Digitaliseringsstyrelsen - Decision against Google of 30 October 2023

From GDPRhub
Revision as of 13:47, 22 November 2023 by Riealeksandra
Court: Digitaliseringsstyrelsen (Denmark)
Jurisdiction: Denmark
Relevant Law: Article 4(11) GDPR
Article 2(8) Cookiebekendtgørelsens
Article 3 Cookiebekendtgørelsens
Decided: 30.10.2023
Published:
Parties: Google LLC
National Case Number/Name: Decision against Google of 30 October 2023
European Case Law Identifier:
Appeal from:
Appeal to:
Original Language(s): Danish
Original Source: Digitaliseringsstyrelsen (in Danish)
Initial Contributor: ar

The Danish Agency for Digital Government found that Google had violated the national implementation of Art. 5(3) of the ePrivacy Directive and ordered them to make several changes.

English Summary

Facts

The Danish Business Authority was formerly responsible for supervising compliance with the Danish cookie rules. Due to reorganisation, the supervision was transferred on 15 December 2022 to the Danish Agency for Digital Government, which is the authority making the decision in this case.

On 1 and 16 September 2022, Google LLC was sent consultation letters regarding the use of cookies on their website, based on how the banner looked at that time.

The Agency for Digital Government (Agency) pointed out that the website did not allow users to give granular consent. The text on the first layer of the cookie banner stated that by selecting "accept all", users agreed that Google could use cookies to process their data for four purposes. Users would also be given the option of dividing their consent under "More choices" on the second layer of the cookie banner. However, users were only given the option to split their consent over two purposes, different to the ones in the first layer. Secondly, the Agency found that Google did not provide users with adequate information about all cookies used on the website. It also pointed out that the information was not considered to be permanently available through direct and marked access on the website, as it was difficult for users to retrieve information when clicking away the cookie banner.

On 13 September and 6 October 2022, Google Denmark ApS, Google LLC and Google Ireland Limited submitted comments to the letters. They argued that the material scope of the Danish Cookie Law is limited to the website operator, which in their cases is Google Ireland Limited. In light of this, they contested the Agency’s territorial competence to supervise Google Ireland Limited.

Holding

Firstly, the Agency affirmed that the website owner is subject to the obligations regarding the use of cookies under the Danish Cookie Law, meaning that Google LLC, as the website owner, was subject to its requirements. On the territorial scope, the Agency, citing the EDPB Internal Document 04/2021, reiterated that a supervisory authority is competent to handle a case when the controller or processor is established in that Member State and when the processing of personal data is carried out as part of the establishment's activities. Hence, the Agency confirmed that it had territorial jurisdiction, given that Google Denmark ApS, a subsidiary of Google LLC, has its registered office in Copenhagen, and because the placing of cookies on users’ terminal equipment was part of the activities carried out by Google Denmark ApS in the Danish market on behalf of Google LLC.

Secondly, on the cookie banner, the Agency assessed that the four purposes described in the first layer of the cookie banner were not sufficiently similar to be grouped under the two overall purposes of the second layer. Since users should give separate consent for each general purpose under Articles 2(8) and 3(1) of the Cookie Law, the condition for voluntary and specific consent (as also described in Article 4(11) GDPR) was not met. In connection with this, the Agency acknowledged that the website allowed users to withdraw their consent. However, this option was not immediately accessible and it was unclear how consent could be withdrawn, breaching Articles 3(2), (4) and (5) of the Cookie Law. Hence, the Agency ordered Google LLC to change the consent solution and provide users with immediate access to withdraw their consent to cookies.

Thirdly, the Agency assessed that users did not have access to a cookie policy with clear, precise and easily understandable language under Article 3(1) and (2) of the Cookie Law. This was because the information was given as examples, and the adequate explanation was only given in English, while the recipient group primarily spoke Danish. Additionally, the Agency found that the required information was not permanently available through direct access on the website, as it was difficult for users to retrieve information after clicking away the cookie banner - contrary to Articles 3(1), (2) and (5) of the Cookie Law. The Agency recognized this had been changed and now required fewer clicks for users to access the information. However, it still believed it was not easy for users to reach it. Therefore, the Agency required Google LLC to provide all the information in clear, precise and easily understandable language and for the information to be made always accessible.

In conclusion, the Agency ordered Google LLC to comply with the above requirements no later than 27 November 2023, and by the same date, explain how it complied with the orders.

Comment

The rules on the use of cookies stem from the Danish Telecommunications Act, with more detailed requirements for consent solutions regarding cookies laid down in the Danish Cookie Law. These provisions originate from the implementation of the ePrivacy Directive and specify and supplement the GDPR. In Denmark, the Danish Agency for Digital Government is the supervisory authority for cookie rules. It supervises only the cookie rules, which explains why its decision does not concern personal data processing under the GDPR, which falls under the Danish Data Protection Authority, Datatilsynet.


