Rb. Amsterdam - C/13/747646 / KG ZA 24-191

From GDPRhub
Rb. Amsterdam - C/13/747646 / KG ZA 24-191
Courts logo1.png
Court: Rb. Amsterdam (Netherlands)
Jurisdiction: Netherlands
Relevant Law: Article 5(1)(a) GDPR
Article 6(1) GDPR
Decided: 22.04.2024
Published: 01.07.2024
Parties: Criteo SA
National Case Number/Name: C/13/747646 / KG ZA 24-191
European Case Law Identifier: ECLI:NL:RBAMS:2024:3095
Appeal from:
Appeal to:
Original Language(s): Dutch
Original Source: Rechtspraak.nl (in Dutch)
Initial Contributor: ec

A court imposed a penalty of €500 per day on Criteo until it stops placing tracking cookies on the data subject’s devices. If otherwise not possible, by ceasing to place tracking cookies at all.

English Summary

Facts

The controller is Criteo SA, a global technology company operating in media and entertainment that does consultancy, provides software and services in relation to digital marketing, media advertising and real time ads bidding. The controller places tracking cookies for targeted advertising on computers and mobile devices of users visiting certain third party websites. The controller uses the Real Time Bidding (RTB) System to recognise a user within seconds and to show personalised ads.

In another case against the controller on 15 June 2023 , the French DPA ("CNIL") fined the controller €40 million for violating various articles of the GDPR, in particular for failing to verify that the persons from whom it processed data had given their consent.

On 8 August 2023, the data subject wrote to the controller that the placing of tracking cookies on the data subject’s devices without the data subject’s consent, violates Article 11.7a(1) Dutch telecommunications law (“Telecommunicatiewet – TW”) and Articles 5(1)(a), 6(1), 7, 13 and 14 GDPR.

The controller responded that it is the responsibility of the third party websites to obtain consent.

The data subject filed an urgency procedure (“kort geding”) under Dutch civil law at the Amsterdam District Court (“Rechtbank Amsterdam”) against the controller.

The court prohibited the controller from placing tracking cookies on the devices of the data subject and imposed a penalty of €250 for every day they fail to comply with the decision (with a maximum of €25.000).

The controller appealed this decision on 30 October 2023. The Court of Amsterdam (“Gerechtshof Amsterdam”) found that tracking cookies were placed by the controller and that the data subject’s personal data was processed in violation of the GDPR. The court therefore prohibited the controller from placing tracking cookies and upheld the imposed penalty of the District Court after the judgement came into effect.

In January 2024, the controller voluntarily complied with the penalty of €25.000 before the judgement came into effect.

On 17 April 2024, the controller initiated proceedings on the merits at the Amsterdam District Court, because it disagreed with the judgement in the urgency procedure.

The controller argued that it did not place the cookies themselves, but that they were placed by third party websites. The controller argued that it did not have factual control or power over the way these websites design their websites and how they ask for consent. They can only contractually obligate these websites to obtain consent. If it appears these third party websites do not obtain consent, the controller can give a written warning. The controller also argued it is factually impossible to comply with the prohibition of the court as it cannot single out the devices of the data subject to stop placing tracking cookies.

As the unlawful processing continued, the data subject requested the court to impose a penalty of €1.500 per violation or €5.000 per day the controller continues to place tracking cookies. By complying with the maximum amount of the penalty, the data subject argued that it appears that the business model of the controller is that lucrative that the imposed penalty is an insufficient financial incentive to stop the unlawful processing. Also the fine of 40 million by the French DPA did not change the behaviour of the controller.

Holding

The court held that the controller already complied with the maximum penalty but paying the the penalty does not release the controller from the duty to comply with the prohibition.

The court further held that it is the responsibility of the controller to check whether it complies with the prohibition to place tracking cookies on the data subject's devices. Although the controller made steps in the right direction by writing warnings and ending contracts with websites that did not comply, the prohibition is still not complied with.

By paying the maximum penalty, the court held that the controller also knew it was not complying with the imposed prohibition. Therefore, the imposed penalty is an insufficient financial incentive to comply with the judgement and there are sufficient arguments to impose a new and higher penalty.

The court also dismissed the argument of the controller that it cannot prevent that tracking cookies are placed on the devices of the data subject and can only comply with the prohibition by not placing tracking cookies at all irrespective of the device. The court held that this argument cannot relieve the controller from its obligation to comply with the judgement.

Thus, the court imposed an additional penalty of €500 per day (with a maximum of €50.000) against the controller until it complies with the prohibition of placing tracking cookies on the data subject's devices.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Dutch original. Please refer to the Dutch original for more details.