DSB (Austria) - D124.0507/24 2024-0.633.166

From GDPRhub
DSB - D124.0507/24 2024-0.633.166
LogoAT.png
Authority: DSB (Austria)
Jurisdiction: Austria
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 17 GDPR
Article 25(1) GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 11.08.2021
Decided: 28.10.2024
Published:
Fine: n/a
Parties: Österreichischer Rundfunk - ORF
National Case Number/Name: D124.0507/24 2024-0.633.166
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): German
Original Source: NOYB (in DE)
Initial Contributor: Ao

The DPA ordered the public broadcaster to adjust its news website’s cookie banner since the graphic emphasis of the "accept all cookies" option invalidates the data subject’s consent Article 6(1)(a) GDPR.

English Summary

Facts

On the 11 August 2021, the data subject, represented by noyb filed a complaint against the Austrian public broadcaster (Österreichischer Rundfunk – ORF). The data subject visited the website of the controller (www.orf.at) on the 21 January 2021 and was confronted with a cookie banner which lacked any clear option to refuse the placement of cookies. Further, the controller had placed cookies ahead of any interaction with the cookie banner. The complaint highlighted that through the design of the cookie banner, the controller could not rely on the unambiguous consent of users for the processing of personal data and requested the erasure of their personal data gathered through the cookies.

The data subject therefore requested the DPA to order the controller to delete the data subject's personal data in accordance with Article 17 GDPR and to cease the unlawful processing of personal data of users.

Throughout the course of the proceedings, the controller revised the cookie banner and included two buttons, one to reject the placement of cookies and one to set certain preferences. The two added buttons were set with the same colour as the cookie banner background. The button to accept all cookies however was equipped with a dark blue colour.

The controller argued, that the difference in colour made the selection process easier for the user. Further, none of the data gathered through cookies was stored by the controller and during the course of the proceedings the controller informed recipients of the data subject's request for erasure.

Holding

Design of the cookie banner

Primarily, the DSB reiterated that economic necessity such as personalized advertising does not equate to the technological necessity of cookies for the functioning of the website. The cookies placed before any interaction with the cookie banner were for statistical and analytical purposes and not technologically necessary for the functioning of the website. Therefore, prior consent of the user is required.

Secondarily, in order to obtain prior consent, the DSB held that no unfair practices can be involved in the design of the cookie banner. Specifically, the button to reject the use of cookies cannot be made less prominent than the accept button. The DSB stated that the decision making process of the data subject shall not be distorted or impaired in any way. The revised cookie banner showed a prominent dark blue colour for the accept all cookie button while the other two options of setting preferences and accepting only necessary cookies were given a pale white colour which blended into the cookie banner background. The DSB concluded that the contrast is the deciding factor and points out that a 3:1 minimal contrast is required. This resulted in the DSB’s reasoning that no unambiguous expression of agreement as defined in Article 4(11) GDPR was given by the data subject.

In relation to the design of the cookie banner, the DSB ordered the controller to adjust the banner within a period of six weeks to ensure equal prominence of all cookie selection options. The DSB declared that the controller must ensure equal design in regard to colour, size, contrast, placement and prominence of the buttons. It detailed that it is unlawful to emphasize any of the options through overly conspicuous design such as a different colour, larger font or more prominent placement.

Right to erasure and order to comply

Regarding the processing of personal data of the data subject, the DSB accepted that the controller did not store the personal data collected through cookies and that it had informed the recipients of the request for erasure and therefore found no violation of Article 17 GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the German original. Please refer to the German original for more details.

Barichgasse 40-42  
A-1030 Vienna  
Tel.: +43-1-52152 302549  
E-Mail: dsb@dsb.gv.at  
File No.: D124.0507/24   2024-0.633.166  
Officer in Charge:
For the attention of NOYB  
Data Protection Complaint (Article 77(1) GDPR, § 24(1) DSG)  
Against  
Austrian Broadcasting Corporation (ORF)  
Delivered via Email

Decision  
Ruling

The Data Protection Authority (DPA) hereby issues a decision concerning the data protection complaint lodged by (complainant), represented by NOYB – European Center for Digital Rights, Goldschlagstraße 172/4/3/2, 1140 Vienna, ZVR: 1354838270, dated 11 August 2021, against the Public Foundation, Austrian Broadcasting Corporation (Respondent), represented by Schönherr Rechtsanwälte GmbH, regarding (A) the right to erasure and the obligation to inform about the erasure, and (B) the request to order the Respondent to cease unlawful processing activities, as follows:

1) The complaint is dismissed.
2) The Respondent is hereby ordered ex officio to, within six weeks,
   a) modify the consent request (cookie banner, see Finding of Facts C.6.) on the website www.orf.at to ensure that valid consent is obtained upon visiting the website. To this end, the Respondent must modify the cookie banner to provide the data subject with an equal choice on the first level of the cookie banner between "Accept all cookies" and "Only necessary cookies". It must be ensured that both options are designed equally in terms of visual appearance, including color, size, contrast, placement, and emphasis. It is not permissible to highlight one of the options through an excessively prominent design, such as preferred color, larger font size, or more prominent placement.
   b) modify the website www.orf.at to ensure that the following cookies are not set prior to obtaining consent upon visiting this website:
      i) ioam2018 (see Finding of Facts C.7.);
      ii) i00 (see Finding of Facts C.7.);
      iii) UserID1 (see Finding of Facts C.7.);
      iv) autouserid2 (see Finding of Facts C.7.).