English Machine Translation of the Decision

The decision below is a machine translation of the Danish original. Please refer to the Danish original for more details.

The Digital Agency · Landgreven 4 · PO Box 2193 · 1013 København K

October 30, 2023

Google LLC
1600 Amphitheatre Parkway
Mountain View, CA 94043
United States

Sent per email to Plesner Advokatpartnerselskab

Decision in case about the use of cookies on https://google.dk

The Danish Business Authority sent, on 1 September and 16 September 2022 respectively, consultation letters to Google LLC regarding the use of cookies on https://google.dk (hereinafter the Website), based on how the solution looked at that time.


Google Denmark ApS, Google LLC and Google Ireland Limited (hereinafter Google)
have respectively on 13 September and 6 October 2022 submitted comments on the case.


Until 15 December 2022, the supervision of compliance with the cookie decree lay with the Danish Business Authority. Due to the reorganization of the department, the supervision of compliance with these rules has been transferred to the Digital Agency. It is therefore the Digital Agency which makes a decision in the case.


The Digital Agency finds, on the basis of the information available in the case,
occasion to make the decision below.


    1. Decision
The Digital Agency hereby makes a decision pursuant to section 20, subsection of the Telecommunications Act. 2.


Google LLC's use of cookies and similar technologies on the Website is contrary to section 3, subsection 1 of the Cookie Order.


Google LLC is ordered, no later than November 27, 2023, to bring the conditions below in the Website's consent solution into accordance with section 3, subsection 1 of the cookie executive order, cf. § 2, no. 8. Google LLC is also requested, no later than the same date, to explain how Google LLC has complied with the orders.

1 Executive order no. 1148 of 9 December 2011 on requirements for information and consent when storing or accessing information in end-user terminal equipment.
2 Legislative Decree No. 955 of 17 June 2022 on electronic communication networks and services.


It should also be noted that the data protection rules, including the data protection regulation, apply when collecting or otherwise processing personal data. The Danish Agency for Digitization only supervises the rules in the cookie executive order, and the Danish Agency for Digitalisation has therefore not taken a position on the processing of the personal data collected via cookies and similar technologies on the website.

Option to give granular consent

Google LLC is ordered to change the consent solution for the Website so that a single collective consent is not obtained for several different general purposes. The consent solution must give the end user the opportunity to give a separate consent to each individual overall purpose, cf. section 3, subsection 1 of the cookie executive order, cf. section 2, no. 8.


Option to withdraw consent
Google LLC is required to give the user immediate access to withdraw his consent to cookies and similar technologies. This access must be clear to the user. Access for the user to withdraw consent, and guidance, must also be continuously available through a direct and clearly marked access on the Website, cf. section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 4 and 5.


Access to information about the cookies and similar technologies used
Google LLC is required to give the user access to information about all used cookies and similar technologies, cf. section 3, subsection 1 of the cookie executive order, cf. § 3, subsection 2, no. 1-3 and no. 5, cf. § 2, no. 8. The information must be continuously available, and the description must be in clear, precise and easily understandable language.


    2. Legal basis

The rules on the use of cookies and similar technologies are found in the Telecommunications Act, and the more detailed requirements for consent solutions regarding use of cookies and similar technologies are laid down in the cookie executive order.


The rules in the Telecommunications Act and the cookie decree originate in the e-data protection directive. 4 The e-data protection directive contains special regulations on data protection for electronic communication services. These rules specify and supplement the general rules on data protection in the data protection regulation.

3 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in connection with the processing of personal data and on the free exchange of such information and on repeal of Directive 95/46/EC (General Data Protection Regulation).
4 … and protection of privacy in the electronic communications sector (Directive on data protection within electronic communication).

The rules on the use of cookies are intended to protect the end user from the use of cookies and similar technologies on websites without the end user having given a valid consent to this. Through cookies and similar technologies, information about the end user's online behavior can be collected and a detailed user profile created about them. Information that can be collected via cookies and similar technologies therefore constitutes part of the end user's private sphere, which requires effective protection.

Use of cookies and similar technologies that are not technically necessary therefore requires obtaining the end users' consent to the use of these cookies and similar technologies in accordance with section 3, subsection 1 of the cookie executive order.

Section 2, no. 8 of the Cookie Order states that a consent constitutes "Any voluntary, specific and informed declaration of intent whereby the end user consents to information being stored or access is gained to information already stored in the end user's terminal equipment.”

The concept of consent in section 2, no. 8 of the cookie executive order must be understood in accordance with the definition of the concept of consent in Article 4, no. 11 of the data protection regulation.

Article 4, no. 11 of the Data Protection Regulation states that consent must be understood as "any voluntary, specific, informed and unequivocal declaration of intent by the data subject whereby the data subject by declaration or clear confirmation agrees that personal data relating to the person in question is made the subject of processing”.


