APD/GBA (Belgium) - 12/2019: Difference between revisions

From GDPRhub
(Added links to in-depth commentaries)
(Added links to in-depth case comments)
Line 71: Line 71:
Several in-depth commentaries of the decision are available in English:
Several in-depth commentaries of the decision are available in English:


* [https://www.nautadutilh.com/en/information-centre/news/cookies-merry-christmas Cookies: Merry Christmas? New decision by litigation chamber of the Belgian data protection authority] (24 December 2019)
* [https://www.nautadutilh.com/en/information-centre/news/you-may-need-a-new-dpo-according-to-the-belgian-data-protection-authority You may need a new DPO, according to the Belgian Data Protection Authority]
* [https://blogs.dlapiper.com/privacymatters/belgium-belgian-dpa-fines-for-cookie-non-compliance-and-warns-other-companies-to-act-in-compliance/ Belgian DPA fines for cookie non-compliance and warns other companies to act in compliance] (9 January 2020)
* [https://www.linklaters.com/en/insights/blogs/digilinks/2020/may/belgium---can-a-head-of-act-as-a-data-protection-officer Belgium – Can a “head of” act as a data protection officer?]


==Further Resources==
==Further Resources==

Revision as of 05:09, 14 May 2020

APD/GBA - DOS-2019-01356
LogoBE.png
Authority: APD/GBA (Belgium)
Jurisdiction: Belgium
Relevant Law: Article 4(11) GDPR

Article 6(1)(a) GDPR

Article 7 GDPR

Article 12 GDPR

Article 13 GDPR

ePrivacy Directive

Type: Investigation
Outcome: Violation found
Decided: 17.12.2019
Published: n/a
Fine: 15,000 EUR
Parties: Anonymous
National Case Number: DOS-2019-01356
European Case Law Identifier: n/a
Appeal: Cour des marchés de la cour d'appel de Bruxelles (Belgium)
Original Language:

French and Dutch

Original Sources: GBA (in NL)

The APD/GBA fined € 15.000 for cookies placed without prior consent.

English Summary

Facts

The ADP/GBA conducted investigations into a webpage for violations of Article 6(1)(a), 12 and 13 GDPR.

Holding

After having conducted investigations, the GBA submitted a report in June 2019 regarding several violations:

  • The company’s privacy statement and cookie policy did not comply with the GDPR and the national law implementing the ePrivacy Directive.
  • The policies did not contain transparent information regarding the data subject’s rights and their exercise. Thus, the GBA considered that the company violated Article 12 GDPR.
  • The company did not provide information regarding the legal basis for the processing, the data subject's rights nor the retention period, and was, thus, in breach of Article 13 GDPR.
  • No consent was gathered for the use of cookies regardless the entity who installs them on the user’s terminal equipment. Indeed, the user’s consent to the installation of cookies was obtained via pre-ticked boxes. Therefore, this practice was contrary to the national law implementing the ePrivacy Directive and Articles 6(1)(a) and 7 GDPR, in the lights of Article 4(11) and Recital 32 GDPR.

Following this report, the GBA issued a decision confirming that the company did infringe the national law implementing the ePrivacy Directive and the GDPR on the grounds mentioned above. As a consequence, the GBA fined the company € 15.000.

Comment

Several in-depth commentaries of the decision are available in English:

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the French or Dutch original for more details.

File number : DOS-2019-01356
 
Dispute room

Decision on the merits 12/2019 of 17 December
2019
 



Subject : Inspection report - X - 'Y' website

The Disputes Chamber of the Data Protection Authority, composed of Mr Hielke Hijmans, chairman, and Messrs Dirk Van Der Kelen and Frank De Smet, members;

Having regard to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter AVG;

Having regard to the Act of 3 December 2017 establishing the Data Protection Authority (hereinafter 'WOG');

Having regard to the Rules of Internal Procedure, as approved by the Chamber of Representatives on 20 December 2018 and published in the Belgian Official Gazette on 15 January 2019;

Having regard to the documents in the file;




.
 
has taken the following decision regarding:

- the processing manager: X, acting under the name "Y"; having as counsel Mr Z, lawyer in the office W;


1.	Facts and procedure


Investigation Inspectorate

On 27 February 2019, the Executive Committee of the GBA decided to refer the matter to the Inspectorate of the Data Protection Authority (hereinafter 'GBA') on the basis of Article 63, 1° of the WOG. The reason for the aforementioned referral was the privacy policy (including the privacy statement and associated information banners) and the cookie management of the website managed by the defendant ('Y', hereinafter 'website'). This website specialises in legal news from, for and about legal practitioners, with a self-proclaimed monthly reach of 35,000 readers.


The Inspectorate of the GBA informed the Respondent of this decision of the Executive Committee of the GBA by letter dated 26 March 2019.

The Inspectorate then investigated the website and found a first version of the website on 12 March 2019 ("first version"), a second version on 29 April 2019 ("second version") and a third version on 29 May 2019 ("third version").

The Inspectorate sent two letters dated 26 March 2019 and 29 April 2019 to the defendant with findings regarding alleged infringements of the AVG, read together with the Electronic Communications Act of 13 June 2005 ('WEC').

In its final report dated 29 May 2019 (hereinafter 'the Inspection Report'), the Inspectorate noted that between the first contact made on 26 March 2019 and the findings made on 29 May 2019, the defendant made adjustments which ensured that - on the third version of the website
- its privacy policy and cookie management have become more - but not completely - AVG-compliant.


In the course of the Inspectorate's investigation, various breaches of the AVG were identified, the most important of which - including infringements that have since been resolved - are listed below:
 
o Findings regarding transparent information, communication and further rules for the exercise of the rights of the person concerned (art. 12 AVG):
On 12 March 2019, the Inspectorate established that the privacy statement on the website was only available in English where the website was addressed to a Dutch and French-speaking audience; the information was not easily accessible to the data subjects and reference was made to "US privacy law". In addition, the statement that "your IP address" is not personal data was not in accordance with article 12 of the AVG, as this statement is contrary to the definition of personal data in article 4.1 and recital 30 of the AVG. These defects were resolved by the defendant step by step1 .
On 12 March 2019, the Inspectorate established that the privacy policy and cookie management was not easily accessible to those concerned.
On April 29, 2019, the Inspectorate determined that the homepage of the website contained a hyperlink "Privacy Policy" and that the reference to the "US privacy law" (and to the "California Online Privacy Protection Act") had been removed.

o Determinations regarding information to be provided when personal data is collected from the data subject (Section 13 of the AVG):
The privacy statement on the first version of the website did not include the identity and contact details of the data controller. The defendant only explicitly stated in the privacy statement on 29 May 2019 that "X" was responsible for the processing and its contact details, after the Inspectorate made it clear by letter that, in its opinion, the first amendment of the privacy statement dated 29 April 2019 was insufficiently clear (reference was made to "X" and its contact details without explicitly stating that this company was the data controller);
The privacy statement on the first version of the website stated neither the rights that data subjects may invoke, nor the legal basis for the processing, nor the processing purposes, nor the right of data subjects to lodge a complaint with the Data Protection Authority, nor a retention period for the personal data collected by cookies).2


1 Inspection report, p. 5.
2 The Inspectorate's findings of 12 March 2019.
 
o Findings in relation to the obligation to give consent (Article 6 of the AVG, Articles 4, 11 in conjunction with 7 of the AVG as well as recital 32 of the AVG, read in conjunction with Article 129 WEC), including:

In the first two versions of the website, the privacy statement did not request permission for the use of cookies, either from the data controller or from Google.
In the last version of the website examined by the Inspectorate prior to its first report, the preferences for the use of cookies were indeed requested from the website user, but the consent was obtained on the basis of already ticked windows, which according to recital 32 of the AVG cannot count as valid consent.

On 29 April 2019, the Inspectorate established that the privacy policy and cookie management did not yet comply with Article 13 of the AVG, as shown in column 2 of the list below:
- the information provided does not explicitly clarify who is responsible for processing;
- for submitting a complaint, reference is made to the Dutch Personal Data Authority, which is not competent in Belgium.


On 29 May 2019, according to the Inspectorate, the privacy policy and cookie management on the webpage https://Y/privacy-policy/ was justified in the light of Article 13 of the AVG. In this respect, the Inspectorate refers to column 3 of the table below.3


Column 1 Column 2 Column 3
Privacy policy and cookie management on the webpage https://Y/privacy-policy/ on 12/3/2019 (pieces 4 and 7) Privacy policy and cookie management on the webpage https://Y/privacy-policy/ on 29/4/2019 (pieces 8 and 9) Privacy policy and cookie management on the webpage https://Y/privacy-policy/.
on 29/5/2019 (pieces 13 and 14)
a. The identity of the processing representative
verbatim and are a. "X" is mentioned
without explicit a. It is explicitly stated that "X"
is responsible

3 Inspection report, p. 7.
 

contact details are not given;
b.	The processing purposes for which the personal data are intended, as well as the
legal basis for the processing is not mentioned;










c.	The period for which the personal data will be stored, or the criteria for determining that period, shall not be stated; it shall be stated that this is the data controller;
b.	The purposes of the processing and the legal basis shall be stated, but with little explanation.			For example, reference is made to 'our services' and to
"legal obligation", without
specify which services and legislation are concerned in concrete terms.
c.	Reference is made to retention periods, but with little explanation.		For example, reference is made to
"applicable administrative obligations", without
specify which obligations are specifically concerned.
d.	A report is made
made of the materials used for the processing of the
personal data;
b.	The processing purposes and legal grounds shall be clearly explained.















c.	The retention periods shall be clearly linked to the processing activities.











d.	Reference shall be made to the rights of
 

d.	The rights which may be invoked by the persons concerned shall not be mentioned;







e.	The right of the data subjects to lodge a complaint with the Data Protection Authority shall not be mentioned.
mentioned.	rights of
involved in various
paragraphs, each with its own title.
e. Reference shall be made to the right of
persons concerned to lodge a complaint with the Personal Data Protection Authority.		Which
name is not correct, because in Belgium the data protection authority is
authorized.	persons concerned in different paragraphs, each with its own title.
e. Reference is made to the right of data subjects to lodge a complaint with the data protection authority.
("GBA") with a hyperlink to the relevant webpage of the GBA.



On 29 May 2019, according to the Inspectorate, the privacy policy and cookie management on the website was 'not yet in accordance with Articles 4, 11) in conjunction with Article 7 of the AVG and Article 129 of the WEC', as shown in column 3 of the table below and the Inspectorate's comments below4 :
- reference is made to "our legitimate interest" as the legal basis for cookies used "with the aim of simplifying your use of the website and collecting statistical data relating to the use of the website" (documents 13 and 14), whereas consent is required for this as these cookies are not necessary. This follows from the explanation on page 11 under the heading "4.3 Analysis by the first party" of the Opinion 04/2012 on exemption from the obligation to consent for cookies of the Article 29 Data Protection Working Party, which can be consulted on the webpage.