Legal Basis: Articles 4(11), 5(1)(a), 7, 12(1), 17, 19, 57(1)(f), 58(2) and 77(1) of Regulation (EU) 2016/679 (General Data Protection Regulation, GDPR), OJ L 119, 4.5.2016, p. 1; §§ 18(1) and 24(1), (2)(5), (4) and (5) of the Data Protection Act (DSG), Federal Law Gazette I No. 165/1999 as amended; § 165 of the Telecommunications Act 2021 (TKG 2021), Federal Law Gazette I No. 190/2021 as amended; § 1(1) of the Austrian Broadcasting Act (ORF-G), Federal Law Gazette No. 379/1984 as amended.

Reasoning

A. Submissions of the Parties and Procedural History  
A.1. In their submission dated 11 August 2021, the complainant (hereinafter referred to as “CP”) summarised as follows:

The CP visited the Respondent's website (hereinafter "R") at www.orf.at on 20 January 2021. The website displayed a cookie banner, and cookies were set, some containing a unique user identification number. A summary of all HTTP requests and responses was attached as an annex. For all processing activities that R sought to justify based on the cookie banner, the term "relevant processing activities" is used. Several violations occurred due to the design of the mentioned cookie banner, and valid consent could not be assumed. The CP requested that R be instructed to cease all relevant processing activities and delete all relevant personal data. The GDPR permits the supervisory authority to issue an order that goes beyond the personal data of the CP. This complaint (case number C-037-401) was directed against ORF Online and Teletext GmbH & Co KG. Several annexes were attached to the submission.

A.2. In their response dated 10 July 2023, ORF Online and Teletext GmbH & Co KG summarised as follows:

The Austrian Broadcasting Corporation is responsible for storing cookie values and other device information, as evidenced by the cookie policy. However, ORF Online and Teletext GmbH & Co KG is not responsible.

A.3. In a further statement dated 26 July 2023, the CP summarised as follows:

Following ORF Online and Teletext GmbH & Co KG's response, the complaint is directed against R (Austrian Broadcasting Corporation). The online list of controllers and processors at https://orf.at/stories/datenschutz-verantwortliche/ does not indicate which legal entity is responsible for which data processing.

A.4. In their statement dated 4 September 2023, R summarised as follows:

The change of Respondent is impermissible due to preclusion, as the subjective preclusive period has elapsed. An ex officio correction of the designation is impermissible. The CP's applications are likewise inadmissible as none of the applications made in the data protection complaint were lawfully implemented. The CP did not specify the facts, and it would be unreasonable to review the .har file (Annex 5), which contains approximately 17,000 lines. Nevertheless, R reviewed the file, and most cookies were not set by R but by the domain "derstandard.at". There was no cooperation with "derstandard.at" at the time of the complaint. The CP also did not apply for deletion. The complaint is also substantively unfounded. It is also to be assumed that the CP visited the website only to generate an automatically generated complaint. The complaint is not a personal exercise of rights but rather an inadmissible association complaint. Furthermore, R responded to the DPA’s inquiries.

A.5. In a statement dated 8 November 2023, the CP summarised as follows:

The CP refers to previous submissions, stating that the online list of controllers and processors of ORF does not make it clear which legal entities of ORF are responsible for which data processing. Thus, the complaint was initially directed at the party presumed to be the operator of the website www.orf.at. The information is still available today that ORF Online and Teletext GmbH & Co KG is responsible for www.orf.at. Furthermore, the complaint was submitted within the time limit, and the applications made are admissible. It was merely indicated that the DPA could issue orders beyond the complainant (presumably the complainant’s data). Concerning the .har file, it is noted that it also contains visits to "derstandard.at". This is relevant to show that this was a "normal" internet visit, during which multiple websites were visited. A URL search for orf.at yielded 357 results. A direct or indirect correlation exists. An application for deletion is not required to assert the right to erasure. The cookie banner continues to fail to meet data protection requirements.

