Datatilsynet (Denmark) - 2021-31-5553

From GDPRhub
Revision as of 13:42, 22 February 2023 by 10.90.129.155 (talk)
Datatilsynet - 2021-31-5553
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 5(1)(a) GDPR
Article 5(2) GDPR
Article 6(1)(a) GDPR
Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided: 08.02.2023
Published:
Fine: n/a
Parties: n/a
National Case Number/Name: 2021-31-5553
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish DPA reprimanded Jysk Fynske Medier, a media group, for its Pay-or-Okay consent mechanism. Visitors of the website could choose whether to consent to the processing of personal data for advertising purposes to get limited access to the website, or to subscribe to the controller's service to get full access to the content. The DPA determined that the consent was not freely given because the available content was not equivalent between the two ways to get access.

English Summary

Facts

The controller is this decision was Jysk Fynske Medier, a media group. The data subject was a visitor of the controller's website (jv.dk).

During a visit to the website, the data subject was presented with a cookie wall. There were two ways in which he could access the contents of the website. First, he could consent to the use of cookies, which were used to collect his personal data and for statistical and marketing purposes. In this case, he would get limited access to the content of the website. Alternatively, the data subject could buy a subscription for DKK 99 (€13,30) a month, which would grant him full access to the contents of the website.

The data subject filed a complaint with the Danish DPA on 18 September 2021, stating that he could only access the controller's website by giving consent to the controller's processing or by subscribing to the controller's service.

The Danish DPA started an investigation.

The controller stated that in case the data subject consented to the use of cookies, the data subject's IP address, ID and technical information on the browser would be collected for statistical and marketing purposes. It also clarified that its legal basis for processing this data was Article 6(1)(a) GDPR. The controller also explained that it had made an assessment to determine if the consent had been 'freely given'. It referred to point 37 of the EDPB Guidelines on consent (05/2022, point 37) and stated that the two different options of getting access were clearly explained to the data subject. Furthermore, it also mentioned, among other things, that no cookies were set until consent was given, that the payment for a subscription was not dis-proportionally expensive and that there was no harm or inconvenience in refusing or withdrawing the consent.

In its last argument, the controller stated that it understood that the lack of consent should not lead to harm or disadvantage on the part of the data subject. However, the controller explained that it could not deliver its service ('High quality editorial content') free of charge. The controller had to generate revenue, and part of its current revenue stream was advertising revenue. If the data subject did not want to consent to the processing for advertising purposes, the data subject had the option to subscribe for DKK 99 (€13,30) a month, which the controller found a 'modest and proportionate payment' for access to all articles.

Holding

First, the DPA determined that in general, it can be considered that data subjects have a real and voluntary choice in a situation such as the current one, where a company offers content to the visitors of its website, in exchange for consent for the processing of personal data. However, in such a situation, the company should also offer an alternative way to get access the same content without consenting to the processing of his personal data. This also implies that the offered content should be similar in both instances, both when the data subject has consented to the processing and when he has paid for a subscription.

Second, in this case, the DPA determined that the controller's approach did not meet the requirements for valid consent pursuant to Article 4(11) GDPR. When the data subject consented to processing of his personal data, the content on the website was more limited compared to the content that was offered if he had subscribed to the controller's service instead. Therefore, the controller did not offer an alternative service that was broadly equivalent to the service offered when the data subject consented to the processing. This meant that the data subject had not presented with a free choice.

Third, the DPA also determined that the controller did not demonstrate that the processing of personal data for statistical purposes was a necessary part of its processing. The DPA reiterated that the controller stated that it collected data for advertising purposes because this was a part of the controller's revenue. The DPA stated that the controller had not justified to what extent the processing for statistical purposes was also necessary for this advertising purpose.

Lastly, the DPA concluded that the controller had not assessed and demonstrated to what extent it was necessary to obtain consent for processing personal data for statistical purposes. This meant that the controller did not demonstrate that there was a voluntarily given consent. The controller failed to show that its processing had been lawful pursuant to Articles 6(1)(a) GDPR and 4(11) GDPR and did therefore violate Articles 5(2) and 5(1)(a) GDPR.

The DPA ordered the controller pursuant to Article 58(2)(d) GDPR to ensure that it asked consent in a way that was compliant with Article 4(11) GDPR. Pursuant to Articles 5(2) and 5(1)(a) GDPR, the controller also had to be able to demonstrate that the consent complied with the 'freely given' requirement. The controller also had to show that the processing for statistical purposes was a necessary part of the processing. If this was not the case, the controller had to adjust its consent procedure to make sure that data subjects could also give separate consent for processing for statistical purposes.

