
Rb. Amsterdam - C/13/761516 / KG ZA 24-1034

From GDPRhub
Revision as of 16:29, 17 February 2025 by Elu
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(b) GDPR; Article 5(1)(c) GDPR; Article 55 Brussels I; Article 611(a)(3) Wetboek van Burgerlijke Rechtsvordering
Decided: 05.02.2025
Published:
Parties: LinkedIn; Microsoft Corporation; Xandr; Microsoft IE
National Case Number/Name: C/13/761516 / KG ZA 24-1034
European Case Law Identifier: ECLI:NL:RBAMS:2025:700
Appeal from:
Appeal to: Unknown
Original Language(s): Dutch
Original Source: Rechtbank Amsterdam (in Dutch)
Initial Contributor: elu

The court confirmed that LinkedIn IE, Microsoft IE, Microsoft Corporation, and Xandr Inc violated an injunction by unlawfully placing cookies on a data subject's devices. Xandr and Microsoft Corporation were not fined due to delays in the judgment.

English Summary

Facts

LinkedIn IE, Microsoft IE, Microsoft Corporation and Xandr Inc, the controllers, appealed against a claim of a data subject.

The claim arose from a judgment of 7 June 2024, in which the judge in the preliminary proceedings ordered the controllers to cease and desist from placing cookies on the data subject’s computer or devices. This judgment imposed a fine of €500 per violation of the injunction on each controller. In case of non-compliance with the cease and desist order, the controllers would be subject to a payment of €1,000 for each day of the violation, up to a maximum of €25,000.

The data subject tasked an expert with investigating whether the controllers were effectively complying with the judgment. On 15 January 2025, this expert issued a report in which he stated that on 22 July 2024 and 1 August 2024, the controllers were placing cookies on the data subject’s computer without his consent.

Consequently, the data subject on 17 October 2025 served a notice of forfeiture of €25,000 on each of the controllers for violating the injunction to cease and desist from placing cookies on the data subject’s computer.

Holding

Preliminary remarks

Concerning the jurisdiction applicable to the case at hand and the competence of the court, the Court acknowledged that the controllers are not domiciled in the Netherlands. However, they can be tried by the Dutch court: LinkedIn IE and Microsoft IE under Article 7(2) Brussels I, and Microsoft Corporation and Xandr Inc under Article 6 Brussels I. As per Article 4 Rome II, Dutch law is applicable to the case at hand.

First, the Court addressed the question of whether, and if so when, the judgment was served. A penalty payment cannot be forfeited before the judgment establishing it has been served on the condemned person (Article 611(a)(3) Dutch Code of Civil Procedure, the Wetboek van Burgerlijke Rechtsvordering).

The Court considered that the judgment had not been served on Xandr by 22 July or 1 August 2024. Therefore, Xandr could not have forfeited penalties. The same reasoning applied to Microsoft Corporation.

The judgment was served on LinkedIn IE and Microsoft IE on 19 July 2024, on Microsoft Corporation on 14 August 2024, and on Xandr (finally, after previous unsuccessful attempts) on 26 September 2024. Therefore, the data subject found that cookies were in place on their computer before the judgment was served on Xandr and Microsoft Corporation. The Court found that Xandr and Microsoft Corporation did not fail to comply with the injunction and did not forfeit periodic payments. Accordingly, the payment injunctions were lifted.

Second, the Court addressed whether Article 55 Brussels I precludes enforcement of the judgment against LinkedIn IE and Microsoft IE. The Court found that, as per Article 55 Brussels I, judgments delivered in a Member State with an order to pay a periodic penalty payment are enforceable in the Member State in which enforcement is sought only when the amount has been finally determined by the court of origin.

However, the data subject is not yet enforcing the judgment in Ireland. This article is thus inapplicable and the Dutch Court is competent to determine the enforcement of the preliminary judgment.

On the Merits

The Court found that the controllers could reasonably expect that the injunction covered not only the cookies explicitly mentioned in the decision.

Moreover, the Court did not find that the controllers took the necessary steps to prevent cookies from being read or placed without the data subject’s consent, even if no explanation has been given as to when and how that happened.

Three major causes of concern were raised by the Court:

1. Cookies are placed on third party websites

The Court found that the purposes claimed by the controllers are inconsistent with the cookies set. More specifically, the cookies set are entirely unrelated to LinkedIn. The Court considered that the plausible purposes of such cookies are profiling and advertising.

Thus, the use of these cookies on third-party sites cannot be regarded as lawful, as they do not have a purpose directly related to the operation or functionality of the specific website.

2. Cookies have unnecessarily long expiration dates

The Court considered that all cookies in question have expiration periods of 12 and 6 months, which the Court deems excessive. The Court considers that 30 days would be a sufficient term to recognise returning users and store consent preferences, and that these cookies could be reset each time these users visit LinkedIn, so that no long-lasting identifiers are required.

Thus, the extended lifespans of those cookies are neither necessary nor proportionate, and the controllers therefore violated Article 5(1)(b) GDPR and Article 5(1)(c) GDPR.

3. Cookies are read and set through network calls to LinkedIn’s ad server

The Court highlighted that the cookies in question were set through network calls to the controllers’ advertising server. In this context, the Court had no doubt that the injunction ordered by the preliminary injunction court was violated.

Fine refining

The Court levied the injunction against Xandr and Microsoft Corporation, and ordered the data subject to cease and desist the enforcement of penalties allegedly forfeited by Xandr and Microsoft Corporation for violations of the judgment on July 22, 2024 and August 1, 2024.

The Court ordered LinkedIn and MIOL to pay the costs of the proceedings, estimated to date at €1,616.00, to be increased for attorney's fees and the costs of serving the judgment, and declared this judgment enforceable to this extent.


The court confirmed that LinkedIn IE, Microsoft IE, Microsoft Corporation, and Xandr Inc violated an injunction by placing cookies on a data subject's devices without consent, and imposed penalties. However, Xandr and Microsoft Corporation were not liable for fines due to delays in receiving the judgment, while LinkedIn IE and Microsoft IE were ordered to pay the costs of the proceedings.


English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.