A.6. In a statement dated 28 March 2024, R summarised as follows:

The CP submitted Annex 4 as part of the complaint. It is assumed that the CP is aware of the content of Annex 4. In Annex 4, ORF is expressly designated as the controller. The designation of the party (i.e., the original designation of the Respondent) cannot be interpreted otherwise due to its explicitness. However, this can remain undecided since, as already stated in the statement dated 4 September 2023, the CP’s deletion request was granted. The procedure is to be discontinued according to § 24(6) DSG. As for the alleged continuous legal infringement, this does not constitute a change to the initial complaint, as such a change would be impermissible due to preclusion. The submission cannot be regarded as a new complaint, as the CP’s statement shows that they intend to maintain the original data protection complaint. The reference to the "IDE" cookie does not change the preclusion. The CP did not even claim that the same "IDE cookie value" was stored in the browser at the time in question (20 January 2021). In summary, the CP’s deletion request was granted. R also overhauled the entire ORF website (including the cookie banner).

A.7. In a statement dated 17 April 2024, the CP essentially reiterated the previous submissions.

A.8. In a communication dated 2 August 2024, the DPA requested that R provide a statement within two weeks and submit or specify any suitable evidence to substantiate its submissions. The DPA highlighted the following issues (excerpt):

"Subject: Request for Statement
The DPA hereby transmits the CP’s statement dated 17 April 2024. In the meantime, the DPA has noted the changes on the website www.orf.at.
You are requested to provide a statement on the CP’s submission and the following points:
   - Why are the cookies "ioam2018" and "i00" set before consent is given? If § 7 ORF-G is cited in this regard, please explain how this complies with § 165(3) TKG 2021 and Art. 5(3) of Directive 2002/58/EC.
   - Why is the "Accept All Cookies" button coloured blue, while the other buttons lack

 any distinctive colour?"

A.9. In a statement dated 16 August 2024, R summarised as follows:

The "Accept All Cookies" button is coloured blue because the entire website primarily uses the colours white and blue. The contrast facilitates selection for users. The white buttons are also clearly distinguished from the light grey background. The lawfulness of the data processing in question derives from the legal obligation of R to measure reach under §§ 4e, 7 ORF-G. Measurement is essential to fulfil the statutory mandate. The data collection by the cookies "ioam2018" and "i00" is based, as a precaution, on both the legal basis of compliance with a legal obligation and the exercise of a task carried out in the public interest. R has instructed the Austrian Web Analysis (ÖWA), which acts as a service provider for R, to delete the corresponding cookie values. Furthermore, these cookie values are not personal data. The DPA is not competent for enforcing § 165(3) TKG 2021.

A.10. In a statement dated 28 March 2024, the CP summarised as follows:

According to the CP, the design of the cookie banner and the colours chosen for the buttons are misleading. Colour design has a significant impact on user choice, which has been academically proven. The norms cited by R do not provide an adequate basis for data processing, as the ORF-G does not stipulate how reach is to be measured. Other options than tracking cookies are available. Furthermore, the cookies "ioam2018" and "i00" (or their values) are legally considered personal data.

B. Subject of the Complaint  
B.1. Based on the CP’s submissions, it must be decided whether R is to be ordered to delete the CP’s personal data (cookie values) and to notify the recipients of this deletion, as well as to cease the "relevant processing activities".
The "relevant processing activities" refer to cookies (and similar technologies) used during the CP’s visit to www.orf.at on 20 January 2021.
B.2. However, it must first be examined whether, as R argues, the complaint is already time-barred under § 24(4) DSG.

C. Findings of Facts  
C.1. Cookies allow information generated by a website to be stored and saved via the user’s browser. It is a small file or text information (generally less than 1 KB) that a website places on a user’s computer or mobile device through the browser.
A cookie allows the website to "remember" the user’s actions or preferences. Most web browsers support cookies, but users can set their browsers to reject cookies and can delete them at any time.
Websites use cookies to identify users, remember their preferences, and enable users to complete tasks without re-entering information when switching pages or returning to the website.
Cookies can also be used to collect information based on online behaviour for targeted advertising and marketing. For example, companies use software to track user behaviour and create personal profiles, enabling them to show users advertisements tailored to previous searches.

Evidence for C.1.: The descriptions regarding cookie functions are based on the Advocate General’s opinion of 21 March 2019 in Case C-673/17 (Planet 49), para. 36 ff. Since this is a technical description of cookie functionality independent of individual cases, it was included at the factual level rather than in the legal assessment.

C.2. R operates the website www.orf.at and decides under which conditions which cookies are set or read upon accessing the said website.

Evidence for C.2.: The findings are based on R's statement dated 10 July 2023. The CP has not disputed this submission subsequently. The DPA has no reason to question R’s submission.

C.3. The CP visited the website www.orf.at on at least 20 January 2021. The cookie banner on 20 January 2021 was designed as follows:

Evidence for C.3.: The findings are based on the CP’s submission of 11 August 2021 and are undisputed. The screenshot is based on the exhibit "Annex 2.png" submitted by the CP.

