Rb. Amsterdam - C/13/747731 | |
---|---|
Court: | Rb. Amsterdam (Netherlands) |
Jurisdiction: | Netherlands |
Relevant Law: | Article 6 GDPR Article 26(3) GDPR Article 7(2) Brussels I bis Regulation Article 8(1) Brussels I bis Regulation Article 11.7a of the Dutch Telecommunications act |
Decided: | 07.06.2024 |
Published: | 12.06.2024 |
Parties: | Linkedin Microsoft Xandr |
National Case Number/Name: | C/13/747731 |
European Case Law Identifier: | ECLI:NL:RBAMS:2024:3331 |
Appeal from: | |
Appeal to: | Unknown |
Original Language(s): | Dutch |
Original Source: | Rechtbank Amsterdam (in Dutch) |
Initial Contributor: | BartM |
A court prohibited Microsoft, LinkedIn and Xandr from placing tracking cookies without user consent and imposed a penalty of €1,000 per company for every day of non compliance with the decision. The court held that these platforms remain responsible for ensuring that valid consent is collected, even when they outsource such a collection to third party websites embedding their tracking technologies.
English Summary
Facts
The data subject visited several popular websites and refused all cookies. However, tracking cookies were still placed on the data subject’s device.
The controllers are Linkedin Ireland, Linkedin Netherlands, Microsoft Corporation (US), Microsoft Ireland Operations, Microsoft (NL) and Xandr (US).
LinkedIn offers an advertising service and allows for companies to place tracking cookies on the browsers of a user after they view or click their ads.
Microsoft has an advertising service that sells ad space on various websites. The service also allows advertisers to show their ads on the ad space of 'third-party' website operators and can place tracking cookies on the devices of website visitors.
Xandr is an online platform that buys and sells digital ads. To use the services of Xandr, website users need to install a Java-script that places tracking cookies on the devices of website visitors.
All of them are part of the Microsoft Group.
The data subject hired a third party specialist to make an independent analysis of the controllers’ collection of personal data via the placed cookies. The analysis confirmed that out of the 30 websites the data subject visited, 27 websites placed and/or read cookies without the data subject’s consent. 24 websites did this even after explicit refusal to consent. Thus, the controllers were collecting personal data of the data subject’s browsing habits without their consent.
The data subject filed an urgency procedure (“kort geding”) at the Amsterdam District Court (“Rechtbank Amsterdam”), asking the court to forbid the controllers to place tracking cookies without the data subject’s consent.
Holding
Jurisdiction of the court
Brussels I bis Regulation regulates which courts of the EU Member States have jurisdiction in cases with links to more than one Member State in the EU. Article 7(2) Brussels I bis Regulation states that, in matters relating to tort, delict or quasi-delict, a person domiciled in a Member State may be sued in another Member State if the harmful event occurred or may occur in that Member State. Article 8(1) of the Regulation states that a person can also be sued in another Member State when one of the defendants is domiciled where the court is also located, "provided the claims are so closely connected that it is expedient to hear and determine them together to avoid the risk of irreconcilable judgments resulting from separate proceedings.”
Although some of the controllers are established in Ireland, the court held that it had the jurisdiction to rule on this matter: a) under Article 79(2) GDPR, as the data subject had their habitual residence the Netherlands and, b) under Article 7(2) Brussels I bis Regulation, as Amsterdam is the place where the harmful event occurred and, c) under Article 8(1) Brussels I bis Regulation, as two of the controllers are established in the Netherlands and there is a close link between the claims against the controllers.
The court rejected the controllers’ argument that the “place where the harmful event occurred” is only applicable when the data subject demands a claim for damages, because it could not be inferred from the legislative history and case-law that jurisdiction on the bases of where the harmful event occurred only applies to compensation claims.
The court held that with regards to the controllers established in the US, Brussels I bis Regulation did not apply, but Articles 1-14 of the Dutch Civil Procedure Code did. The court held it had the jurisdiction under Article 6 of the Dutch Civil Procedure Code (in case of unlawful acts, jurisdiction is based on the place of the harmful event) and Article 7 of the Dutch Civil Procedure Code (there is such a connection between the claims against the various defendants that reasons of efficiency justify a joint procedure).
Urgency
Furthermore, the court held that the data subject had an urgent interest, because if the controllers were acting unlawfully by violating the data subject’s privacy rights, the court must put an end to this as soon as possible. Therefore, the court held that the data subject cannot be asked to wait for a decision through a normal court procedure and allowed for the urgency procedure.
