Datatilsynet (Denmark) - 2018-32-0357

From GDPRhub
Revision as of 13:24, 10 April 2020 by C960657 (talk | contribs) (fine)
Datatilsynet - 2018-32-0357
LogoDK.png
Authority: Datatilsynet (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR
Article 5(1)(a) GDPR
Article 6(1)(a) GDPR
Article 26 GDPR
Type: Complaint
Outcome: Reprimand
Started:
Decided: 11.02.2020
Published: 17.02.2020
Fine: None
Parties: DMI
National Case Number/Name: 2018-32-0357
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Danish
Original Source: Datatilsynet (in DA)
Initial Contributor: n/a

The Danish Data Protection Authority (Datatilsynet) issued a reprimand concerning the requirements for consent as required by Article 6(1)(a) GDPR.

English Summary

Facts

Datatilsynet examined a complaint regarding the processing of personal data on the website of the Danish Meteorological Institute (DMI), www.dmi.dk, with the purpose of displaying ads based on user behaviour. The ads were embedded as third-party plugins from Google's ad platform which uses cookies for tracking users.

First-time visitors to the site were prompted for consent to the use of cookies. However, cookies were used and personal data was processed even before the visitor had given consent.

When the complaint was filed on 29 August, 2018, consent was gathered via a non-intrusive banner at the bottom of the page containing only a short text about the use of cookies and an “OK” button. There was no way to refuse consent.

A few months later, while Datatilsynet was still processing the complaint, DMI launched a redesign of their website. New visitors were now prompted for consent in an overlay which blocked access to the site, until the visitors had either given or refused consent. Visitors could click “OK” to give consent. To refuse consent, the visitor had to click “Show details” to reveal several pre-checked checkboxes representing different processing purposes. The visitor should uncheck these and then press “Update consent”.

Dispute

The question for Datatilsynet was whether DMI had a legal basis for the processing personal data.

Holding

Datatilsynet considered both the old and the new way of gathering consent (before and after the redesign of www.dmi.dk).

Datatilsynet found that DMI and Google were joint controllers, but that DMI was responsible for gathering consent. This should have be gathered before any processing took place.

Datatilsynet found that consent was the appropriate basis for this processing. DMI is a public authority, so they could not rely on legitimate interest as legal basis.

Consent to processing and to the use of cookies was gathered through the same user interface. The consent, however, was not valid for the following reasons:

  • It was not voluntary, because it was not possible for the visitor to give granular consent to different processing purposes (analytics and behavioural ads) in the initial screen. Instead the visitor could click “Show details” and only then get access to multiple checkboxes representing each purpose (“one click away”).
  • It was not informed, because it was not specified which personal data was processed and disclosed, and the identity of the joint controller was unclear. The joint controller should have been mentioned using a company name (Google). Instead a product/brand name (DoubleClick) was used.
  • It was not transparent, because was not as easy to refuse consent as to give it. Instead the button for refusing consent was “one click away” and less prominently displayed, and it was confusingly labeled.

Even though cookies were involved, which are covered by the e-Privacy directive, other personal data was also processed, so Datatilsynet concluded that this case fell within their competence as data protection agency.

Comment

Further Resources

Together with the decision, Datatilsynet published new guidelines on how to gather consent from website visitors.

Following this decision, the Danish Business Authority updated their guide on gathering consent to using cookies as required by the e-Privacy directive.

English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

DMI's processing of personal information about website visitors

On the basis of a complaint, Datatilsynet has expressed serious criticism of DMI's processing of personal data in connection with the display of banner advertisements on the institute's website.

Datatilsynet hereby returns to the case where Christian Schmidt (hereafter “the complainant”) on 29 August 2018 has complained to Datatilsynet about the Danish Meteorological Institute's (hereafter “DMI”) processing of personal data about him in connection with the display of banner advertisements on DMI's website (www.dmi.dk).

The matter was discussed at a meeting of the Data Council.

Datatilsynet first notes that since the filing of the complaint, DMI has reached the conclusion that personal data, including data about the complainant, has been processed and disclosed without legal basis, which is why the institute has changed the way by which consent is collected for collection and disclosure of personal data about the visitors on dmi.dk.

With this decision, Datatilsynet considers whether the processing of personal data about the complainant prior to DMI's change of the institute's procedure for obtaining consent has been justified, as well as whether the institute's current processing of personal data on visitors on dmi.dk takes place within the framework of the General Data Protection Regulation.

1. Decision

Datatilsynet finds that neither DMI's previous nor current solution for obtaining consent for the processing of personal data about the visitors on dmi.dk meets the data protection regulation [1] for the data subject's consent in Article 4(11), and the basic principle of legality, reasonableness and transparency in Article 5(1)(a).

Furthermore, Datatilsynet finds that DMI's processing of personal data about the complainant by collection and disclosure to Google has been - and is - in violation of Article 6 of the General Data Protection Regulation, since none of the provisions of Article 6(1) of the General Data Protection Regulation are applicable.

On the basis of the above, Datatilsynet finds that there are grounds for expressing serious criticism that DMI's processing of personal data on the visitors on dmi.dk, including the complainant, has not been in accordance with the General Data Protection Regulation.

2. Facts

It is clear from the case that DMI shows banner ads on the institute's website, including from among others Google's advertising platform, whereby DMI contributes to the collection and disclosure of personal information about website visitors to Google.

