Editing Datatilsynet - 2018-32-0357

From GDPRhub

Warning: You are not logged in. Your IP address will be publicly visible if you make any edits. If you log in or create an account, your edits will be attributed to your username, along with other benefits.

The edit can be undone. Please check the comparison below to verify that this is what you want to do, and then save the changes below to finish undoing the edit.

Latest revision Your text
Line 182: Line 182:
 
First-time visitors to the site were prompted for consent to the use of cookies. However, cookies were used and personal data was processed even before the visitor had given consent.
 
First-time visitors to the site were prompted for consent to the use of cookies. However, cookies were used and personal data was processed even before the visitor had given consent.
  
When the complaint was filed on 29 August, 2018, consent was gathered via a non-intrusive banner at the bottom of the page containing only a short text about the use of cookies and an “OK” button. There was no way to refuse consent.
+
When the complaint was filed on 29 August, 2018, consent was gathered via a non-intrusive banner at the bottom of the page containing only a short text about the use of cookies and an “OK” button. There was no was to refuse consent.
  
 
A few months later, while Datatilsynet was still processing the complaint, DMI launched a redesign of their website. New visitors were now prompted for consent in an overlay which blocked access to the site, until the visitors had either given or refused consent. Visitors could click “OK” to give consent. To refuse consent, the visitor had to click “Show details” to reveal several pre-checked checkboxes representing different processing purposes. The visitor should uncheck these and then press “Update consent”.
 
A few months later, while Datatilsynet was still processing the complaint, DMI launched a redesign of their website. New visitors were now prompted for consent in an overlay which blocked access to the site, until the visitors had either given or refused consent. Visitors could click “OK” to give consent. To refuse consent, the visitor had to click “Show details” to reveal several pre-checked checkboxes representing different processing purposes. The visitor should uncheck these and then press “Update consent”.
Line 198: Line 198:
 
Consent to processing and to the use of cookies was gathered through the same user interface. The consent, however, was not valid for the following reasons:
 
Consent to processing and to the use of cookies was gathered through the same user interface. The consent, however, was not valid for the following reasons:
 
* It was not ''voluntary'', because it was not possible for the visitor to give granular consent to different processing purposes (analytics and behavioural ads) in the initial screen. Instead the visitor could click “Show details” and only then get access to multiple checkboxes representing each purpose (“one click away”).
 
* It was not ''voluntary'', because it was not possible for the visitor to give granular consent to different processing purposes (analytics and behavioural ads) in the initial screen. Instead the visitor could click “Show details” and only then get access to multiple checkboxes representing each purpose (“one click away”).
* It was not ''informed'', because it was not specified which personal data was processed and disclosed, and the identity of the joint controller was unclear. The joint controller should have been mentioned using a company name (Google). Instead a product/brand name (DoubleClick) was used.
+
* It was not ''informed'', because the visitor was not informed about which personal data was processed and transferred or about the identity of the joint controller. The joint controller should have been mentioned using a company name (Google). Instead a product/brand name (DoubleClick) was used.
 
* It was not ''transparent'', because was not as easy to refuse consent as to give it. Instead the button for refusing consent was “one click away” and less prominently displayed, and it was confusingly labeled.
 
* It was not ''transparent'', because was not as easy to refuse consent as to give it. Instead the button for refusing consent was “one click away” and less prominently displayed, and it was confusingly labeled.
  
Line 221: Line 221:
 
The matter was discussed at a meeting of the Data Council.
 
The matter was discussed at a meeting of the Data Council.
  
Datatilsynet first notes that since the filing of the complaint, DMI has reached the conclusion that personal data, including data about the complainant, has been processed and disclosed without legal basis, which is why the institute has changed the way by which consent is collected for collection and disclosure of personal data about the visitors on dmi.dk.
+
Datatilsynet first notes that since the filing of the complaint, DMI has reached the conclusion that personal data, including data about the complainant, has been processed and transferred without legal basis, which is why the institute has changed the way by which consent is collected for collection and transfer of personal data about the visitors on dmi.dk.
  