It appears, among other things, from recital 32 of the data protection regulation that "Consent should cover all processing activities carried out for the same purpose. When the processing serves multiple purposes, consent should be given to all of them”.

Recital 32 is supplemented by recital 43, from which it appears, among other things, that "Consent is presumed not to have been given voluntarily if it is not possible to give separate consent to different processing activities regarding personal data, even if it is appropriate in the individual case, or if the fulfillment of a contract, including the provision of a service, is made dependent on consent, even if such consent is not necessary for its fulfillment.”

As far as cookies and similar technologies which are technically necessary are concerned, there is no requirement to obtain consent, as these fall outside the rules in the cookie executive order, cf. section 4 of the cookie executive order.

For further information on the requirements, see the agency's guidance: https://digst.dk/sikkerd/digitale-tilsyn/tilsyn-med-cookieomraadet/cookievejledningen/. The Danish Agency for Digitalisation can also refer to the Council for Digital Security's quick guide to setting cookies: https://www.digitalsikkerd.dk/wp-content/uploads/2021/04/Quickguide-2.pdf.

    3. The Digitalisation Agency's assessment and justification

Google has claimed in the consultation responses that it is not Google LLC but rather Google Ireland Limited that is the proper subject of the obligations under the rules in the e-data protection directive and the cookie decree, and has contested that the Danish Agency for Digitalisation has territorial jurisdiction to supervise Google Ireland Limited. Other than that, Google has raised objections to the shortcomings that the Danish Business Authority has pointed out in the consultation letters regarding the cookie solution on the Website.


The Digitalization Agency requested, among other things, Google to explain the cookies and similar technologies that are placed before the end user has consented to their use. In the consultation letter of 6 October 2022, Google has confirmed that only technologies are placed which can be categorized as either technically necessary cookies, cf. § 4 of the cookie executive order, or simple statistical cookies. The board will therefore not do anything further on this point.

The board also complained that the company did not provide adequate information about third parties in the first layer of the cookie banner if third party content is used on the service. Google has stated in the consultation letter of 6 October 2022 that this is not the case. The Danish Agency for Digitization will thus not take further action in relation to this point, as the solution in that case complies with the rules in the cookie executive order.


However, the Digital Agency maintains its assessment of the other shortcomings. The board
will elaborate and justify the board's decision in the case in the following sections.


3.1. The Digitization Agency's territorial competence
In both its consultation response of 13 September 2022 and 6 October 2022, Google has stated that the subject of the cookie decree is limited to the website operator, i.e. the natural or legal person who places and/or allows cookies and similar technologies.


In this connection, Google has stated that it is Google LLC, which is established in the USA, that owns the Website, but that it is only Google Ireland Limited that acts as the operator of the Website, in that it is Google Ireland Limited that places cookies and offers the search service on the Website. Google has therefore claimed that use of cookies on the Website is covered solely by the Irish implementation of the e-Data Protection Directive, subject to the Irish Data Protection Authority's supervision, and that the Digital Agency therefore does not have competence to supervise use of cookies and similar technologies on the Website.

5 Cookies and similar technologies that collect statistics exclusively for the service's own use, and where third parties do not have the opportunity to use the data for their own purposes. The Digitalization Agency does not prioritize such cookies in its supervision, and therefore does not address conditions related to this type of cookies.


3.1.1. The subject of the obligation for the cookie notice
It is not elaborated in either Article 5, paragraph 3 of the e-data protection directive or the cookie executive order who is the subject of the rules' obligations.

"Natural or legal persons may not store information or gain access to information that is already stored in an end user's terminal equipment, or allow third parties to store information or obtain access to information, if the end user does not consent to this after receiving full information about the storage of or access to the information.” (Digitalisation Agency's underlining).

According to its wording, the provision covers all natural or legal persons who:


    1) Stores information
    2) Gains access to information
    3) Allows third parties to store or gain access to information

With reference to the wording of the cookie executive order § 3, subsection 1, and the purpose behind the rules in the cookie executive order and the e-data protection directive, it is the Digitalisation Agency's view that the owner of the website is the subject of the obligations regarding the use of cookies and similar technologies on the website in question, as the owner of the website has final control over the content on the website, including the use of cookies and similar technologies.

The owner is of course free to outsource the practical and technical placement etc. of cookies and similar technologies to an operator within a group or to a third party. However, this does not change the fact that the owner remains responsible for ensuring that the requirements in the cookie executive order are complied with.


It is against this background that the Digital Agency's assessment is that Google LLC, as owner of the Website, is subject to the rules in the cookie executive order regarding use of cookies and similar technologies on the Website and thus subject to the requirements which follow from this.

3.1.2. Territorial scope of application of the rules
The e-data protection directive does not contain any regulation of the rules' territorial field of application.