DMI has had banner ads on dmi.dk since 2004, and the income from these forms part of the institute's funding.

2.1. The complainant's remarks

The complainant has generally stated that DMI shows banner ads on its website, including among other things ads from Google Ad Exchange, which uses personal information to personalise ads, such as information about visits to other websites.

The complainant has also stated that Google offers a number of services that are aimed at website owners who want to buy and sell ads, both with and without Google as an intermediary. The services are marketed under the names DoubleClick, Google Ads, AdSense, AdWords etc. (hereafter “Google's ad platform”). The services are tightly integrated and subject to the same guidelines for use, and for the majority of these services, Google is the data controller.

On joint controllership

The complainant has stated that DMI should be considered joint data controller with Google for the collection and disclosure of personal data about him.

In addition, the complainant stated that Google is able to collect personal information about him during his visit on dmi.dk and use it to target ads only because DMI has engaged Google to sell ads on dmi.dk and implemented Google's plugin (so-called ad tags) on dmi.dk.

The complainant has further stated that when inserting these ad tags, DMI has the opportunity to specify a number of parameters that determine how the ads are selected and presented on dmi.dk, and that DMI thereby greatly helps to determine the purpose and with what tools Google can process personal data. If DMI had not inserted these tags, Google would not be able to show ads to the visitors of dmi.dk or track their behaviour.

In addition, the complainant states that DMI probably does not have access to the personal data that Google collects and processes about the visitors on dmi.dk, except in the case of anonymised or aggregated form, but that this does not exclude the possibility that there may be joint data liability.

On consent

The complainant states that DMI has not obtained his consent to this processing and that, in his opinion, DMI does not have a legal basis for the processing of personal data about him.

Furthermore, the complainant points out that it is Google's own opinion that the processing of personal data that occurs in connection with Google's advertising platform cannot be done without the consent of the data subjects, i.e. the consent of the visitors to the websites that have implemented the ad platform. Therefore, Google requires in its guidelines that visitor consent should be obtained when an organisation uses the ad platform to display personalised banner ads.

In addition, the complainant is of the opinion that DMI, with the new solution to obtain the visitor's consent, still does not meet the requirements of the General Data Protection Regulation.

Furthermore, the complainant has stated that the consent is not informed as it does not indicate which third parties, including Google, personal data is transferred to.

The complainant has further stated that the consent solution makes use of pre-ticked fields, which cannot constitute a valid consent, and that the fields are even hidden unless you select “Show details”.

Finally, the complainant has stated that it is only possible to obtain the necessary information by reading DMI's privacy policy, which, however, cannot be accessed before giving or refusing to consent to the processing of personal data and that any consent also cannot is said to be informed.

On legitimate interest

The complainant states that the DMI's legitimate interest in processing personal data about him does not outweigh his rights and freedom. In this regard, the complainant has pointed out that Google's advertising platform is widely used across the internet and that the collection and disclosure of personal information to Google allows the company to draw a detailed picture of the complainant's internet usage, which is an essential infringement of his rights and freedoms.

Finally, the complainant has pointed out that it is possible for DMI to display banner ads that are not personalized to the visitors based on the processing of personal data on them.

2.2. DMI's comments

DMI has generally stated that the institute processes information about the complainant, if he has given consent to the use of cookies on dmi.dk.

On joint controllership

DMI has acknowledged that the institute by integrating advertisements from e.g. Google's ad platform on dmi.dk has contributed to the collection and disclosure of personal information about website visitors, including the complainant.

On consent

DMI has acknowledged that the collection and transmission of personal data in question has taken place without legal basis with regard to the complainant and other visitors who have opted out of the use of cookies on the website.

Furthermore, DMI has stated that this was an unintentional error and that the institute will therefore, in the form of a news or pop-up window, inform the visitors on dmi.dk that cookies have been placed for a period of time, without consent has been given, as well as provide guidance on how to delete these cookies from the visitors' browser.

In addition, DMI has generally stated that after the complaint has been submitted to Datatilsynet, the institute has commissioned a new website, where the visitors are presented with a very clear consent solution. In order to get to the content of the website it is necessary that visitors actively decide whether they will allow the use of cookies. If the visitor wishes to give consent, the consent is obtained by the visitors choosing "OK". If the visitor wants to opt out of cookies, select “View Details” and the visitors will be able to opt out of cookies.

In this connection, DMI has sent a copy of the implemented consent solution, of which provisions:

“DMI and third parties use cookies to make dmi.dk more usable, give you a better experience and for targeted marketing. By clicking OK here you consent to this. You can always withdraw your consent. Read more in our privacy policy.”

In this connection, DMI has stated that it is possible to give consent for some cookies, while other cookies, e.g. marketing cookies may be deselected.

DMI has stated that the source code for dmi.dk has been changed and that no personal data is collected and transmitted until the visitors have actively given their consent. Furthermore, DMI states that the consent solution has been changed so that the different types of cookies are no longer automatically pre-ticked if further information is sought about them.

Finally, DMI has stated that the institute going forward will make it clear to the visitors that dmi.dk uses Google's advertising platform. Visitors have been able to find cookies from Google in the list of selection cookies, but these are most often referred to by names not directly related to Google. Therefore, DMI will update its cookie and privacy policy on dmi.dk so that it is clear that accepting cookies will allow information to be passed to Google, as well as links to Google's descriptions of how they use the personal data collected.