 
With this decision, Datatilsynet considers whether the processing of personal data about the complainant prior to DMI's change of the institute's procedure for obtaining consent has been justified, as well as whether the institute's current processing of personal data on visitors on dmi.dk takes place within the framework of the General Data Protection Regulation.
 
With this decision, Datatilsynet considers whether the processing of personal data about the complainant prior to DMI's change of the institute's procedure for obtaining consent has been justified, as well as whether the institute's current processing of personal data on visitors on dmi.dk takes place within the framework of the General Data Protection Regulation.
Line 228: Line 228:
 
Datatilsynet finds that neither DMI's previous nor current solution for obtaining consent for the processing of personal data about the visitors on dmi.dk meets the data protection regulation [1] for the data subject's consent in Article 4(11), and the basic principle of legality, reasonableness and transparency in Article 5(1)(a).
 
Datatilsynet finds that neither DMI's previous nor current solution for obtaining consent for the processing of personal data about the visitors on dmi.dk meets the data protection regulation [1] for the data subject's consent in Article 4(11), and the basic principle of legality, reasonableness and transparency in Article 5(1)(a).
  
Furthermore, Datatilsynet finds that DMI's processing of personal data about the complainant by collection and disclosure to Google has been - and is - in violation of Article 6 of the General Data Protection Regulation, since none of the provisions of Article 6(1) of the General Data Protection Regulation are applicable.
+
Furthermore, Datatilsynet finds that DMI's processing of personal data about the complainant by collection and transferring to Google has been - and is - in violation of Article 6 of the General Data Protection Regulation, since none of the provisions of Article 6(1) of the General Data Protection Regulation are applicable.
  
 
On the basis of the above, Datatilsynet finds that there are grounds for expressing '''serious criticism''' that DMI's processing of personal data on the visitors on dmi.dk, including the complainant, has not been in accordance with the General Data Protection Regulation.
 
On the basis of the above, Datatilsynet finds that there are grounds for expressing '''serious criticism''' that DMI's processing of personal data on the visitors on dmi.dk, including the complainant, has not been in accordance with the General Data Protection Regulation.
Line 238: Line 238:
  
 
==== 2.1. The complainant's remarks ====
 
==== 2.1. The complainant's remarks ====
The complainant has generally stated that DMI shows banner ads on its website, including among other things ads from Google Ad Exchange, which uses personal information to personalise ads, such as information about visits to other websites.
+
The complainant has generally stated that DMI shows banner ads on its website, including among other things ads from Google Ad Exchange, which uses personal information to personalize ads, such as information about visits to other websites.
  
 
The complainant has also stated that Google offers a number of services that are aimed at website owners who want to buy and sell ads, both with and without Google as an intermediary. The services are marketed under the names DoubleClick, Google Ads, AdSense, AdWords etc. (hereafter “Google's ad platform”). The services are tightly integrated and subject to the same guidelines for use, and for the majority of these services, Google is the data controller.
 
The complainant has also stated that Google offers a number of services that are aimed at website owners who want to buy and sell ads, both with and without Google as an intermediary. The services are marketed under the names DoubleClick, Google Ads, AdSense, AdWords etc. (hereafter “Google's ad platform”). The services are tightly integrated and subject to the same guidelines for use, and for the majority of these services, Google is the data controller.
Line 247: Line 247:
 
In addition, the complainant stated that Google is able to collect personal information about him during his visit on dmi.dk and use it to target ads only because DMI has engaged Google to sell ads on dmi.dk and implemented Google's plugin (so-called ad tags) on dmi.dk.
 
In addition, the complainant stated that Google is able to collect personal information about him during his visit on dmi.dk and use it to target ads only because DMI has engaged Google to sell ads on dmi.dk and implemented Google's plugin (so-called ad tags) on dmi.dk.
  