4 Inspection report, p. 9, under the title "Establishment of the consent obligation (Articles 4,11), 6 and 7 of the AVG and Article 129 of the WEC".
 
https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2012/wp194_en.pdf and from the text of Article 129 WEC. Consequently, there is no legal basis for the processing of personal data in this specific context as required by Article 6 of the AVG;
- the cookie window on the website https://Y/ (the same on the French version https://Y/fr/) already contains ticked boxes (which according to recital 32 of the AVG does not count as consent), contrary to Articles 4, 11 and 7 of the AVG, and does not contain a button to refuse cookies;
- the text on the aforementioned French version is stated in Dutch "


Column 1 Column 2 Column 3
Privacy policy and cookie management on the webpage https://Y/privacy-policy/ on 12/3/2019 (pieces 4 and 7) Privacy policy and cookie management on the webpage https://Y/privacy-policy/ on 29/4/2019 (pieces 8 and 9) Privacy policy and cookie management on the webpage https://Y/privacy-policy/ on 29/5/2019 (pieces 13, 14 and 15)
a.   The permission for the
The use of cookies by the data controller or Google is not requested from the data subjects; a. The consent to the use of cookies by the data controller or Google is not requested from the data subjects; b. The consent to the use of cookies by Google is not requested from the data subjects.
use of cookies by the person responsible for processing or by Google is not asked of those involved; a. The privacy policy and cookie management on the web page https://Y/privacy- policy/ is correct.
specify that permission is sought for the use of cookies that are not strictly
are necessary. However, it wrongly refers to "us justified
interest" as
 

		legal basis for cookies used "for the purpose of simplifying your use of the website and collecting statistical data relating to the use of the website" (Documents 13 and 13).
14).
Another shortcoming concerns the cookie window that appears at the bottom of the
screen when you open the website https://Y/ or the French version https://Y/fr/ for the first time (piece 15):
- already ticked boxes in the preferences regarding cookies (which according to consideration
32 of the AVG does not apply
 






























b.   It is not stated how the data subjects give their consent to the use of cookies by the data controller or by Google.
...can withdraw.	




























b.   It is not stated how the data subjects give their consent to the use of cookies by the data controller or by Google.
as consent);
- there is an "OK" button to accept cookies, but there is no button to reject cookies;
- the text of the cookie window on the
French version https://Y/fr/ is mentioned in Dutch.




b. It is mentioned how the
those concerned may revoke a given consent under a separate title in the text.

(Inspection report, p. 9)
 
In the Inspectorate's report, the Inspectorate states that the defendant has an exemplary role in terms of compliance with the AVG, in view of the legal expertise disseminated by the website.

The Inspectorate submitted its report dated 3 June 2019 to the Disputes Chamber on the basis of Article 92, 3° of the WOG.

The procedure before the Disputes Chamber

At a hearing on 26 June 2019, the Disputes Chamber decided on the basis of Article 98 of the WOG that the file was ready to be dealt with on the merits.

On 28 June 2019, the defendant was informed by registered mail of this decision, as well as of the Inspection Report and of the inventory of the documents in the file submitted by the Inspection Service to the Chamber of Disputes. At the same time, the defendant was informed of the provisions as mentioned in article 98 of the WOG and, pursuant to article 99 of the WOG, the defendant was informed of the time limits for submitting his defences. The deadline for receiving the defendant's response was set at 29 July 2019.

On 29 July 2019, the Chamber of Disputes received the conclusion of the defendant's response.

The defendant acknowledged that certain mandatory entries were not included in one or more of the successive versions of the website's privacy statement examined by the Inspectorate. The defendant explained that in the meantime (in the course of the first investigation or after the conclusion of the first inspection report) these missing entries were added to the Privacy Statement (fourth version of the website - July 2019).

In its conclusion, the defendant questioned the Inspectorate's findings regarding the actual course of the consent process on the website. Indeed, the defendant stated that cookies for the collection of statistical data were only collected "after the consent of the data subjects", despite the contrary statement in the previous version of the Privacy Statement (May 2019) in that regard. The defendant states that the website's Privacy Statement has since been adapted to reality.

Furthermore, the defendant's conclusion states as follows, to the extent relevant for the decision of the Dispute Resolution Chamber:
 
(1) As regards the Inspectorate's findings that consent had not been requested prior to the placement of certain cookies, in particular from "Google Analytics", "Google Tag manager" and "Google Adsense":5 "For the adaptation of the website, visitors were only informed about the fact that the website used cookies. The cookie window [sic] on the website could only be closed. The cookies used at that time were identical to the cookies currently used on the website (see overview in the cookie statement). The sole purpose of these cookies was (1) to make the functioning of the website possible, (2) to enable certain services (playing videos, parts of articles on LinkedIn, etc.) and (3) to analyse the use of the website and compile statistics.
The defendant submits an overview of the cookies that were present on the website on 6 July 2019. This list was drawn up by the defendant using the "Cookiebot" application which provides a scan of the cookies on the website6. The defendant claims that this list reflects the cookies used for the adaptation of the website, i.e. for the closing of the first Inspection Report ("The cookies used at that time were identical to the cookies still used on the website") 7.

(2) As regards the recent adaptations to the website, the defendant requests that the possible sanction be determined taking into account the fact that the website has always taken additional measures as a result of the Inspectorate's findings. It points to "the intention to comply strictly with its obligations deriving from the AVG (and national legislation)" and to "the adaptations implemented by [the website] (and in particular the consequences of these adaptations) testify to this intention".

The substance of the case was discussed for the first time by the Disputes Chamber at its hearing on 15 October 2019.

The Disputes Chamber established that the list under (1) did not contain certain cookies of which the Inspectorate had established the presence on the website, in particular the cookies of "Google Analytics", "Google Tag Manager" and "Google Adsense".

In view of the prima facie discrepancy between the Inspectorate's report and the conclusion, on the one hand, and in view of the facts newly invoked by the defendant (the adaptation of the website with a view to

5 Piece 2 of the Inspection Report.
6 See the Cookiebot services as offered on the following web page: https://www.cookiebot.com/en/functions/.
7 Conclusion defendant, p. 8.
 
compliance with the AVG) on the other hand, the Disputes Chamber decided at the hearing that for the settlement of this case additional information was needed in relation to (a) the cookies used by the website and (b) in relation to the way in which the most recent version of the website complied with the AVG's obligations regarding consent (including the revocation thereof) as well as its information obligations regarding cookies.

The Disputes Chamber also decided to draw the defendant's attention to the "Planet49" judgment of the European Court of Justice dated 1 October 20198 , which, among other things, concerns the way in which consent for the use of cookies under Article 7 AVG must be obtained, as well as a clear interpretation of the scope of the information obligations under Article 13 AVG (including how long the cookies remain active and whether or not third parties can have access to the personal data collected by cookies). The Disputes Chamber informed the defendant that it would take this new judgment into account in its decision and gave the defendant the opportunity to express his views on the matter.

In view of the possibility for the Disputes Chamber to subject certain breaches of the AVG (such as breaches of the basic principles of processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9) to an administrative fine corresponding to a percentage of the annual turnover in the preceding business year, the Disputes Chamber also decided to include the three most recent annual accounts of the defendants as a document in the proceedings, and to give the defendant in this case the possibility to inform it, if necessary, of the correctness of the data contained therein, in particular with regard to the turnover figure.

Finally, the Litigation Chamber decided to invite the defendant to an oral hearing on the basis of Articles 98 and 99 of the WOG. By letter dated 17 October 2019, the Disputes Chamber informed the defendant of the date and time of the hearing (6 November 2019).

In this letter, the Disputes Chamber asked the defendant to prepare questions for the hearing, with the possibility to submit additional documents before or during the hearing, if necessary.

With this letter, the defendant was also informed that the Inspection Service still had the possibility to draw up an additional report on one or more of these questions on its own initiative, in accordance with article 63 6° WOG, and that this report would be sent by email at least five working days before the hearing, if applicable.



8 CJEU, 1 October 2019, C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbande - Verbraucherzentrale Bundesverband v Planet49 GmbH, ECLI:EU:C:2019:801 ('Planet49').
 
The Dispute Chamber delivered a copy of this letter to the Inspectorate. On 24 October 2019, the Inspectorate submitted its additional report to the Disputes Chamber. This Inspection Report was communicated to the defendant by e-mail dated 29 October 2019.

This report provides the following information regarding the questions that the Disputes Chamber put to the defendant:

- The Inspectorate provided a screenshot of the "Cookiebot" information that it was able to observe on the website on 17 and 20 October 2019, with the following explanation: "Effectively, all the cookies used on 29 July 2019 are now no longer used. Indeed, in order to determine this, it suffices to compare the cookies mentioned in the Cookiebot Consent Management Page on 06/10/2019 and on 20/10/2019 that were observed by the Inspection Service on the website on 17/10/2019 and on 20/10/2019 respectively, a copy of which is shown above. However, if we look at the table mentioned in the Inspectorate's answer to question 2 of the Dispute Resolution Chamber below, we notice that there are more cookies than announced. 50 cookies are mentioned in that table. Several of them are not indicated;

In an answer to the second question of the Disputes Chamber "which first party/third party cookies are used by the current website", the Inspectorate established "that there are 9 first party cookies and 41 third party cookies, i.e. more than 80% divided between" Youtube.com, Google.com, Linkedin.com, Twitter.com, doubleclick.net. etc.