2.3. Google's documentation

Datatilsynet has obtained publicly available information about Google's advertising platform for the purposes of the case.

Google's documentation [2] states, among other things, the following about data collection using Google services:

“How Google uses information from sites or apps that use our services

Many websites and apps use Google services to improve their content and keep it free. When they integrate our services, these sites and apps share information with Google.

For example, when you visit a website that uses advertising services such as AdSense, including analytics tools such as Google Analytics, or embeds video content from YouTube, your web browser automatically sends certain information to Google. This includes the URL of the page you are visiting and your IP address. We may also set cookies on your browser or read cookies that are already there. Apps that use Google advertising services also share information with Google, such as the name of the app and a unique identifier for advertising.

Google uses the information shared by sites and apps to deliver our services, maintain and improve them, develop new services, measure the effectiveness of advertising, protect against fraud and abuse and personalise content and ads that you see on Google and on our partners' sites and apps.”

Especially about advertising [3] following:

How Google uses cookies in advertising

Cookies help make advertising more effective. Without cookies, it's harder for an advertiser to reach its audience, or to know how many ads were shown and how many clicks they received.

Many websites, such as news sites and blogs, partner with Google to show ads to their visitors. Working with our partners, we may use cookies for a number of purposes, such as stopping you from seeing the same ad over and over again, detecting and stopping click fraud and showing ads that are likely to be more relevant (such as ads based on websites you have visited).

We store a record of the ads we serve in our logs. These server logs typically include your web request, IP address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser. We store this data for a number of reasons, the most important of which are to improve our services and maintain the security of our systems. We anonymise this log data by removing part of the IP address (after 9 months) and cookie information (after 18 months).

Our advertising cookies

To help our partners manage their advertising and websites, we offer many products including AdSense, AdWords, Google Analytics and a range of DoubleClick-branded services. When you visit a page or see an ad that uses one of these products, either on Google services or on other sites and apps, various cookies may be sent to your browser.

These may be viewed from a few different domains, including google.com, doubleclick.net, googlesyndication.com, googleadservices.com or the domain of our partners' sites. Some of our advertising products enable our partners to use other services in conjunction with ours (such as an ad measurement and reporting service), and these services may send their own cookies to your browser. These cookies will be set from their domains.”

On server logs, Google writes the following [4]:

“Like most websites, our servers automatically record the page requests made when you visit our sites. These “server logs” typically include your web request, Internet Protocol address, browser type, browser language, the date and time of your request, and one or more cookies that may uniquely identify your browser.

A typical log entry for a search for 'cars' looks like this:

123.45.67.89 - 25/Mar/2003 10:15:32 - http://www.google.com/search?q=cars - Firefox 1.0.7; Windows NT 5.1 - 740674ce2123e969

123.45.67.89 is the Internet Protocol address assigned to the user by the user's ISP. Depending on the user's service, a different address may be assigned to the user by their service provider each time they connect to the Internet.

25/Mar/2003 10:15:32 is the date and time of the query.

http://www.google.com/search?q=cars is the requested URL, including the search query.

Firefox 1.0.7; Windows NT 5.1 is the browser and operating system being used.

740674ce2123a969 is the unique cookie ID assigned to this particular computer the first time it visited Google. (Cookies can be deleted by users. If the user has deleted the cookie from the computer since the last time they visited Google, then it will be the unique cookie ID assigned to their device the next time they visit Google from that particular device).”

3. Competence of Datatilsynet

Executive Order No. 1148 of December 9, 2011 on requirements for information and consent when storing or accessing information in the end-user's terminal equipment (the Cookie Order) issued pursuant to sections 9 and 81(2) of the Telecommunications Act, regulates the extent to which information may be stored and already stored information may be accessed in users' terminal equipment. This applies regardless of whether the information constitutes personal data or not.

The Cookie Order contains rules that implement parts of Directive 2002/58/EC of the European Parliament and of the Council (e-Privacy Directive), and it is the Danish Business Authority that supervises compliance with the Cookie Order.

Section (3)(1), of the Cookie Order, states:

“Natural or legal persons may not store information, or gain access to information already stored, in an end-user's terminal equipment, or let a third party store information or gain access to information, if the end-user has not consented thereto having been provided with comprehensive information about the storing of, or access to, the information.”

According to section (27)(1) of the Data Protection Act, Datatilsynet supervises compliance with the general data protection rules contained in the General Data Protection Regulation, the Data Protection Act and other legislation which fall within the framework of the General Data Protection Regulation for special rules on the processing of personal data.

In this context, Datatilsynet is of the opinion that rules implementing the e-Privacy Directive do not constitute “other legislation which falls within the framework of the General Data Protection Regulation for special rules on the processing of personal data”, but rather rules that implement a side-by-side EU act. Thus, there are special rules that replace similar general rules in the General Data Protection Regulation, whereas other legislation, such as certain provisions of the Health Act constitute supplementary legislation to the General Data Protection Regulation.

The supervision of rules on the processing of personal data, which has not been replaced by special rules implementing the e-Privacy Directive, is thus with Datatilsynet.

