. JP had implemented a consent solution at www.eb.dk at the time of the Data Protection Authority's initiation of the present supervisory case. The following emerged from the solution: "It's your choice We collect and use data in order to deliver and finance up-to-date journalistic content for you. We and our partners want to use cookies and personal data about IP, ID and browser information for statistics and marketing purposes. That is, we store and/or access information on your device to display customized ads and ad measurement, customized content, content measurement, audience insights, and product development. In addition, precise geolocation information and active scanning of device characteristics are used for identification. Under "Customize settings" you can choose who and for what purposes cookies may be set and personal data processed. See also our personal data policy. You can always withdraw your consent and correct settings by clicking on "Manage consent" on the pages. The consent solution allowed the visitors to click on three different boxes "Only necessary" (in a red box), "Customize Settings" (in a gray box) and "Accept all" (in a green box). If the visitor clicked on "Customize settings", the visitor was redirected to a "second layer" of the consent solution. On the "second layer" of the consent solution, the visitor had the opportunity to select and/or deselect the individual purposes. By letter of 29 November 2021, the Danish Data Protection Authority notified the supervisory authority of JP's website www.eb.dk and in that connection requested JP for an opinion on the matter. On 5 January 2022, Plesner Advokatpartnerselskab (hereinafter 'Plesner') submitted a statement on the matter on behalf of JP. On 1 February 2022, the Danish Data Protection Authority requested a supplementary opinion, which Plesner forwarded on 22 February 2022. 2.2. JP's remarks Plesner has stated on behalf of JP that JP is responsible for processing personal data about website visitors that takes place on the basis of cookies that JP itself places. JP processes information for various purposes, such as to use the website's functionality, determine the visitors' preferences, statistics and marketing. The information processed for the functionality of the website is cookie ID, device information (information about operating system, device, browser, language) and IP address. The information that is processed for the other purposes is cookie ID, device information, IP address, information on technical choices/settings and behavioral data. Processing of personal data for use in the functionality of the website takes place only through the use of "necessary cookies" and in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter f. Processing of personal data for the other purposes – preferences, statistics and marketing – takes place in accordance with the regulation's article 6, subsection 1, letter a. It is overall JP's assessment that the consent solution, which was previously published by www.eb.dk, met the conditions of the data protection regulation, article 4, no. 11, and article 7, as the consent was voluntary, specific, informed and an expression of an unequivocal expression of will . In relation to the requirement for voluntariness (including granularity), JP has stated that the visitors – in accordance with, among other things The Danish Data Protection Authority's guidance on the processing of personal data about website visitors - an option was offered to give a differentiated consent, as visitors in the first layer of the consent were presented with the options "Only necessary", "Adjust settings" and "Accept all". In JP's view, it is irrelevant that visitors who clicked on "Customize settings" were directed to an additional layer of the consent solution, since visitors were presented with the option on the first layer of the consent solution, and since visitors had the option to opt in or out of the various purpose on the consent solution's second layer. JP also notes that neither the Data Protection Authority's nor the EDPB's guidelines describe how or when visitors must be given the opportunity to give differentiated consent, while the Irish Data Protection Authority's guidance opens up the possibility for website visitors to either accept or reject a website's processing of information can occur in the "second layer" of a consent solution. In addition to this, JP has stated that the question of whether visitors have the opportunity to give a differentiated consent is connected to the question of transparency, and that data controllers must make use of the most appropriate way of providing the information. JP has referred to the Article 29 Group's guidance on transparency[1], where it e.g. it is stated that data controllers must have the opportunity to test different modules with a view to arriving at which solution most appropriately provides registered information about the data processing. It is therefore JP's assessment that JP's previous consent solution gave registered users the opportunity to give a differentiated consent as stipulated in the supervision's own guidance. In addition, it was possible for data subjects to refrain from giving consent and to withdraw consent via the settings on www.eb.dk. JP was also able to demonstrate the validity of the consent. Overall, it is therefore JP's opinion that the consent that JP collected by using the previous consent solution from visitors to www.eb.dk was in accordance with Article 4, No. 11, and Article 7 of the Data Protection Regulation. In support of the above, JP has investigated whether there is a measurable difference in the consent rates for JP's old and new consent solution, respectively. The study was carried out to clarify whether it makes a difference that registered users can adapt purposes in the "first layer" or in the "second layer". The study showed that JP's old consent solution resulted in more "adapted" consents than the current consent solution. In relation to the processing of personal data about website visitors, JP has according to the data protection regulation article 6, subsection 1, letter f, states that JP has a legitimate interest in processing information about cookie ID, device information and IP address for use in the