- With regard to the third question of the Dispute Resolution Chamber concerning the obligations regarding consent on the current website (articles 4.11 and 7 of the AVG read together with article 129 of the WEC) and the way in which the internet user receives information regarding the right to withdraw his consent afterwards (article 7.3 of the AVG), the Inspection Service provides the following information:
"The permission of users of the website [...] to place and consult cookies on his equipment is requested via a cookie drop-down menu that appears when that website is visited for the first time. […]
The home page presents a contextual window (CMP) that gives the user the choice either to accept all cookies or to accept only the necessary cookies that are active by default. There are two problems with this :
- the user cannot decide on an individual choice, cookie by cookie. Consequently, the consent here does not meet the requirements of consent as imposed by Article 4, point 11 of the AVG as it is not specific. In this respect, the Inspectorate refers to recitals 61 and 62 of the judgment of
 
the Court of Justice of 1 October 2019 in Case C-673/179. Finally, the Inspectorate refers in this context to the Guidelines on consent under Regulation 2016/679 of the European Data Protection Board10 . These emphasise on pages 13 and 14 that in order to be valid within the meaning of the AVG, consent must be specific; the other conditions that must be met in order for a valid consent within the meaning of the AVG to be valid are also explained in the aforementioned Guidelines.
- even if the user leaves the website immediately because he does not want cookies to be placed, 4 cookies will be placed at the first loading before the user is notified and has expressed his opinion by leaving the website. Cookies are therefore placed without the user's consent. […]

- With regard to the fourth question of the Disputes Chamber to the defendant 'How is the Internet user informed by the [...] website about how long cookies remain active and whether or not third parties can have access to the personal data collected by cookies', the Inspectorate provides the following information:

"[...] After clicking on the link "our cookie policy" above, the person concerned will be taken to the web page https://Y/cookies/. There the explanation of cookies is given in English only, there is the link 'Change your consent' and several cookies are listed in a table under the column names 'Name', 'Provider', 'Purpose', 'Expiry' and ''Type [...]'.
The Inspectorate then provides a printed version of the list of cookies made available by the website ('Cookie declaration last updated on 06/10/2019 by Cookiebot'). The cookies are presented by category: "necessary", "statistics", "marketing", "unclassified").

On 31 October 2019, the defendant requested - in accordance with article 95 of the WOG - to inspect the file of the Chamber of Disputes and to take a copy of it. On 31 October 2019, the Chamber of Disputes sent a copy of the file to the defendant by e-mail.

9 Recitals 61 and 62 of the Planet judgment49 read as follows:
"61 The wording used in Article 4(11) of Regulation 2016/679 to define, for the purposes of this Regulation, the notion of consent of the person concerned and, in particular, the wording of Article 6(1)(a) thereof, to which Question 1(c) refers, appear to be apparent, as the Advocate General established in substance in paragraph 70 of his Opinion, even stricter than that laid down in Article 2(h) of Directive 95/46, since it requires a 'free, specific, informed and unambiguous' expression of the will of the data subject, in the form of a statement or an 'unambiguous active act' representing his consent to a processing of personal data concerning him.
62 Thus, Regulation 2016/679 now explicitly requires active consent. In this context, it should be noted that according to recital 32 of this Regulation, consent can be expressed in particular by clicking on a box when visiting a website. On the other hand, this recital explicitly excludes 'silence, use of already ticked boxes or inactivity' as consent.
10 Data Protection Working Party, Guidelines on consent under Regulation 2016/679, WP259.
 


By letter of 4 November 2019, the Dispute Chamber informed the defendant that the hearing scheduled for 6 November 2019 had to be postponed for organisational reasons. On 7 November 2019, the Chamber of Disputes informed the defendant of a new date for the hearing, i.e. 25 November 2019.

The hearing

The case was resumed on 25 November 2019 and the hearing took place.

The following persons are present at the hearing to represent the defendant:
- Mrs. V, case attorney;
- Mr Z, lawyer;
- Mrs. U, staff member;
- Mr T, staff member.

The hearing is recorded - with the consent of the defendant - in order to draw up an official report. The recording is destroyed as soon as there is agreement on the content of the report.

The person responsible for processing submits a 'supplementary note in response to the questions of the Disputes Chamber', a collection of documents including print outs from the website, as well as a summary table of the Inspectorate's findings of infringements and the date on which they were remedied.

The defendant provides an explanation of the establishment and operation of his company and declares that, following the inspection reports, he has invested in order to put the cookies on the website in order. He modified the website up to and including the previous Saturday. Many cookies were removed from the website. The buttons with direct links to social media websites were removed from the website, as a precaution, because he does not want to be a conduit for third parties who might misuse the data collected by them.

According to the summary table, permission for the use of cookies that are not strictly necessary was only requested on the website as of May 2019, while in the website version of March and April 2019, no permission was requested for the use of cookies by the controller or Google.

The data controller explains, with reference to documentation submitted by him/her, that the data processing by means of "Google Analytics" cookies is carried out "completely anonymously" by
 
by assigning a randomly selected identification number to each unique visitor. At the request of the Dispute Chamber, it is acknowledged that the description "anonymous" is a material error and should be removed from the text. The defendant also states that it wishes to remain very cautious with regard to the qualification as "first party" or "third party" cookie of the "Google Analytics" cookies. Therefore, the defendant cautiously refers to Google's "privacy policy".

The defendant submits the successive adaptations of its "privacy policy" and explains that the way to withdraw consent is to be found in the cookie statement, and that this statement has been given a more prominent place on the website. A "cookie management pop-up" now appears at the bottom of each page. The retention period is always stated, as well as whether or not the cookies share information with third parties and whether or not the cookies are placed by the website or by third parties.

The defendant explains that the problems in updating the list of cookies present are due to the "Cookiebot" application, and that it has meanwhile changed technology to remedy this. He declares that the monitoring of cookies will always be taken into account in the future.

According to the defendant, the website clarifies in a cookie window that certain media (e.g. videos) are not available if marketing cookies are not accepted. All marketing cookies (and not only the cookies needed for each particular movie) must be accepted, because the system is so much simpler and the viewing of the movie would become complicated if the viewer only had to accept a few cookies.

With regard to the cookies that are still placed on the last (October) version of the website without prior consent, the processing manager explains that these are essential cookies.

The data controller declares that the turnover of the website is negligible. The Chamber of Disputes then asks the data-processing manager to communicate his turnover figure for the last 3 financial years.

On 29 November 2019, the processing manager sent an accounting document showing the turnover as follows:
- financial year 2018: 1,710,319.69;
- financial year 2017: 1,175,066.83;
- financial year 2016: 1,144,830.17.
 
The Disputes Chamber sent the draft to the defendant on 29 November 2019.

On 4 December 2019, the data controller reported by e-mail that he had no comments with regard to the content of the draft PV. The data controller sent a new document as an attachment to this last e-mail: a representation of the modified cookie statement. According to the defendant, "the material error regarding the anonymisation of certain data was rectified".

2.	Reason
2.1 Competence of the data protection authority


As also acknowledged by the defendant, the website collects personal data by means of cookie technology11 and consequently processes personal data.

The Disputes Chamber is competent to adjudicate in cases concerning the processing of personal data, on the basis of Article 4 § 1 of the WOG12, Article 55 of the AVG13, and in compliance with Article 8 of the Charter of Fundamental Rights of the European Union14 .

The above is without prejudice to the fact that, according to Belgian national law, BIPT has been designated as supervisor for the WEC, including Article 129 WEC which implements Article 5.3 of Directive 2002/5815 (hereinafter, "ePrivacy Directive"), in accordance with Article 14 § 1 of the Law of 17/01/2003 on the status of the regulator of the Belgian postal and telecommunications sector. In its Opinion 5/2019 on the interaction between the ePrivacy Directive and the AVG (issued on the basis of Article 64.2 AVG), the European Data Protection Committee (hereinafter: "EDPB") confirmed that data protection authorities have competence to


11 According to the opinion 04/2012 of the Data Protection Working Party on cookie waiver, WP208, the term 'cookie' covers a range of technologies, https://ec.europa.eu/justice/article- 29/documentation/opinion-recommendation/files/2013/wp208_en.pdf. Recital 30 of the AVG explains that natural persons can be linked to online identifiers such as identification cookies.
12 Art. 4 § 1 WOG: 'The Data Protection Authority is responsible for monitoring and ensuring compliance with the fundamental principles of personal data protection, within the framework of this Act and the laws containing provisions on the protection of the processing of personal data'.
13 Art. 55 AVG: 'Each supervisory authority shall have the competence to carry out on the territory of its Member State the duties assigned to it in accordance with this Regulation and to exercise the powers granted to it in accordance with this Regulation'.
14 Article 8 of the Charter of Fundamental Rights of the European Union (the 'Charter'): 'Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and with the data subject's consent or on any other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be monitored by an independent authority'.
15 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications, as amended by Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009, hereinafter the 'ePrivacy Directive').
 
are to apply the AVG to data processing, including in the context where other public authorities would be competent to monitor certain parts of the processing of personal data under national implementation of the ePrivacy Directive16 . Moreover, in a judgment of 16 February 201817 , the Dutch-speaking Court of First Instance of Brussels already ruled that the predecessor of the GBA had jurisdiction to bring an action before the court "insofar as it relates to alleged violations of the Privacy Act of 8 December 1992, to which art. 129 WEC, which is a clarification and supplement, explicitly refers "18.

BIPT's power to supervise certain parts of the processing - such as the placing of cookies on an Internet user's terminal equipment - does not affect the general power of the GBA. For example, the GBA is authorised to verify whether or not the requirement of consent for the placing of cookies (if applicable) is in accordance with the conditions of consent set out in the GTC. In addition, the GBA is authorised to check whether all other conditions required by the GCC - such as the transparency of processing (Art. 12 GCC) or the information to be provided (Art. 13 GCC) - have been met when placing cookies and processing the data collected with them.

The legal predecessor of the EDPB (Article 29 Data Protection Working Party, further: Working Party on Data Protection) has also stated that the requirements of the AVG for obtaining valid consent apply in situations falling within the scope of the e-Privacy Directive19.



16 EDPB Opinion 5/2019 on the interaction between the ePrivacy Directive and the AVG, in particular as regards the competence, tasks and powers of data protection authorities: "When the processing of personal data triggers the material scope of both the GDPR and the ePrivacy Directive, data protection authorities are competent to scrutinize subsets of the processing which are governed by national rules transposing the ePrivacy Directive only if national law confers this competence on them. However, the competence of data protection authorities under the GDPR in any event remains unabridged as regards processing operations which are not subject to special rules contained in the ePrivacy Directive. This demarcation line may not be modified by national law transposing the ePrivacy Directive (e.g. by broadening the material scope beyond what is required by the ePrivacy Directive and granting exclusive competence for that provision to the national regulatory authority)".
17 In the case Facebook Ireland Limited, Facebook Inc. and Facebook Belgium BVBA v Commission for the Protection of Privacy.
18 Rb. Brussels, 24th Chamber of Civil Cases, 16 February 2018, Rolnr. 2016/153/A, marginal 26, p. 51, available on the following webpage: https://www.gegevensbeschermingsautoriteit.be/nieuws/de-gegevensbeschermingsautoriteit-verdedigt-haar- argumentation-for-the-court-of-a-job-brussels-the-facebook case.
19 Data Protection Working Party, Guidelines on consent under Regulation 2016/679, WP259, p. 4: 'With regard to the existing e-Privacy Directive, WP29 notes that references to the repealed Directive 95/46/EC should be read as references to the AVG8. This also applies to references to consent in the current Directive 2002/58/EC as the e-Privacy Regulation is not (yet) in force on 25 May 2018. Article 95 AVG does not impose additional obligations in relation to processing in connection with the provision of publicly available electronic communications services in public communications networks in the Union in so far as they are subject to specific obligations with the same objective under the e-Privacy Directive. WP29 notes that the requirements for consent under the AVG are not regarded as an 'additional obligation' but as a precondition for lawful processing. Therefore, the AVG requirements for obtaining valid consent apply in situations falling within the scope of the e-Privacy Directive'.
 
