APD/GBA (Belgium) - 103/2022: Difference between revisions

Revision as of 14:29, 20 June 2022

APD/GBA - DOS-2020-02998

Authority:	APD/GBA (Belgium)
Jurisdiction:	Belgium
Relevant Law:	Article 4(11) GDPR Article 6(1)(a) GDPR Article 7(1) GDPR Article 7(3) GDPR Article 12(1) GDPR Article 13 GDPR Article 14 GDPR
Type:	Investigation
Outcome:	Violation Found
Started:	16.01.2019
Decided:
Published:	17.06.2022
Fine:	50.000 EUR
Parties:	Rossel Group (sudinfo) Rossel Group (le soir) Rossel & Cie
National Case Number/Name:	DOS-2020-02998
European Case Law Identifier:	n/a
Appeal:	Not appealed
Original Language(s):	French
Original Source:	ADP/GBA (in FR)
Initial Contributor:	Elsje Gold

The Belgian DPA fined a large media company (Rossel & Cie) €50.000 for violations regarding its cookie-policy, mainly for the placement of not strictly necessary cookies without obtaining prior consent.

English Summary

Facts

On 16 January 2019, the Executive-committee of the Belgian DPA (GBA) started an investigation on the placement of cookies on Belgian media websites. The controller is Rossel & Cie, the owner of the websites of Le Soir, Sudinfo and Sudpresse éditions digitales. The investigation revealed the following potential violations.

First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute this. However, it argues that the method used for the investigation was not reliable to establish a violation. Furthermore, that the statistical cookies placed do not require prior consent. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities.

Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues scrolling on the website. The controller argues that this is 'active behaviour' that meets the 'active consent' requirement of "Planet 49".

Third, pre-ticked boxes to grant consent for third-party-cookies.

Forth, an incomplete and poorly accessible cookie policy.

Sixth, unjustified retention periods for the storage of cookies.

Lastly, revoking consent was impossible.

Holding

The DPA held that the controller violated [[Article 6 GDPR#1a|Article 6(1)(a)]] by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies.

Regarding the qualification of 'further browsing' as consent, the DPA stated that this can be seen as active behaviour as referred to in "Planet 49" in specific situations. However the act of simply scrolling, is not. A computer action (e.g. a mouse-click) could change this. The DPA further noted that it also lacked the requirement for consent to be specific. The DPA therefore held that the controller violated Article 6(1)(a) (jo Article 4(11) and Article 7(1)).

Regarding the pre-ticked boxes for third-party cookies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11). The DPA thus found another violation of Article 6(1)(a).

The DPA further held that the controller violated Article 4(11) Article 12(1), Article 13 and Article 14 as their cookie policy was incomplete (it only mentioned 13 of the 500 partners). Furthermore, it was not sufficiently accessible and and/or in the data subject's language .

Lastly, the DPA found that the controller violated Article 7(3), for the placement of additional cookies after withdrawing consent.

The DPA fined the controller €50.000. The DPA further ordered the controller to get its processing of personal data - for which a violation was established - in compliance with the GDPR within 3 months.

Comment

This is the second decision following this decision of the Management Committee. See also APD/GBA Belguim - 85/2022.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.