functionality of the website in order to deliver a website that works. In this connection, JP has emphasized that the personal data that is collected and processed in this connection does not require consent according to the cookie decree. In JP's opinion, this is a limited amount of information, and the information is necessary for JP to pursue the legitimate interest. The processing in question is also initiated by the data subject's own visit to www.eb.dk. JP has also stated that JP's legitimate interest exceeds the interests, fundamental rights and freedoms of the data subject, as there is no intrusive and/or extensive processing of personal data, and since the placement of the cookies with which the data is processed does not presupposes consent according to the rules of the cookie executive order. JP notes that the processing otherwise does not entail negative consequences for data subjects, and that it is therefore JP's assessment that the processing of personal data for functional purposes can take place within the framework of Article 6, paragraph 1 of the Data Protection Regulation. 1, letter f. JP has stated that JP is the joint data controller when third-party cookies are placed. However, JP's responsibility consists solely of passing on information about the third parties' collection and further processing, and JP is therefore not responsible for the third parties' processing in general, including whether the third parties have a valid basis for processing. In this connection, JP has explained that JP's website is set up in such a way that collection of personal data on the basis of cookies set by third parties takes place directly to the third party's server - i.e. directly from the visitor's equipment to the third party's server. JP therefore does not pass on personal data to third parties. In conclusion, JP has noted that the decision to change the consent solution at www.eb.dk was not due to concerns about the validity of the previous consent solution. 3. The Danish Data Protection Authority's assessment 3.1. Of the data protection regulation, article 6, subsection 1, letter a, it follows that the processing of personal data is lawful if the data subject has given consent to the processing of his personal data for one or more specific purposes. A consent from the data subject is defined in Article 4, No. 11 of the Data Protection Regulation as: "Any voluntary, specific, informed and unequivocal expression of will whereby the data subject, by declaration or clear confirmation, consents to the processing of personal data concerning the person concerned for treatment.” In order to be voluntary, consent must give data subjects a free choice and control over personal data about themselves. A consent is not considered voluntary if the data subject does not have a real or free choice, and any form of inappropriate pressure on or influence on the data subject's free will will result in the consent being invalid. In addition, consent cannot be considered voluntary if the procedure for obtaining consent does not give data subjects the opportunity to give separate consent for different processing purposes, thereby forcing data subjects to consent to several and/or all purposes, which - in addition to the defining content of the data protection regulation article 4, no. 11, also appears from article 7, subsection 4. A valid consent must therefore be granulated.[2] A valid consent also requires that it be specific. It must therefore not be designed in a general way and/or without a precise indication of the purposes for which personal data is processed, as well as which personal data is processed. The specification requirement must be seen in the context of the principle of purpose limitation, cf. Article 5, paragraph 1, letter b of the data protection regulation, which means that personal data must always be collected for explicitly stated and legitimate purposes, as well as that the data must not be further processed in a way that is incompatible with these purposes. Consent must also be informed, which means that data subjects must be aware of what consent is given to. Data subjects must therefore have, as a minimum, information about the identity of the data controller, the purpose of the processing, which information is processed, and the right to withdraw consent. 3.2. The Danish Data Protection Authority assumes – in accordance with what JP explained – that personal data is processed for preferential, statistical and marketing purposes on the basis of the data subject's consent. It appears from the text of the "first layer" in the forwarded copy of the consent solution that information is collected for "statistics and marketing purposes". It also appears that registered users have 3 possible choices, "Only necessary" in a red field, "Customize settings" in a gray field and "Accept all" in a green field. The Danish Data Protection Authority - according to JP's own information on this - assumes that the purpose of preferences could only be seen by using "Adjust settings", thereby accessing an additional layer of the consent solution. JP has stated that 72-75% of those who visited the website chose the "Accept all" button. It is the opinion of the Danish Data Protection Authority that the website visitors who, on the basis of the text in the "first layer" selected the "Accept all" button, have not been adequately informed that this also included processing for the purpose of preferences, because the information about this does not appear in the consent solution first layer. Since all requirements in the regulation's article 4, no. 11 have not been met, and since there is therefore no valid consent, this cannot form a basis for processing personal data in accordance with the data protection regulation's article 6, subsection 1, letter a. In this connection, it is irrelevant that data subjects could find information about the preferred purpose if they clicked "Customize Settings" or accessed the personal data policy, since information about the processing purpose in question - in the frequently occurring interaction "Accept all" in the "first layer" of the consent solution - would not be presented to the data subjects. The Danish Data Protection Authority finds – in view of JP's comments on this – reason to note that, in the Danish Data Protection Authority's view, it does not – in itself – contravene the requirement for voluntariness, including the requirement for granularity, to use a solution whereby data subjects on the "first layer" of the consent solution ” is presented for “Customize Settings”, while registered users on the “second layer” exercise the choice between the various purposes. The use of such a solution, however, requires that data subjects in connection with the choices that can be exercised receive information on how they can opt in and/or opt out of the individual purposes, and that the layer used in the consent solution otherwise does not affect or make it difficult the choice between the different purposes. However, the options to accept or reject all purposes must – as stated in the Danish Data Protection Authority's case with j. no. 2018-32-0357 - always appear from the same "layer". 