APD/GBA (Belgium) - 162/2023: Difference between revisions

From GDPRhub
m (Fixed a typo)
 
(2 intermediate revisions by one other user not shown)
Line 11: Line 11:


|Original_Source_Name_1=Gegevensbeschermingsautoriteit
|Original_Source_Name_1=Gegevensbeschermingsautoriteit
|Original_Source_Link_1=https://deref-gmx.net/mail/client/634p27D9Kmw/dereferrer/?redirectUrl=https%253A%252F%252Fwww.gegevensbeschermingsautoriteit.be%252Fpublications%252Fart95-schikking-nr.-162-2023.pdf
|Original_Source_Link_1=https://www.gegevensbeschermingsautoriteit.be/publications/art95-schikking-nr.-162-2023.pdf
|Original_Source_Language_1=French
|Original_Source_Language_1=French
|Original_Source_Language__Code_1=FR
|Original_Source_Language__Code_1=FR
Line 55: Line 55:
|National_Law_Link_5=
|National_Law_Link_5=


|Party_Name_1=Ms. X, represented by noby - European Center for Digital Rights
|Party_Name_1=Ms. X, represented by noyb - European Center for Digital Rights
|Party_Link_1=https://noyb.eu/de
|Party_Link_1=https://noyb.eu/de
|Party_Name_2=RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE
|Party_Name_2=RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE
Line 73: Line 73:
}}
}}


The DPA laid out stricter rules on the use of cookie banners. The controller was accused of using misleading cookie banners and obscure models, therefore violating the collection of consent rules in the GDPR as well as Article 5(3) ePrivacy Directive.
The DPA found that Radio Télévision Belge de la Communauté Française did not use misleading cookie banners on their website.


== English Summary ==
== English Summary ==


=== Facts ===
=== Facts ===
On 18 July 2023 Noby (the data subject) filed a complaint with the Belgian Data Protection Authority (Autorité de Protection des données - APD [Belgian DPA]) against the RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE (Rtbf - the controller) for their "misleading cookie banners" and "obscure models" on their website. On 21 September 2023, the DPA started the discussions on a settlement proposal. After receiving the proposal on 20 October 2023 the data subject requested six changes to the proposal, including more explicit rules on the appearance of the cookie banners as well as their location, an injunction of the controller to cease unlawful treatment, and a fine under the Article 83(1) of the GDPR. The DPA rejected all of the changes arguing it would not change the outcome of the settlement and that the fine was only possible if the case was tried on its merits which is not the case in a settlement proposal.
On 18 July 2023, a data subject filed a complaint with the Belgian DPA against Radio Télévision Belge de la Communauté Française (Rtbf - the controller) for their misleading cookie banners. Specifically, the complainant alleged four practices on the website: that there was no “refuse” option on the first level of information in the cookie banner, the presence of misleading button colours, that it was not as easy to withdraw consent as to give it and that the controller referred to legitimate interest.
 
On 21 September 2023, the DPA started the discussions on a settlement proposal. After receiving the proposal on 20 October 2023, the complainant requested six changes to the proposal, including more explicit rules on the appearance of the cookie banners as well as their location, an injunction of the controller to cease unlawful treatment, and a fine under the [[Article 83 GDPR#1|Article 83(1) GDPR]].


=== Holding ===
=== Holding ===
The complaint was settled through a settlement decision provided in Article 95 (1)(2) LCA, meaning that the holding is the settlement however there are no explicit outlines of the current violations in the settlement. Instead, there are rules that the controller has to follow in the future.
Considering the facts of the case and the changes requested by the complainant, the DPA rejected all the changes; arguing it would not change the outcome of the settlement and that the fine was only possible if the case was tried on its merits, which is not the case in a settlement proposal.
The DPA held that:
 
Indeed, the complaint was settled through a settlement decision provided in [https://www.autoriteprotectiondonnees.be/publications/loi-organique-de-l-apd.pdf Article 95(1)(2) LCA], the Belgian national law establishing the national data protection authority.
1) a "refuse all" button is considered equal to the already provided "accept all cookies" button. Further, the DPA states that if one button is provided the other one is required as well.  
 
With regards to the first request, the DPA held that a "refuse all" button does not need to be added to the first layer together with the "accept and close" button since this would not lead to a concrete result.  


2) the website has to ensure that both buttons mentioned above are equally visually attractive to the data subject.  
Secondly, the DPA held that it was true that both buttons mentioned above were equally visually attractive. However, generally, controllers should not display 'less (visually) attractive' options.  