Joint controllership
The court rejected the controllers’ argument that they were merely processors and that the responsibility lied with the website operators. The court ruled that under Article 4(7) GDPR, LinkedIn, Microsoft and Xandr were controllers as they determined the means and purposes of data processing. This responsibility remains even if the controllers outsourced the obtaining of consent to their partners (the website operators). Under Article 26 GDPR, multiple parties can be jointly responsible for the processing of personal data. Therefore, the court held that LinkedIn, Microsoft and Xandr were considered joint controllers, and thus responsible for complying with the GDPR.
Personal data and consent
The court rejected the controllers’ argument that they do not process personal data with their tracking cookies under Article 4(2) GDPR. The court stated that the controllers acknowledged that most of the cookies were set for the purpose of capturing personal data, which can be used to build profiles that can be read for advertising purposes. Moreover, the court held that already placing a cookie that automatically collects personal data constitutes a processing of personal data, and not only when personal data collected by the tracking cookie is actually read for the purpose of advertising. The court dismissed the argument of the controllers that some of these cookies were not tracking cookies and thus not processing personal data.
The court held that under Article 6 GDPR and Article 11.7a of the Dutch Telecommunications act, the placing and reading of tracking cookies requires consent of the data subject. Controllers must demonstrate that they have consent under Article 5(2) GDPR. The court took into account the independent analysis that showed that websites placed cookies without the consent of the data subject, even after rejecting consent. The court also found that the controllers failed to prove that their tracking cookies were only placed on the data subject’s devices after his consent. The fact that the findings in the analysis are not representative because hundreds of other websites that have the controllers’ tracking cookies do comply with the GDPR by not placing cookies without consent was deemed irrelevant.
Responsibility of the controllers
The court stated that controllers were allowed to contractually outsource the obtaining of consent to their partners (the websites placing these tracking cookies), meaning that these websites provide information about and obtains consent for the placement of cookies. The controllers do not necessarily have to provide this information and obtain consent themselves as well. However, the court held that the controllers cannot put the sole responsibility on their partners for obtaining consent. The controllers remain (also) responsible themselves for ensuring consent is obtained in a legally valid and lawful manner for the placement and reading of the tracking cookies. The court thus held that controllers can be held liable for this on the basis of Article 26(3) GDPR, regardless of what the contract with its partners states.
The court stated that the controllers could have made tools available to their partners that made it impossible to place tracking cookies without consent. If that would have been the case, there would be no unlawful conduct by the controllers. However, this was not done by the controllers. Therefore, the court held that the controllers could not rely on the fact that they have done everything necessary, or at least everything that can be required of them, to prevent the placement of tracking cookies on the data subject’s devices without his consent.
Conclusion
The court concluded that the controllers violated the GDPR and the Dutch Telecommunications Act by placing and reading tracking cookies without the consent of the data subject. The court thus prohibited the controllers from placing or reading tracking cookies on the data subject's devices without his consent. The court also imposed a penalty of €500 per violation (or €1000 per day), up to a maximum of €25,000 per company until they complied. Lastly, the court ordered the controllers to pay the data subject’s legal costs.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.