The European Court of Justice confirmed in the Planet judgment49 , inter alia, that the collection of data by means of cookies can be regarded as processing of personal data20. Consequently, the Court interpreted Article 5.3 of the ePrivacy Directive on the basis of the AVG21 , more specifically on the basis of Articles 4.11 and 6.1.a of the AVG (consent requirement) as well as Article 13 of the AVG (information to be provided).

As explained below, the GBA is also competent to examine whether the exceptions to the requirement of consent for the placing of cookies are being applied in accordance with data protection law.

Above, the relationship between the GPG and Article 5.3 of the ePrivacy Directive has been explained, in cases where Article 5.3 requires consent, which must meet the requirements of the GPG. However, Article 5.3 of the ePrivacy Directive (and Art. 129 WEC) contains exceptions, and allows cookies to be stored in the terminal equipment of a communications network user without prior consent, when those cookies have the "sole purpose" of (a) "carrying out the transmission of a communication over an electronic communications network" or (b) "providing a service explicitly requested by the subscriber or end-user when this is strictly necessary for this purpose".

The exceptions to the consent requirement contained in Art. 5.3 ePrivacy Directive should be read in the light of Art. 6 AVG (e.g. the legitimate interest of the data controller and/or of the end user of the communications network22), in the context where the provisions of the ePrivacy Directive specify and complement the AVG23. However, should it be assumed that certain rules in the ePrivacy Directive derogate from the AVG and do not include the legal basis "legitimate interest "24 , the exceptions to the "technical storage" or "service requested by the subscriber" of Art. 5.3 of the ePrivacy Directive are the following


20 Arrest Planet49, ro 45.
21 Also by reference to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals.
22 The exception "service explicitly requested by the subscriber or end-user" in Art. 129 WEC (5.3 ePrivacy Directive) has no real counterpart in the AVG. Art. 6.1.b AVG entails the requirement of processing that is "necessary" for the performance of an agreement. Art. 129 WEC uses the criterion 'strictly necessary'.
23 See Article 1 of the ePrivacy Directive: '1.This Directive harmonises Member States' rules necessary to ensure an equivalent level of protection of fundamental rights and freedoms - particularly the right to privacy - with respect to the processing of personal data in the electronic communications sector and to ensure the free movement of such data and of electronic communications equipment and services in the Community. 2. For the purposes set out in paragraph 1, the provisions of this Directive specify and complement Directive 95/46/EC. […]” [Underlining by Dispute Room]
24 See also a EDPS recommendation: 'Some Amendments propose an additional exemption to the confidentiality of communications based on legitimate interest of service providers and other parties to process electronic communications data. Neither the current ePrivacy Directive nor the Proposed Regulation contain such exemption and the Draft Report also did not propose any such exemptions, neither for metadata nor for content' (EDPS Recommendations on specific aspects of the proposed ePrivacy Regulation, p. 2, https://edps.europa.eu/sites/edp/files/publication/17-10- 05_edps_recommendations_on_ep_amendments_en.pdf).
 
Directive as a legal basis in its own right. The ePrivacy Directive will then be a lex specialis for these provisions that deviates from the AVG.

As regards the exception for the provision of a 'service explicitly requested by the subscriber or end-user when strictly necessary', it should be noted that the 'necessary' criterion is interpreted in line with the protection objectives of European data protection law25 , given that it is used as an exception to the consent requirement to be interpreted in conformity with the AVG.

The Dispute Settlement Chamber, as a body of the GBA, is therefore competent to interpret the exceptions to the consent requirement of Article 129 WEC26.

2.2 Established infringements


The statements made by the defendant in his conclusion of reply and at the hearing confirm the finding that a number of infringements were committed.

2.2.1 Lack of transparent information on the privacy statement in the original website (Article 12 AVG) and breaches of the rules on information to be provided (Article 13 AVG)

Article 12.1 AVG states that the controller must take appropriate measures to ensure that data subjects receive the information required by, among others, Article 13 AVG in a concise, transparent, comprehensible and easily accessible form and in a clear and simple language. Article 12.2 of the AVG provides that the controller must facilitate the rights of the data subject.

Articles 13.1 and 13.2 AVG stipulate as follows:



25 On the notion of 'necessary' in a data protection context, see mutatis mutandis the EDPB Guidelines 2/2019 on the processing of personal data under Article 6.1.b AVG in the context of the provision of online services', marginal 23-25: 'Necessity of processing is a pre-requisite for both parts of Article 6(1)(b). At the outset, it is important to note that the concept of what is 'necessary for the performance of a contract' is not simply an assessment of what is permitted by or written into the terms of a contract. [...]The concept of necessity has an independent meaning in European Union law, which must reflect the objectives of data protection law. Therefore, it also involves consideration of the fundamental right to privacy and protection of personal data, as well as the requirements of data protection principles including, notably, the fairness principle. The starting point is to identify the purpose for the processing, and in the context of a contractual relationship, there may be a variety of purposes for processing. Those purposes must be clearly specified and communicated to the data subject, in line with the controller's purpose limitation and transparency obligations. https://edpb.europa.eu/sites/edpb/files/consultation/edpb_draft_guidelines-art_6-1-final_public_consultation_version_en.pdf:.
26 See also Data Protection Working Party, Advice 04/2012 on exemption from the consent requirement for cookies, WP208, its statement on cookie analysis, https://ec.europa.eu/justice/article-29/documentation/opinion- recommendation/files/2012/wp194_en.pdf.
 
1.	Where personal data relating to a data subject are collected from that person, the data controller shall provide the data subject with all of the following information at the time of obtaining the personal data:
(a) the identity and contact details of the controller and, where applicable, of the controller's representative;
(b) where appropriate, the contact details of the data protection officer;
(c) the processing purposes for which the personal data are intended and the legal basis for the processing;
(d) the legitimate interests of the controller or of a third party where the processing is based on Article 6(1)(f);
(e) where applicable, the recipients or categories of recipients of the personal data;
(f) where applicable, that the controller intends to transfer the personal data to a third country or an international organisation; whether or not an adequacy decision of the Commission exists; or, in the case of transfers referred to in Article 46, Article 47 or the second subparagraph of Article 49(1), what are the appropriate or appropriate safeguards, how a copy can be obtained or where it can be accessed.

2.	In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following additional information when the personal data are obtained in order to ensure proper and transparent processing:
(a) the period for which the personal data will be stored or, if that is not possible, the criteria for determining that period;
(b) the legitimate interests of the controller or of a third party where the processing is based on Article 6(1)(f);
(c) that the data subject has the right to obtain from the controller access to, and the right to rectify or erase, the personal data concerning him or her or to object to the processing operation and the right to obtain the transfer of data;
(d) where processing is based on point (a) of Article 6(1) or point (a) of Article 9(2), that the data subject shall have the right to withdraw consent at any time, without prejudice to the lawfulness of processing based on consent prior to withdrawal;
(e) that the data subject has the right to lodge a complaint with a supervisory authority;
(f) whether the communication of personal data is a legal or contractual obligation or a necessary precondition for the conclusion of a contract, and whether the data subject is obliged to provide the personal data and what the possible consequences are if those data are not provided;
 
(g) the existence of automated decision making, including the profiling referred to in Article 22(1) and (4), and, at least in those cases, useful information on the underlying logic and the importance and likely impact of the processing for the data subject.

In the Planet judgment49 , the Court of Justice ruled that, in order to ensure proper and transparent information (Article 5.3 ePrivacy Directive on the placing of cookies in conjunction with the information obligations laid down in Article 13.2(a) and (e) of the AVG),27 the controller must provide information on how long the cookies remain active and whether or not third parties may have access to the cookies.

Pursuant to Articles 5.2 and 24 of the AVG, the data controller must take appropriate technical and organisational measures to ensure and be able to demonstrate that the processing of personal data using cookies is carried out in accordance with Articles 12 and 13 of the AVG. The Respondent acknowledges in its conclusion that certain mandatory statements in the original privacy statement of the website were missing, such as the processing purposes for which the personal data is intended, the legal basis for the processing, the retention period for the processed data, the rights that data subjects can invoke or the possibility to lodge a complaint with the Data Protection Authority.

The Chamber of Disputes finds that certain original information deficiencies have been resolved in later versions of the website, as specified below:

- the information relating to the processing purposes and retention period of the cookies is available by cookie in the third version of the cookie statement, as opposed to the findings relating to the version examined of 29 April 2019.28
- regarding third party access to cookies: information in this regard is already provided in the July 2019 version of the website (fourth version) and always in the October 2019 version (fifth version): the name of the third party placing the cookie is mentioned, as well as the name of the third party using the cookie, in cases where this party is different from the party placing the cookie on the website.29






27 As interpreted by the Court of Justice in the Planet judgment49 , Article 5(3) of Directive 2002/58 as amended by Directive 2009/136 (the so-called "cookie provision" from the ePrivacy Ricthtlijn) "must be interpreted as meaning that the service provider must inform the user of a website, among other things, how long the cookies remain active and whether or not third parties can have access to the cookies", ro 81.
28 Inspection report, p. 6.
29 Conclusion of the defendant and additional inspection report, p. 15 et seq.
 
Nevertheless, the Chamber of Disputes rules that the defendant took a careless attitude with regard to several aspects of its transparency obligations pursuant to art. 12 and 13 of the AVG.

First of all, the text of the privacy statement dated 12 March 2019 examined by the Inspectorate was not in accordance with reality; analysis cookies were, according to the defendant's claims in his conclusion, only used after the consent of the persons concerned, contrary to the information provided on the website in the aforementioned privacy statements.30 However, the controller must guarantee the truthfulness and transparency of the information he makes available on his website pursuant to Sections 12 and 13 of the AVG.