The DPA also stated that the controller could resolve this situation by making sure that the content offered on the website was the same, regardless of the fact whether the data subject consented to the processing of his data or subscribed to the controller's service.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

Jysk Fynske Media's use of cookie walls

Date: 08-02-2023

Decision Private companies Order No criticism Complaint Cookies / processing of personal data about website visitors Basis of processing Processed by the Data Council

The Danish Data Protection Authority has made two principled decisions regarding the use of so-called cookie walls. One concerns the use of cookie walls on Jysk Fynske Medier's website.

Journal number: 2021-31-5553

Summary

Since the Norwegian Data Protection Authority focused on the processing of personal data about website visitors in early 2020, the Norwegian Data Protection Authority has received a number of inquiries about the use of so-called cookie walls.

On the basis of two concrete complaints, the Danish Data Protection Authority has decided to what extent Gul og Gratis' and Jysk Fynske Medier's use of so-called cookie walls was within the framework of the data protection rules.

The cases have been dealt with in the Data Council.

The Danish Data Protection Authority generally found that a method whereby the website visitor can access the content of a website or service in exchange for either giving consent to the processing of his personal data or for payment, meets the requirements of the data protection rules for a valid consent.

Jysk Fynske Media's use of cookie walls

As far as Jysk Fynske Medier is concerned, the Danish Data Protection Authority found that the company's specific approach, where visitors could, against their consent, gain access to parts of the content on jv.dk (unlocked articles) or to all the content on jv.dk by taking out a subscription, did not meet the requirements for a valid consent.

This is because the service offered against consent was not to a large extent equivalent to that which was offered against payment, and that the visitors were thus not really presented with a free choice.

Similarly, the Danish Data Protection Authority found that Jysk Fynske Medier had not demonstrated that the processing of personal data for statistical purposes was also a necessary part of the alternative to payment.

The company was therefore notified of an order to ensure that the consent of the visitors to jv.dk meets the requirements of the data protection regulation, and to be able to demonstrate that the consent meets the requirements for voluntary consent – that is, the company must either demonstrate that statistical purposes are a necessary part of the alternative to payment, or must adapt the consent solution so that visitors can give separate consent for this purpose.

Find the decision regarding Gul og Gratis' use of cookie walls here.

Decision

The Danish Data Protection Authority hereby returns to the case where [X] (hereafter complainant) on 18 September 2021 complained to the Danish Authority about Jysk Fynske Medier P/S' processing of personal data about him on the website jv.dk, since he can only access the website's content by giving consent to the processing of his personal data or by taking out a subscription.

The Data Protection Authority initially notes that it is not clear from the case whether Jysk Fynske Medier has processed the complainant's personal data in connection with the person concerned's visit to jv.dk, and if so when.

With this decision, the Danish Data Protection Authority therefore takes a position on whether Jysk Fynske Medier's current processing of personal data about visitors to jv.dk takes place within the framework of the data protection regulation[1].

In this connection, the Danish Data Protection Authority exclusively takes a position on the question of whether Jysk Fynske Medier's procedure for obtaining consent for the processing of information about website visitors on jv.dk meets the data protection regulation's requirement that consent be voluntary, cf. the data protection regulation's article 4, no. 11.

The matter has been dealt with in the Data Council.

1. Decision

After a review of the case, the Danish Data Protection Authority finds that Jysk Fynske Medier's processing of personal data is not in accordance with Article 6, paragraph 1 of the Data Protection Regulation. 1, letter a, cf. article 4, no. 11, and the regulation's article 5, subsection 2, cf. Article 5, subsection 1, letter a.

The Danish Data Protection Authority therefore finds grounds to notify Jysk Fynske Medier of an order to ensure that the consent that Jysk Fynske Medier obtains from the website visitors meets the requirements of Article 4, No. 11 of the Data Protection Regulation, as well as being able to demonstrate that the consent meets the Data Protection Regulation's requirement of a voluntary consent, cf. the regulation's article 5, subsection 2, cf. Article 5, subsection 1, letter a.

If Jysk Fynske Medier still wishes to use an approach where visitors are offered access against consent or against payment, the order can be complied with by allowing visitors, against consent, to gain access to content that largely corresponds to the content that the visitors can get access to for a fee. Alternatively, the order can be complied with by Jysk Fynske Medier offering (yet) a payment alternative where the visitors can access content which essentially corresponds to the content that the visitors can access against consent.