4. Legal basis

4.1. The concept of personal data

The concept of personal data is defined in Article 4(1) of the General Data Protection Regulation as any form of information about an identified or identifiable natural person (“the data subject”). An identifiable natural person means a natural person who, on the basis of the information, can be identified directly or indirectly.

In this regard, the opinion of the Article 29 Working Party on the concept of personal data [5] states:

“A “purpose element” may also be responsible for the information “about” a particular person. The “purpose element” may be considered to exist when the information is used or - taking into account all the circumstances of the case in question - may be expected to be used for the purpose of assessing a person, treating that person in a particular way or affecting the person's status or behaviour.”

This view reiterates the Article 29 Working Party's opinion on behavioural advertising on the Internet [6], which includes the following:

“Behavioral advertising usually involves collecting IP addresses and processing unique identifiers (via the cookie). The use of such devices with a unique identifier makes it possible to track the users of a particular computer, even if dynamic IP addresses are used.

In other words, such devices make it possible to "designate" data subjects, even though their real names are not known. ii) The information collected in the context of behavioural advertising relates to (ie deals with) a person's characteristics or behaviour and is used to influence that particular person. This position is further confirmed if the possibility that profiles can be linked at any time with directly personally identifiable information provided by the data subject, e.g. registration related information is taken into account. Other scenarios that can lead to identifiability are data merge, data loss and the increased availability of personal data on the Internet in combination with IP addresses. "

Similarly, from preamble recital 30 to the General Data Protection Regulation, the following is stated:

“Individuals can be associated with online identifiers provided by their devices, applications, tools and protocols, such as IP addresses and cookie identifiers, or other identifiers such as radio frequency identifiers. This can leave traces that, especially when combined with unique identifiers and other information that the servers receive, can be used to create profiles of natural persons and identify them.”

4.2. Controllership

Article 4(8) of the General Data Protection Regulation defines the data controller as a natural or legal person, public authority, institution or other body which alone or together with others decides for what purposes and aids to be processed of personal data.

Article 26 of the General Data Protection Regulation on common data controllers states the following in the provision. 1:

“If two or more data controllers jointly determine the purposes and tools for processing, they are the common data controllers. They shall transparently determine their respective responsibilities for compliance with the obligations laid down in this Regulation, in particular as regards the exercise of the data subject's rights and their respective obligations to provide the information referred to in Articles 13 and 14 by means of a arrangements between them, unless and to the extent that the respective responsibilities of the data controller are laid down in EU law or the national law of the Member States to which the data controller is subject. The scheme may designate a contact point for data subjects. "

In Case C-210/16 Wirtschaftsakademie Schleswig-Holstein, the European Court of Justice has stated the following on common data liability :

“35 However, while the mere use of a social network such as Facebook does not make a Facebook user co-responsible for that network's processing of personal data, it should be noted that by creating such a Facebook page, the administrator allows Facebook to place cookies on the user's computer or any other medium when they visit the fan page, whether that person has a Facebook account.

36 In this connection, it is clear from the information submitted to the Court that the creation of a Facebook fan page implies that the administrator makes a recommendation that is dependent on, inter alia, the target group as well as the objectives for the management and advertising of its activities, which have an impact on the processing of personal data for the purpose of compiling statistics on the basis of visits to the fan site. This administrator can, using the filters made available by Facebook, define the criteria on which the statistics are to be compiled and specify the categories of persons for whom Facebook will collect personal data. Accordingly, the administrator of a Facebook fan page contributes to the processing of personal information about the users of his site.

37 In particular, the administrator of a fan page may request to receive - and thus process - demographic information about the target audience, including: trends in age, gender, relationship status and work, information on the lifestyle and interests of the target audience, and information about users of the site's buying and buying behavior online, categories of products or services that interest the audience most, and geographic information that allows the fan page administrator to make specific promotions or arrange events or, more generally, better target his information offering.

38 While it is true that the statistics compiled by Facebook on the target audience are only disclosed to the fan page administrator in anonymized form, the compilation of these statistics is nevertheless based on the prior collection of users' personal data by cookies that Facebook has installed in users' computer or any other medium when they visit the Fan Page, and process their personal data for statistical purposes. In any event, where several operators share a common responsibility for the same processing, Directive 95/46 does not require each individual to have access to the personal data concerned.

39 In those circumstances, it must be assumed that the administrator of a Facebook fan page, such as Wirtschaftsakademie, helps to determine the purpose and means of processing personal data about the users of the fan page by making settings depending on, among other things, . the target group as well as the objectives for managing and advertising its activities. For this reason, the administrator together with Facebook Ireland in this case must be qualified as the EU controller as referred to in Article 2(d) of Directive 95/46.

40 The fact that the Administrator of a Fan Page uses the Facebook Platform and uses the related services does not relieve the Administrator of his personal data protection obligations.

41 It should also be pointed out that the Facebook fan pages can also be visited by people who are not Facebook users and who therefore do not have a user account on this network. In this case, the responsibility of a fan site's responsibility for processing these individuals 'personal information seems even more important, as users' mere consultation of the fan page automatically triggers a processing of their personal information.

42 Under these circumstances, the recognition that a social networking company and a fan site administrator on that network share a common responsibility in dealing with the users of that fan page's personal information helps to ensure more complete protection of the rights. which the users of such sites have in accordance with the requirements of Directive 95/46.