verdict COURT OF AMSTERDAM Private law department, civil preliminary relief judge case number / docket number: C/13/747731 / KG ZA 24-199 VVV/MB Judgment in summary proceedings dated June 7, 2024 in the case of [plaintiff], living in [place of residence], plaintiff in (identical) short-term summons dated March 21, 2024 and writ dated April 25, 2024, lawyer M.H.L. Hemmer in Rotterdam, in return for 1. the legal entity under Irish law LINKEDIN IRELAND UNLIMITED COMPANY, with offices in Dublin, Ireland, 2. the private company with limited liability LINKEDIN NETHERLANDS B.V., Based in Amsterdam, lawyer Mr. R.J.J. Westerdijk in Amsterdam, 3. the legal entity under the law of the United States MICROSOFT CORPORATION, with offices in Redmond, Washington, United States, 4. the legal entity under Irish law MICROSOFT IRELAND OPERATIONS LTD., with offices in Dublin, Ireland, 5. the private company with limited liability MICROSOFT B.V., with offices in Schiphol, lawyer L. Poolman in Amsterdam, 6. the legal entity under the law of the United States XANDR INC., located in Redmond, Washington, United States, lawyer C. Jeloschek in Amsterdam, defendants. The procedure Before its start on April 11, 2024, the oral hearing in this case was moved to May 22, 2024. At the hearing on that day, the plaintiff, hereinafter [plaintiff], explained the claims as described in the summons. Defendants (hereinafter also: Microsoft et al.) submitted (on May 17, 2024) an incidental claim containing an exception of lack of jurisdiction or inadmissibility. [Plaintiff] has put forward a defense in the incident on the basis of a statement of defense. Both parties have submitted written documents and a pleading. Present at the hearing were, insofar as relevant: - [plaintiff] the first half hour via a video connection, Mr. Hemmer and his office colleague Mr. S. Hendriks (physically present); - for defendants 1 and 2 (jointly also LinkedIn and separately LinkedIn Ireland and LinkedIn B.V.: via a video connection: [name 1], [name 2] (both from the technical department), [name 3], [name 4] and [ name 5] (all three from the legal department), - for defendants 3, 4 and 5 (jointly also Microsoft and separately Microsoft VS, MIOL and Microsoft BV): via a video connection: [name 6] and [name 7] (both from the technical department), [name 8] and [ name 9] (both from the legal department). For defendant 6 (Xandr): via video connection: [name 10] from the technical department. The following lawyers were (physically) present for the defendants: Mr. Westerdijk and Mr. Jeloschek, Mr. Poolman and their colleague Mr. R. Berg; Also present were L. Crul and, via video connection, A. Mijné and G. Bugel, interpreters on behalf of the defendants. Judgment is set today. 2 Introduction 2.1. The plaintiff, hereinafter [plaintiff], claims in these summary proceedings that the defendants, large internet companies, be prohibited from placing so-called tracking cookies without his permission, because that would be contrary to privacy rules. Cookies are (text) files that are stored on browsers of users' equipment to collect data. Tracking cookies make it possible to create profiles of people. 3 The facts 3.1. [plaintiff] is a Dutch natural person. 3.2. LinkedIn is an online networking platform, mainly aimed at establishing and maintaining professional relationships, finding a job or an internship and the like. 3.2.1. The LinkedIn Platform is offered to European users by LinkedIn Ireland. Before a user can access the LinkedIn Platform, he must create an account. 3.2.2. LinkedIn also offers the 'LinkedIn Marketing Solutions' (LMS) service. Companies can carry out advertising campaigns via this service, among other things, by showing targeted advertisements via the internet to their target audience (website visitors and potential customers). LMS customers ('advertisers') can install the 'Insight Tag', a piece of JavaScript code (computer language) that the advertiser places on its website. This places the 'bcookie' and the 'li_sugr cookie' on the browsers of visitors to those websites. Currently, approximately 870,000 LMS customers use the 'Insight Tag'. According to LinkedIn, the 'Insight Tag' has the following capabilities: Create conversions to track when a LinkedIn member visits a page or takes an action on your website after viewing or clicking your ads (…) Create and build website audiences to retarget LinkedIn members who visit your site. 3.3. In addition to its consumer products, Microsoft offers business software to business customers in the European Union (EU) and related services, including advertising and analytics services. 3.3.1. One of Microsoft's analytical services is Clarity. This service is aimed at analyzing the behavior of website visitors. In order to use Clarity, the website operator must also integrate a piece of Java Script, which results in the 'CLID cookie' being placed on the browsers of those website visitors. MIOL is the provider of the Clarity service in the EU. Millions of website administrators currently use the Clarity service. Microsoft's Privacy Statement states, among other things: Unless otherwise stated, in situations where Microsoft is a data controller, Microsoft Corporation and, for individuals in the European Union (…) Microsoft Ireland Operations Limited, act as data controllers for personal data we collect through the products covered by this statement. 