C.4. As a result of the visit to the website www.orf.at on 20 January 2021, cookies were set and read on the CP’s device containing a unique, randomly generated value (Universally Unique Identifier, hereinafter "UUID").

The contents of exhibits "Annex 5.har" and "Annex 6.csv" form the basis for these findings.

Evidence for C.4.: The findings are based on the CP’s submission dated 11 August 2021 and the submitted exhibits "Annex 5.har" and "Annex 6.csv". R's statement of 4 September 2023, stating that the submitted exhibits also contain information about visits to other websites (such as www.derstandard.at), is noted. However, as the CP correctly stated on 8 November 2023, the exhibits contain information about an internet visit during which several websites were accessed. Indeed, numerous entries for the URL "orf.at" can be found in the exhibits.

C.5. At present, R does not store any cookie values that were set and read on the CP's device following the visit to www.orf.at on 20 January 2021. R has also informed the recipients of the data transmission (specifically the providers of the services implemented on its website) about the deletion.

Evidence for C.5.: These findings are based on R's statements from 28 March 2024 and 16 August 2024. Upon the DPA’s request, R stated that the relevant data (cookie values) had been deleted, and a notification had been sent to the service providers, notwithstanding the arguments presented. The CP has not disputed this claim but merely noted that no proof was provided. In the DPA's view, there is no reason to doubt R's claim, particularly as R has shown cooperation during the investigation and adjusted the cookie banner, albeit not to the complete satisfaction of all parties and the DPA. Overall, there are no investigative findings that would justify a contrary conclusion.

C.6. R has modified its cookie banner (the request for consent) on the website www.orf.at. The current design of R’s cookie banner is as follows:

Evidence for C.6.: The findings on the cookie banner are based on an ex officio inquiry by the DPA on the website www.orf.at, last accessed on 28 October 2024. The finding that R modified the cookie banner is also derived from the record at hand and is undisputed. The findings on the selected colors for the cookie banner and the buttons are based on an ex officio inquiry on https://encycolorpedia.de/ (last accessed on 28 October 2024). The findings on contrast ratios are based on the publicly accessible website www.orf.at and https://coolors.co/contrast-checker (last accessed on 24 October 2024). The findings regarding the ISO standard are based on the content of ISO-9241–3. The recommended contrast according to this ISO standard is also discussed on https://biti-wiki.de/index.php?title=1.01.0_-_Ausreichender_Kontrast (last accessed on 24 October 2024).

C.7. When accessing the website www.orf.at, the following cookies are set or read before any interaction with the displayed consent request (cookie banner):

| Domain               | Cookie Name     |
|-|--|
| orf.at               | ioam2018        |
| iocnt.net            | i00             |
| orf.at               | didomi_token    |
| adfarm1.addtion.com  | UserID1         |
| www.orf.at           | _autouserid2    |

The cookie "ioam2018" contains a UUID and is used to determine statistical values regarding website usage. The provider is the Austrian Web Analysis (ÖWA), which notes on https://orf.at/stories/datenschutz-cookies/: "Stores a client hash for the Austrian Web Analysis (ÖWA) to optimize the metrics for Unique Clients and Visits. This cookie is set in the context of the domain orf.at."

The cookie "i00" also contains a UUID and serves to recognize user devices. The ÖWA’s description on https://orf.at/stories/datenschutz-cookies/ reads: "This cookie is used by the ÖWA to recognize devices. If the cookie is suppressed, the ÖWA tries to recognize the device through a combination of IP address and browser information. For apps, the ÖWA uses the so-called ‘Advertiser ID,’ unless the use of the ‘Advertiser ID’ (Advertising ID) is deactivated via device settings."

The cookie "didomi_token" contains a UUID and serves as a consent management tool.

The cookie "UserID1" contains a UUID and is used to retarget users with online advertising based on interests shown on the website.

The cookie "_autouserid2" contains the same UUID as "UserID1." It is the first-party cookie equivalent to "UserID1" if third-party cookies are blocked.

Evidence for C.7.: The findings regarding the cookie banner and cookies set are based on an ex officio inquiry by the DPA on the website www.orf.at, last accessed on 28 October 2024. The finding that R modified the cookie banner is derived from the record and is undisputed. The findings on the function of the cookies are based on an ex officio inquiry at the following sources (last accessed on 28 October 2024):
- https://orf.at/stories/datenschutz-cookies/ (information provided by R);
- https://oewa.at/tech-support/mcvd/ (for "ioam2018");
- https://support.didomi.io/didomi-cookies-storage-1 (for "didomi_token");
- https://www.ccm19.de/plugin.php?menuid=253&template=mv/templates/mv_show_front.html&mv_id=1&extern_meta=x&mv_content_id=139&getlang=de (for "UserID1");
- https://github.com/jkwakman/Open-Cookie-Database/blob/master/open-cookie-database.csv (also for "UserID1");
- https://www.cookie.is/UserID1# (also for "UserID1").