It follows solely from Article 15 a, subsection 4 of the e-data protection directive that: "The relevant national supervisory authorities can take measures to ensure effective cooperation across the borders to enforce the national laws adopted pursuant to this Directive and to provide harmonized conditions for the provision of services that entail data flows across the borders. […]”.

Since no measures have been taken in accordance with Article 15 a, subsection 4 of the e-data protection directive, it is basically up to the individual Member States to determine the framework for the supervisory authorities' territorial supervisory competence.


However, neither the Telecommunications Act nor the Cookie Decree contains any regulation of the question of territorial supervisory competence, and thus also contains no limitation of the Digitalisation Agency's territorial supervisory authority. The cookie executive order also does not contain any obligation to cooperate with or transfer cases to supervisory authorities of other Member States.


Since the e-data protection directive does not contain any regulation of the framework for supervisory authorities' territorial supervisory competence, the European Data Protection Board published a note in 2021 with a view to aligning the national supervisory authorities' practice in the area. 6


The European Data Protection Board concludes in the note that a supervisory authority is competent to deal with a case when

     • the data controller or data processor is established in the relevant Member State, and
     • the processing of personal data is carried out as part of the establishment's activities, although the sole responsibility for the collection and processing of personal data within the EU belongs to another establishment in the group which is located in another Member State.

These conditions were derived by the European Data Protection Board from the European Court of Justice's practice regarding the interpretation of Article 4 of the repealed data protection directive, 7 including in particular case C-210/16 (Wirtschaftsakademie Schleswig-Holstein).


It is against this background that the Digitalization Agency is of the opinion that the limits of the Digitalization Agency's territorial competence should be interpreted in accordance with the two conditions laid down by the European Data Protection Board and the EU Court's practice regarding Article 4 of the Data Protection Directive and Article 3, subsection 1 of the data protection regulation, which replaces and continues Article 4 of the data protection directive, and that the Digital Agency is not covered by the data protection regulation's rules on cooperation and coherence mechanisms.




6 Internal EDPB Document 04/2021 on criteria of territorial competence of supervisory authorities to enforce article 5(3) of the ePrivacy Directive.
7 … persons in connection with the processing of personal data and on the free exchange of such data.

3.1.3. Establishment in Denmark
As far as concerns the European Data Protection Board's condition that the data controller or the data processor must be established in the Member State in question, the EU Court of Justice in case C-230/14 (Weltimmo) has emphasized that the concept of establishment includes any, even minimal, real and actual activity carried out via a permanent structure. 8

Google Denmark ApS, which is a subsidiary of Google LLC, has its registered office address in Copenhagen and, according to the CVR register, has 151 employees in Denmark.

On this basis, the Digital Agency assesses that Google LLC is established in Denmark through Google Denmark ApS.

3.1.4. The processing is carried out as part of the establishment's activities

The EU Court of Justice has, among other things, commented on the European Data Protection Board's declaration that the processing of personal data is carried out as part of the establishment's activities, in cases C-131/12 (Google Spain SL and Google) and C-210/16 (Wirtschaftsakademie Schleswig-Holstein).


In case C-131/12 (Google Spain SL and Google), the European Court of Justice ruled that: ”[…] a processing of personal data carried out for a search engine such as Google Search, which is offered by a company with its registered office in a third country, which however has a company or a body in a Member State, is carried out 'as part of activities' carried out by that undertaking or this body if this company or this body in this Member State is to provide advertising and sale of advertising space offered by the search engine, which helps to make the service which the search engine offers, profitable.


In such circumstances, the activities of the search engine provider and the activities carried out by the company or body of the search engine provider in the Member State in question are namely closely linked, since the activities relating to advertising space constitute the means of making the search engine in question economically profitable, and this search engine at the same time is the means that makes it possible to carry out the activities.” (Digitalisation Agency's emphasis).


Against this background, the EU Court of Justice concluded that: ”[…] a processing of personal data is carried out as part of activities carried out within the territory of a Member State by a data controller's company or body as referred to in the provision, when a search engine provider establishes a branch or a subsidiary in a Member State that is to provide for advertising and the sale of advertising space in the search engine and whose activity is aimed at the inhabitants of this Member State.” 10 (Digitalization Agency's underlining).

8 Case C-230/14 (Weltimmo), paragraph 31.
9 C-131/12 (Google Spain and Google), paragraphs 55 and 56.
10 C-131/12 (Google Spain and Google), paragraph 60.

The EU Court subsequently clarified in C-210/16 (Wirtschaftsakademie Schleswig-Holstein) that the fact that: ”[…] strategic decisions with regard to the collection and processing of personal data relating to persons residing in the Union's territory are made by a parent company which is established in a third country […], does not cast doubt on the fact that the supervisory authority governed by the law of a Member State is competent in relation to the controller's business, which is located on the territory of this Member State." (Digitalization Agency's emphasis).