Jysk Fynske Medier must also be able to demonstrate that the processing of personal data for statistical purposes is a necessary part of the alternative to paid access. Alternatively, Jysk Fynske Medier must adapt its solution for obtaining consent, so that it is possible for website visitors to give separate consent to the processing of personal data for statistical purposes.

The deadline for compliance with the order is 8 March 2023. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date.

The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.

According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.

Finally, in view of the fundamental questions in the case, which the Data Protection Authority has not previously had the opportunity to take a position on, the Danish Data Protection Authority finds that there is no basis for expressing criticism of Jysk Fynske Medier in connection with the above.

Below follows a closer review of the case and a rationale for the Data Protection Authority's decision.

2. Case presentation

It appears from the case that, when the complainant visited the jv.dk website, he was asked to give consent to the processing of personal data via a solution with the following wording:

"Privacy and cookie policy

The website uses cookies and collects personal data about IP, ID and your browser for statistics and marketing purposes. Information is shared with our business partners who store and/or access information on your device for the purpose of displaying customized ads and ad measurement, customized content, content measurement, audience insights and product development. See further info under settings and personal data policy.

You can always change your settings below or withdraw your consent by clicking on the link to "Cookie settings" at the bottom of the page under the menu.

We point out that opting out of cookies or personalizing cookie settings is reserved for paying subscribers. By clicking "OK", all cookies are accepted and free access to the website and all unlocked content is granted. By clicking "Confirm my selections" it is possible to purchase a subscription and login for subscribers."

Complainants were presented below with the option of (i) "Settings", which gave the complainant the opportunity to opt in or out of consent for various purposes, (ii) "Reject all", which rejected the use of all cookies (except those necessary) for the collection of personal data, or (iii) "OK", after which the complainant could consent to the use of cookies for the collection of personal data for all the purposes mentioned.

By choosing "Reject all", complaints were forwarded to a new page with the following wording:

“We want to give you high-quality news

We work on that every day of the year. Unfortunately, we cannot do this for free, and are therefore dependent on advertising revenue based on data and subscribers. If you do not want us to collect your data, you will instead be able to gain access to the page”

Below the text appeared the option "Are you a subscriber? Log in here”, and two additional tabs appeared.

From one tab, it appeared that the website's unlocked content could be accessed if the visitor consented to the collection of personal data using cookies for all the purposes in question.

From the second tab, it appeared that all content on the website could be accessed if the data subject purchased a subscription, and that Jysk Fynske Medier would in that connection accept the visitor's choice of the purposes for which the person's personal data could be collected.

2.1. Complainant's comments

The complainant has generally stated that the consent solution that Jysk Fynske Medier uses on the website jv.dk is in breach of the data protection rules, as the data subject can only access the website by giving consent to the processing of personal data for all purposes or against payment.

2.2. Jysk Fynske Medier remarks

Jysk Fynske Medier has stated that if the visitor consents to the use of cookies on jv.dk, personal data in the form of IP address, ID and technical information about the browser used is collected for statistical and marketing purposes.

In relation to the basis of processing, Jysk Fynske Medier has referred to Jysk Fynske Medier's privacy and cookie policy, from which it appears that Jysk Fynske Medier, when visiting their website(s), processes information on the basis of e.g. the data subject's consent, cf. the data protection regulation, article 6, subsection 1, letter a.

Regarding the processing of personal data when visiting jv.dk, the following is also stated in the privacy and cookie policy:

"When you visit our websites, you will be greeted by a pop-up where you can choose to consent to the collection of information and the use of cookies. If you do not wish to consent to the use of non-necessary cookies, you can continue to use the editorial websites by paying for our content or by logging in if you are already a subscriber. When you are logged in as a subscriber, you choose whether you want to consent to this. You can always withdraw your consent, with effect for the future.”

In relation to Jysk Fynske Medier's processing of personal data on the basis of the data subject's consent, Jysk Fynske Medier has stated that, in Jysk Fynske Medier's opinion, it is only the requirement of voluntariness that can be doubted.

However, it is Jysk Fynske Medier's opinion that this requirement – like the other validity conditions – is met, and that Jysk Fynske Medier's processing of personal data on the basis of the data subject's consent is therefore legal.

In this connection, Jysk Fynske Medier has referred to the European Data Protection Board's guidelines 05/2020 on consent[2], section 37, and stated that it is Jysk Fynske Medier's assessment that the consent solution that jv.dk has implemented meets the requirement of voluntariness, since:

The two options are clearly stated. Cookies are not set until the visitor has consented to this. The payment required for access is not disproportionately expensive (DKK 99/month) This is similar content with and without consent There is the possibility for the visitor to choose separately between several purposes It is not associated with damage or inconvenience to reject or withdraw consent

Jysk Fynske Medier has stated below that the company's assessment is also supported by a decision from the Austrian data supervisory authority regarding the news media "Der Standard". As the data protection regulation applies throughout the EU and uniform practice throughout the EU is intended, the rules should be applied consistently and uniformly throughout the Union as described in preamble recital no. 10 of the regulation.

