EDPS - 2019-0878

From GDPRhub
Authority: EDPS
Jurisdiction: European Union
Relevant Law: Article 7 GDPR
Regulation (EU) 2018/1725
Directive 2002/58/EC
Type: Complaint
Outcome: Partly Upheld
Started:
Decided: 03.05.2021
Published: 03.05.2021
Fine: None
Parties: Court of Justice of the European Union
National Case Number/Name: 2019-0878
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): English
Original Source: On file with complainant (in EN)
Initial Contributor: Michael Veale

The EDPS found that the CJEU had breached data protection requirements in relation to web tracking. They were found to have insufficient information on their site, and a banner which did not allow users to reject cookies.

English Summary

Facts

A data subject complained about cookies and similar technologies used in connection with audiovisual material on the website of the Court of Justice of the European Union (CJEU), as well as on websites displaying the Court's branding that the Court linked to (those of two firms, Companywebcast and Connectedviews, used to host a conference recording). The complainant claimed that these sites did not correctly inform the user or obtain the required consent before data processing or storage of information on a terminal device.

Dispute

The complaint was decided under the data protection regime applying to EU institutions (Regulation (EU) 2018/1725), rather than the GDPR. The dispute concerned:

- Did the laying of cookies by the CJEU violate Article 37 of the Regulation, implementing the requirements of the e-Privacy Directive?

- Did the laying of cookies and the lack of transparent information on a third party website, with CJEU branding, linked to by the CJEU to provide it with services, breach the transparency (Article 14) and consent (Article 7) requirements of Regulation (EU) 2018/1725?

- Were the conditions for consent met by the CJEU?

Holding

The EDPS held that the CJEU had violated, on its own webpages, several provisions of Regulation (EU) 2018/1725:

- Article 37 (accessing and storage of information on a terminal device), on the basis that the CJEU did not inform the user about the potential for YouTube cookies to be set if they accepted, nor did they provide a mechanism to refuse all cookies on the website.

- Article 7 (conditions for consent), "as the CJEU did not provide its website users with a way to withdraw their consent regarding the use of cookies as easily as giving it - such as a ‘reject’ button displayed in the same place and in the same manner as the ‘accept’ button. Instead, in order to reject cookies, users had to click on the button ‘more information’ and go almost to the bottom of the page to withdraw their consent."

It held that there were partial violations of:

- Article 14 (transparency), in relation to the CJEU's website's own YouTube cookies. In relation to the third party websites, Fashion ID applied, as the CJEU had no obligation to inform users of cookies laid by a website that its own website linked to, regardless of whether it was a service the CJEU was using to deliver material or of the branding on the site.

The CJEU rectified all breaches following the complaint, in co-operation with the EDPS. As a result, the EDPS did not use any of its corrective powers. The EDPS also used the complaint to deploy its Website Evidence Collector (WEC).

The linked pages of third party services that the CJEU used to host branded conference videos laid Google and DoubleClick cookies without information or a possibility to reject. These were in breach of the law but did not fall within EDPS jurisdiction, and the CJEU had no obligation to provide information on cookies on pages it linked to (Fashion ID applied). This case clarified and confirmed that a withdraw button needs to be placed as clearly as an accept button for consent to cookies and similar technologies to be valid. The EDPS took no formal action as the CJEU engaged rapidly with the organisation and rectified all breaches following the complaint.

Comment

This complaint is most interesting due to its use of Fashion ID and the controllership jurisprudence. Even though the CJEU branded a website they paid to host videos relating to conferences, and that website was illegally configured, the EDPS did not seek to hold the CJEU liable for breaches on that website. The EDPS could have argued that the CJEU was a joint controller with that website and more explicitly considered liability that follows, or examined whether that website was acting as controller or processor, but declined to do so.

English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.