The complainant has further stated that when inserting these ad tags, DMI has the opportunity to specify a number of parameters that determine how the ads are selected and presented on dmi.dk, and that DMI thereby greatly helps to determine the purpose and with what tools Google can process personal data. If DMI had not inserted these tags, Google would not be able to show ads to the visitors of dmi.dk or track their behaviour.
+
The complainant has further stated that when inserting these ad tags, DMI has the opportunity to specify a number of parameters that determine how the ads are selected and presented on dmi.dk, and that DMI thereby greatly helps to determine the purpose and with what tools Google can process personal data. If DMI had not inserted these tags, Google would not be able to show ads to the visitors of dmi.dk or track their behavior.
  
In addition, the complainant states that DMI probably does not have access to the personal data that Google collects and processes about the visitors on dmi.dk, except in the case of anonymised or aggregated form, but that this does not exclude the possibility that there may be joint data liability.
+
In addition, the complainant states that DMI probably does not have access to the personal data that Google collects and processes about the visitors on dmi.dk, except in the case of anonymized or aggregated form, but that this does not exclude the possibility that there may be joint data liability.
  
 
===== On consent =====
 
===== On consent =====
 
The complainant states that DMI has not obtained his consent to this processing and that, in his opinion, DMI does not have a legal basis for the processing of personal data about him.
 
The complainant states that DMI has not obtained his consent to this processing and that, in his opinion, DMI does not have a legal basis for the processing of personal data about him.
  
Furthermore, the complainant points out that it is Google's own opinion that the processing of personal data that occurs in connection with Google's advertising platform cannot be done without the consent of the data subjects, i.e. the consent of the visitors to the websites that have implemented the ad platform. Therefore, Google requires in its guidelines that visitor consent should be obtained when an organisation uses the ad platform to display personalised banner ads.
+
Furthermore, the complainant points out that it is Google's own opinion that the processing of personal data that occurs in connection with Google's advertising platform cannot be done without the consent of the data subjects, i.e. the consent of the visitors to the websites that have implemented the ad platform. Therefore, Google requires in its guidelines that visitor consent should be obtained when an organization uses the ad platform to display personalized banner ads.
  
 
In addition, the complainant is of the opinion that DMI, with the new solution to obtain the visitor's consent, still does not meet the requirements of the General Data Protection Regulation.
 
In addition, the complainant is of the opinion that DMI, with the new solution to obtain the visitor's consent, still does not meet the requirements of the General Data Protection Regulation.
  
Furthermore, the complainant has stated that the consent is not informed as it does not indicate which third parties, including Google, personal data is transferred to.
+
Furthermore, complainant has stated that the consent is not informed as it does not indicate which third parties, including Google, personal data is transferred to.
  
 
The complainant has further stated that the consent solution makes use of pre-ticked fields, which cannot constitute a valid consent, and that the fields are even hidden unless you select “Show details”.
 
The complainant has further stated that the consent solution makes use of pre-ticked fields, which cannot constitute a valid consent, and that the fields are even hidden unless you select “Show details”.
Line 304: Line 304:
 
For example, when you visit a website that uses advertising services such as AdSense, including analytics tools such as Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you are visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.
 
For example, when you visit a website that uses advertising services such as AdSense, including analytics tools such as Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you are visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.
  
Google uses the information shared by sites and apps to deliver our services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse and personalise content and ads that you see on Google and on our partners' sites and apps.”
+
Google uses the information shared by sites and apps to deliver our services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse and personalize content and ads that you see on Google and on our partners' sites and apps.”
 
</blockquote>
 
</blockquote>
  
Line 316: Line 316:
 
Many websites, such as news sites and blogs, partner with Google to show ads to their visitors. Working with our partners, we may use cookies for a number of purposes, such as stopping you from seeing the same ad over and over again, detecting and stopping click fraud and showing ads that are likely to be more relevant (such as ads based on websites you have visited).
 
