APD/GBA (Belgium) - 162/2023

From GDPRhub
Revision as of 10:23, 27 February 2024 by Ar
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law:
Article 5(3) ePrivacy Directive
Collection Consent rules and Article 83(1) Regulation (EU) 2016/679
Report of the work undertaken by the Cookie Banner Taskforce
Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Article 10(2)(2) Act of 30 July 2018 on the protection of individuals with regard to the processing of personal data
Article 95 Belgian Law establishing the national data protection authority (LCA)
Type: Complaint
Outcome: Upheld
Started: 18.07.2023
Decided: 30.11.2023
Published: 01.12.2023
Fine: n/a
Parties: Ms. X, represented by noyb - European Center for Digital Rights
RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE
National Case Number/Name: 162/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): French
Original Source: Gegevensbeschermingsautoriteit (in FR)
Initial Contributor: kaelasophie

The DPA laid out stricter rules on the use of cookie banners. The controller was accused of using misleading cookie banners and obscure models, thereby violating the GDPR's rules on the collection of consent as well as Article 5(3) ePrivacy Directive.

English Summary

Facts

On 18 July 2023, noyb (the data subject) filed a complaint with the Belgian Data Protection Authority (Autorité de Protection des données - APD [Belgian DPA]) against the RADIO TÉLÉVISION BELGE DE LA COMMUNAUTÉ FRANÇAISE (RTBF - the controller) for the "misleading cookie banners" and "obscure models" on its website. On 21 September 2023, the DPA started discussions on a settlement proposal. After receiving the proposal on 20 October 2023, the data subject requested six changes to it, including more explicit rules on the appearance and location of the cookie banners, an injunction ordering the controller to cease unlawful processing, and a fine under Article 83(1) of the GDPR. The DPA rejected all of the changes, arguing that they would not change the outcome of the settlement and that a fine is only possible if the case is tried on its merits, which is not the case in a settlement proposal.

Holding

The complaint was resolved through a settlement decision as provided in Article 95(1)(2) LCA, meaning that the holding is the settlement itself. However, the settlement does not explicitly set out the current violations. Instead, it lays down rules that the controller has to follow in the future. The DPA held that:

1) a "refuse all" button is considered equal to the already provided "accept all cookies" button. Further, the DPA states that if one button is provided, the other one is required as well.

2) the website has to ensure that both buttons mentioned above are equally visually attractive to the data subject.

3) it is the data subject's right under Article 5(3) of the ePrivacy Directive to be able to revoke consent in the same number of steps that were needed to give that consent.

4) the "legitimate interest" reasoning for processing cookies will only be used for strictly necessary technical or functional cookies. The controller will not use "deceptive" techniques to process data.

The controller has one month after the settlement decision to prepare a document showing all the adjustments and changes made to its website to fulfill the conditions outlined above.

Comment

The controller was obligated to change the cookie banners to some extent. However, if there were a standard cookie banner provided by the EU and required to be used by every website, the design aspect of these complaints would be a lot easier to rule on.


English Machine Translation of the Decision

The decision below is a machine translation of the French original. Please refer to the French original for more details.