@@ Line 82: / Line 82: @@
 === Facts ===
-On 16 January 2019, the Executive-committee of the Belgian DPA (GBA) started an investigation on the placement of cookies on Belgian media websites. The controller is Rossel & Cie, the owner of the websites of Le Soir, Sudinfo and Sudpresse éditions digitales.
+On 16 January 2019, the Executive-committee of the Belgian DPA (GBA) started an investigation on the placement of cookies on Belgian media websites. The controller is Rossel & Cie, the owner of the websites of Le Soir, Sudinfo and Sudpresse éditions digitales. The investigation revealed the following potential violations.
-The investigation revealed the following potential violations. First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute that cookies were placed that require prior consent. However, the controller argues that the method used for the investigation was not reliable to establish a violation. Furthermore, the statistical cookies placed do not require prior consent according to the controller. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities.
+First of all, the placement of cookies that were not strictly necessary - including statistical and social-network cookies - prior to consent of the data subject. The controller does not dispute this. However, it argues that the method used for the investigation was not reliable to establish a violation. Furthermore, that the statistical cookies placed do not require prior consent. As for the social-network cookies, the controller argued that it had a legitimate interest for the processing activities.
-Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues browsing the website. The controller argues that further browsing is active behaviour that falls under the 'active consent' requirement of "Planet 49".
+Second, the qualification of 'further browsing' as consent. The cookie-banner disappears if the user continues scrolling on the website. The controller argues that this is 'active behaviour' that meets the 'active consent' requirement of "Planet 49".
-Third, pre-ticked boxes to grant consent for third-party-cookies. Fifth, an incomplete and poorly accessible cookie policy. Sixth, unjustified retention periods for the storage of cookies. Lastly, revoking consent was impossible.
+Third, pre-ticked boxes to grant consent for third-party-cookies.
-The controller argued that statistical cookies are used for aggregated basic statistics, necessary for the business model of the website. No personal data is being processed for this activity, as such, the GDPR does not apply.
+Forth, an incomplete and poorly accessible cookie policy.
-The controller argued that regarding the statistical cookies, the personal data was anonymised. The controller further argued that the Belgian DPA did not provide adequate guidelines for companies to comply with the GDPR. The controller refers to e.g. the French and Dutch DPA, who have provided this.
+Sixth, unjustified retention periods for the storage of cookies.
+Lastly, revoking consent was impossible.
 === Holding ===
-The DPA held that the controller violated Article 6(1)(a) by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies.
+The DPA held that the controller violated <nowiki>[[Article 6 GDPR#1a|Article 6(1)(a)]]</nowiki> by placing not strictly necessary cookies without obtaining prior consent. The DPA noted that statistical cookies also require consent under the current legal framework. Furthermore, the controller did not provide any evidence for the legitimate interest regarding the social-network cookies. However, the DPA will take into account that the controller now (allegedly) has another legal basis for the social-network and analytical cookies.
-Regarding the qualification of 'further browsing' as consent, the DPA noted that this can be seen as active behaviour as referred to in "Planet 49" in specific situations. However the act of simply scrolling through the page in the current case is not sufficient. The DPA further noted that it also lacked the requirement for consent to be specific.
-Regarding the pre-ticked boxes for the cookies from partner companies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11) (and with reference to Planet49). The DPA thus found another violation of Article 6(1)(a).
-The DPA held that regarding the disclaimer placed on their website for third-party cookies, the controller violated the principle of accountability laid down in Article 5(2). The DPA stated that controllers are responsible for compliance with the GDPR and the demonstration thereof (Article 24).
+Regarding the qualification of 'further browsing' as consent, the DPA stated that this can be seen as active behaviour as referred to in "Planet 49" in specific situations. However the act of simply scrolling, is not. A computer action (e.g. a mouse-click) could change this. The DPA further noted that it also lacked the requirement for consent to be specific. The DPA therefore held that the controller violated Article 6(1)(a) (jo Article 4(11) and Article 7(1)).
-The DPA found that the privacy policy of the controller contained false, incomplete and insufficient information. The DPA therefore held that the controller violated Article 12(1), as it did not communicate the information referred to in of Article 13 and Article 14 in a "concise, transparent, intelligible and easily accessible form". The DPA furthermore held that the controller violated the principle of storage limitation laid down in Article 5(1)(e) by not proactively defining the criteria for the storage of cookies.
+Regarding the pre-ticked boxes for third-party cookies, the DPA argued that this cannot constitute lawful consent by the definition of Article 4(11). The DPA thus found another violation of Article 6(1)(a).
-Lastly, the DPA found that the controller violated Article 7(3), as withdrawing consent was made impossible by the controllers cookie-management tool. The DPA noted that withdrawing consent must be as easy as providing consent for users.
+The DPA further held that the controller violated Article 4(11) Article 12(1), Article 13 and Article 14 as their cookie policy was incomplete (it only mentioned 13 of the 500 partners). Furthermore, it was not sufficiently accessible and and/or in the data subject's language .
-The DPA found that the alleged absence of concrete guidelines is not a valid argument against a violation of data protection legislation. The DPA held that it is the responsibility of the controller to comply with the law and further noted that numerous guidelines for companies to ensure compliance with the GDPR already exist.
+Lastly, the DPA found that the controller violated Article 7(3), for the placement of additional cookies after withdrawing consent.
 The DPA fined the controller €50.000. The DPA further ordered the controller to get its processing of personal data - for which a violation was established - in compliance with the GDPR within 3 months.
 == Comment ==