In the case, the European Court of Justice determined that: "[…] where a company established outside the Union has several companies or bodies in different Member States, the supervisory authority in a Member State is competent to exercise the powers conferred on it in accordance with Article 28, subsection 3 of the directive against one of this company's companies or bodies that is located on the territory of this Member State, even if this company or this body, according to the group's internal division of tasks, is exclusively tasked with selling advertising space and handling other marketing measures on the territory of this Member State, and the sole responsibility for the collection and processing of personal information in the entire territory of the EU belongs to a company or body which is located in another Member State.” 12 (Digitalization Agency's emphasis).

In addition, it appears both from C-131/12 (Google Spain SL and Google) and C-210/16 (Wirtschaftsakademie Schleswig-Holstein) that the requirement that the processing must be carried out "as part of the establishment's activities" must not be interpreted restrictively, and that it is not a requirement that the processing be carried out by the establishment in the Member State, as the processing must only be carried out as part of the establishment's activities. 13


This line was subsequently upheld by the European Court of Justice in case C-645/19 (Facebook Belgium). 14


From this it can be deduced that a company established in Denmark is subject to the Digitalisation Agency's supervisory competence, even if the parent company is registered in a third country, and regardless of the fact that the establishment in Denmark, according to the group's internal distribution of tasks, is solely tasked with selling advertising space and handling other marketing measures. This applies accordingly, even if the sole responsibility for placing cookies and similar technologies and in this connection collecting and processing personal information within the EU belongs to another establishment in the group, which is situated in another Member State.


According to the CVR register, Google Denmark ApS' core tasks are the following: "The company's purpose is mediation of the sale of online advertisements, marketing of online advertisements and mediation of sales and direct marketing of other products and services, as well as all business, professional, technical and financial transactions as well as activities and transactions relating to research and development as well as real estate or movable property that is directly or indirectly related to said purpose or contributes to promoting the fulfillment thereof.”

11 C-210/16 (Wirtschaftsakademie Schleswig-Holstein), paragraph 63.
12 C-210/16 (Wirtschaftsakademie Schleswig-Holstein), paragraph 64.
13 C-131/12 (Google Spain and Google), paragraphs 52 and 53, C-210/16 (Wirtschaftsakademie Schleswig-Holstein), paragraphs 56 and 57 and C-645/19 (Facebook Belgium), paragraphs 91 and 93.
14 C-645/19 (Facebook Belgium), paragraphs 92 to 95.


The activities carried out by Google Denmark ApS include e.g. sale and dissemination of advertisements and advertising space on the search service, which i.a. can be accessed via the Website, to Danish customers. As the sale of advertising also contributes considerably to making the information services provided by Google on the Website economically profitable, it is the opinion of the Danish Agency for Digitalisation that the marketing activities carried out by Google Denmark ApS are inextricably linked with the placement of cookies and similar technologies on Danish users' terminal equipment via the Website. 15


It is therefore the Danish Agency for Digitalisation's assessment that the placement of cookies and similar technologies on the end users' terminal equipment via the Website takes place as part of the activities that Google Denmark ApS carries out on the Danish market on behalf of Google LLC.

3.1.5. Conclusion in relation to the Digitization Agency's territorial competence
It is the opinion of the Danish Digital Agency that:

     • The website owner Google LLC is established in Denmark through Google Denmark ApS
     • The placement of cookies and similar technologies on the end users' terminal equipment via the Website takes place as part of the activities Google Denmark ApS performs on the Danish market on behalf of Google LLC.


Based on the above, it is the Danish Agency for Digitalisation's assessment that the agency
has territorial competence in the case.


It must also be emphasized that the agency would also have territorial competence to enforce the cookie executive order if the Website was owned by Google Ireland Limited. As Google Ireland Limited is part of the Google Group, and constitutes the group's European headquarters, it is the board's assessment that Google Denmark ApS can also be considered to be an establishment of Google Ireland Limited, and that the agency would therefore also have territorial competence in this situation in the case.

15 C-645/19 (Facebook Ireland Limited and others v Gegevensbeschermingsautoriteit) recitals 92 to 95

3.2. Obtaining valid consent on the Website
The Danish Business Authority has stated in the consultation letter of 1 September 2022 that the website
does not allow the user to provide a sufficiently granular consent.