The ruling by the Austrian Data Protection Authority concerned a news outlet that did not offer free access to content without consent to the collection of personal data for marketing purposes, but instead gave visitors a choice between giving consent or paying for access without the use of cookies. The Austrian data supervisory authority found that the news media Der Standard's consent solution met the requirement of voluntariness and emphasized in the decision:

that the two options were clearly stated that no cookies were placed before the user had agreed to cookies that the payment was proportionate and not disproportionately high that it was a question of equivalent services with and without consent that the paid access did not involve targeted advertising.

Finally, Jysk Fynske Medier has stated that a lack of consent must not cause damage or disadvantage, for example in the form of negative consequences for a registered person who does not want to give consent. If the price for the paid access is disproportionately high, this could be an obstacle to the consent being considered valid. Unfortunately, Jysk Fynske Medier cannot deliver high-quality editorial content for free. Jysk Fynske Medier is therefore dependent on income, part of which is advertising income. If the website visitor wants Jysk Fynske Medier's editorial content - without consenting to the processing of personal data - the payment for access without placing cookies is DKK 99/month, which in Jysk Fynske Medier's view is a modest and proportional payment for one month's access to all articles on jv.dk.

3. Reason for the Data Protection Authority's decision

3.1. Relevant legal regulations

This appears from the data protection regulation's article 6, subsection 1, letter a, that the processing of personal data is lawful if the data subject has given consent to the processing of information about the person concerned for one or more specific purposes.

A consent is defined in Article 4, No. 11 of the Data Protection Regulation as any voluntary, specific, informed and unequivocal expression of intent whereby the data subject, by declaration or clear confirmation, consents to the processing of personal data concerning the person concerned.

Consent will not be given voluntarily if the data subject does not have a real or free choice and control over information about himself. Any form of inappropriate pressure on or influence on the data subject's free will means that the consent is invalid.

A data controller can to a certain extent motivate the registered to give consent by the fact that there is an advantage associated with consent. Enrollment in a business benefit program can, for example, involve discounts which motivate the customer to consent to receiving advertising material from the business. The discount or the benefits that a consent to a benefit program entails do not exclude that the consent can be considered to be voluntary.

However, it is important to be aware of whether a lack of consent entails negative consequences for the registered person who does not want to give consent, e.g. in the form of additional costs.[3]

The European Data Protection Board's guidelines 5/2020 include, among other things, the following about the condition of voluntariness:

"37. The data controller can claim that his or her organization gives data subjects a real choice if they can choose between a service that implies consent to the use of personal data for additional purposes and a similar service offered by the same data controller that does not implies consent to the processing of personal data for additional purposes. As long as there is an opportunity to have the contract fulfilled or the service covered by a contract provided by the data controller without giving consent to the second or further use of the personal data, this is not a conditional service. However, the two services must be completely identical.

38. The Data Protection Board does not believe that consent can be considered to have been given voluntarily if a data controller claims that a choice can be made between the data controller's service, which includes consent to the use of personal data for additional purposes, and a similar service offered by a other data controller. In this case, the freedom of choice would depend on what other market players do and whether the data subject finds the other data controller's services completely identical. It would also oblige data controllers to monitor market developments to ensure that consent to their data processing activities remains valid as competitors may subsequently change their services. Based on this argument, consent based on an alternative provided by a third party is not in line with the GDPR, meaning that a service provider cannot prevent data subjects from accessing a service on the grounds that they do not have given consent.

39. In order for consent to be considered to be given voluntarily, access to services and functions must not be conditional on a user's consent to information being stored or access to information already stored in a user's terminal equipment (so-called cookie walls).

40. Example 6a: A website provider creates a script that prevents content from being visible, with the exception of a request to accept cookies and information about which cookies are inserted and for which purposes the data will be processed. It is not possible to access the content unless you click on the "Accept cookies" button. Since the data subject has no real choice, his or her consent is not given voluntarily.

41. This is not a valid consent, as the provision of the service depends on whether the registered person clicks on the "Accept cookies" button. The data subject does not have a real choice."