Many websites, such as news sites and blogs, partner with Google to show ads to their visitors. Working with our partners, we may use cookies for a number of purposes, such as stopping you from seeing the same ad over and over again, detecting and stopping click fraud and showing ads that are likely to be more relevant (such as ads based on websites you have visited).
  
We store a record of the ads we serve in our logs. These server logs typically include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. We store this data for a number of reasons, the most important of which are to improve our services and maintain the security of our systems. We anonymise this log data by removing part of the IP address (after 9 months) and cookie information (after 18 months).
+
We store a record of the ads we serve in our logs. These server logs typically include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. We store this data for a number of reasons, the most important of which are to improve our services and maintain the security of our systems. We anonymize this log data by removing part of the IP address (after 9 months) and cookie information (after 18 months).
  
 
''Our advertising cookies''
 
''Our advertising cookies''
Line 372: Line 372:
  
 
<blockquote>
 
<blockquote>
“A “purpose element” may also be responsible for the information “about” a particular person. The “purpose element” may be considered to exist when the information is used or - taking into account all the circumstances of the case in question - may be expected to be used for the purpose of assessing a person, treating that person in a particular way or affecting the person's status or behaviour.”
+
“A “purpose element” may also be responsible for the information “about” a particular person. The “purpose element” may be considered to exist when the information is used or - taking into account all the circumstances of the case in question - may be expected to be used for the purpose of assessing a person, treating that person in a particular way or affecting the person's status or behavior.”
 
</blockquote>
 
</blockquote>
  
This view reiterates the Article 29 Working Party's opinion on behavioural advertising on the Internet [6], which includes the following:
+
This view reiterates the Article 29 Working Party's opinion on behavioral advertising on the Internet [6], which includes the following:
  
 
<blockquote>
 
<blockquote>
 
“Behavioral advertising usually involves collecting IP addresses and processing unique identifiers (via the cookie). The use of such devices with a unique identifier makes it possible to track the users of a particular computer, even if dynamic IP addresses are used.
 
“Behavioral advertising usually involves collecting IP addresses and processing unique identifiers (via the cookie). The use of such devices with a unique identifier makes it possible to track the users of a particular computer, even if dynamic IP addresses are used.
  
In other words, such devices make it possible to "designate" data subjects, even though their real names are not known. ii) The information collected in the context of behavioural advertising relates to (ie deals with) a person's characteristics or behaviour and is used to influence that particular person. This position is further confirmed if the possibility that profiles can be linked at any time with directly personally identifiable information provided by the data subject, e.g. registration related information is taken into account. Other scenarios that can lead to identifiability are data merge, data loss and the increased availability of personal data on the Internet in combination with IP addresses. "
+
In other words, such devices make it possible to "designate" data subjects, even though their real names are not known. ii) The information collected in the context of behavioral advertising relates to (ie deals with) a person's characteristics or behavior and is used to influence that particular person. This position is further confirmed if the possibility that profiles can be linked at any time with directly personally identifiable information provided by the data subject, e.g. registration related information is taken into account. Other scenarios that can lead to identifiability are data merge, data loss and the increased availability of personal data on the Internet in combination with IP addresses. "
 
</blockquote>
 
</blockquote>
  
Line 398: Line 398:
 
</blockquote>
 
</blockquote>
  
In Case C-210/16 ''Wirtschaftsakademie Schleswig-Holstein'', the European Court of Justice has stated the following on common data liability :
+
In Case C-210/16 Wrtschaftsakademie Schleswig-Holstein, the European Court of Justice has stated the following on common data liability :
  
 
<blockquote>
 
<blockquote>
Line 422: Line 422:
 