Secondly, the original website did not provide any means (e.g. a link) to make the privacy statement easily available to the persons concerned. The defendant has now provided a cookie management pop-up under each page, giving the internet visitor the opportunity to access the cookie statement.31

Thirdly, the provision of information in languages that do not correspond to the language of the target group. The privacy policy and cookie management of the website (version 12 March 2019) were only available in Dutch, while the website is also aimed at French-speakers.32 This does not alter the fact that the defendant adjusted this part of the privacy related information after a second letter from the Inspectorate.33

Moreover, the additional Inspection Report dated 24 October 2019 also shows that the information relating to cookies is now only provided in English (neither in Dutch nor in French): "After clicking on the link "our cookie policy" referred to above, the person concerned will be redirected to the web page https://Y/cookies/. There, cookies are explained in English only, there is the link "Change your consent" and several cookies are listed in a table under the column names "Name", "Provider", "Purpose", "Expiry", and "Type"; these column names are only visible on one of the screenshots below".

Fourth, previous versions of the website referred to "US Privacy Law" and the "California Privacy Protection Act". The defendant states that this was due to an IT bug, i.e. the deployment of


30 Form of order sought by the defendant, p. 7.
31 PV of the hearing.
32 The Inspectorate stated that information in the first version of the website dated 12 March 2019 "is only available in Dutch, while the mention "Français" on the top left shows that it (and by extension the website https://Y) also addresses French speakers" (Inspection report, p. 4).
33 On 29 May 2019, the Inspectorate notes that the information mentioned is available in Dutch and in French.
 
of an incorrect "plug-in" when restoring a backup of the website34. In this context, the Litigation Chamber points out that the defendant, in his capacity as data controller, has a duty to ensure the accuracy of the legal information relating to the rights of data subjects, including the legal framework within which they can invoke these rights.

Fifthly, there is a lack of clarity regarding the cookies used. The list of cookies submitted by the defendant does not coincide with the Inspectorate's findings, in particular regarding the presence of "Google Adsense", "Google Tag Manager" and "Google Analytics".35 This is due to the fact that these findings were made using different applications and that, according to the defendant's statements during the hearing, the "Cookiebot" application failed to correctly reflect the cookies placed. The defendant therefore proceeded to use a new technology to remedy this.

Sixth, not all inaccuracies have been remedied. In the Supplementary Inspection Report, the Inspectorate found, for example, that the version of the website (October 2019) did not provide sufficient information regarding the right of the person concerned to withdraw his consent. Indeed, the Inspectorate noted that the person concerned is invited to submit a written proof or electronic request with proof of his identity 'to us', without clearly stating the electronic or other contact details to be used for this purpose.36.

In addition, the website contained the erroneous statement that certain data processing operations were 'anonymous' even though there was the assignment of a 'randomly chosen identification number' to each visitor, which is a form of pseudonymisation within the meaning of art. 4.1.5 AVG37. However, anonymisation can only occur if it is no longer possible to attribute the data concerned directly or indirectly - if necessary on the basis of other information - to an individual38. Following the hearing, the defendant adapted its website on this point.

In doing so, the Disputes Chamber found that the defendant had acted negligently on a number of points. However, it does point out that the defendant has made an effort to improve the information provided by the court.



34 Form of order sought by the defendant, p. 2.
35 After investigation by the Inspectorate dated March 2019 (See conclusion 9 of the defendant). See also Document 2 of the Inspectorate's report.
36 Additional Inspection Report, p. 10.
37 According to Article 4.1.5 AVG, 'Pseudonymisation' is defined as 'the processing of personal data in such a way that personal data can no longer be linked to a specific data subject without the use of additional data, provided that these additional data are kept separately and technical and organisational measures are taken to ensure that personal data are not linked to an identified or identifiable natural person'.
38 Data Protection Working Party, Opinion 05/2014 on anonymisation techniques, WP216, https://ec.europa.eu/justice/article- 29/documentation/opinion-recommendation/files/2014/wp216_en.pdf.
 
of Articles 12 and 13 of the AVG, after receipt of the comments of the Inspectorate and/or the Dispute Chamber.

The defendant wrongly assumes that the target group of the website, i.e. "lawyers, tax specialists, notaries, bailiffs, paralegals, magistrates or law students", can release him from the transparency obligations of art. 12 and 13 AVG. Indeed, in that context, the defendant states that visitors to the website would understand a very "concise" privacy statement, in the context in which the target group of the website consists of "lawyers, tax lawyers, notaries, bailiffs, paralegals, magistrates or law students".39

The Chamber of Disputes cannot accept this defence. However, pursuant to Article 12 of the AVG, the privacy information must be 'understandable', which means that the message must be adapted to the target group in terms of language level ('clear and simple language')40 . However, the fact that Article 12 AVG requires the privacy information to be 'concise' does not mean that the mentioning of mandatory information under Article 13 AVG, such as the clear designation of the data controller, even if the target group concerned is at university level, should be prejudiced. For example, in order to comply with the requirement to provide prior information on the identity and contact details of the controller pursuant to Article 13(1)(a) AVG, it is not sufficient to mention that the website is an 'initiative of X'. As further explained by the Working Party, this information should 'ensure easy identification of the [controller]'41 (telephone number, email, postal address, etc.).

The Litigation Chamber deduces from the infringement findings listed above that the defendant did not originally comply with its transparency obligations under Article 12 TPG and its information obligation under Article 13 TPG and that this non-compliance is due to reprehensible negligence in breach of accountability. In this respect, the Disputes Chamber emphasises that it is the responsibility of the data controller to ensure that the information provided on the website is in line with reality, in accordance with Articles 12 and 13 of the AVG. The Disputes Chamber explicitly refers here to the accountability laid down in Articles 5.2 and 24 of the AVG.

39 Conclusion of the defendant, p. 5.
40 Data Protection Working Party, Guidelines on consent according to Regulation 2016/679, WP259, p. 4; Guidelines on transparency according to Regulation (EU) 2016/679, WP260, p. 7: 'The requirement that information should be 'comprehensible' means that it should be comprehensible to an average member of the target public. Understandability is closely linked to the requirement to use clear and simple language. A data controller observing the principle of accountability will have knowledge of the persons from whom information is collected and can use this knowledge to determine what the target audience is likely to understand. For example, a data controller who collects personal data from working professionals may assume that his or her target group has a higher level of understanding than the target group of a data controller who collects personal data from children. […]”.
41 Data Protection Working Party, WP260, Guidelines on transparency under Regulation (EU) 2016/679, p. 41.
 


2.2.2 Obligations relating to consent ('opt-in') (Articles 5, 6(1)(a) and 4(11) in conjunction with Article 7 of the Data Protection Working Party, read in conjunction with Article 129 of the WEC) and obligations relating to the withdrawal of consent (Articles 5, 6(1)(a) and 4(11) in conjunction with Articles 7(3) and 13(2)(c) of the Data Protection Working Party, read in conjunction with Article 129 of the WEC).


(a) Repetition of the applicable AVG Rules a.1 The Law of Consent

Art. 5.3 of the ePrivacy Directive, as transposed by Art. 129 WEC, stipulates the condition that the user has "given his consent" for placing and consulting cookies on his terminal equipment, with the exception of the technical storage of information or the provision of a service explicitly requested by the subscriber or end user when the placing of a cookie is strictly necessary for this purpose.

Recital 17 of this Directive clarifies that, for its application, the notion of "consent" must have the same meaning as "the data subject's consent" as defined and specified in the Data Protection Directive 95/4642, now replaced by the AVG.

The European Court of Justice clarified in the Planet judgment49 the consent requirement for the placing of cookies as a consequence of the entry into force of the AVG, interpreted as follows, to the effect that explicit active consent is now required:

"Regulation 2016/679 now explicitly prescribes active consent. In this context, it should be noted that, according to recital 32 of this regulation, consent can be expressed in particular by clicking on a box when visiting a website. On the other hand, this recital expressly excludes "silence, use of already ticked boxes or inactivity" as consent. It follows that the consent provided for in Articles 2(f) and 5(3) of Directive 2002/58, read in conjunction with Articles 4(11) and 6(1)(a) of Regulation 2016/679, is not validly granted where the storage of information or the gaining of access to information already stored in the terminal equipment of the user of a website is permitted by means of a standard ticked box which the user must uncheck if he refuses to grant his consent'. (The Chamber of Disputes underlines)43.

42 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
43 Judgment Planet49, ro. 61 and 62.
 

In addition, the consent must be "specific". The Dispute Chamber refers to the Guidelines on consent under Regulation 2016/67944 endorsed by the EDPB:

"Article 6(1)(a) confirms that the consent of the data subject must be given in relation to "one or more specific" purposes, and that a data subject has a choice in relation to each of these purposes "45. This means 'that a controller wishing to obtain consent for a number of different purposes must offer a separate opt-in for each purpose in order to allow users to give specific consent for specific purposes' 46.

In particular, the website user should be provided with information on, among other things, how to express their consent to cookies and how to accept all, certain or no cookies.47 In this respect, the Dispute Resolution Chamber refers to the Guidelines of the Data Protection Working Party on how to obtain consent. According to the Data Protection Working Party, consent must be obtained by cookie or by category of cookie48.

a.2 The right of withdrawal of consent

Art. 7.3 AVG imposes strict conditions on the withdrawal of a valid consent (Art. 7.3 AVG):
(a) the person concerned has the right to revoke his consent at any time, (b) he must be informed of this in advance, and (c) revocation of the consent must be as simple as giving it. Pursuant to Article 129 WEC, last paragraph, the data controller is obliged to give the end-users of the equipment concerned "free of charge" the possibility to "easily withdraw the consent given" .

This right to withdraw consent must therefore be subject to prior notification (Art. 7.3.b), and must also be read in conjunction with the requirement for proper and transparent processing within the meaning of Arts. 5 and 13.2.c AVG. Existing or inadequate information on the right to withdraw consent would result in de facto consent being given for an indefinite period of time and the data subject being deprived of his or her right to withdraw his or her consent.


44 Data Protection Working Party, Guidance on consent under Regulation 2016/679, WP259, p. 4.
45 Ibid., p. 14.
46 Ibid., p. 14.
47 Data Protection Working Party, Working Document 02/2013, providing guidance on obtaining consent for cookies', p. 3, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf.
48 Ibid.
 

These rules apply to both so-called "first party" and "third party" cookies, as set out below.

(b) Findings

As further explained below, on the basis of the first inspection report, the Disputes Chamber states that
of 29 May 2019 that

- no consent process was foreseen on the website prior to the placement of "first party" analysis cookies on the terminal equipment of the website users, according to the privacy statements dated 12 March 2019 and 29 April 2019, and that the defendant erroneously invoked the legal basis of "legitimate interest" in that respect (breach of article 5,
6.1.a and 4.11 in conjunction with Art. 7 AVG);

- the website used pre-ticked boxes to obtain permission for cookies;

- the two first investigated versions of the website dated 12 March 2019 and 29 April 2019 did not mention how the person concerned can withdraw a given permission for the use of cookies by the processing manager or by third parties (infringement of article 7.3 AVG).