43 However, as stated by Advocate General in paragraphs 75 and 76 of the Opinion, the existence of a joint responsibility does not necessarily mean that the different operators involved in the processing of personal data have the same responsibility. On the contrary, the different operators may be responsible for the processing of personal data at different levels and to varying degrees, so that the individual's level of responsibility must be assessed taking into account all the relevant circumstances of the case.

44 In the light of the foregoing considerations, the answer to the first and second questions must be that Article 2(d) of Directive 95/46 must be interpreted as meaning that the term 'controller' within the meaning of that provision includes the administrator of a fan page on a social network. network.”

In Case C-40/17 Fashion ID, the European Court of Justice has elaborated on its interpretation of joint data liability as referred to in the General Data Protection Regulation:

“67 Furthermore, since Article 2(d) of Directive 95/46 expressly provides that the term 'controller' includes the body which 'alone or together with others' determines the purpose and the means to be used processing of personal data, this term does not necessarily refer to a single body and may concern several actors participating in this processing, and therefore they are all subject to the applicable data protection provisions (cf. in this direction judgment of 5.6.2018, Wirtschaftsakademie Schleswig -Holstein, C-210/16, EU: C: 2018: 388, para 29, and of 10.7.2018, Jehovah's Witnesses Cate, C-25/17, EU: C: 2018: 551, para 65).

68 The Court has also held that a natural or legal person who, for his own purposes, influences the processing of personal data and, because of the fact that he participates in the determination of the purposes and aids of that processing, can, on the other hand, be considered the controller as referred to in Article 2(d) of Directive 95/46 (Judgment of 10.7.2018, Jehovah's Order, C-25/17, EU: C: 2018: 551, para. 68).

69 In addition, the joint responsibility of several actors for the same processing referred to in this provision does not require that each of them has access to the personal data in question (see, to that effect, judgment of 5.6.2018, Wirtschaftsakademie Schleswig-Holstein, C-210 / 16, EU: C: 2018: 388, para 38, and of 10.7.2018, Jehovah's Toadistat, C-25/17, EU: C: 2018: 551, para 69).

70 Since the purpose of Article 2(d) of Directive 95/46 is - by a broad definition of the term 'controller' - to ensure the effective and complete protection of the persons concerned, the existence of a joint responsibility does not necessarily imply that: that different actors have the same responsibility for the same processing of personal data. On the contrary, the different actors may be responsible for the processing of personal data at different levels and to varying degrees, so that the individual's level of responsibility must be assessed taking into account all relevant circumstances of the case (cf. -25/17, EU: C: 2018: 551, para 66).

[...]

74 It follows, as the Advocate General essentially states in point 101 of the Opinion, that a natural or legal person may be solely the controller within the meaning of Article 2(d) of Directive 95/46 with others for processing operations involving personal data, if that person is co-determining the purpose and resources of those operations. By contrast, and subject to any liability under national law in this regard, this natural or legal person cannot be considered to be the controller within the meaning of that provision, for operations occurring before or after the course of proceedings and in respect of which the person in question does not establish any purpose or means.

75 Subject to review by the referring court, in the present case, the file available to the Court shows that by integrating the 'Like' button from Facebook on its website, Fashion ID appears having allowed Facebook Ireland to obtain personal information about site visitors, this opportunity arising from the time the person consulted the site and this occurs whether or not these visitors are members of the social network Facebook, whether they have clicked » like the "button" from Facebook, or whether they know that such an operation is taking place.

76 In the light of that information, it must be held that the processing operations relating to personal data for which Fashion ID, together with Facebook Ireland, can establish the purposes and the means, as defined by the concept of 'processing of personal data' in Article 2 (b) of Directive 95 / 46 is the collection and transmission of personal data transmitted to visitors to the Fashion ID website. On the other hand, with regard to the said information, it seems immediately excluded that Fashion ID determines the purposes and means for which subsequent processing operations regarding personal data of Facebook Ireland after their transmission to this company,why Fashion ID cannot be considered to be the controller of these operations within the meaning of Article 2(d) of that Directive.

77 As regards the means used for the collection and transmission of certain personal data relating to the visitors to the Fashion ID website, paragraph 75 of the present judgment states that Fashion ID appears to have integrated the 'Like' button from Facebook, as Facebook Ireland makes available to website operators, on its website, as Fashion ID is aware that this button is a means of collecting and transmitting the visitor's personal information regardless of whether they are members of the social network Facebook.

78 In addition, by integrating such a social module on its website, Fashion ID has a significant influence on the collection and transmission of the website visitor's personal data to the provider of said module, in the present case Facebook Ireland, which would not have taken place if said module had not been integrated into the site.

79 In the light of the foregoing, and subject to the scrutiny required by the referring court in this regard, it must be held that Facebook Ireland and Fashion ID jointly determine which aids are used for the collection and disclosure of the transmission of the Fashion ID website visitor's personal information.

80 As to the purpose of the said personal data processing operations, it appears that Fashion ID's integration of the "Like" button from Facebook on its website allows the company to optimize the marketing of its products by making them more visible on it. social network Facebook when a site visitor clicks on that button. It is in order to take advantage of this commercial advantage of increasing the mention of its products that by integrating such a button on its website, Fashion ID seems to have consented, at least implicitly, to the collection and transmission by transmission of the personal information of its website visitors, as these operations, which include the processing of personal data, take place in the financial interests of both Fashion ID and Facebook Ireland,the latter having this information available for personal marketing is the consideration for the benefit given to Fashion ID.