D. Legal Assessment

Jurisdictional Issues  
D.1. Relationship between e-Privacy Directive and GDPR

Processing operations in a given factual context can be subject to both the provisions of Directive 2002/58/EC (e-Privacy Directive) or TKG 2021 and the GDPR. While the placement or reading of cookies is assessed under Article 5(3) of the e-Privacy Directive, subsequent data processing falls within the scope of the GDPR (see EDPB Guidelines 01/2020 on processing personal data in connection with connected vehicles and mobility-related applications, Version 2.0, paras 15 and 53).

This also aligns with the European Court of Justice (CJEU) judgment in Fashion ID. The Court found that, following the implementation of a social plugin on a website (falling under the scope of the e-Privacy Directive), the transmission of the website visitor’s data to Facebook Ireland Limited and subsequent data processing fell within the scope of the (former) Directive 95/46 GDPR (see CJEU judgment of 29 July 2019, Case C-40/17, paras 26 and 85).

In comparable cases, the Federal Administrative Court has similarly held that the DPA is competent (see, inter alia, BVwG decision of 26 April 2024, GZ: W211 2281997-1/5E, with references).

The DPA is therefore competent for the present complaint since, as a result of the placement or reading of cookies, data processing (browser data, IP addresses, cookie values) has occurred (see Finding of Facts C.4), and the application of the GDPR is not excluded per se.

D.2. Possible Preclusion under § 24(4) DSG

R argues that the CP’s right to have the complaint addressed is already time-barred under § 24(4) DSG.

In summary, R argues that its privacy policy states that it (the Public Foundation, Austrian Broadcasting Corporation) is the controller for the website www.orf.at. The CP initially filed the complaint against ORF Online and Teletext GmbH & Co KG and subsequently “replaced” R.

It should be noted that the respondent must be specified in accordance with § 24(2)(2) DSG only insofar as is reasonable.

The DPA concurs with the CP’s position that the controller for the website www.orf.at was not clearly identified based on the information available at the time. Even currently, numerous legal entities of ORF are listed at https://orf.at/stories/datenschutz-verantwortliche/ (as of 28 October 2024), without specifying which processing operations each legal entity is responsible for.

R’s reference to the content of Annex 4, submitted by the CP, does not change this conclusion. While it is correct that ORF is designated as the controller in Annex 4, "ORF" can refer to multiple legal entities, as explained above.

Thus, the preclusive period of § 24(2)(2) DSG only began once the CP sufficiently clarified the controller’s identity, which occurred when the CP received R's statement on 10 July 2023. The CP subsequently clarified the respondent as R on 26 July 2023 (see VwGH decision of 27 June 2023, Ro 2023/04/0013, para. 34 on amending the respondent when designation is unreasonable).

Therefore, the (absolute and subjective) preclusion period is met, and the DPA has jurisdiction to address the complaint substantively.

D.3. Processing of Personal Data

The DPA has already ruled in the Google Analytics case, in line with the case law of the European Data Protection Supervisor (EDPS), that cookies containing a unique, randomly generated value (UUID) intended to individualize or distinguish persons meet the definition of personal data under Article 4(1) GDPR. It cannot be ruled out that cookie values and the IP address of a device may be combined at any stage of the processing chain with additional information, for example, when the data subject registers on a website with an email address or real name (see DPA decision of 22 April 2022, GZ: 2022-0.298.191, available on www.dsb.gv.at; this legal view is confirmed, inter alia, by BVwG decisions of 12 May 2023, GZ: W245 2252208-1, and 26 April

 2024, GZ: W211 2281997-1; regarding the identification potential of “Google Analytics cookies,” see the EDPS decision against the European Parliament of 5 January 2022, GZ: 2020-1013, p. 13).

These considerations apply here since cookies containing unique, randomly generated values were set and read on the CP’s device as a result of visiting the website www.orf.at on 20 January 2021 (see Finding of Facts C.4). These cookie values (in combination with browser data and the IP address of the device) were then transmitted to the servers of the respective providers (such as the provider of the advertising cookie "UserID1" with the domain adfarm1.addtion.com).

The material scope of the GDPR is therefore fulfilled.

D.4. Right to Erasure and Obligation to Inform (Complaint Point A)

As established, R currently does not store the information that can be considered the CP’s personal data—namely, the IP address and the cookie values from the CP’s device (see Finding of Facts C.5). Furthermore, the recipients of the data transmission were notified of the deletion in accordance with Article 19 GDPR.