(c) Defence with regard to the consent process

In its first inspection report, the Inspectorate found that no consent had been sought on the website prior to the placement of analysis cookies (without distinction between "first party" and "second party" analysis cookies) on the terminal equipment, and that the defendant referred to "our legitimate interest" as the legal basis for cookies used "with the aim of simplifying your use of the website and collecting statistical data relating to the use of the website".49 In its letter to the Inspectorate dated 29 May 2019, the defendant stated that, following the findings of 12 March 2019, the website had been adapted with regard to consent to the use of cookies and the withdrawal of consent.

In its conclusion of 29 July 2019, the defendant stated that the website (version of May 2019) did indeed require consent prior to the placement of analysis cookies, and this in


49 Inspection report, p. 9.
 
Contrary to the privacy information scattered at the time. The defendant also does not dispute that consent was not sought on the first two versions of the website.

This is confirmed in the summary table submitted by the defendant at the hearing. The Dispute Chamber finds that the consent for the use of cookies that are not strictly necessary was not requested in March and April 2019.

As regards the website version of May 2019, the defendant stated in its conclusion that the consent was indeed requested, contrary to the statements in the website's privacy statement:

"Despite the mention of the processing of cookies to facilitate the use of the website and the collection of statistical data, these data were only collected after the consent of the data subject. [...] It is clear from document 10 that analysis cookies are not loaded without the consent of the data subject (see the cookie window in the background)'.

However, the Chamber of Disputes cannot deduce from the documents submitted by the defendant whether the consent of the persons concerned was indeed and in concreto requested prior to the placement of 'first party' analysis cookies in the version of the website dated 29 May 2019. The documents submitted do not contain a date that would show that the consent was indeed requested during the period in question. More fundamentally, there is no description of the consent process claimed by the defendant.

The Disputes Chamber therefore ruled that the defendant was unable to refute the following findings of the Inspectorate:
- "the consent for the use of cookies by the controller or Google is not requested from the data subjects" (findings of 12 March 2019 and 29 April 2019);
- the website's privacy policy refers to "our legitimate interest" as the "legal basis for cookies used to facilitate your use of the website and to collect statistical data relating to the use of the website" (adoption of 29 May 2019) .50


(d) As regards "first party" analysis cookies:


The defendant states that the cookies used to analyse the use of the website and to compile statistics are "essential" cookies "for the platform and for attracting (in the

50 Inspection report, p. 11.
 
(particularly permanent) authors'. The Chamber of Disputes understands that by this the defendant means that these cookies would be "essential" for the provision of the service provided by the website, on the understanding that no consent is required for the placement of such "strictly necessary" cookies pursuant to article 129, 2° of the WEC51.

In its conclusion, the defendant states that the "statistical and analytical cookies" are indispensable in order to provide the authors of the website with "essential insights regarding the articles written by them", since "the authors are and remain prepared to provide articles to [the website] only if it appears that they reach a large number of readers".

(d.1) Definitions of "first party" versus "third party" cookies

Whether or not a cookie belongs to the "first party" or the "third party" depends on the website or the domain that places and processes the cookie. First party cookies are placed directly by the website visited by the Internet user. […]. "Third party" cookies are set by a domain different from the domain visited by the Internet user. This typically occurs when the website incorporates elements from other websites such as images, social media "plugins" or advertisements. When these elements are retrieved by the browser or other software from other websites, they may also place cookies. 52

"Third party" cookies make it possible "for personal data to be sent to third parties either directly (e.g. by an active component linked to a banner or a spy pixel) or indirectly by placing cookies that are accessible to websites other than those of the advertiser "53. These data transfers are made implicitly while the page is being uploaded "and thus without the Internet user's knowledge" 54.

54. "First party" cookies do not presuppose any transfer of personal data to third parties, but may make use of a third party processor, for example for the compilation of statistics. Provided that the third party processor does not use this data for its own purposes, such cookies are in principle less privacy-intrusive. However, they do not prevent the processing of

51 In so far as relevant, Section 129 of the WEC reads as follows: "The storage of information or the gaining of access to information already stored in the terminal equipment of a subscriber or user shall be allowed only on condition that : [...] 2° the subscriber or end-user has given his consent after having been informed in accordance with the provisions in 1°. The first paragraph does not apply to the technical storage of information or access to information stored in the terminal equipment of a subscriber or end-user for the sole purpose of carrying out the transmission of a communication over an electronic communications network or of providing a service explicitly requested by the subscriber or end-user when this is strictly necessary for this purpose". [Underlining by Dispute Room]
 
52 Based on ICO, Guidance on the use of cookies and similar technologies, entitled "What are 'first party' and 'third party' cookies", https://ico.org.uk/for-organisations/guide-to-pecr/guidance-on-the-use-of-cookies-and-similar- technologies/what-are-cookies-and-similar technologies/#cookies.
53 CBPL, Recommendation on the use of cookies No 01/2015 of 4 February 2015, p. 21, https://www.gegevensbeschermingsautoriteit.be/sites/privacycommission/files/documents/aanbeveling_01_2015.pdf.
54 Ibid.
 
(whether or not pseudonymised) personal data, and that this processing is subject to the AVG rules on consent (and to Article 129 WEC).

(d.2) Analysis of cookies


Analysis cookies "collect information on the technical data of the exchange or on the use of the website (pages visited, average duration of the visit, ...) in order to improve its functioning [i.e. to learn how to use the website]. The data thus collected by the website are in principle aggregated and processed anonymously but may also be processed for other purposes". 55 The fact that the data is often processed anonymously by means of analysis cookies does not mean that the processing process is completely anonymous from the outset.

(d.3). "First party" analysis cookies

The defendant refers to the opinion of the Data Protection Working Party on the exemptions from the consent requirement for cookies (WP 194) in support of its view that applicable law does not require consent for such cookies. The Data Protection Working Party stated that "first party" analysis cookies, under certain conditions, do not pose a privacy risk: "However, according to the Working Party, first party analysis cookies are not likely to pose a privacy risk if they are strictly limited to aggregated statistics for the benefit of the website operator and are used by websites that already provide clear information about these cookies and provide appropriate privacy safeguards in their privacy policies "56.

56. The Dispute Settlement Chamber does not dispute this finding of the Data Protection Group, but finds that it does not affect the requirement for consent. Under the current state of the law, there is no exception for consent for "first party analytical cookies", so prior consent for the setting of such cookies is required. In this respect, the Chamber of Disputes refers to an opinion of the predecessor of the GBA (Commission for the Protection of Privacy) which stated that it is 'up to the legislator to clarify the issue of the nonexemption of users' consent in relation to cookies for origin analysis' 57.


55 Ibid., p. 23. See also: Data Protection Working Party, Opinion 4/2012 on exemption from the consent requirement for cookies, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2012/wp194_nl.pdf, p. 10.
56 Data Protection Working Party, Opinion 04/2012 on waiving the obligation to give consent for cookies, WP208, p. 10.
57 CBPL, Own-initiative recommendation on the use of cookies no. 01/2015, Ibid, marginal no. 311, p. 64.
 
In this context, the Dispute Settlement Chamber cannot prejudge the outcome of the debates on a possible future amendment and possible relaxation at European level of the rules contained in the ePrivacy Directive 2002/58/EC58 and notes that consent is still required for the placing of analysis cookies, so that the lack of consent constitutes a breach of Articles 6 and 7 in conjunction with Article 4.11 AVG, read together with Article 129 WEC.

The Litigation Chamber is of the opinion that "first party" statistical cookies do not fall under the exception "strictly necessary cookies" in Article 5.3 paragraph 2 of the ePrivacy Directive, which exception, as set out above, could be based on the AVG legal basis "legitimate interest" to the extent that the ePrivacy Directive specifies and complements the AVG on that point59.

De Geschillenkamer finds that statistical cookies cannot be considered as cookies that are strictly necessary to provide a service requested by a subscriber within the meaning of Article 129(2) WEC. The notion of 'necessary' must be interpreted in accordance with the protection objectives of European data protection law60 , in the sense that this exception may only be invoked in the interest of the data subjects (website visitors) and not in the exclusive interest of the providers of the information service. Even if website operators consider that these cookies are indispensable for the provision of their service, they are not necessarily indispensable for the provision of the information service requested by the website visitor.61

The Dispute Settlement Chamber does not exclude the possibility that under certain conditions certain statistical cookies would indeed be strictly necessary for the provision of an information service requested by the party concerned, for example to detect navigation problems. However, this is not the case in this case.



58 Proposal for a Regulation of the European Parliament and of the Council with regard to respect for privacy and protection of personal data in electronic communications and repealing Directive 2002/58/EC (Directive on privacy and electronic communications), COM/2017/010 final.
59 See explanation under Title 2.1 "Jurisdiction of the Litigation Chamber". The Disputes Chamber can no longer agree with the (contradictory) assertion of the CBPL in the now obsolete Recommendation No 1/2015 that 'in accordance with the various points of view, it can be stated that this processing [first batch of statistical (analysis) cookies] meets a legitimate interest of the data controller provided that the cookies are specific to the website visited and that the statistics are strictly anonymous' (p. 63, marginal 308).
60 On the notion of 'necessary' in a data protection context, EDPB Guidelines 2/2019, cited in footnote 25.
61 See in the same sense, Data Protection Working Party, Opinion 04/2012 on waiver of consent for
cookies, WP208: "Although these tools are often considered "strictly necessary" for website operators, they are not strictly necessary to provide a function explicitly requested by the user or subscriber. Indeed, the user can access all the functions offered by the website, even if such cookies are disabled. These cookies are therefore not covered by an exemption under [Article 5.3(3)]", p.11. See also ICO, "How do the exemptions apply to different types of cookies": "You are likely to view analytics as 'strictly necessary' because of the information they provide about how visitors engage with your service. However, you cannot use the strictly necessary exemption for these. Consent is required because analytics cookies are not strictly necessary to provide the service that the user requests. For example, the user can access your online service whether analytics cookies are enabled or not", https://ico.org.uk/for-organisations/guide-to- pecr/guidance-on-the-use-of-cookies-and-similar technologies/how-do-we-comply-with-the-cookie-rules/COlytics,
 
With regard to all cookies that are not strictly necessary for the provision of the information society service in question, the Disputes Settlement Chamber is of the opinion that consent within the meaning of articles 7 and 6.11 AVG is indeed required prior to the placement of the cookie on the terminal equipment of the person concerned.