It appears from the text on the front of the cookie banner that by selecting "accept all", the user consents to Google using cookies to:

     • "Develop and improve new services",
     • “Deliver and measure the effectiveness of advertisements”,
     • “Show customized content (depending on your settings)”, and
     • “Show customized ads (depending on your settings)”

The user is given the opportunity to divide (granulate) his consent under "More choices-
options” on the second layer of the cookie banner. The end user was at the time of the

the ring letter, however, only given the opportunity to divide (granulate) his consent on
background of two overall objectives:

     "Search customization", and
     "Ad customization in Search"


In its consultation response, Google has described that "The GDPR definition of consent in Article
4(11) requires that it be "specific" and "informed". The ePrivacy Directive/Executive Cookie
Order likewise requires that users be provided with "clear and comprehensive information" prior
to making their selection. However, Google notes that neither the GDPR or the Executive Cookie
Order mandate that a separate consent must be sought for each cookie. Indeed, Recital 32 of the
GDPR clearly anticipates a single consent being obtained for multiple purposes, with the statement
"Consent should cover all processing activities carried out for the same purpose or purposes" (our
emphasis). In accordance with Recital 43 of the GDPR, a separate consent only needs to be given for
different processing operations where “appropriate in the individual case”. We note that the Danish
Business Authority Cookie Guidelines make no mention of requiring a separate consent for each
cookie and/or purpose, provided information is given about each purpose”.


At the outset, it should be noted that it is not the opinion of the Danish Agency for Digitalisation that
separate consent must necessarily be obtained for each individual cookie or similar
technology.


In its guidelines on consent under the data protection regulation, the European Data Protection
Board has commented on the interpretation of recitals 43 and 32. From this it appears that
"Recital 43 explains that consent is presumed not to be given voluntarily if the process/procedure
for obtaining consent does not allow the data subject the opportunity to give separate consent to
different processing operations regarding personal data (e.g. for some of the processing operations
and not for others), even if appropriate in the individual case. Recital 32 states that "Consent
should cover all processing activities carried out for the same purpose or purposes. When the
processing serves multiple purposes, consent should be given to them all”.

If the data controller has several processing purposes and has not attempted to obtain separate
consent for every single purpose, there is a lack of freedom. This granularity is closely related to
the requirement that consent must be specific, as mentioned in point 3.2 below. When personal data
is processed for several different purposes, the solution for complying with the conditions
for valid consent lies in granularity, i.e. separation of purposes and obtaining consent to
each purpose.”


It is therefore the opinion of the European Data Protection Board that if cookies
and similar technologies are used for multiple purposes, separate consent must be obtained
for each of these purposes. Consent will thus be considered neither voluntary nor specific
if the end user, in connection with giving consent, has not had the opportunity to divide
his consent according to the individual purposes.

Considering the European Data Protection Board's interpretation of recitals 32 and
43 of the data protection regulation, the Danish Agency for Digitalisation cannot agree that
separate consent must only be obtained when it is appropriate in the individual case.
It is, on the other hand, the Danish Agency for Digitalisation's assessment that
separate consent must be obtained when cookies and similar technologies are used for several
different overall purposes, so that the consent can be considered to fulfil the requirement to be
voluntary and specific. This applies regardless of whether it would be appropriate to collect
the consent for different overall purposes in one overall consent.


When consent is obtained for several different overall purposes, the end user must
therefore be given the opportunity to specifically opt in or opt out of consent to each
individual overall purpose.

If, for example, several cookies or similar technologies are used for the same
overall purpose, it will be in accordance with the rules to pool these under
one consent. If, on the other hand, cookies or similar technologies are used for different
overall purposes, it will not comply with the rules to collect these in one consent.

In relation to the location of the function that allows the end user to opt in to
or opt out of consent to the individual overall purposes (granularity), it is
the Danish Agency for Digitalisation's assessment that it will be in accordance with the rules
that this function is placed in the cookie banner's second information layer, as long as the end
user is informed about this in the cookie banner's first information layer. Access to
this function must also be clear and easily accessible.






On the basis of the above, it is the Danish Agency for Digitalisation's assessment that the four
purposes described in the first layer of the cookie banner are not sufficiently similar to be
collected under two overall purposes. The end user is thus not given adequate
freedom of choice between the various overall purposes, and the condition of voluntary
and specific consent is thus not fulfilled. It is therefore the agency's assessment that
the solution does not meet the consent requirement in section 3, subsection 1, of the cookie
executive order, cf. § 2, no. 8.

It should be noted that, since the time of the consultation letter, there has been a
change in the wording of the second granularity field, so that, with regard to consent, it is
possible to choose between:
     Search customization
     Personalization of ads in Search


However, it is still the agency's assessment that this does not meet the existing regulations
described in the consultation letter.


3.3. Lack of access to withdrawal of consent
In the consultation letter of 1 September 2022, the Danish Business Authority stated that the Website
does not contain an immediately available access for the user to be able to
withdraw his consent to cookies and similar technologies.

In the consultation response of 6 October 2022, Google has described three different ways
in which the user can withdraw his consent.