81 Without prejudice to the examination carried out by the referring court, it can be concluded, on that basis, that Fashion ID and Facebook jointly determine the purposes for which collection and transfer operations must be carried out in the transmission of the main proceedings. personal data referred to.

82 As is clear from the case-law cited in paragraph 69 of this judgment, the fact that the operator of a site, such as Fashion ID, does not itself have access to the personal data collected and transmitted to the social module provider, with whom the operator shall jointly determine the purposes and means for which personal data processing may be carried out, not preventing that operator from being the 'controller' within the meaning of Article 2(d) of Directive 95/46.

[...]

84 Consequently, it appears that Fashion ID can be regarded as the controller within the meaning of Article 2(d) of Directive 95/46 jointly with Facebook Ireland for the collection and disclosure of the transmission of personal data to site visitors.

85 In the light of all the foregoing considerations, the second question must be answered by the fact that the operator of a website, such as Fashion ID, integrates on this site a social module that allows the site's browser to request content from the provider of this module and in transferring the visitor's personal data to that provider may be considered as the controller within the meaning of Article 2(d) of Directive 95/46. However, this responsibility is limited to the operation or series of operations involving the processing of personal data for which or which this operator actually determines for what purpose and in what manner this may take place, ie. the collection and disclosure referred to in the main proceedings for the transmission of personal data. "

4.3. Legal basis for processing

The conditions for the legal processing of personal data are contained in Article 6 of the General Data Protection Regulation, which reads as follows:

Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Point (f) of the first subparagraph shall not apply to processing carried out by public authorities in the performance of their tasks.

Consent of the data subject is defined in Article 4(11) of the General Data Protection Regulation, as any voluntary, specific, informed and unambiguous expression of the data subject, by which the data subject, by declaration or clear confirmation, agrees that personal data relating to the data subject is made for processing.

The preamble recital 32 of the General Data Protection Regulation states the following for consent:

“Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services or another statement or conduct which clearly indicates in this context the data subject’s acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should not therefore constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject’s consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.“

In addition, the following is stated in preamble recital 42 of the General Data Protection Regulation:

“Where processing is based on the data subject’s consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation. In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that and the extent to which consent is given. In accordance with Council Directive 93/13/EEC a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.”

Finally, page 19 of the Article 29 Working Party Guidelines on Consent under Regulation 2016/679, WP 259 rev. 01, acceded to by the European Data Protection Council:

“In any event, consent must always be obtained before the controller starts processing personal data for which consent is needed. WP29 has consistently held in previous opinions that consent should be given prior to the processing activity. Although the GDPR does not literally prescribe in Article 4(11) that consent must be given prior to the processing activity, this is clearly implied. The heading of Article 6(1) and the wording “has given” in Article 6(1)(a) support this interpretation. It follows logically from Article 6 and Recital 40 that a valid lawful basis must be present before starting a data processing. Therefore, consent should be given prior to the processing activity. In principle, it can be sufficient to ask for a data subject’s consent once. However, controllers do need to obtain a new and specific consent if purposes for data processing change after consent was obtained or if an additional purpose is envisaged.”

Moreover, the processing of personal data must always take place in accordance with the basic principles of Article 5 of the General Data Protection Regulation. the following is stated:

“Personal data shall be:

(a) processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’);

(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes (‘purpose limitation’);

(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);

(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject (‘storage limitation’);

(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).;”

5. Justification for Datatilsynet's decision

5.1. Is this a case of processing personal data that the Datatilsynet has competence to assess?

Datatilsynet lays down, inter alia, based on Google's documentation, which is described in more detail in Section 2.3, that the information transmitted to Google, including includes visitor IP information, the website on which Google's ad is embedded, visitors request access, the date of the request, and information about online identifiers contained in cookies stored by Google in the visitors' browser.

The opinion of the Article 29 Working Party on the concept of personal data indicates that a “purpose element” may be responsible for the information "concerning" a particular person. There is a “purpose element” when the information is used or can be expected to be used for the purpose of assessing a person, treating the person in a particular way or influencing the person's status or behavior.

Furthermore, the Article 29 Working Party's Opinion on Behavioral Marketing states that the information collected for the purpose of behavioral marketing makes it possible to “identify” registrants, even though their real names are not known. The information collected relates to the characteristics or behavior of the data subject and the information is used to influence the particular person.

In this regard, Google's documentation states that the information includes: is used for “[personalization of content and ads that you see on Google and on our partners' websites and applications]”.

In conclusion, Datatilsynet considers that the information in question about the visitors on dmi.dk, which is collected and transmitted to Google, constitutes personal information about them, since the information relates to the data subject's characteristics and behavior and is used to process the person in question at a particular way relative to which ads are shown to that person.

As described above in section 3, the supervision of rules on the processing of personal data, which has not been replaced by special rules implementing the e-Privacy Directive, lies with the Datatilsynet.

Datatilsynet is of the opinion that in this case only information about cookie identifiers [7] is stored in the end-user's terminal equipment and which Google (via dmi.dk) obtains access to.