3.3.2. An advertising service from Microsoft is Microsoft Advertising. Microsoft operates several websites on which advertising space is offered for sale to advertisers who use the Microsoft Advertising service. One of those websites is www.bing.com, Microsoft's online search engine. Through Microsoft Advertising, advertisers can also show their advertisements on the advertising space of 'third-party' website operators. The website administrators can integrate the piece of Java script from Microsoft Advertising, which places the 'MUID' and the 'MSPTC' cookie on the browsers of website visitors. Tens of thousands of customers currently use the Microsoft Advertising services. 3.4. Xandr is an online platform for buying and selling digital advertising. In this context, it offers the 'Monetize' service for 'publishers' and the 'Invest' service for advertisers. 3.4.1. To use Xandr's services, the website operator must integrate the Xandr Java script, with which the 'uuid2', 'XANDR-PANID' and/or 'anj' cookies can be placed on the browsers of website visitors. 3.5. All defendants are part of the Microsoft group, Xandr since 2022. 3.6. The case documents include a report by M. Stoter of the English company Collective Shift, engaged by (the lawyer of) [plaintiff] to make an independent analysis of the personal data collected by Microsoft et al. via the websites he visits, including placing and reading cookies placed on [plaintiff's] equipment. It states that 27 of the 30 websites visited by [plaintiff] on January 22, 2024 placed and/or read cookies without permission from [plaintiff] and 24 of those sites also after his explicit refusal to grant that permission. Stoter's conclusion is that Microsoft collects individual personal data about [plaintiff]'s 'browsing habits' in this way without his consent. 3.7. Defendants subjected Stoter's report to a technical analysis, broken down into the cookies of LinkedIn (Bcookie and li_sugr), Clarity (CLID), Microsoft Advertising (MUID and/or MSPTC) and Xandr (uuid, XANDR-PANID, anj) respectively. ). This analysis concludes with regard to the websites visited (reported) by [plaintiff]: - with regard to LinkedIn: that 1 of the 11 websites has placed LinkedIn cookies without permission; - with regard to Microsoft Advertising: 7 out of 16; - with regard to Xandr: 5 out of 11; - with regard to Clarity: neither of the two reported websites; (a total of 13 out of 40) 3.8. In letters dated February 1 and 2, 2024, [plaintiff] ordered Microsoft et al. to no longer place tracking cookies on his computer or other devices, whether or not via 'third-party websites', without his permission. 3.9. In letters (e-mails) dated 27 and 29 February 2024, Microsoft et al. informed [plaintiff's] lawyer that it is not possible to identify [plaintiff] on the basis of the MUID, CLID or LinkedIn (bcookie and li_sugr) - because the cookies mentioned cannot be reliably linked to him. Microsoft further states that [plaintiff] can remove these cookies from his equipment. 3.10. Following additional reports from [plaintiff] about websites he visited on May 15, 2024, Microsoft et al. again made a technical analysis. This also shows that some of the website owners of websites visited by [plaintiff] have placed cookies without prior permission. (6 of the 12 additionally examined websites). 4 The dispute 4.1. [Plaintiff] demands a judgment to be declared provisionally enforceable: I. to separately order each of the defendants, subject to penalty payments, to immediately cease and desist from unlawful conduct by no longer using, whether or not via third-party websites, Tracking Cookies or other cookies for which permission is required to place or read on [plaintiff's] computer and/or devices before [plaintiff] has given legally valid permission for this; II. to provide an EEX certificate as referred to in Article 53 Brussels I bis-Vo to [plaintiff] with regard to LinkedIn Ireland and MIOL, III. to order Microsoft et al. to pay the (subsequent) costs of the summary proceedings, plus the statutory interest thereon; 4.2. Defendants are defending themselves. 4.3. The parties' statements, where relevant, will be discussed in more detail below in the assessment. 5 The assessment Jurisdiction 5.1. Before all defenses, defendants contested the jurisdiction of the preliminary relief judge with regard to defendants 1, 3, 4 and 6. However, the preliminary relief judge also considers itself competent with regard to those defendants. The following is being considered about this. 5.2. Contrary to what the defendants have argued, it is assumed that [plaintiff] lives in [place of residence]. He has a Dutch passport and has submitted a document whereby he will be replaced as a tenant at an address in [place of residence], as of May 1, 2024. [plaintiff] has stated that he has been living in [place of residence] for approximately three years, prior to to May 1, 2024 at a different address. For the time being, there are no reasons to doubt the correctness of that statement. [residence] is therefore regarded as his normal residence in these summary proceedings. 