3.2. The Danish Data Protection Authority's assessment

It appears from the case that website visitors to jv.dk can gain access to unlocked articles by giving consent to the use of cookies for the collection of personal data for statistical and marketing purposes. Alternatively, visitors can take out a subscription for DKK 99/month[4], which gives them access to all articles.

It is the Danish Data Protection Authority's opinion that under certain conditions website visitors can be considered to have a real and voluntary choice in a situation where a company offers visitors content etc. against obtaining consent to the processing of personal data, as long as the company also offers an alternative way of accessing the content that does not involve the processing of personal data. However, this requires that the content offered by the company must be similar to a large extent, regardless of whether the visitors give consent or, for example, pay to access the content or service.

It is against this background that the Danish Data Protection Authority's assessment is that Jysk Fynske Medier's approach, where website visitors can gain access to parts of the content on jv.dk by giving consent to the processing of personal data or to all the content on jv.dk by taking out a subscription, does not meet the data protection regulation's requirement for a valid consent, cf. the data protection regulation's article 4, no. 11.

In this regard, the Danish Data Protection Authority has particularly emphasized that Jysk Fynske Medier offers website visitors access to unlocked articles in return for consent to the processing of information or access to all articles for a fee by taking out a subscription, and that Jysk Fynske Medier therefore does not offer an alternative service, which is largely equivalent to that offered in connection with giving consent. This means that website visitors are not really presented with a free choice.

The Danish Data Protection Authority also finds that Jysk Fynske Medier has not demonstrated that the website visitors' consent to the processing of personal data, also for statistical purposes, is a necessary part of the alternative to paid access.

The Danish Data Protection Authority has emphasized that Jysk Fynske Medier has only stated that the company is dependent on income in order to be able to deliver high-quality editorial content, and that part of this income comes from advertising income, and that Jysk Fynske Medier has not justified , to the extent that processing of personal data for statistical purposes is also necessary for this.

Given that Jysk Fynske Medier has not assessed and demonstrated to what extent it is necessary – as an alternative to access against payment – to obtain consent to the processing of personal data for statistical purposes, the Danish Data Protection Authority finds that Jysk Fynske Medier has not demonstrated that the data protection regulation's requirement that the consent is voluntary is met and thus that the processing is legal, cf. the regulation's article 6, paragraph 1, letter a, and article 4, no. 11, cf. the regulation's article 5, subsection 2, cf. Article 5, subsection 1, letter a.

The Danish Data Protection Authority therefore finds grounds to notify Jysk Fynske Medier of an order to ensure that the consent that Jysk Fynske Medier obtains from the website visitors meets the requirements of Article 4, No. 11 of the Data Protection Regulation, as well as being able to demonstrate that the consent meets the Data Protection Regulation's requirement of a voluntary consent, cf. the regulation's article 5, subsection 2, cf. Article 5, subsection 1, letter a.

If Jysk Fynske Medier still wishes to use an approach where visitors are offered access against consent or against payment, the order can be complied with by allowing visitors, against consent, to gain access to content that largely corresponds to the content that the visitors can get access to for a fee. Alternatively, the order can be complied with by Jysk Fynske Medier offering (yet) a payment alternative where the visitors can access content which essentially corresponds to the content that the visitors can access against consent.

Jysk Fynske Medier must also be able to demonstrate that the processing of personal data for statistical purposes is a necessary part of the alternative to paid access. Alternatively, Jysk Fynske Medier must adapt its solution for obtaining consent, so that it is possible for website visitors to give separate consent to the processing of personal data for statistical purposes.

The deadline for compliance with the order is 8 March 2023. The Danish Data Protection Authority must request to receive confirmation that the order has been complied with by the same date.

The order is announced in accordance with the data protection regulation, article 58, subsection 2, letter d.

According to the Data Protection Act § 41, subsection 2, no. 4, anyone who fails to comply with an order issued by the Data Protection Authority pursuant to Article 58 of the Data Protection Regulation shall be punished with a fine or imprisonment for up to 6 months. 2, letter d.

Finally, in view of the fundamental questions in the case, which the Data Protection Authority has not previously had the opportunity to take a position on, the Danish Data Protection Authority finds that there is no basis for expressing criticism of Jysk Fynske Medier in connection with the above.



[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such data and on the repeal of Directive 95/46/EC (general regulation on data protection).

[2] European Data Protection Board, Guidelines 5/2020 on consent under Regulation 2016/679, v. 1.1

[3] The Danish Data Protection Authority's guidance on consent, section 2.3.

[4] On a visit to www.jv.dk on 20 October 2022, the Danish Data Protection Authority found that the price is now DKK 69 per month or DKK 409 per month (depending on the chosen subscription solution).