Thus, it is Datatilsynet's assessment that only a subset of the information that is collected and transmitted to Google falls within the scope of section 3 (3) of the Cookie Order. 1, which therefore falls under the supervisory competence of the Danish Business Authority. In particular, it is the information contained in cookies that Google has stored in the complainant's browser, including in particular the cookie identifier (s) information.

However, the information transmitted to Google does not limit itself to the information stored in the terminal equipment (cookie identifiers). Additional information is collected and transmitted on eg. visitors' IP address and other information as described above.

As this additional information constitutes personal information about visitors, it is the Authority's assessment that the Authority has the competence to assess whether processing of this other personal information about visitors collected and transmitted to Google is in accordance with the General Data Protection Regulation and Data Protection Act.

5.2. Controllership

The question then is whether DMI can be considered the data controller - possibly jointly with Google - for processing the personal data in question.

By integrating content from Google into its website, DMI has allowed Google to obtain personal information about the website visitors, this opportunity arising from the time they visit the website.

In view of this, Datatilsynet finds that the processing operations for which DMI together with Google can determine the purposes and the aids are the collection and disclosure of personal data concerning the visitors on dmi.dk.

On the other hand, with regard to the information in question, it seems to be immediately excluded that DMI will determine the purposes and means for which subsequent processing of personal data by Google is transmitted to them, and therefore DMI cannot be considered the data controller for these operations. .

Regarding the means used to collect and disclose the transmission of certain personal data concerning visitors on dmi.dk, it is clear from Section 2.2 that DMI has integrated Google's banner ads, which Google makes available to website operators, on its website and DMI is aware that these banner ads, in addition to displaying ads, also collect and transmit personal information about the website's visitors.

By integrating these banner ads on its website, DMI has a significant influence on the collection and transmission of personal information about the website's visitors to Google, as these processing operations would not have taken place if the banner ads had not been integrated on the website. [8]

Against this background, it must be possible in the opinion of Datatilsynet that DMI and Google together determine what tools are used for the collection and transmission of personal data about the visitors on dmi.dk.

As regards the purpose of processing the personal data in question, it can be assumed that DMI's integration of the Google banner ads on its website takes place with a view to advertising revenue.

By integrating these advertisements on its website, DMI has consented, at least implicitly, to the collection and disclosure of transmission of personal data about the website visitors, these operations being in the financial interests of both DMI and Google, with the latter providing this information with the purpose of evaluating and determining the data subjects' interests, personal preferences and behaviors contributes to streamlining Google's ad network, which also benefits DMI in the form of increased ad revenue. [9]

Against this background, it is the opinion of Datatilsynet that DMI and Google together determine the purposes for which the personal data in question has been collected and disclosed.

As is clear from Cases of the European Court of Justice C-210/16 Wirtschaftsakademie and C-40/17 Fashion ID, paragraphs 69 and 82, respectively, the fact that DMI does not itself have access to the personal data collected and transferred to Google, with whom DMI jointly determines the purposes and means for which personal data processing may be carried out, does not prevent the DMI from being the data controller.

5.3. Legal basis

5.3.1. Who should provide a legal basis for processing?

First, it must be clarified which of the data controllers must provide a valid processing basis for the initial processing operations in the form of collection and transmission by transmission.

While DMI and Google are jointly responsible for the initial processing operations in the form of collection and transmission by transmission, DMI only has a duty to ensure a valid processing basis for the processing operations for which DMI is co-responsible, that is, collection and transmission by transmission. DMI is thus not responsible for any processing performed by Google, including any profiling, etc., that occurs after the said collection and disclosure.

Therefore, when processing personal information about the visitors is triggered by visits on dmi.dk, it must be the responsibility of DMI and not Google to secure a valid processing basis.

In cases where the relevant processing basis is the data subject's consent, this consent must be provided before processing of personal data.

In this connection, it should be noted that in its judgment of 29 July 2019 in Case C-40/17 Fashion ID, also stated that it would be inconsistent with effective and timely protection of the data subject's rights if the consent was given only to the joint controller who is only later involved, ie. Google.

5.3.2. What is the relevant processing basis?

As can be seen above, the processing of personal data is legal only if one of the conditions set out in Article 6 of the General Data Protection Regulation applies, and it is therefore relevant to identify the relevant processing basis(es) in the present case.

In the light of the facts of the case, in particular Article 6(2) of the Regulation seems (a), (e) and (f) to be relevant to consider as a possible basis for processing.

On (f) DMI is part of the Ministry of Climate, Energy and Supply and thus part of the public administration.

Public authorities cannot process personal data as part of the performance of their duties using Article 6(1)(f) as legal basil. This follows from Article 6(1), second paragraph.

On (e) It is the opinion of the Datatilsynet that the processing of personal data, which consists in the collection and disclosure of personal data to Google, is not necessary for the purpose of performing a task in the public interest or which falls under the authority of DMI, and thus the processing cannot be done in pursuant to Article 6(1)(e) of the Regulation.

In this connection, Datatilsynet has placed crucial importance on the fact that DMI can set the embedded ads so that no personal data is processed about the visitors on dmi.dk, after which the visitors will continue to display banner ads which will not, however, personalized on the basis of their personal data.

Ad (a) On this basis, Datatilsynet considers that the relevant basis for the processing of the personal data at issue is Article 6(2)(a), on the consent of the data subject.