The case law of the Federal Administrative Court (BVwG) also provides that there is no subjective right to a declaration that data subject rights—in this case, the right to erasure—were possibly fulfilled too late (see BVwG decision of 31 January 2020, GZ: W258 2226305-1, with references).

Therefore, at the time of the decision, there is no violation of Articles 17 and 19 GDPR.

D.5. Request for an Order against R to Cease Unlawful Processing (Complaint Point B)

The CP has also requested an order directing R to cease unlawful processing activities.

Under Article 77(1) GDPR, any data subject has "the right to lodge a complaint with a supervisory authority, particularly in the Member State of their habitual residence, place of work, or place of the alleged infringement, if they consider that the processing of personal data relating to them infringes this Regulation."

The wording of Article 77(1) GDPR suggests that any requests submitted within a complaint procedure must pertain to the data of the complainant ("personal data relating to them").

As stated, R currently does not store the CP’s data subject to the complaint, meaning there is no remedy applicable to the CP’s data.

In light of the conclusive nature of the remedies available under Article 58(2) GDPR (see also VwGH ruling of 1 September 2022, Ra 2022/04/0066) and the wording of Article 77(1) GDPR and § 24(1) DSG ("infringes" and not "infringed" or "will infringe"; English version: "infringes," French version: "constitue"), no order can be issued within the scope of a complaint procedure for future data processing (i.e., if the CP visits the website again in the future).

Thus, there is no need to address the CP’s general allegations concerning the cookie banner.

The complaint is therefore dismissed as stated in the ruling.

General Considerations on Point 2 of the Ruling

D.6. Remedial Powers

The DPA has authority under Article 58(2)(d) GDPR to issue corrective orders that may, among other things, instruct a controller to amend or carry out processing activities in a particular way within a specified period.

Neither the GDPR, the DSG, nor the AVG stipulate that ex officio powers may only be exercised within the scope of a data protection review under Article 58(1)(b) GDPR.

Therefore, the Federal Administrative Court has already held that the DPA may also use the corrective powers under Article 58(2) GDPR ex officio within a complaint procedure (see BVwG decision of 16 November 2022, Zl. W274 2237056-1/8E, and most recently, BVwG decision of 31 July 2024, GZ: W108 2284491-1/15E).

The Federal Administrative Court’s reasoning aligns with the European Court of Justice (CJEU), which has held that a supervisory authority is obligated to exercise its remedial powers in the event of identified deficiencies (see CJEU judgment of 16 July 2020, C-311/18, para. 111).

Although the complaint was dismissed in the outcome, since the request for consent (cookie banner) and the use of cookies—based on the reasons detailed below—do not comply with data protection requirements, a corrective order ex officio was required.

With a communication dated 2 August 2024, the DPA granted R the opportunity to provide a statement on the website www.orf.at and the cookie banner. In its statement dated 16 August 2024, R presented its position.

D.7. Competence for Corrective Order and Application of the GDPR

Regarding the competence of the DPA and the applicability of the GDPR, reference is made to the considerations under D.1 (Relationship between e-Privacy Directive and GDPR) and D.3 (Processing of Personal Data).

These considerations are also relevant for the corrective order pursuant to Point 2 of the ruling, as cookies containing UUIDs and further browser data, along with the IP address, are still transmitted to third-party servers (see Finding of Facts C.7.).

There is also no evidence of technical safeguards that would prevent the association of these data with additional information within the processing chain (see CJEU judgment of 27 October 2022, C-129/21, para. 81 on accountability and compliance obligations of controllers).

It is unnecessary for R itself to be able to establish a personal connection (see CJEU judgment of 29 July 2019, C-40/17, paras. 66 ff with references).

A broad interpretation of Article 4(1) GDPR is further supported by the purpose of the Regulation. Its purpose is to ensure a high level of protection of the rights and freedoms of natural persons in the processing of personal data (see CJEU judgment of 1 August 2022, C-184/20, para. 61). This objective would be undermined by applying an overly narrow standard to "identifiability."

In a comparable case—at least with regard to the cookies ioam2018 and i00—the Federal Administrative Court also found the GDPR applicable (see BVwG decision of 26 April 2024, GZ: W211 2281997-1/5E, Section 3.2.1).

On Point 2(a) of the Ruling

D.8. Design of the Consent Request (Cookie Banner)

First, it should be noted that instructions under Article 58(2)(d) GDPR may also encompass adjustments to consent requests (see Zavadil in Knyrim, DatKomm Article 58 GDPR [as of 1 July 2024, rdb.at] Article 58 para. 34/1 with references).