</blockquote>
 
</blockquote>
  
In Case C-40/17 ''Fashion ID'', the European Court of Justice has elaborated on its interpretation of joint data liability as referred to in the General Data Protection Regulation:
+
In Case C-40/17 Fashion ID, the European Court of Justice has elaborated on its interpretation of joint data liability as referred to in the General Data Protection Regulation:
  
 
<blockquote>
 
<blockquote>
 +
 
“67 Furthermore, since Article 2(d) of Directive 95/46 expressly provides that the term 'controller' includes the body which 'alone or together with others' determines the purpose and the means to be used processing of personal data, this term does not necessarily refer to a single body and may concern several actors participating in this processing, and therefore they are all subject to the applicable data protection provisions (cf. in this direction judgment of 5.6.2018, Wirtschaftsakademie Schleswig -Holstein, C-210/16, EU: C: 2018: 388, para 29, and of 10.7.2018, Jehovah's Witnesses Cate, C-25/17, EU: C: 2018: 551, para 65).
 
“67 Furthermore, since Article 2(d) of Directive 95/46 expressly provides that the term 'controller' includes the body which 'alone or together with others' determines the purpose and the means to be used processing of personal data, this term does not necessarily refer to a single body and may concern several actors participating in this processing, and therefore they are all subject to the applicable data protection provisions (cf. in this direction judgment of 5.6.2018, Wirtschaftsakademie Schleswig -Holstein, C-210/16, EU: C: 2018: 388, para 29, and of 10.7.2018, Jehovah's Witnesses Cate, C-25/17, EU: C: 2018: 551, para 65).
  
Line 561: Line 562:
 
Against this background, it is the opinion of Datatilsynet that DMI and Google together determine the purposes for which the personal data in question has been collected and disclosed.
 
Against this background, it is the opinion of Datatilsynet that DMI and Google together determine the purposes for which the personal data in question has been collected and disclosed.
  
As is clear from Cases of the European Court of Justice C-210/16 ''Wirtschaftsakademie'' and C-40/17 ''Fashion ID'', paragraphs 69 and 82, respectively, the fact that DMI does not itself have access to the personal data collected and transferred to Google, with whom DMI jointly determines the purposes and means for which personal data processing may be carried out, does not prevent the DMI from being the data controller.
+
As is clear from Cases of the European Court of Justice C-210/16 Wirtschaftsakademie and C-40/17 Fashion ID, paragraphs 69 and 82, respectively, the fact that DMI does not itself have access to the personal data collected and transferred to Google, with whom DMI jointly determines the purposes and means for which personal data processing may be carried out, does not prevent the DMI from being the data controller.
  
 
==== 5.3. Legal basis ====
 
==== 5.3. Legal basis ====
Line 573: Line 574:
 
In cases where the relevant processing basis is the data subject's consent, this consent must be provided before processing of personal data.
 
In cases where the relevant processing basis is the data subject's consent, this consent must be provided before processing of personal data.
  
In this connection, it should be noted that in its judgment of 29 July 2019 in Case C-40/17 ''Fashion ID'', also stated that it would be inconsistent with effective and timely protection of the data subject's rights if the consent was given only to the joint controller who is only later involved, ie. Google.
+
In this connection, it should be noted that in its judgment of 29 July 2019 in Case C-40/17 Fashion ID , also stated that it would be inconsistent with effective and timely protection of the data subject's rights if the consent was given only to the joint controller who is only later involved, ie. Google.
  
 
===== 5.3.2. What is the relevant processing basis? =====
 
===== 5.3.2. What is the relevant processing basis? =====

Please note that all contributions to GDPRhub are considered to be released under the Creative Commons Attribution-NonCommercial-ShareAlike (see GDPRhub:Copyrights for details). If you do not want your writing to be edited mercilessly and redistributed at will, then do not submit it here.
You are also promising us that you wrote this yourself, or copied it from a public domain or similar free resource. Do not submit copyrighted work without permission!

To edit this page, please answer the question that appears below (more info):

Cancel Editing help (opens in new window)

Template used on this page: