DSB (Austria) - 2023-0.174.027
| DSB - 2023-0.174.027 | |
|---|---|
 | |
| Authority: | DSB (Austria) |
| Jurisdiction: | Austria |
| Relevant Law: | Article 4(11) GDPR |
| Type: | Complaint |
| Outcome: | Partly Upheld |
| Started: | 13.08.2021 |
| Decided: | 29.03.2023 |
| Published: | |
| Fine: | n/a |
| Parties: | Der Standard |
| National Case Number/Name: | 2023-0.174.027 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | German |
| Original Source: | DSB (Austria) (in DE) |
| Initial Contributor: | mg |
Following a complaint by noyb, the Austrian DPA declared that a “pay or okay” cookie banner on the website of a newspaper was not GDPR compliant in light of the granularity of consent principle.
English Summary
Facts
On 13 August 2021 the data subject visited the website of Der Standard, an Austrian newspaper. In order to access the content, the website’s cookie banner offered the data subject either the option to consent to targeted advertising or to buy a subscription to the online version of the newspaper. The data subject chose the first option. As a consequence, their data were shared with at least 125 third parties. According to the data subject, consent was invalid as the cookie banner did not meet the requirements established by the GDPR. Among others, the data subject claimed that they were not in the position of freely giving their consent to the processing for advertising purposes, as the only feasible alternative would have been to subscribe to the newspaper. Therefore, the data subject asked the Austrian DPA to declare the unlawfulness of the processing and order the controller to erase data (Article 17 GDPR) and stop processing operations. The data subject also suggested the adoption of a fine.
The controller replied that journalism is not free of costs. It also claimed that there was no evidence that the data subject effectively visited the website. The controller also stressed that the price for an alternative to the data subject’s consent (the subscription) was reasonable. Moreover, the practice of sharing data for targeted advertising was not a choice of the controller, as today almost 100% of online advertisement is to some extent personalised.
The data subject objected that the fact that a business model is dominant does not make it legal. In particular, consent is not validly given if the only feasible alternative is a binding contract with the controller (“pay or okay”). Data showed that users of the website opted for “consent” in more than 99% of the cases, which is a clear sign that consent was not freely given. The controller denied that these data were applicable to the present case.
Holding
As a preliminary consideration, the Austrian DPA stressed that no journalistic exception under national law applied to the controller, as cookies do not have the purpose to spread information, thoughts and ideas to the public.
Then, the DPA argued that valid consent, in accordance with Article 4(11) GDPR, must be free, specific, informed and unambiguous. The DPA further clarified that the “granularity of consent” plays a major role in determining whether consent is valid in similar cases. In particular, consent shall be specific to every “processing operation” (i.e. the purpose of the processing). When there are multiple processing operations, consent shall be given for each of them. This did not occur in the present case. As a matter of fact, a single consent was requested for several purposes: from targeted advertising to analytics and social media plugins. The DPA acknowledged that the right to conduct a business enshrined in Article 16 of the EU Charter was relevant. However, an appropriate balance between this fundamental right and data protection was excluded by the fact the controller did not even consider the implications of the granularity principle.
In addition, according to the DPA, the fact that a data subject could choose another media outlet is not relevant, either. In addition, the DPA stated that this “blanket consent” practice, if authorised, would seriously impair data protection rights of data subjects that cannot afford a subscription.
Also according to Article 5(3) of the e-privacy Directive, cookies require valid consent to be installed on the device of a user. In light of this provision and the GDPR, the DPA declared the unlawfulness of the processing.
Concerning the right to erasure under Article 17 GDPR, the DPA gave the controller one month to clarify whether it was still processing the data subject’s personal information.
However, the DPA held that there is not subjective right to a processing ban pursuant to Article 58(2)(f) GDPR. A DPA has full discretion in the choice of the corrective measure. Likewise, the data subject has no right to obtain a fine against the controller.
Comment
It is important to stress that the DPA, despite partly upholding the data subject’s complaint, did not directly address the issue of “pay or okay” cookie banners. The unlawfulness of processing was based, among others, on the violation of the granularity of consent principle, which did not form part of the original arguments brought by the parties.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the German original. Please refer to the German original for more details.