5.3. With regard to legal entities established in Ireland, the Dutch preliminary relief judge is competent to rule on the claims, both on the basis of Article 79(2) of the General Data Protection Regulation (GDPR) (habitual residence of the data subject), Article 7(2) of Regulation (EU) No. 1215/2012 of the European Parliament and of the Council on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters (Brussels Ia) (place of harmful event, 'Erfolgsort', in this case Amsterdam) as Article 8(1) Brussels I bis (close link between claims against defendants). Contrary to what the defendants have argued, it cannot be deduced from legislative history and case law that jurisdiction under the 'Erfolgsort' is only relevant if a claim for damages is submitted. It follows from the fact that the jurisdictional ground also applies when the harmful event “may occur” in the Heritage that this ground is not limited to claims for damages. Moreover, the interpretation of Microsoft et al. would have the absurd consequence that a claim to cease unlawful conduct, or to request a judgment as to whether this exists, could not be submitted to the same court as the claim for payment of the resulting damage. . This is, among other things, at odds with a judgment of the Court of Justice of the EU of 25 October 20121, as [plaintiff] rightly argued. 5.4. With regard to the American defendants, Brussels I-bis does not apply, but the common rules for international jurisdiction in Article 1-14 of the Code of Civil Procedure (Rv.) must be followed on the basis of Article 6(e) of the Code of Civil Procedure. (in the event of tort, jurisdiction on the basis of the location of the harmful event) and Article 7(1) DCCP. (there is such a connection between the claims against the various defendants that reasons of expediency justify joint treatment) the preliminary relief judge therefore also considers himself competent against them. 5.5. Dutch law applies to the claims on the basis of Article 10:159 of the Dutch Civil Code. Article 4(1) Regulation (EU) No. 864/2007 of the European Parliament and of the Council on the law applicable to non-contractual obligations (Rome II). Urgent interest 5.6. Contrary to what Microsoft et al. argue, [plaintiff] has an urgent interest in his claims. After all, he states that defendants are acting unlawfully towards him by violating his privacy rights. If that is the case, it must be stopped as soon as possible. In that context, [plaintiff] cannot be required to await the outcome of substantive proceedings. Microsoft et al. have themselves acknowledged that a number - although in their view only a small number - of the websites to which this litigation relates do not comply with the consent requirement for placing certain cookies. An urgent interest in the requested facilities follows from this. The fact that it is possible for [plaintiff] to pursue a broader interest than just his own – according to the defendants he is waging war against Tracking cookies and the so-called real-time bidding system as such, thus pursuing an 'activist goal' – does not change the fact that that he has an individual interest in having his privacy rights respected. He can therefore submit a dispute about this to the court for review. [Plaintiff] is therefore admissible in his claims. Tracking cookies 5.7. This case revolves around (mainly third-party) tracking cookies. The Dutch Data Protection Authority (AP) defines cookies as follows: Cookies are small files that a website owner places on a visitor's device. For example on a computer, laptop, smartphone or tablet. For example, the owner can collect or store information about the website visit or about (the device of) the visitor. There are 3 types of cookies: - functional cookies; - analytical cookies; - tracking cookies.2 The AP says about tracking cookies: If cookies can also be read when you visit another website, we call these tracking cookies. These cookies allow organizations to track people's internet behavior over time. Tracking cookies make it possible to draw up profiles of people (profiling) and treat them differently. Tracking cookies usually process personal data. Personal interests can be derived from the information about visited websites. This allows organizations to, for example, show their website visitors targeted advertisements. (…) Do you process personal data of visitors to your website with tracking cookies? Then you must comply with the rules of the General Data Protection Regulation (GDPR). Requirements under applicable regulations 5.8. The parties agree that prior consent from the data subject is required for placing and reading tracking cookies, on the basis of Article 11.7a of the Telecommunications Act and for the processing of personal data collected on the basis of the GDPR. Article 11.7a of the Telecommunications Act reads, insofar as relevant, as follows: 1. Without prejudice to the General Data Protection Regulation, storing or accessing information in a user's peripheral equipment via an electronic communications network shall only be permitted provided that the user concerned: a. is provided with clear and complete information in accordance with the General Data Protection Regulation, in any case about the purposes for which this information is used, and b. has given permission for this. Controllers within the meaning of the GDPR must have a legal basis for processing personal data using cookies. In the case of tracking cookies with which personal data are processed, this will generally be the a-ground of Article 6 GDPR: “the data subject has given permission for the processing of his personal data for one or more specific purposes”. These provisions also apply to a service provider established outside the EU, if it targets persons in the EU. Defendants' defenses 5.9. Defendants argue – regardless of the procedural defenses – that [plaintiff's] claims cannot be granted because, in short: - they do not use the cookie (data) for advertising purposes without explicit permission from the person in question; - no permission