3.3. The Danish Data Protection Authority is of the opinion that the use of colors when choosing response buttons – depending on the circumstances – can influence visitors to make certain choices. In particular, the authority is of the opinion that the use of a traffic light-like system can constitute a form of "guiding" (nudging) that is not compatible with the principle in Article 5, paragraph 1 of the Data Protection Regulation. 1, letter a. The Danish Data Protection Authority generally allows considerable design freedom in layout and content, as long as this does not lead to opacity or unreasonable processing situations. It appears from the consent solution at the time that the three options were specified; "Only necessary" in a red field, "Customize settings" in a gray field and "Accept all" in a green field. As the selection of the button, which was designed with the green color as stated above – in the opinion of the Danish Data Protection Authority – means that the possibilities of the data subject to exercise an informed choice can be bypassed, it is the opinion of the Danish Data Protection Authority that the choice of color and design scheme under these conditions constitute a violation of the Data Protection Regulation, Article 5, subsection 1, letter a. For the detected violations of Article 6 of the Data Protection Regulation, cf. Article 4, No. 11, and Article 5, subsection 1, letter a, the Danish Data Protection Authority expresses serious criticism of JP's processing of personal data on the website www.eb.dk. 3.4. The Danish Data Protection Authority's view is that the processing that only takes place in accordance with Section 4 of Executive Order No. 1148 of 9 December 2011 falls outside the Danish Data Protection Authority's immediate area of competence. However, any further processing of personal data that may be stored on an end user's terminal equipment falls under the competence of the Danish Data Protection Authority. The Danish Data Protection Authority must draw attention to the fact that the Danish Data Protection Authority - only with difficulty - sees room for maneuver for a data controller to further process personal data that is stored on the data subject's terminal equipment in accordance with § 4 of the Executive Order, according to the provision in Article 6, subsection of the Data Protection Regulation. 1, letter f. This is because section 4, subsection 2, defines when the processing is required, and § 4, subsection 1, when in these situations it is possible to carry out the two forms of processing (storage and access to stored information on the end-user's terminal equipment) without consent, cf. section 3 of the executive order. The Danish Data Protection Authority assumes that JP only processes the personal data collected through the use of so-called "necessary cookies" as a technical prerequisite to be able to deliver the service that visitors have expressly requested, and that the information is not processed further beyond this . On this basis, the Danish Data Protection Authority finds that the processing only falls within § 4 of executive order 1148 of 9 December 2011. The supervisory authority has not assessed these treatments further. 3.5. It follows from Article 26 of the Data Protection Regulation that if two or more data controllers jointly determine the purposes and means of processing, they are joint data controllers. Where joint data responsibility exists, the parties involved must transparently establish their respective responsibilities for compliance with the obligations under the Data Protection Regulation by means of an arrangement between them. Such an arrangement must properly reflect the joint data controllers' respective roles and relationship with the data subjects. The most important content of the scheme must also be made available to those registered.[3] JP has stated that JP is the joint data controller when third-party cookies are placed on the website visitor's device via www.eb.dk. JP's responsibility consists solely of passing on information about the collection and further processing of personal data by third parties. In this decision, the Danish Data Protection Authority has not dealt with JP's joint data responsibility with others. The supervisory authority would like to emphasize that these constructions presuppose considerable communicated clarity to the data subjects, and that JP, in accordance with Article 26 of the regulation, has entered into an arrangement with the partners who place third-party cookies, so that the parties' respective responsibilities for compliance with the obligations under the data protection regulation are agreed, and that the most important parts of the agreement are otherwise – in a transparent manner – made available to registered users who visit www.eb.dk. The Danish Data Protection Authority must point out that, in future, the Danish Data Protection Authority expects to carry out an in-depth examination of situations where there is joint data responsibility. [1] Article 29 Data Protection Working Party, Guidelines on transparency under Regulation 2016/679, April 2018 [2] This also follows from the EDPB guidance on consent, version 1.1., adopted on 4 May 2020. [3] See also the decision of the European Court of Justice of 29 July 2019, Fashion ID GmbH & Co. KG v Verbraucherzentrale NRW eV, paragraphs 67-85.