(d.4) Decision regarding the "first party" analysis of cookies on the website

Even if the Chamber of Disputes is prepared to take into account the potentially low impact of the "first party" analytical cookies of the website in terms of possible sanctions62 , subject to an examination of the purpose of the processing by possible processors who would process the data on behalf of the data controller, the Chamber of Disputes cannot accept the arguments of the defendant regarding the "essential" nature of the "first party" cookies in question. Indeed, it appears from the defendant's conclusion that the cookies in question would not be 'strictly necessary' to provide the information service to the data subjects, but would be used to provide aggregated information to third parties. The Disputes Chamber therefore finds that the AVG has been infringed.

Needless to say, the Geschillenkamer reminds the defendant that the exception of consent under Article 129 WEC only applies to the provision of services to the subscribers or end-users of an information service - such as the service provided by the website to its Internet visitors - and that this exemption only applies to the subscribers or end-users on whose terminal equipment the cookie is placed. This exemption therefore does not apply to the placing of cookies which - according to the statements of the defendant itself - are intended to provide analytical services to the authors/contributors of the website, since those authors are not subscribers or end users of the information service in question, which according to the description of the website itself relates to the provision of legal information.63

The Inspectorate has established that the website used cookies from "Google Analytics" on 12 March 2019 and 29 April 2019, without requesting permission to do so. Needless to say, the Disputes Chamber points out that in the most recent cookie statement available (version of the website as submitted after the hearing), this cookie is described by the defendant as a "first party" cookie.

Since the Inspectorate has not investigated the nature of the cookies involved as well as the underlying data flows on the website, the Disputes Chamber will refrain from


62 See ICO: "Although the ICO cannot rule out the possibility of formal action in any area, this may not always be the case where the setting of a first-party analytics cookie results in a low level of intrusiveness and low risk of harm to individuals", Ibid.
63 Defendant's conclusion, p. 6.
 
any qualification of these "Google Analytics" cookies as "first party" (with or without analysis by a third party processor) or "third party" in concrete terms. Indeed, this would require an accurate analysis of the website concerned and the underlying IT and legal environment. The Dispute Resolution Chamber can only conclude that the versions of the website concerned dated 12 March 2019 and 29 April 2019 did not provide for a consent process for the use of non-essential cookies by the controller. In the third version of the website (29 May 2019), according to the Inspection Report and the statements made by the defendant during the hearing, a consent process is provided for the use of cookies that are not strictly necessary64 .

The Inspectorate found that the website used analysis cookies such as "Google Analytics" on 13 March 2019 and on 29 April 2019, without requesting consent. The list of cookies submitted by the defendant does not include a cookie from "Google Analytics". However, in its conclusion regarding these two versions of the website, the defendant stated that 'the cookies used at that time were identical to the cookies currently used on the website'. 65

The data controller explained at the hearing that the problems in updating the list of cookies present were due to the "Cookiebot" technology, and that he has since changed technology to remedy this.

The Dispute Chamber takes note of the modified cookie statement filed by the Respondent after the hearing. In this statement, the defendant states that a prior consent process is provided for "first party" analysis cookies, which the defendant has limited to two types of cookies: the cookies of "Google Analytics" and "Pikwik". However, the Chamber of Disputes has not been able to examine this consent process in concrete terms and it is therefore not taken into account in this decision.

(e) As regards "third party" cookies


The defendant filed a list of cookies that were used in the July version of the website, including cookies placed by the domain of third parties such as "doubleclick.net" or "youtube.com" (both related to Google).

Given the lack of accuracy of the lists updated by the "Cookiebot" technology, according to subsequent statements by the defendant, the Litigation Chamber cannot make a final determination.

64 Inspection report, p. 10.
65 In its conclusion (p. 7 and 8), the defendant refers to the version of the website that predates the modification that required permission for cookies.
 
Neither as regards the third party cookies that were present on the first two versions of the website nor as regards the absence of consent to the placing of 'third party' cookies on these versions of the website.

(f) Decision regarding the consent requirement ("opt-in") on cookies


The Disputes Chamber must therefore establish that in the versions of the website dd. 12 March 2019 and 29 April 2019 examined, the defendant did not request consent where consent was required for the collection and processing of personal data using 'first party' cookies.

In addition, the Inspectorate established on the website dated 29 May 2019 that there were already ticked boxes in the preferences regarding cookies, which according to recital 32 AVG does not count as consent. In this context, reference is also made to the Planet 49 judgment, in which the European Court of Justice states 'that, according to recital 32 of this Regulation, consent can be expressed in particular by clicking on a box when visiting a website'. On the other hand, this recital expressly excludes 'silence, use of already ticked boxes or inactivity' from constituting consent'. 66

In his conclusion, the defendant explains that he deliberately chose to move from an "opt-in" system to an "opt-out" system with pre-checked boxes (with all boxes pre-checked in order to accept the use of cookies).

This constitutes an infringement of Articles 6 and 7 in conjunction with 4.11 of the AVG.


(g) Defence with regard to the right to revoke consent


The Dispute Chamber does not discuss the finding from the first inspection report that the third version of the website examined contains an "OK" button to accept cookies, but not a button to refuse cookies. In its conclusion, the defendant rightly observes that such an "opt-out" button is not required in itself and that the GBA website - which in principle serves as an example - is
- Moreover, it does not contain an explicit "opt-out" function in addition to the "opt-in" function.

In its conclusion, the defendant submits a document, which should show that the visitor of the website "can easily (implicitly) refuse the use of (non-essential) cookies". It concerns a cookie banner on which the following can be read: "Some cookies are necessary for the proper functioning of the website and cannot be refused if you do not use them.


66 Judgment Planet49, ro. 62. See also ro. 63-64.
 
website to visit. We use other cookies for analysis purposes. You can refuse them if you wish. More info. However, the defendant does not show how easy it is then to refuse permission for the cookies after clicking on "more info".

In the latest version of the website examined by the Inspectorate, it appears that the information for the person concerned about the right to revoke his consent is not sufficient to allow effective exercise of the right. After all, on 17 October 2019 the Inspectorate established that the person concerned who wishes to revoke his consent must submit a written or electronic request with proof of his identity 'to us', without any reference or mention of the contact details that the person concerned must provide for this purpose.

The Chamber of Disputes reminds the defendant that, pursuant to Article 7.3, the data subject has the right to withdraw his consent at any time, and the withdrawal of consent must be as simple as giving it. The person concerned must be informed of this right under the same AVG clause before giving his consent (art. 7.3 AVG).

In his supplementary memorandum, the data controller explains that the cookie declaration and privacy statement have been amended in response to the Inspectorate's supplementary report "in order to make the possibility of withdrawing consent with regard to cookies clearer".67

The Disputes Chamber ruled that in the most recently examined version of the website (dated October 2019), the defendant infringed Article 7.3 of the AVG, because withdrawing consent there is not as easy as giving it, and because the data subject is not given sufficient information about how to withdraw consent (vagueness about the contact details and means of contact to be used).

(h) Other findings of the last Inspection Report dated October 2019 as regards the
 placing 4 cookies without consent and with regard to the condition of a "specific" consent

In the additional Inspection Report, the Inspectorate states that the website places 4 cookies before the user is notified and has expressed its opinion as to whether or not to accept the cookies.68 This concerns 3 cookies placed by the website itself and 1 cookie placed from the Cloudflare.com domain. The Inspectorate does not explain to what extent this would constitute an infringement of the AVG, among other things because it is not demonstrated that such cookies do require prior consent and not under one of the exceptions in article 5.3.

67 Additional note from the controller, p. 5 and 6.
68 Additional Inspection Report, p. 9.
 
of the ePrivacy Directive (and art. 129 WEC) (e.g. technical storage or cookies that would be essential for the service requested by the subscriber). The Litigation Chamber therefore does not take these findings into account.

The additional Inspection Report describes the concrete consent process on the website dated 17 October 201969, and states that the user cannot express an opinion on an individual choice, "cookie by cookie". The Inspectorate is of the opinion that the way in which consent is obtained, with the choice either to accept all cookies or to accept only the necessary cookies, does not comply with the requirement of consent as imposed by article 4, point 11 [in conjunction with article 7] of the AVG "since it is not specific" (Ibid., p. 8). The Dispute Resolution Chamber finds that Group 29's previous guidelines on cookies do not explicitly require such granularity in consent and that it is sufficient to offer a choice per "type or category of cookie or purposes of these cookies".70 However, these guidelines date from the period prior to the AVG.

In its Guidance on consent under Regulation 2016/679 of 10 April 2018, the Data Protection Working Party explained that the condition of a 'specific' consent has not been changed by the AVG:

"'The requirement that consent should be 'specific' aims at ensuring a certain degree of control and transparency for the data subject. This requirement has not been changed by the AVG and remains closely linked to the requirement of 'informed' consent. At the same time, it should be interpreted in line with the requirement of "granularity" in order to obtain "free" consent. In short, in order to comply with the element of 'specific', the data controller must apply the following:
(i) Specification of purposes as protection against 'function creep',
(ii) Granularity in consent requests; and
(iii) A clear separation of information relating to obtaining consent for processing operations from information on other matters'. 71

Taking into account the interpretation and information available so far regarding the requirement of a "specific" consent under Article 4(11) [in conjunction with Article 7] of the General Assembly, the



69 Additional Inspection Report, p. 8.
70 Guidelines on how to obtain consent on cookies, https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2013/wp208_en.pdf, p. 3.
71 Data Protection Working Party, Guidance on consent under Regulation 2016/679, WP260, p. 13.
 
Dispute resolution chamber that there is no breach of the consent requirement of the AVG on this specific point.

In this case, the website used, for example, 47 cookies in July 2019.72 It cannot be the AVG's intention to require consent for each of these 47 cookies per se. However, the AVG does require a more granular choice than a simple "all" or "nothing". The Dispute Resolution Chamber is therefore of the opinion that, in the first instance, consent must not be obtained per cookie but per type of cookie, in view of the importance of weighing the requirement of specific consent against the requirement of clear information.

The website (version October 2019) offers a choice between types of cookies, with the possibility for those concerned to obtain information about the individual cookies that were grouped under each category of cookie (e.g. "marketing cookies"). No possibility is offered to accept or reject certain cookies under the same category (e.g. "marketing cookies" or "statistical cookies"), which is justified according to the Dispute Resolution Chamber.

However, the Disputes Chamber does not rule out the possibility that a choice per cookie would still be relevant, but in a second instance, in the context of a second layer of information. After the person concerned has been able to express his consent per cookie category, he should ideally in the future also be able to express his consent per cookie type, within each category, if so desired. Admittedly, the interpretation of the AVG and of the consent requirement must also take into account the evolution of society, including the expectations of ideally more and more IT-savvy and privacy-conscious average Internet users, who would like to express their preferences between different cookies depending, for example, on whether or not certain cookies are intrusive and/or depending on the reputation of the third party that would place the cookie on the website.