is required for functional cookies; - permission has been granted for LinkedIn cookies; - LinkedIn is not a controller with regard to the li_sugr cookie, but a processor, and this also applies to Xandr with regard to the cookies it uses; - the obligation under the Telecommunications Act lies with the website administrators and not with the defendants; - insofar as defendants themselves have obligations under the GDPR, they comply with them and they make every effort to ensure that the website operators with whom they contract also do so; For example, they provide scripts that prevent the installation and reading of tracking cookies without permission; most website owners also comply with those rules; the report of the expert engaged by [plaintiff], which allegedly shows that this is not the case, is shoddy. Are personal data processed? 5.10. With the defense that they do not use the cookie (data) for advertising purposes without explicit permission from the person in question, defendants appear to argue that they do not process personal data due to their actions with regard to the tracking cookies. That defense fails for the following reasons. 5.10.1. Defendants acknowledge that the majority of the cookies at issue here, namely the MUID, MSPTC, UUID, XANDR-PANID and anj cookies from Microsoft and Xandr, are placed to record personal data, with which profiles can be built up that can be read for advertising purposes. For the time being, partly in view of the explanation provided by [plaintiff] and the report submitted by him, it is sufficiently plausible that personal data are processed when placing such cookies, in this specific case those of [plaintiff]. Reference is made to Article 4(2) of the GDPR, in which “processing” means: an operation or set of operations performed on personal data or on sets of personal data, whether or not carried out by automated means, such as collecting, recording, organizing, structuring, storing, updating or modifying, retrieving, consulting, using, providing by means forwarding, disseminating or otherwise making available, aligning or combining, blocking, erasing or destroying data. It is not the case that 'processing' only applies when personal data is actually read for the purpose of advertisements. Recording it in a cookie is sufficient. By placing tracking cookies, which are then automatically 'filled' with personal data as soon as someone (in this case [plaintiff]) visits the website in question, with the aim of reading this data later, defendants process his personal data. It is important that the concept of 'personal data' is interpreted broadly in the applicable legislation and is not limited to name, address and residence details. It is sufficient that the data of individualized data subjects - in this case [plaintiff] - can be linked to an 'identifier' and recorded for further processing, aimed at advertising purposes. 5.10.2. With regard to the CLID cookie, Microsoft has disputed that it can be qualified as a tracking cookie. However, given her own description of how it works: [a] free behavioral analysis tool that helps you understand how customers interact with your website. By integrating Universal Event Tracking (UET) with Clarity, you can use a single UET tag for behavioral insights such as heatmaps and session playbacks, conversion tracking, automated bidding, and audience targeting. (…) Do you want to know more about who is visiting your website and what they do on it? If so, you will love Clarity's new feature: Visitor Profiles. this dispute is without merit. The CLID cookie also aims to map (individual) visitors and their surfing behavior and can therefore certainly be regarded as a tracking cookie, with which personal data are processed. 5.10.3. Defendants have also disputed that they can be regarded as tracking cookies with regard to the LinkedIn cookies. According to them, the bcookie is not used to identify LinkedIn members and not for online advertising purposes, but to prevent fraudulent traffic. According to the defendants, it is therefore a functional cookie, as also explained by [name 2] in a statement dated May 17, 2024. [plaintiff] has not stated enough to assume otherwise. The li_sugr cookie, on the other hand, is intended to determine whether the website visitor is a LinkedIn member. Defendants have explained that the reason for this is that the cookie data obtained via the Insight tag in the EU is only used for personalized advertisements if the website visitor is a LinkedIn member and has given prior permission for this. The li_sugr does record data from the website visitor for advertising purposes. This means that personal data of [plaintiff] is processed. Who is the controller? 