Rb. Amsterdam - C/13/747646 / KG ZA 24-191
Rb. Amsterdam - C/13/747646 / KG ZA 24-191 | |
---|---|
Court: | Rb. Amsterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 5(1)(a) GDPR Article 6(1) GDPR |
Decided: | 22.04.2024 |
Published: | 01.07.2024 |
Parties: | Criteo |
National Case Number/Name: | C/13/747646 / KG ZA 24-191 |
European Case Law Identifier: | ECLI:NL:RBAMS:2024:3095 |
Appeal from: | |
Appeal to: | |
Original Language(s): | Dutch |
Original Source: | Rechtspraak.nl (in Dutch) |
Initial Contributor: | ec |
A court imposed a new penalty of €500 per day against Criteo until stops placing tracking cookies on the data subject’s devices. The court held that the fact that the controller can only comply with the prohibition by not placing tracking cookies at all, does not relieve the controller from its obligation to comply.
English Summary
Facts
The controller is Criteo SA, a global technology company operating in media and entertainment that does consultancy, provides software and services in relation to digital marketing, media advertising and real time ads bidding. The controller places tracking cookies for targeted advertising on computers and mobile devices of users visiting certain third party websites. The controller uses the Real Time Bidding (RTB) System to recognise a user within seconds and to show personalised ads.
On 15 June 2023 the French DPA ("CNIL") fined the controller €40 million for violating the GDPR.
On 8 August 2023, the data subject wrote to the controller that the placing of tracking cookies on the data subject’s devices without the data subject’s consent, violates Article 11.7a(1) Dutch telecommunications law (“Telecommunicatiewet – TW”) and Articles 5(1)(a), 6(1), 7, 13 and 14 GDPR.
The controller responded that it is the responsibility of the third party websites to obtain consent.
The data subject filed an urgency procedure (“kort geding”) at the Amsterdam District Court (“Rechtbank Amsterdam”) against the controller and the Dutch company Criteo B.V.
The court prohibited the controller from placing tracking cookies on the devices of the data subject and imposed a penalty of €250 for every day they fail to comply with the decision (with a maximum of €25.000).
The controller appealed this decision on 30 October 2023. The Court of Amsterdam (“Gerechtshof Amsterdam”) held that the Dutch company Criteo B.V. was not a controller. However, it did find that tracking cookies were placed and that the data subject’s personal data was processed in violation of the GDPR. The court therefore prohibited the controller Criteo SA from placing tracking cookies and upheld the imposed penalty of the District Court after service of the judgement.
In January 2024, the controller voluntarily complied with the penalty of €25.000 before the judgement was handed down.
On 17 April 2024, the controller initiated proceedings on the merits at the Amsterdam District Court, because it disagreed with the judgement in the urgency procedure.
The controller argued that it did not place the cookies themselves, but that they were placed by third party websites. The controller argued that it did not have factual control or power over the way these websites design their websites and how they ask for consent. They can only contractually obligate these websites to obtain consent. If it appears these third party websites do not obtain consent, the controller can give a written warning. The controller also argued it is factually impossible to comply with the prohibition of the court as it cannot single out the devices of the data subject to stop placing tracking cookies.
As the unlawful processing continued, the data subject requested the court to impose a penalty of €1.500 per violation or €5.000 per day the controller continues to place tracking cookies. By complying with the maximum amount of the penalty, the data subject argued that it appears that the business model of the controller is that lucrative that the imposed penalty is an insufficient financial incentive to stop the unlawful processing. Also the fine of 40 million by the French DPA did not change the behaviour of the controller.
Holding
The court held that the controller already complied with the maximum penalty but paying the the penalty does not release the controller from the duty to comply with the prohibition.
The court further held that it is the responsibility of the controller to check whether it complies with the prohibition to place tracking cookies on the data subject's devices. Although the controller made steps in the right direction by writing warnings and ending contracts with websites that did not comply, the prohibition is still not complied with.
By paying the maximum penalty, the court held that the controller also knew it was not complying with the imposed prohibition. Therefore, the imposed penalty is an insufficient financial incentive to comply with the judgement and there are sufficient arguments to impose a new and higher penalty.
The court also dismissed the argument of the controller that it cannot prevent that tracking cookies are placed on the devices of the data subject and can only comply with the prohibition by not placing tracking cookies at all irrespective of the device. The court held that this argument cannot relieve the controller from its obligation to comply with the judgement.
Thus, the court imposed an additional penalty of €500 per day (with a maximum of €50.000) against the controller until it complies with the prohibition of placing tracking cookies on the data subject's devices.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.