When assessing how the cookie banner and interaction options should be understood, the standard of a reasonably informed, attentive, and circumspect consumer must be applied (see CJEU judgment of 16 July 1998, C-210/96 [Gut Springenheide GmbH], para. 37; BVwG decision of 13 December 2022, GZ: W214 2234934-1; Article 29 Data Protection Working Party, Guidelines on Consent under Regulation 2016/679, WP259 rev.01, 17/DE, p. 16; Greve in Sydow, Commentary Article 12 para. 11; Illibauer in Knyrim, DatKomm Article 12 para. 39; also Jahnel, Handbook, DSG 2000, para. 7/22 with references).

The standard for valid consent also requires that no unfair practices are used. The data subject must not be directly or subtly pressured into giving consent. It is therefore impermissible to design the “Reject” option in such a way (e.g., with colour differences, contrast ratios, or positioning) that it is less prominent than the “Accept” option (see "FAQs on Cookies and Data Protection," available at www.dsb.gv.at, especially Questions 7 and 8; also the EDPB Report of the Cookie Banner Taskforce, p. 6, available at https://edpb.europa.eu/our-work-tools/our-documents/report/report-work-undertaken-cookie-banner-taskforce_en).

Also, Recital 75 of Regulation (EU) 2024/900 states—in summary—that individual decision-making when giving consent should not be influenced in such a way as to distort or impair decision-making; although this regulation refers to political targeting, the considerations can generally be applied to data protection consents, as this Recital explicitly references the GDPR.

Based on this standard, the following can be noted for the website www.orf.at:

In the present case, a cookie banner is used to request consent for the use of cookies (and the associated processing of personal data). Specifically, a dark blue button ("Accept All Cookies") with hex code #466199 and two white buttons ("Only necessary cookies" and "Cookie preferences") with hex code #FFFFFF are presented. The background of the cookie banner is a very light shade of blue (hex code #f0f1f4; see Finding of Facts C.6.).

In the DPA’s view, the “Accept All Cookies” button is more prominent, as it stands out more significantly from the light blue background of the cookie banner than the other white buttons. The focus of the data subject’s attention in the consent request is therefore directed towards “Accept All Cookies” due to the choice of colour and contrast.

This conclusion is supported by Finding of Facts C.6., according to which the contrast ratio between the “Accept All Cookies” button and the background of the cookie banner is 5.42:1, while the contrast ratio between the “Only necessary cookies” and “Cookie preferences” buttons and the background of the cookie banner is 1.13:1. According to ISO-9241–3, a minimum contrast ratio of 3:1 is recommended.

The following is stated at https://biti-wiki.de/index.php?title=1.01.0_-_

Ausreichender_Kontrast (last accessed 28 October 2024):

"A brightness contrast of 3:1 is the minimum recommended by ISO-9241-303 for readable text with normal vision. A contrast of 4.5:1 is intended to account for the loss of contrast sensitivity due to moderately reduced visual acuity, colour blindness, or normal ageing. The ability to set personalized colours should not mean that the application in normal view is no longer easily readable. Users with minor impairments usually want to use the standard view to facilitate interaction with other users. This criterion also benefits users of black-and-white monitors and those in environments with strong light."

Taking all these considerations into account, the DPA finds that the current cookie banner on www.orf.at (the consent request) cannot be considered an unambiguous expression of the data subject’s will within the meaning of Article 4(11) GDPR. Specifically, it cannot be ruled out that data subjects selected the “Accept All Cookies” option simply because they did not recognize other available options due to the design.

This finding is further supported by the fact that R, as the controller, bears the burden of proof for the validity of any consent obtained (see CJEU judgment of 4 July 2023, C-252/21, para. 95). However, this burden of proof cannot be met with such a design of a consent request or with the choice of colour.

Furthermore, such a misleading design violates the principle of fair processing under Article 5(1)(a) GDPR and the principle of data protection by design under Article 25(1) GDPR. This also supports the DPA’s interpretation of Article 4(11) in conjunction with Article 7 GDPR.

The Respondent must therefore redesign the consent request. Either the same colour should be used for all buttons, or colours should be chosen that comply with the aforementioned contrast recommendations under ISO-9241-303.

On Point 2(b) of the Ruling

D.9. Use of Cookies before Interaction with the Cookie Banner

a) Use of Non-Essential Cookies Based on the ORF-G

The use of cookies (and the associated processing of personal data) that are not technically essential for a website requires prior consent (see BVwG ruling of 31 October 2023, VwGH Ro 2020/04/0024; also Article 29 Working Party, Opinion 04/2012 on Cookie Consent Exemption, WP 194, 00879/12/EN pp. 9 ff).

According to the case law of the Federal Administrative Court, Article 5(3) of Directive 2002/58/EC (together with § 165(3) TKG 2021) cannot be interpreted as covering "economic necessity."

This interpretation means that advertising cookies, for instance, are not "technically necessary" simply because personalized advertising is essential for financing the website’s operation (see BVwG decision of 12 March 2019, GZ: W214 2223400-1).