5.11. According to Article 4 GDPR, the “controller” is: 7. a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, this may provide for the controller or the criteria according to which he or she is to be designated; And the “processor”: 8. a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller; 5.12. Microsoft itself states in its Privacy Statement (3.3.1) that it is responsible for the collection of data through its products. With regard to the CLID, MUID and MSPTC cookies, MIOL believes that this is the case, in addition to the website operators. Contrary to what the defendants have argued, the other defendants - possibly with the exception of the Dutch companies, about which more below - can also be regarded as controllers with regard to the respective other cookies mentioned here. They have developed the tracking cookies and may or may not make them available to the website administrators, with whom they make agreements about, among other things, the privacy rules. They are therefore the (legal) persons who influence the relevant processing of personal data and therefore participate in determining the purposes and means of this processing. The fact that the website administrators can also be controllers does not alter this. After all, under the GDPR there can also be joint responsibility. The foregoing also applies to Xandr. Defendants have not provided sufficient substantiation on the basis of which LinkedIn and 5.12.1. Defendants have argued that the Dutch companies, LinkedIn B.V. and Microsoft B.V., do not play any role in offering analytical and advertising services and therefore not in placing and reading tracking cookies. [Plaintiff] has not sufficiently demonstrated that it is otherwise. The mere fact that the privacy statements of LinkedIn and Microsoft state that data is shared with branches and subsidiaries, to which [plaintiff] has pointed out, is insufficient for this. 5.12.2. These Dutch companies cannot therefore be regarded in advance as controllers and there has been no evidence of any unlawful conduct by them towards [plaintiff] in any other way. For this reason, [plaintiff]'s claims against these defendants fail. Tracking cookies placed without permission? 5.13. Stoter's report (3.6) and its supplement state and explain that many partners of defendants have not fulfilled their obligations because cookies were placed before [plaintiff] could choose anything. In addition, defendants continued to receive cookie data and browser information from some sites, even after refusing consent. 5.14. Controllers must demonstrate that they have this consent (Article 5(2) GDPR) and, as shown above, they are unable to do so in a large number of cases. Although the defendants have labeled the report as 'nonsense', their own technical analyzes also show that 19 of the 52 websites visited by [plaintiff] - such as www.kieskeurig.nl, www.condoom-anoniem.nl, www.bedrijvenbalans .nl and www.gratisaftehalen.nl – placing tracking cookies without prior permission, or even after permission has been explicitly refused. Contrary to what the defendants believe, these are not negligible numbers. The defendants, who can be regarded as controllers, have therefore not fulfilled their legal obligations towards [plaintiff]. The fact that possibly hundreds of other website owners do comply with the rules and the websites provided by [plaintiff] are not 'representative' of all contacts of the defendants, as they have argued, does not alter this. 5.15. The fact that defendants now state that they have not found the unique cookie codes mentioned by [plaintiff] that refer to his browser in their (advertising) systems does not change the foregoing. According to the defendants themselves, there may be several causes for this, one of which may be that the defendants have determined that valid consent from the defendants was lacking, as a result of which the cookie (data) has not been included in the systems. They did not explain in further detail what the other causes could be. In view of Stoter's report, which indicates the opposite, defendants have not sufficiently demonstrated that tracking cookies are only placed on [plaintiff's] equipment if the latter has given his permission for this. 5.16. Contrary to what the defendants have argued, they have not demonstrated that [plaintiff] gave permission for the placement of the LinkedIn cookies. [plaintiff] has stated that these cookies appeared in his empty browser without his permission; According to the defendants, this should not be possible, unless [plaintiff] had given permission at an earlier stage, which the computer has 'remembered'. For the time being, this (assumption) statement is insufficient to assume that consent has been given, compared to the reasoned challenge thereto by [plaintiff]. Who is obliged to obtain consent? 5.17. The defendants involved cannot hide behind their partners to obtain consent. They have contractually outsourced the obtaining of permission to its partners and that is allowed. This means that if the partner provides information about and obtains consent for placing cookies, defendants do not have to do so as well.3 However, as controllers, the defendants involved remain (also) responsible for ensuring that consent is obtained in a legally valid and lawful manner for placing and reading tracking cookies and they can also be held accountable for this under Article 26(3) GDPR, regardless of what is stated in the contract with its partners. 5.18. Contrary to what the defendants have argued, the obligations under the Tw also do not rest solely on the website owners. The legislator expressed this as follows: In practice, cookies are also often placed that serve a purpose other than the execution of communication or are strictly necessary to ensure that the provider of an information society service requested by the user can provide this service. This often concerns cookies that are placed and read by a site (domain) other than the site chosen by the user and that are intended to collect data about the user's surfing behavior. This data can then be used for marketing purposes. Such a course of action is permitted provided that the user has been informed of these purposes and permission has been obtained from the user in accordance with the first paragraph.4 The provision in the first