2.2.3 Other defences of the controller

In his account of the facts, the defendant states that certain of the Inspectorate's findings 'fall outside the original scope of the directions' (conclusion,
p. 2). The Disputes Chamber wishes to emphasise that the Inspectorate is not bound by the scope of its initial findings under the WOG and may or may not, ad nutum, make additional findings on the basis of its right of initiative.



72 Conclusion of the defendant.
 
Indeed, referrals to the Inspectorate may be made "on its own initiative when it discovers serious indications of the existence of a practice that may give rise to a breach of the fundamental principles of the protection of personal data, within the framework of this Act and of the laws containing provisions on the protection of the processing of personal data" (article 63, 6° WOG). The Chamber of Disputes may then be seized by the Inspection Service on the basis of its new findings pursuant to article 92, 3° WOG. It ensures that all grievances raised by the Inspection Service regarding indications of an infringement of the AVG are subjected to a contradictory debate with respect for the rights of the defence. For the sake of clarity, the competence of the Disputes Chamber is not limited to the facts of which it is informed by the Inspection Service in application of article 92, 3°. The Disputes Chamber is therefore free, with respect for the rights of the defence, to assess, by means of questions to the defendant, the facts submitted to its assessment against the applicable fundamental principles of the protection of personal data by virtue of article 4 § 1 of the WOG.

The defendant takes the view that equivalent practices are used on other websites that provide legal information.73 This defence is not valid. A data controller cannot invoke the principle of equality in cases where a violation of the AVG is established.

The defendant further argues that although the website is specialised in the publication of legal news, it does not itself have any special legal expertise. This legal expertise would rather lie with the authors of the publications, as a result of which the website would not have an exemplary function with respect to privacy statements, contrary to the Inspectorate's findings in that respect. The Disputes Chamber takes note of this. In a context where the essence of the activities of the website consists of disseminating legal information, the Disputes Chamber assumes that the defendant is aware of the importance of the accuracy of the legal information posted on his website, as well as of the duty to comply with legal requirements. Like any controller, the defendant is subject to Section 24 of the AVG, which includes the obligation to take appropriate technical and organizational measures to ensure and demonstrate that the processing complies with the AVG. On the other hand, the Chamber of Disputes is of the opinion that the fact that the controller provides general legal services would not justify a heavier sanction.

According to the defendant, the breach of the obligation to provide information (from Articles 12 and 13 AVG) has 'no real impact' on the rights of data subjects 'since the processing was mainly targeted


73 Form of order sought by the defendant, p. 4.
 
on obtaining statistical information' (defendant's conclusion, p. 10). This argument is not convincing. The right to data protection is a fundamental right of everyone and as such enshrined in Article 8 of the Charter of Fundamental Rights of the European Union. The data controller has no discretion as to the extent of this right in function of the alleged minor impact of the breach, where the AVG imposes a positive obligation, such as e.g. naming the data controller (Art. 13 AVG) or providing transparent information (Art. 12 AVG). The Brussels Court of Appeal clarified this principle as follows in its recent judgment dated 9 October 2019, in the context of a dispute in which the data subject had unsuccessfully requested the rectification of his personal data:

"The current (in 2019!) assertion that the modification of a computer program would require several months of work and/or entail additional financial costs for the banking institution does not allow the [...] to disregard the rights of the person concerned. The rights granted to the individual are equivalent to performance obligations on the part of the processor of the personal data. A correctly functioning banking institution can be expected - when using a computer program, to have a computer program that meets current standards, which includes the aforementioned right to correct spelling of the name. The right of rectification is a fundamental right. [...] The question whether [...] damage would be suffered as a result of the erroneous mention of his surname is irrelevant. Such a condition is imposed neither by the AVG, nor by the Privacy Framework Act, nor by the WOG, and would be contrary to Article 8(1). 3 EU Charter, which explicitly mentions the right of rectification as part of the core of everyone's fundamental right to the protection of personal data'74.

74. According to the defendant, the fact that "all personal data collected by means of cookies have been "always rendered anonymous" (defendant's conclusion, p. 10) is not a convincing defence: the AVG - including transparency and information obligations - will continue to apply as long as the data are not rendered genuinely "anonymous", i.e. if it is still possible to attribute the data concerned directly or indirectly - if necessary by other information - to an individual75 . As long as the data are not made anonymous, there is still a risk of physical, material or immaterial harm to natural persons, such as loss of control over their personal data, restriction of their rights, loss of confidentiality of data transmitted by




74 Brussels Court of Appeal, 9 October 2019, 2019/AR/1006, p. 15 and 16, available on the GBA website.
75 Data Protection Working Party, WP216, Opinion 05/2014 on anonymisation techniques, WP216.
 
personal data protected by professional secrecy or any other significant economic or social harm to the person in question76.

The Internet user should therefore be able to make a sovereign decision on the basis of transparent information as to whether or not to continue browsing the website in question, let alone to give his consent to certain processing operations where such consent is required. Anonymisation is also a further processing of personal data77 and, as such, the original processing must comply with all AVG requirements, including the existence of a legal basis.

Moreover, the Respondent does not submit any evidence of its claim that the data in question were ultimately "anonymized" (and not merely pseudonymized), so that the Litigation Chamber cannot take this into account either.

2.2.4 Decision as regards penalties


The Disputes Chamber is of the opinion that the infringement of Articles 6, 7 in conjunction with 4.11°, 12 and 13 AVG has been proven, and will proceed to impose sanctions.

Pursuant to Section 100 of the WOG, the Disputes Chamber is authorised to impose administrative fines (Sections 100.13°, 101 and 102 of the WOG) and to publish the decision on the website of the Data Protection Authority (Section 100.16° of the WOG).

As regards "first party" analytical cookies, the Chamber of Disputes takes into account the fact that the defendant no longer holds that the use of "first party" analytical cookies can take place on the basis of the legal basis "legitimate interest".

In its capacity as data controller, the defendant bears the responsibility to be able to guarantee and demonstrate that "first party" analytical cookies are indeed covered by the exception "strictly necessary" cookies of Article 128 WEC on the understanding that the concept of "necessary" must be interpreted in accordance with the GTC, i.e. for the benefit of the data subjects whose personal data are processed and not exclusively for the benefit of the website. In accordance with Section 24.1 of the AVG, the data controller is also obliged to take all appropriate measures to ensure and be able to demonstrate that the processing is carried out in accordance with Article 24.1 of the AVG.

76 See recital 85 of the AVG: "A personal data breach may, if not addressed in an appropriate and timely manner, result in physical, material or immaterial harm to individuals, such as loss of control over their personal data or the limitation of their rights, discrimination, identity theft or fraud, financial loss, unauthorized reversal of pseudonymization, damage to reputation, loss of confidentiality of personal data protected by professional secrecy, or any other significant economic or 4.5.2016 L 119/16 Official Journal of the European Union EN 5.2016 L 119/16 Official Journal of the European Union'.
77 Data Protection Working Party, Opinion 05/2014 on anonymisation techniques, WP216, p. 3.
 
compliance with this Regulation shall be carried out taking into account the nature, extent, context and purpose of the processing, as well as the possible risks for the rights and freedoms of data subjects.

With regard to the consent process for the acceptance of cookies, the Chamber of Disputes finds that the defendant has stopped the pre-ticking of the selected cookies. However, the Disputes Chamber is of the opinion that the imposition of a fine is appropriate in view of the negligent nature of the infringement and the existence of clear guidelines in that respect in the considerations of the AVG itself (recital 32 of the AVG cited above).

In determining the level of the fine, the Chamber of Disputes must take account of the criteria laid down in Article 83 AVG according to the circumstances. In the present case, the Chamber of Disputes takes into account the following circumstances which it considers sufficient for it to take the decision
as to the sanction:

a) duration of the infringement: several infringements were only solved after a second notification from the Inspectorate, which is not acceptable in the context of article 24 AVG (see above, under the title 2.2.1);
b) number of persons affected: self-proclaimed monthly reach of 35,000 readers;
c) intentional or negligent nature of the infringement: the Disputes Chamber notes the repeated carelessness of the defendant with regard to the transparency obligations under Articles 12 and 13 AVG (see above, under the title 2.2.1); the Disputes Chamber also notes that the defendant has voluntarily switched from an "AVG-compliant" method to a conscious "non-compliant" method with regard to the pre-ticking of the proposed cookies (see above, under the title 2.2.2).(f); with regard to the legal basis of 'legitimate interest' wrongly invoked by the controller with regard to statistical cookies, the Litigation Chamber limits itself to repeating and clarifying the common principles (see above, under Title 2.2.d); with regard to the obligation to offer an easy way of withdrawing consent, the defendant remains in default after the Inspectorate has repeated the applicable rules in its first report (see above, under Title 2.2.2.g);
(d) measures taken by the controller: subsequent improvements to the privacy statement made by the defendant do not affect the original findings of breaches of Articles 12 and 13 of the AVG dated 12 March 2019 and 29 April 2019;;


In this context, the defendant's carelessness with regard to the transparency and accuracy of the privacy statement as well as the placing of cookies without consent is reprehensible, so that a fine can be imposed.
 
of 15,000 Euro is justified, for infringements of Articles 12 and 13 of the AVG, as well as Articles 6, 7 in conjunction with 4.11 of the AVG.

The Disputes Chamber is of the opinion that this amount is not disproportionate in view of the self-proclaimed turnover of EUR 1,710,319.69 for the financial year 2018.

The fact that the defendant always took the Inspectorate's comments into account does not detract from the fact that the website had to disseminate correct information from the outset.

In view of the importance of transparency in relation to the decision of the Disputes Chamber, this decision is published on the website of the Data Protection Authority. However, it is not necessary for the social name of the data controller to be published directly for this purpose.


FOR THESE REASONS,

the Data Protection Authority's Litigation Chamber, after deliberation, shall decide with respect to the defendant:
- on the basis of Article 101 of the WOG, to impose an administrative fine of EUR 15,000 for these infringements;
- pursuant to Article 100, 1, 16° of the Act of 3 December 2017, to publish this decision on the website of the Data Protection Authority, albeit without publication of the social name of the data controller.


An appeal against this decision can be lodged with the Data Protection Authority as defendant within a period of thirty days from the service of the notification at the Market Court, pursuant to art. 108, §1 of the Act of 3 December 2017.




Hielke Hijmans
President of the Chamber of Disputes