Google has explained that the first layer of the cookie banner states that the
visitor can at any time access g.co/privacytools and from there - with one click - revisit
the cookie banner, where the user can decide on his consent. Google has also
explained that the second layer of the cookie banner contains a clear guide on how the
user sets cookies in Chrome and that the guide can be accessed via the 'cookies' link that
appears at the top of the cookie banner's first and second layer.


Google has also explained in the response to the consultation that the visitor can withdraw
consent under 'settings' on Google's front page and 'your data in search'. This,
however, requires more clicks than Google has described. If the user wanted to withdraw his
consent after deciding on consent in the cookie banner, it was required
at the time of the consultation that the user clicked on the following:

     Settings on the front page of Google
     Your data in search
     Ad customization
     Manage your cookies






The Danish Agency for Digitalisation has noted that there have subsequently been changes to this
solution, so that it only requires three clicks in the solution as it looked on 19 September
2023. It now requires the user to click on the following:

     Settings on the front page of Google
     Your data in search
     Search customization and cookies

The Danish Agency for Digitalisation acknowledges that access is thus given on the Website
for the user to withdraw his consent. It is, however, the Danish Agency for Digitalisation's
assessment that access to this is not immediately available to the user, as the
ways in which consent can be withdrawn are not presented in a clear and user-friendly
way. Thus, the first two functions described do not meet the requirement
that the right to withdraw consent must be immediately and continuously
accessible to the visitor via a direct and clearly marked access on the
Website, cf. section 3, subsection 2, no. 4-5, of the cookie executive order, including that it must be
as easy to withdraw consent as to give it.

It is also the agency's assessment that the third solution does not meet
the requirements in section 3, subsection 2, no. 4-5, of the cookie executive order either. This is
because the way to manage cookies (the titles of the displayed links) is not described in a
sufficiently comprehensible way for the average user to be able to discern that it is
through this that his consent can be withdrawn. This has not changed with the
updated solution, as the user still has to go through "Settings" on the front page
of the Website as well as "Your data in search" before the user meets the more
comprehensible title "search customization and cookies".

3.4. Insufficient information about cookies and similar technologies

The Danish Business Authority has stated in the consultation letter of 1 September 2022 that Google does not
provide the user with adequate information about all cookies and similar technologies
which are used on the Website, cf. section 3, subsection 1, of the cookie executive order, cf.
§ 3, subsection 2. The authority has also stated in the same consultation letter that the information
about this is not considered to be continuously available through a direct and clearly
marked access on the Website, as it is difficult for the user to retrieve the
information once the user has clicked away the cookie banner. These two deficiencies
are explained separately below.

3.4.1. Lack of adequate information about all cookies and similar technologies
In the consultation response of 1 September 2022, Google has claimed that Google informs
users in a meaningful and easy-to-read way so that users are not
overwhelmed by technical details. Google explains that the information about the cookies used
appears in these places:

   The cookie policy (https://policies.google.com/technologies/cookies?hl=en)
   Cookie declaration (https://business.safety.google/adscookies/?hl=da)

In their consultation response, Google has also contested that an exhaustive
list of cookies and similar technologies must be given. Google writes that "We do not, however,
accept that a table or list format – or for that matter an individual description of the function of
each cookie, where multiple cookies are used for the same purpose(s) – is mandated either by the
GDPR, the ePrivacy Directive, or Danish law.” Furthermore, Google has, in relation to the
English-language cookie declaration, stated that the user has the option in the cookie banner
to choose the language himself, and that the solution is by default presented in the language
to which the terminal equipment is set.


Under 'cookies' on the website, Google has a cookie policy which describes
Google's use of cookies in prose text. However, only examples are given of
individual cookies used on Google services. The cookie policy thus does not contain
an exhaustive description of the cookies and similar technologies used.
In the cookie policy, however, there is a link to a cookie declaration which contains
information about all the cookies used, i.e. for functional, analytical and marketing
purposes, on a number of Google websites, including on the
Website. This declaration is presented in English only.

It is therefore the Danish Agency for Digitalisation's assessment that the user does not have access
to a cookie declaration in clear, precise and easy-to-understand language, cf.
§ 3, subsection 2, no. 1, of the cookie executive order. Since the recipient group primarily speaks
Danish, and since the Website is otherwise designed in Danish, the Website should present a
Danish-language cookie declaration.

The Danish Agency for Digitalisation notes that there are no form requirements for how the
relevant information is presented to the user, but that the information must
be presented in clear, precise and easy-to-understand language, cf. § 3, subsection 1, of the
cookie executive order, cf. § 3, subsection 2, no. 1. However, the information must, as a minimum,
adequately contain information about the provider of and the purpose of the
cookies used, cf. § 3, subsection 2, no. 2-3. In addition, the agency considers that in order for
the information, cf. section 3, subsection 1, to be said to be adequate,
information must also be given on the expiry date of the technologies used, and
information about these three conditions must be given in relation to all of the cookies used.