5.3.3. Is valid consent obtained?

In its assessment of whether a valid consent is obtained, Datatilsynet assumes that DMI obtains consent for the processing of personal data at the same time and through the same implemented consent solution as the one relating to consent for the placement and reading of cookies on the visitor's equipment.

On voluntarily

The purpose of the voluntary condition is to create transparency for the data subject and give the data subject a choice and control over his personal data. Therefore, consent is not considered voluntary if the data subject cannot make a real and free choice.

A service may include multiple processing operations for more than one purpose. An important element in assessing whether consent is voluntary is therefore also the principle of "granularity". The principle means that in the case of processings that serve several purposes, separate consent must be obtained for each purpose. Thus, in data protection law context, the division (granulation) of purposes is essential to ensure the registered control over its information and transparency in relation to which processing operations take place.

The DMI's opinion of February 12, 2019 shows a screenshot of the implemented consent solution, where at first interaction there are two choices; "OK" and "Show details". The solution further states that:

“DMI and third parties use cookies to make dmi.dk more useful, give you a better experience and for targeted marketing. By clicking OK here you consent to this. You can always withdraw your consent. Read more in our privacy policy.”

It is Datatilsynet's assessment that the sub-operations for which a visitor by choosing “OK” gives consent constitute several different processing purposes. In the opinion of Datatilsynet, personal data is thus processed for various purposes, including:

  • collection of personal data in order to generate statistics of how visitors use dmi.dk,
  • behavior-based marketing, where personal data collection takes place to follow visitors across websites to personalize ads to each visitor through profiling.

Thus, it is Datatilsynet's assessment that the collection of personal data for different purposes on the basis of a single consent does not give the visitors a sufficient free choice in relation to being able to identify and opt out or opt out of the purposes for which the visitor really wants to give his consent.

Datatilsynet has noted that it is possible to select or deselect the collection of personal data for various purposes by selecting "Show details", but that this option is located "one-click-away" and thus it is not possible to initial interaction with the consent solution.

On informed

In order to ensure that the consent is informed, the data subject should at least be aware of the identity of the data controller and the purposes of the processing for which the personal data is to be used.   The information to be provided to the data subject must be provided in a simple, easily understood and easily accessible form, and the information must be provided to the data subject before consent is given.

The consent solution implemented on dmi.dk shows which cookies are used on the website and these are divided into different categories. The category “Marketing” also states that cookies are used by the provider DoubleClick, and the purpose of this is “online marketing by collecting information about users and their activity on the website. The information is used to target advertising to the user across different channels and devices.”

In the opinion of Datatilsynet, the consent obtained by DMI through the implemented solution is not sufficiently informed.

In particular, Datatilsynet emphasizes that there is not sufficiently clear information about the (joint) data controllers, including Google, in collaboration with whom personal data is collected and to which personal data is disclosed, and that the data subject is not clear enough, that is collected and transmitted to these (joint) data controllers, including Google.

In this connection, Datatilsynet considers that - with regard to consent for the processing of personal data - it is necessary that a consent solution or declaration in an easily understandable and easily accessible form and in a clear and simple language states which data controllers, for example, personal information is passed on. It should be noted here that it is the identity of the data controller that must appear and not the data provider's any websites, nicknames or product names used by the data controller as it is not easily understandable and easily accessible to the data subject.

On the construction of the consent solution

Of the basic principle of Article 5(1)(a) on legality, reasonableness and transparency, it follows in the opinion of Datatilsynet that it should be equally easy to refrain from giving consent to the processing of personal data as it is to provide it.

In the opinion of Datatilsynet, the current structure of the DMI's consent solution, where the first-time visitor is presented with two choices in relation to the processing of personal data – "OK" and "Show details" – do not meet this transparency requirement.

In this connection, Datatilsynet has emphasized that it is not possible for a visitor to the website to refuse processing of personal data during the initial visit on dmi.dk. It requires the visitor to select “View details” and then select “Update consent”. Such a “one click away” approach is, in the opinion of Datatilsynet, not transparent, since it requires an additional step for the data subject to refuse to consent to the processing of personal data and partly not for the data subject to be possible to omit to consent to the processing of personal data by selecting “Show details”, just as the wording "Update consent" can cause confusion.

Similarly, in the opinion of Datatilsynet, it is not in accordance with the principle of transparency that the possibility of refraining from giving consent to the processing of personal data in DMI's solution does not have the same communication effect - that is, it does not appear as clear - as the possibility of to give consent, thereby pushing the data subject indirectly towards giving consent for the processing of personal data.

[1] Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such information and repealing Directive 95/46/EC (General Data Protection Regulation).

[2] https://policies.google.com/technologies/partner-sites?hl=en-GB

[3] https://policies.google.com/technologies/ads?hl=en-GB

[4] https://policies.google.com/privacy/key-terms?hl=en-GB#toc-terms-server-logs

[5] Article 29 Group Opinion No 4/2007 on the concept of personal data, p. 10f.

[6] Article 29 Group Opinion No 2/2010 on Behavioral Advertising on the Internet, p. 9f.

[7] In Google's own example mentioned in section 2.3. above, the cookie identifier is "740674ce2123e969"

[8] Judgment of the European Court of Justice of 29 July 2019 in Case C-40/17Fashion ID, paragraph 78.

[9] Judgment of the European Court of Justice of 29 July 2019 in Case C-40/17Fashion ID, paragraph 80.