As far as R invokes §§ 4e and 7 ORF-G as a basis for data processing, it must be countered that the clear wording of Article 5(3) of Directive 2002/58/EC (e-Privacy Directive) requires consent for non-essential cookies, which now must comply with the requirements of the GDPR (see Article 94(2) GDPR).

In other words, the use of non-essential cookies cannot be based on a statutory provision. Consequently, the national implementation in § 165(3) TKG 2021 must also be understood in a manner consistent with the Directive.

It is noted that the DPA’s competence is linked to data processing occurring after cookies are set or read (see Section D.7.).

However, the CJEU has already clarified that, under the interaction between Directive 2002/58/EC (e-Privacy Directive) and the GDPR, processing can only be considered lawful under the GDPR if it also complies with the e-Privacy Directive (see CJEU judgment of 17 June 2021, C-597/19, paras. 97 ff, and especially para. 118, with references).

For the lawfulness of processing under Article 6(1) GDPR, it is therefore necessary to determine first whether valid consent under the e-Privacy Directive has been obtained. If consent is invalid, this results in unlawful processing under the GDPR.

b) Cookies Set on www.orf.at before Any Interaction with the Cookie Banner

As established, the cookie "ioam2018" is used to collect statistical data and to track user behavior on www.orf.at.

The cookie "i00" serves to recognize user devices. If the cookie "i00" is suppressed, ÖWA attempts to identify the device through a combination of IP address and browser information.

The cookie "UserID1" is used to retarget the user with online advertising based on their interests shown on the website. The related domain is adfarm1.addtion.com. The "_autouserid2" cookie is the first-party equivalent of "UserID1" when third-party cookies are blocked.

In view of the considerations in Section D.9.a), these cookies are not technically essential to provide an information society service expressly requested by the user or participant. Their purpose is to track user behavior, recognize devices, or serve advertising.

This conclusion aligns with the position in legal literature, which interprets the exception in § 165(3) TKG 2021—“providing an expressly requested service of the information society” and the associated requirement of “strict necessity”—as restrictive (see Riesz in Riesz/Schilchegger [eds], TKG [2016] § 96 para. 48).

It follows that these cookies must not be used before valid consent is obtained.

Addressee of the Corrective Order and Compliance Period

D.10. Conclusion

As established, R operates the website www.orf.at and decides which cookies are set on the website (and the associated data processing; see Finding of Facts C.2.).

This makes R the controller under Article 4(7) GDPR for the data processing in question, as it determines the purposes and means of the processing. The corrective order was therefore addressed to R.

A six-week compliance period is deemed reasonable for R to adjust the website (including the cookie banner) accordingly.

The decision was therefore made as stated in the ruling.

Appeal Instructions

An appeal against this decision may be filed within four weeks of delivery by submitting a written complaint to the Federal Administrative Court. The complaint must be filed with the Data Protection Authority and must include:
- the designation of the contested decision (File No., subject),
- the designation of the DPA as the authority concerned,
- the grounds for the alleged illegality,
- the request, and
- the information required to assess whether the complaint was submitted within the deadline.

The DPA may, within two months, either amend its decision through an administrative appeal decision or forward the complaint along with the case files to the Federal Administrative Court.

A complaint against this decision is subject to a fee. The fixed fee for such a submission, including annexes, is 30 Euros. The fee is payable to the Austrian Tax Office, and the designated payment purpose should be specified.

The fee must generally be paid electronically using the “Tax Office Payment” function. The recipient should be specified as the Austrian Tax Office - Department of Special Jurisdiction (IBAN: AT83 0100 0000 0550 4109, BIC: BUNDATWW). Additionally, the tax number/assessment account number 10 999/9102, the tax type "EEE – Complaint Fee," the date of the decision as the period, and the amount must be specified.

If the e-banking system of your bank does not support the “Tax Office Payment” function, the EPS procedure in FinanzOnline may be used. An electronic transfer can only be omitted if the taxpayer does not use an e-banking system (even if they have internet access). In that case, the payment must be made using a payment instruction, with careful attention to correct allocation. Further information can be obtained from the Tax Office and the "Electronic Payment and Payment Notification for Self-Assessed Taxes" manual.

Proof of payment must be attached to the submission to the DPA, either as a payment receipt or a printout showing that a payment instruction has been issued. Failure to pay the fee, or to pay it in full, will result in a report to the competent Tax Office.

A timely and admissible complaint to the Federal Administrative Court has a suspensive effect. However, the suspensive effect may be excluded in the ruling of the decision or by a separate decision.

28 October 2024  
For the Head of the Data Protection Authority:

Signed by serial number 1449622981, CN=Data Protection Authority, C=AT  
Date/Time 2024-10-28T09:44:16+01:00