3) it is the data subjects' right under Article 5(3) of the ePrivacy Directive to be able to revoke their consent with the same amount of steps that they needed to give that consent.  
Next, the DPA considered the complainant's argument that it is a data subject's right under [https://eur-lex.europa.eu/legal-content/EN/ALL/?uri=celex%3A32002L0058 Article 5(3) ePrivacy Directive] to be able to revoke their consent with the same amount of steps that they needed to give that consent. The DPA stated, however, that it was inappropriate to require such an amendment.  


4) the "legitimate interest" reasoning for processing cookies will only be used for strictly necessary technical or functional cookies. They will not use "deceptive" techniques to process data.  
Lastly, with regard to the "legitimate interest" reasoning for processing cookies, the DPA stated that this contention was not relevant since, in the present case, the complaint does not regard the alleged violation of the complainant's rights.  


The controller has one month after the settlement decision to prepare a document showing all the adjustments and changes made on their website to fulfill the conditions outlined above.
Therefore, the DPA found no violation.  


== Comment ==
== Comment ==
The controller was obligated to change the cookie banners to some extent, however, if there was a standard cookie banner provided by the EU, required to be used by every website the design aspect of these complaints would be a lot easier to rule on.
''Comment from the original contributor:'' The controller was obligated to change the cookie banners to some extent, however, if there was a standard cookie banner provided by the EU, required to be used by every website the design aspect of these complaints would be a lot easier to rule on.


== Further Resources ==
== Further Resources ==

Latest revision as of 12:23, 27 February 2024

APD/GBA - 162/2023
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law:
Article 5(3) ePrivacy Directive
Collection Consent rules and Article 83(1) Regulation (EU) 2016/679
Report of the work undertaken by the Cookie Banner Taskforce
Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Article 10(2)(2) Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Article 95 Belgian Law establishing the national data protection authority (LCA)
Type: Complaint
Outcome: Upheld
Started: 18.07.2023
Decided: 30.11.2023
Published: 01.12.2023
Fine: n/a
Parties: Ms. X, represented by noyb - European Center for Digital Rights
RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE
National Case Number/Name: 162/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Gegevensbeschermingsautoriteit (in FR)
Initial Contributor: kaelasophie

The DPA found that Radio Télévision Belge de la Communauté Française did not use misleading cookie banners on their website.

English Summary

Facts

On 18 July 2023, a data subject filed a complaint with the Belgian DPA against Radio Télévision Belge de la Communauté Française (Rtbf - the controller) for their misleading cookie banners. Specifically, the complainant alleged four practices on the website: that there was no “refuse” option on the first level of information in the cookie banner, the presence of misleading button colours, that it was not as easy to withdraw consent as to give it and that the controller referred to legitimate interest.

On 21 September 2023, the DPA started the discussions on a settlement proposal. After receiving the proposal on 20 October 2023, the complainant requested six changes to the proposal, including more explicit rules on the appearance of the cookie banners as well as their location, an injunction of the controller to cease unlawful treatment, and a fine under the Article 83(1) GDPR.

Holding

Considering the facts of the case and the changes requested by the complainant, the DPA rejected all the changes; arguing it would not change the outcome of the settlement and that the fine was only possible if the case was tried on its merits, which is not the case in a settlement proposal.

Indeed, the complaint was settled through a settlement decision provided in Article 95(1)(2) LCA, the Belgian national law establishing the national data protection authority.

With regards to the first request, the DPA held that a "refuse all" button does not need to be added to the first layer together with the "accept and close" button since this would not lead to a concrete result.

Secondly, the DPA held that it was true that both buttons mentioned above were equally visually attractive. However, generally, controllers should not display 'less (visually) attractive' options.

Next, the DPA considered the complainant's argument that it is a data subject's right under Article 5(3) ePrivacy Directive to be able to revoke their consent with the same amount of steps that they needed to give that consent. The DPA stated, however, that it was inappropriate to require such an amendment.

Lastly, with regard to the "legitimate interest" reasoning for processing cookies, the DPA stated that this contention was not relevant since, in the present case, the complaint does not regard the alleged violation of the complainant's rights.

Therefore, the DPA found no violation.

Comment

Comment from the original contributor: The controller was obligated to change the cookie banners to some extent, however, if there was a standard cookie banner provided by the EU, required to be used by every website the design aspect of these complaints would be a lot easier to rule on.

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.