It is the Danish Agency for Digitalisation's assessment that fulfilment of the above requirements
presupposes that the information is presented in a way and in a language so that the average
user understands what consent is given to, cf. § 3, subsection 1, of the cookie executive order,
cf. § 3, subsection 2. This has also been established by the EU Court of Justice in the Planet49
case (C-673/17), where it follows from paragraph 74 of the judgment that "[…] the user [must
be] able to determine without difficulty the consequences of any consent and to ensure that this
consent is given with full knowledge of the consequences”. It is the agency's assessment that this
is only fulfilled where the service provides the user with a comprehensive list of all cookies
and similar technologies used. The user must receive the information with
regard to the language in which the website is presented, which on the Website
is Danish. In this connection, the Danish Agency for Digitalisation must note that the cookie
declaration at https://business.safety.google/adscookies/?hl=da does not provide this
option, as it is only displayed in the English language.


The Danish Agency for Digitalisation thus assesses that Google's solution does not meet the
requirements in § 3, subsection 1, of the cookie executive order, cf. § 3, subsection 2, no. 1-3.
This is because the information about the cookies used (purpose, provider and functional duration)
cannot be considered to be adequate, as this information is only stated as
examples, and as the adequate explanation is only given in English.

3.4.2. The required information is not continuously available via a direct and clearly marked access on the Website
The information about the use of cookies and similar technologies must be
permanently available on the website through direct and clearly marked access,
cf. section 3, subsection 1, of the cookie executive order, cf. § 3, subsection 2, no. 5.

The Danish Agency for Digitalisation does not consider that this has been met on the Website, since
it is difficult for the user to retrieve the information after the visitor
has decided on consent in the cookie banner.

At the time of the consultation letter, the following steps were required for the user to access
Google's cookie policy (and thus the required information) after the consent banner
has disappeared:
    1) That the user on the front page of the website clicks on "settings"
    2) That the user clicks on "Your data in Search"
    3) That the user clicks on "Ad customization"
    4) That the user in the box entitled "Do you want to customize your ads in Google Search
        without logging in" clicks on "manage your cookies"
    5) That the user clicks "privacy policy" at the bottom of the second layer of the cookie
        banner
    6) That the user clicks on "technologies" in the header
    7) That the user in the left margin clicks on "how to use Google cookies"

If the user wishes to access Google's cookie declaration, the user must then:
    8) Click on "Cookie types and other technologies that Google uses"
    9) Click on the link in "See more information about cookies used for advertising,
        here." under the section "Advertising"






This solution has been changed since the agency's consultation letter, so that the solution
as of 19 September 2023 only requires the following steps for the user to access this
information:

         Privacy on the front page
         How Google uses cookies (the link is very far down, and
            under the heading "Other useful resources")
         "See more information about cookies used for advertising here"

It is the Danish Agency for Digitalisation's assessment that the number of clicks – and the fact that
the actual clicks are very difficult to identify – implies that the information that,
in the opinion of the Danish Agency for Digitalisation, is required by § 3, subsection 1, of the
cookie executive order is not accessible to the user via a clearly marked access on
the Website, which is why the solution does not meet the requirements of § 3, subsection 1,
cf. § 3, subsection 2, no. 5, of the cookie executive order. The Danish Agency for Digitalisation
recognizes that fewer clicks are now required for the user to access the information. However, it
is still the agency's assessment that the deficiencies have not been resolved with the adjusted
solution, as the above three "clicks" are still difficult to identify because the text is not made
available to the end users in a sufficiently comprehensible way, and because the second link is
hidden far down in the text.

3.5 Complaints guidelines

This decision can be appealed to the Teleklagenævnet (the Telecommunications Complaints Board),
Toldboden 2, 8800 Viborg, tel.: 72 40 56 00, e-mail: tkn@naevneneshus.dk.

A possible complaint must be received by the Telecommunications Complaints Board no later than four
weeks after the Danish Agency for Digitalisation has made this decision. Attention is drawn to the
fact that, pursuant to § 3, subsection 2, of executive order no. 838 of 21 April 2011 on
the Telecommunications Complaints Board's activities, no fee has to be paid for the handling of
complaints of this type by the Telecommunications Complaints Board. A possible complaint must be
submitted via Digitaliseringsstyrelsen at digst@digst.dk, or the Danish Agency for Digitalisation,
Landgreven 4, Postbox 2193, 1017 København K. It can be stated for information that if the Danish
Agency for Digitalisation maintains the decision, the Agency will, as soon as possible
and as a starting point within 7 working days after receiving the complaint, forward the case and
its documents to the Telecommunications Complaints Board, cf. Section 37 of the Public Information Act.


With best regards


Allan Villadsen
Chief consultant, cand. jur.
T +45 21604635

Email allvil@digst.dk