Digitaliseringsstyrelsen - Decision against Google of 30 October 2023

From GDPRhub
Revision as of 17:05, 21 November 2023 by Ar (talk | contribs)
Digitaliseringsstyrelsen - Decision against Google of 30 October 2023
Courts logo1.png
Court: Digitaliseringsstyrelsen (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR
Article 2(8) Cookiebekendtgørelsens
Article 3 Cookiebekendtgørelsens
Decided: 30.10.2023
Published:
Parties: Google LLC
National Case Number/Name: Decision against Google of 30 October 2023
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Danish
Original Source: Digitaliseringsstyrelsen (in Danish)
Initial Contributor: ar

The Danish Agency for Digitalization ordered Google to adapt its cookie banner and the information provided in its cookie policy, as well as to make the information always accessible, so that they comply with the national law on cookies.

English Summary

Facts

On 1 and 16 September 2022, the Danish Business Authority sent consultation letters to Google LLC regarding the use of cookies on their website, based on how the solution looked at that time.

The Danish Business Authority pointed out that the website did not allow users to give granular consent. The text on the first layer of the cookie banner stated that by selecting "accept all", users agreed that Google could use cookies to process their data for four purposes. Users would also be given the option of dividing their consent under "More choices" on the second layer of the cookie banner. However, users were only given the option to split their consent over two purposes, different to the ones in the first layer. Secondly, the Danish Business Authority found that Google did not provide users with adequate information about all cookies used on the website. It also pointed out that the information was not considered to be permanently available through direct and marked access on the website, as it was difficult for users to retrieve information when clicking away the cookie banner.

On 13 September and 6 October 2022, Google Denmark ApS, Google LLC and Google Ireland Limited submitted comments to the letters. They argued that Google Ireland Limited was the rightful data subject under the rules of the ePrivacy Directive and the Cookie Order, not Google LLC. Thus, it contested the Danish Business Authority’s territorial competence to supervise Google Ireland Limited. In addition, they stated that the subject of the Cookie Order is limited to the website operator: Google Ireland Limited. Thus, Google argued that the use of cookies on the website was only covered by the Irish implementation of the e-Privacy Directive, subject to the supervision of the Irish DPA.

Until 15 December 2022, the Danish Business Authority was responsible for supervising compliance with the Cookie Order. Due to the reorganization, the supervision of compliance with these rules was transferred to the Danish Agency for Digitization (the Agency), the authority issuing the decision.

Holding

Firstly, the Agency confirmed that the website owner is the subject of the obligation regarding the use of cookies under the Cookie Order since it has final control over the content of the website. Meaning that Google LLC, as the website owner, was subject to its requirements. Henceforth, on the territorial scope, the Agency, citing the EDPB Internal Document 04/2021, reiterated that a supervisory authority is competent to handle a case when the controller or processor is established in that Member State and when the processing of personal data is carried out as part of the establishment's activities. Hence, the Agency affirmed to have territorial jurisdiction given that Google Denmark ApS, a subsidiary of Google LLC, has its registered office in Copenhagen. Furthermore, because the placing of cookies on users’ terminal equipment was part of the activities carried out by Google Denmark ApS in the Danish market on behalf of Google LLC.

Secondly, on the Cookie banner, the Agency assessed that the four purposes described in the first layer of the cookie banner were not sufficiently similar to be grouped under the two overall purposes of the second layer. Since users should give separate consent for each general purpose under Articles 2(8) and 3(1) of the Cookie Law , the condition for voluntary and specific consent (as also described in Article 4(11) GDPR) was not met. In connection with this, the Agency acknowledged that the website allowed users to withdraw their consent. However, it was not immediately accessible and unclear how consent could be withdrawn, breaching Articles 3(2), (4) and (5) of the Cookie Law. Hence, the Agency ordered Google LLC to change the consent solution and provide users with immediate access to withdraw their consent to cookies.

Thirdly, the Agency assessed that users did not have access to a cookie policy with clear, precise and easily understandable language under Article 3(1) and (2) of the Cookie Law. This was because the information was given as examples, and the adequate explanation was only given in English, while the recipient group primarily spoke Danish. Additionally, the Agency found that the required information was not permanently available through direct and clearly marked access on the website, contrary to Articles 3(1), (2) and (5) of the Cookie Law. The Agency recognized this had been changed and now required fewer clicks for users to access the information. However, it still believed it was not easy for users to reach it. Therefore, the Agency required Google LLC to provide all the information in clear, precise and easily understandable language and for the information to be made always accessible.

In conclusion, the Agency ordered Google LLC to comply with the above requirements no later than 27 November 2023 and by the same date at the latest to explain how it has complied with the orders.

Comment

The rules on the use of cookies can be found in the Danish Telecommunications Act, and the more detailed requirements for consent solutions regarding the use of cookies are laid down in the Danish Cookie Law. These two provisions originate from the implementation of the ePrivacy Directive and specify and supplement the GDPR.

It should also be noted that the Danish Agency for Digitization only supervises the rules in the Cookie Law. That explains why the Agency has not taken a position on the processing of the personal data collected via cookies and similar technologies on the website under the GDPR.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

File history
Click on a date/time to view the file as it appeared at that time.
Date/TimeDimensionsUserComment
current17:02, 21 November 2023 (514 KB)Ar (talk | contribs)
You cannot overwrite this file.File usage
There are no pages that use this file.