paragraph [of Article 11.7(a) Tw] is aimed at the person who stores the information on the peripheral device or the person who accesses information on the peripheral device. The person who places the cookie is the person the first member is addressing. This placer can be the provider of the website in question, but that is not necessary. It may also be a third party who has agreed with the website provider (or an intermediary) that he may place/read cookies via the website. This does not alter the fact that the provider of the website has a certain responsibility.5 The rulings of the Trade Appeals Board on which Defendants rely - which allegedly ruled that a software provider could not be held accountable for violations of the Universal Service and End User Interests Decree - do not lead to a different judgment. These statements do not justify the conclusion that only the website holder and not also the third party who facilitates the placing of tracking cookies, or places them via the website holder, can be held liable for such obligations. The basis for those statements was the software provider's lack of control over the actions in question. The cookies discussed here are placed as part of the services provided to defendants by website operators on the basis of agreements concluded by defendants with those website operators. Defendants therefore do have control over the use of cookies. Have defendants done enough to fulfill their obligations? 5.19. If the defendants/controllers make tools available to their contracting partners that make it impossible to place tracking cookies without permission and ensure that this actually leads to a corresponding practice, there will be no unlawful act. However, this has not been the case so far, as can be seen from the foregoing (particularly what was considered in 5.14). Defendants cannot therefore rely on the fact that they have done everything necessary, or at least everything that can be expected of them, to prevent the placement of tracking cookies on [plaintiff's] devices without his permission. It has not yet become plausible that this would be technically impossible. Conclusion 5.20. All this leads to the conclusion that Microsoft et al. (with the exception of LinkedIn B.V. and Microsoft B.V.) have acted unlawfully towards [plaintiff] by placing and/or reading the (tracking) cookies without his permission, due to a violation of the Tw and the GDPR. There are therefore sufficient grounds for granting [plaintiff]'s claim under I, on the understanding that a specific order is granted to cease and desist from placing and reading tracking cookies and other cookies without his permission. for which permission is required, on [plaintiff's] devices. The advanced is formulated slightly differently, but comes down to the same thing; the claimed 'cessation of unlawful actions' does not seem to have an independent meaning and is therefore omitted. No separate defense has been put forward against the claims under II and III, so they are also ready for award. A weighing of interests does not lead to a different judgment. The penalty will be moderated and maximized as stated below in the decision. If defendants can still sufficiently demonstrate at a later stage that [plaintiff] has given his consent for the placement of certain cookies, they are not acting in violation of the order given and they obviously do not owe any penalty payments. 5.21. As the unsuccessful party, Microsoft et al. (with the exception of LinkedIn B.V. and Microsoft B.V.) will be ordered to pay [plaintiff]'s legal costs. For an order for costs in favor of LinkedIn B.V. and Microsoft B.V., against whom the claims are rejected, there are insufficient grounds, as they have not incurred any (substantial) additional costs compared to their co-defendants. 5.22. The EEX certificate as referred to in Article 53 of the Brussels I-bis Regulation will be issued as requested, no later than June 14, 2024. 6 The decision The preliminary relief judge 6.1. refuses the requested facility towards LinkedIn B.V. and Microsoft B.V., 6.2. orders LinkedIn Ireland, Microsoft USA, MIOL and to hold, 6.3. stipulates that each of the defendants referred to under 6.2 will forfeit a penalty of €500.00 (in words: five hundred euros) per violation of this order or - at the option of [plaintiff] - €1,000.00 for each day (or part thereof) ) where the defendant in question fails to comply with the order referred to under 6.2 and/or acts contrary to it, up to a maximum of a total of € 25,000.00 (in words: twenty-five thousand euros) per defendant has been reached, 6.4. orders LinkedIn Ireland, Microsoft USA, MIOL and – €543.88 €543.88 in writ costs – €543.88 €320.00 in court fees and – €543.88 €1,661.00 in lawyer's salary, – €543.88 €178.00 in additional costs, €2,702.88 total – to be increased by € 92.00 and the costs of service if this judgment must be served, 6.5. declares this judgment to the extent provisionally enforceable, 6.6. rejects the more or otherwise advanced. This judgment was delivered by Mr. T.H. van Voorst Vader, preliminary relief judge, assisted by M. Balk, clerk, and pronounced in public on June 7, 2024.6 1 ECLI:EU:C:2012:664 2 https://www.autoriteitpersoonsgegevens.nl/themas/internet-slimme-machines/cookies/tracking-cookies 3 Amsterdam District Court, March 15, 2023, ECLI:NL:RBAMS:2023:1407, legal notice. 2:15 p.m 4 Parliamentary Papers II 2010.2011, 32 549, no. 3 (MvT), p. 79 5 Parliamentary Papers II 2013/14, 33 902, no. 3 (MvT), p. 17. 6 type: MB coll: JD