Tietosuojavaltuutetun toimisto - 8040/163/2019

From GDPRhub
Authority: Tietosuojavaltuutetun toimisto (Finland)
Jurisdiction: Finland
Relevant Law: Article 4(11) GDPR; Article 6(1) GDPR; Article 7 GDPR; Article 58(2)(d) GDPR
Type: Complaint
Outcome: Upheld
Decided: n/a
Published:
Fine: None
Parties: n/a
National Case Number/Name: 8040/163/2019
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Finnish
Original Source: Finlex (in FI)
Initial Contributor: n/a

The Finnish DPA held that the controller's method of obtaining consent for the storage and use of cookies on its website was contrary to Article 4(11) GDPR. The DPA also held that refusing and withdrawing consent must be as easy as giving it.

English Summary

Facts

A data subject filed a complaint with the Finnish DPA about the cookie consent banner on a company's website. According to the data subject, the banner made refusing the storage and use of cookies difficult. The cookies were used for, inter alia, targeted advertising.

The cookie banner stated that the website visitor accepts cookies by continuing to use the website. The banner had two options: “OK” and “additional information”. The latter took the website visitor to the website’s privacy statement, where the visitor was informed that cookies could be blocked by adjusting their browser settings and that third parties’ cookies could be blocked via the third parties’ websites.

Dispute

1. Whether the controller's method of obtaining consent for cookie storage complied with Article 4(11) GDPR.

2. Whether the consent obtained fulfilled the conditions of Article 7 GDPR, in particular the conditions for withdrawing consent under Article 7(3).

Holding

The Finnish DPA ruled that the consent obtained through the cookie banner cannot be considered freely given under Article 4(11) GDPR. Consent is not freely given if it cannot be refused or withdrawn without detriment. The cookie banner offered the data subject no option to refuse the storage and use of cookies, and withdrawing consent was not as easy as giving it. Furthermore, consent must always be an affirmative act and cannot be given through silence, pre-ticked boxes or inactivity. Informing data subjects that cookies can be blocked by changing browser settings does not satisfy the affirmative-action requirement of Article 4(11) GDPR.

In accordance with Article 58(2)(d) GDPR, the Finnish DPA ordered the controller to bring its process for obtaining consent into line with the GDPR.

The decision is not final, and can be appealed in the Finnish administrative courts.
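As an added illustration that is not part of this GDPRhub page or of the decision, the banner model the DPA rejected is shown beside a consent gate that meets the requirements stated in the holding (affirmative act, a refuse option at the same level as accept, browsing is not consent, withdrawal as easy as acceptance). Category names, cookie names and values are constructed.

```javascript
// Added example, not code from the decision or from the controller's website.
// Category and cookie names below are constructed for illustration only.

const ESSENTIAL = "essential";
const NON_ESSENTIAL = ["analytics", "advertising"];

// 1. The banner pattern described in the decision: a single "OK" button, no
//    reject option, and continuing to use the site is treated as acceptance.
function impliedConsentBanner() {
  const allowed = new Set();
  return {
    ok() { NON_ESSENTIAL.forEach((c) => allowed.add(c)); },
    // Scrolling, following a link or just staying on the page ends up here:
    // silence and inactivity are counted as consent (contrary to recital 32).
    onContinue() { this.ok(); },
    canStore(category) { return category === ESSENTIAL || allowed.has(category); },
    // The service itself offers no way back; the privacy statement sends the
    // user to browser settings and to each partner's own site instead.
    withdraw() { throw new Error("no in-service withdrawal offered"); },
  };
}

// 2. A gate that follows Art. 4(11) and Art. 7(3) as the DPA applied them:
//    nothing non-essential is stored before an affirmative act, "reject" is a
//    first-class choice, browsing changes nothing, and withdrawal is one call
//    that also removes what was stored under the earlier consent.
function explicitConsentGate() {
  const jar = new Map();          // cookie name -> { category, value }
  const allowed = new Set();
  let decided = false;

  const purgeNonEssential = () => {
    for (const [name, c] of jar) if (c.category !== ESSENTIAL) jar.delete(name);
  };

  return {
    // Affirmative act: the visitor chose specific categories.
    accept(categories) {
      for (const c of categories) if (NON_ESSENTIAL.includes(c)) allowed.add(c);
      decided = true;
    },
    // Refusal must be as easy as acceptance: a single call, no detriment.
    rejectAll() { allowed.clear(); decided = true; },
    // Continuing to browse is not an expression of intent, so it is a no-op.
    onContinue() { /* intentionally nothing */ },
    // Withdrawal mirrors acceptance in effort and deletes the cookies that
    // were set under the withdrawn consent.
    withdraw() { allowed.clear(); decided = false; purgeNonEssential(); },
    // Storage attempt; returns whether the cookie was actually set.
    setCookie(name, category, value) {
      if (category !== ESSENTIAL && !allowed.has(category)) return false;
      jar.set(name, { category, value });
      return true;
    },
    has(name) { return jar.has(name); },
    status() { return { decided, allowed: [...allowed].sort() }; },
  };
}

// Walk both models through the same visitor behaviour and return the outcome.
function compare() {
  const implied = impliedConsentBanner();
  implied.onContinue();                       // visitor merely kept browsing
  const impliedAdsStored = implied.canStore("advertising");

  const gate = explicitConsentGate();
  gate.onContinue();                          // same behaviour, no effect
  const adsBeforeChoice = gate.setCookie("ad_id", "advertising", "x1");
  gate.accept(["advertising"]);
  const adsAfterAccept = gate.setCookie("ad_id", "advertising", "x1");
  gate.withdraw();
  const adsAfterWithdraw = gate.has("ad_id");

  return { impliedAdsStored, adsBeforeChoice, adsAfterAccept, adsAfterWithdraw };
}
```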

Comment

The controller argued that it followed Finnish Transport and Communications Agency's (Traficom) instructions for cookie consent banners. In Traficom's consent guide, it is possible to consent to non-essential cookies by changing browser settings.

The Finnish DPA decision goes against Traficom's cookie consent guidelines.

English Machine Translation of the Decision

The decision below is a machine translation of the Finnish original. Please refer to the Finnish original for more details.

MATTER

Applicant's claims and reasons

The applicant has contacted the Office of the Data Protection Ombudsman because the applicant considers that refusing cookies on the controller's website has been made very difficult.

Statement received from the controller

In addition to the applicant's complaint, the Office of the Data Protection Ombudsman is handling a number of other complaints concerning the controller's activities, in which the applicants consider that the consent obtained by the controller for the storage and use of cookies does not meet the conditions of the General Data Protection Regulation. As a result of the complaints, the Office of the Data Protection Ombudsman requested clarification from the controller in a request dated 26 November 2019. The controller submitted its statement on 19 December 2019.

According to the statement provided by the controller, it follows Traficom's instructions regarding consent to cookies. According to this guide, consent to non-essential cookies can be given by means of browser settings. The controller informs users about the use of cookies and the possibility of influencing them through browser settings in its privacy statement.

In addition, the controller states that it has introduced a so-called cookie banner, the purpose of which is to increase transparency about the use of cookies and to make influencing their use as easy as possible. By clicking on the "More information" section of the banner, the user can access the privacy statement, which contains information about cookies and the ways of influencing them.

Applicant's reply

No reply has been requested from the applicant, as it has been considered manifestly unnecessary within the meaning of section 34(2)(5) of the Administrative Procedure Act (434/2003). Obtaining a reply would not change the way the matter is resolved. The matter may be resolved on the basis of the contact made with the Office of the Data Protection Ombudsman and the other information received on the matter.

On the cross-border assessment

The controller is part of an international group, which is why it has been assessed whether the Data Protection Ombudsman or the data protection authority of another country is the competent supervisory authority. In its statement, the controller has stated that decisions concerning the purposes and means of processing personal data are made in Finland. The Office of the Data Protection Ombudsman has also read the controller's privacy statement to verify that the controller itself defines the purposes and means of the processing.

On the basis of the statement, the Deputy Data Protection Ombudsman considers that he is competent to deal with the matter in accordance with Article 55 of the General Data Protection Regulation.

Competence of the Data Protection Ombudsman and applicable law

Cookies and other data stored on a subscriber's or user's terminal equipment, and their use, are covered by the so-called ePrivacy Directive (Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector). That Directive has been amended by Directive 2009/136/EC (Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 on universal service and users' rights relating to electronic communications networks and services),

According to Article 5(3) of the ePrivacy Directive, Member States shall ensure that the storage of data, or the use of data stored, on a subscriber's or user's terminal is permitted only with the consent of the subscriber or user. This shall not preclude technical storage or use for the sole purpose of carrying out the transmission of a communication over an electronic communications network, or as strictly necessary for the provision of an information society service explicitly requested by the subscriber or user.

Article 2(2)(f) of the ePrivacy Directive defines the consent of the user or subscriber. Consent in the ePrivacy Directive has the same meaning as the data subject's consent in Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Data Protection Directive). The Data Protection Directive has been repealed by the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).

In its judgment of 1 October 2019 in the so-called Planet49 case (Planet49 GmbH, C-673/17, EU:C:2019:246; judgment of 1 October 2019, EU:C:2019:801), the Court of Justice of the European Union held, inter alia in paragraphs 42 and 63, that the conditions for consent in the ePrivacy Directive and the General Data Protection Regulation must be read together and that references in the ePrivacy Directive to Directive 95/46 must be construed as references to the General Data Protection Regulation.

According to Article 4(11) of the General Data Protection Regulation, the consent of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

Article 6 of the General Data Protection Regulation contains an exhaustive list of situations in which the processing of personal data may be considered lawful. According to paragraph 1 (a) of that Article, one of those situations is that the data subject has consented to the processing of his or her personal data for one or more specific purposes.

The conditions for consent are set out in Article 7 of the General Data Protection Regulation. According to paragraph 1 of that Article, where the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. Under Article 7 (3) of the General Data Protection Regulation, the data subject has the right to withdraw his or her consent at any time. Withdrawal of consent must be as easy as giving it.

Pursuant to Article 5(3) of the ePrivacy Directive, the storage and use of cookies requires the consent of the subscriber or user. This requirement has been implemented in Finland by section 205 of the Act on Electronic Communications Services (917/2014). Under the Act on Electronic Communications Services, compliance with this provision is supervised by the Finnish Transport and Communications Agency Traficom.

The ePrivacy Directives (2002/58/EC and 2009/136/EC) were transposed nationally by placing the storage and use of cookies under the supervision of the then FICORA, now Traficom. The provision on cookies was at that time incorporated into national law as part of the confidentiality of communications. This solution was made possible by the option provided in those directives to implement them in the manner chosen at national level.

The General Data Protection Regulation became applicable on 25 May 2018. At that time, no changes were made to section 205 of the Act on Electronic Communications Services. It should be noted, however, that the General Data Protection Regulation as such is the applicable law insofar as it leaves no national discretion. Articles 4(11) and 7 of the General Data Protection Regulation on consent are provisions that leave no national discretion and therefore cannot be the subject of national regulation.

It follows from the primacy of EU law that, in this case, consent must be interpreted in accordance with the General Data Protection Regulation.

According to section 8 of the Data Protection Act (5 December 2018/10), the Data Protection Ombudsman is the national supervisory authority referred to in the General Data Protection Regulation. The tasks and powers of the Data Protection Ombudsman are set out in Articles 55 to 59 of the General Data Protection Regulation. In accordance with Article 55, each supervisory authority shall be competent to perform the tasks assigned to it and to exercise the powers conferred on it under the Regulation in the territory of its own Member State. Under Article 57, each supervisory authority must, inter alia, monitor and enforce the application of the Regulation in its territory, promote the awareness of controllers and processors of their obligations under the Regulation, and handle complaints lodged by data subjects.

In view of the above, and given that the present case concerns the assessment of whether the consent requested by the controller for the storage and use of cookies complies with the General Data Protection Regulation, and that the Data Protection Ombudsman is the only national supervisory authority supervising the General Data Protection Regulation in Finland, the Data Protection Ombudsman considers himself competent to deal with the matter and to exercise the powers defined in Article 58 of the General Data Protection Regulation. The Deputy Data Protection Ombudsman notes that Traficom retains competence to supervise section 205 of the Act on Electronic Communications Services, which, however, is not applied in this decision, as it falls outside the competence of the Data Protection Ombudsman.

In addition to the above, the Data Protection Ombudsman draws attention to paragraph 71 of the judgment of the Court of Justice of the European Union in Planet49, according to which Articles 2(f) and 5(3) of Directive 2002/58, read in conjunction with Article 2(h) of Directive 95/46 and Article 4(11) and Article 6(1)(a) of Regulation 2016/679, are not to be interpreted differently according to whether or not the data stored on or retrieved from the website user's terminal equipment constitute personal data within the meaning of Directive 95/46 and Regulation 2016/679.

Legal question

The question is whether the applicant has been asked for consent to the storage of cookies and the use of the data stored on his terminal in accordance with Article 4(11) of the General Data Protection Regulation, i.e. whether the applicant's consent has been given by a statement of consent or by a clear affirmative act. In addition, the question is whether the consent given by the applicant fulfils the conditions of Article 7 of the General Data Protection Regulation, and in particular the conditions for withdrawal of consent in paragraph 3 of that Article.

The Deputy Data Protection Ombudsman shall decide whether the controller should be ordered, in accordance with Article 58(2)(d) of the General Data Protection Regulation, to bring its processing operations into compliance with the provisions of the General Data Protection Regulation. In addition, the Deputy Data Protection Ombudsman will assess whether other powers of the Data Protection Ombudsman should be exercised.

DECISION

Order

The Deputy Data Protection Ombudsman orders the controller, in accordance with Article 58(2)(d) of the General Data Protection Regulation, to amend its processing operations so that consent is obtained in accordance with the provisions of the General Data Protection Regulation.

The Deputy Data Protection Ombudsman leaves the appropriate measures to the discretion of the controller, but orders that a report on the measures taken be submitted to the Office of the Data Protection Ombudsman by 1 September 2020.

Assessment of the validity of consent

Article 4(11) of the General Data Protection Regulation defines the data subject's consent. It means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

According to recital 32 of the General Data Protection Regulation, consent should be given by a clear affirmative act, such as a written statement, including by electronic means, or an oral statement, establishing the data subject's freely given, specific, informed and unambiguous agreement to the processing of his or her personal data. Such an act could include, for example, ticking a box when visiting a website, choosing technical settings for information society services, or any other statement or conduct which clearly indicates in this context the data subject's acceptance of the processing of his or her personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.

The Article 29 Data Protection Working Party (WP29), the predecessor of the European Data Protection Board (EDPB), issued the Guidelines on Consent ("Guidelines on Consent under Regulation 2016/679, WP259 rev. 01"), which were endorsed by the European Data Protection Board. On 4 May 2020, the European Data Protection Board published an updated version of these Guidelines ("Guidelines 05/2020 on consent under Regulation 2016/679, Version 1.0, Adopted on 4 May 2020"), hereinafter the EDPB Consent Guidelines.

In its Consent Guidelines, the EDPB states that consent can only be an appropriate legal basis if the data subject is offered control and a genuine choice with regard to accepting or declining the terms offered, without detriment. Strict requirements should apply to requests for consent, as this concerns a fundamental right of data subjects and because the controller wants to carry out a processing operation that would be unlawful without the data subject's consent.

According to the EDPB Consent Guidelines, for consent to be considered freely given, data subjects must have a real choice and control. The General Data Protection Regulation generally provides that consent is not valid if the data subject has no real freedom of choice, feels compelled to consent, or will endure negative consequences if he or she does not consent. Consent shall not be considered freely given if the data subject cannot refuse or withdraw his or her consent without detriment.

Article 7 of the General Data Protection Regulation sets out the conditions for consent. According to Article 7(1), where the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. According to paragraph 3 of that Article, the data subject has the right to withdraw his or her consent at any time. The data subject must be informed of this before giving consent. Withdrawal of consent must be as easy as giving it.

In its Consent Guidelines, the EDPB emphasises that the requirement of easy withdrawal is considered under the General Data Protection Regulation to be a necessary element of valid consent. Where consent is obtained electronically with just one mouse click, screen swipe or keystroke, data subjects must be able to withdraw their consent with equal ease. In addition, the data subject should be able to withdraw consent without detriment. This means, among other things, that the data subject must be able to withdraw consent free of charge and without a reduction in the level of service.

In the present case, the consent referred to by the controller is collected, first, through a box on its website known as a banner. The following text is displayed on screen: "In order to make the use of the website smooth and interesting for you, the controller and its partners use cookies on the website. By continuing, you accept the use of cookies." The screen contains a green "OK" button and a "More Information" button. Selecting "More Information" opens the privacy statement of the controller and its website.

The section on cookies in the privacy statement states, inter alia:

We may use cookies to collect information about a user's terminal. Cookies are used, among other things, to develop services and to target marketing and advertising. In addition, third parties set cookies on the service. If you do not want to receive cookies, you can change your browser settings.

Next, the privacy statement on the controller's website states, inter alia:

Third parties may set cookies on the user's terminal, for example, to provide the user with targeted advertising. You can learn more from the links below and you can opt out of targeted advertising by visiting their sites.

The privacy statement then includes a list of the controller's partners and links to the privacy pages and advertising choices of those partners. A total of 11 partners are listed.

As stated above, consent cannot be considered valid and freely given unless the data subject has been offered a genuine opportunity to freely choose whether to accept or decline the terms offered. Consent shall not be considered valid if the data subject has no real freedom of choice, feels compelled to consent, or will endure negative consequences if he or she does not consent. Nor shall the consent procedure be considered valid and in accordance with the General Data Protection Regulation if the right to withdraw consent does not meet the requirements of the General Data Protection Regulation and withdrawal of consent is not as easy as giving it.

As indicated above, the Office of the Data Protection Ombudsman is competent to take a position on consent, which is based on the exercise of informational self-determination under the General Data Protection Regulation.

In this case, the controller obtains consent to the storage and use of cookies by the user clicking the OK button on the so-called banner. However, the banner offers no possibility to refuse the storage and use of cookies. For example, in order to refuse third-party cookies, the user must, as described in the controller's privacy statement, visit the website of each partner mentioned in that statement and opt out of cookies for each partner individually. In this respect, the Data Protection Ombudsman also draws attention to the fact that, by proceeding in this way, the controller does not allow the user to consent to, refuse or withdraw consent to the use of cookies on the controller's website within the controller's own service. In addition, the privacy statement leaves it unclear which third-party cookies other than those of the named partners may be used on the controller's website and how these cookies may be refused.

In view of the above, the Data Protection Ombudsman considers that the consent requested from the applicant through the so-called banner cannot be considered freely given under Article 4(11) of the General Data Protection Regulation, nor can the consent be considered to satisfy Article 7(3) of the General Data Protection Regulation, since withdrawing consent is not as easy as giving it, as described above.

In addition to the consent collected through the so-called banner, the controller states that it complies with Traficom's instructions regarding consent to cookies, according to which consent can be given by means of browser settings. The controller's privacy statement is worded as follows:

“If you do not want to receive cookies when using our services, you can change your browser settings. However, please note that if you block the use of cookies, you may not be able to fully use the services or all of their features. For apps, you can reset the ad tag or restrict ad tracking from device settings. ”

As stated above, according to recital 32 of the General Data Protection Regulation, consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of his or her personal data. Such an act could include, for example, ticking a box when visiting a website, choosing technical settings for information society services, or any other statement or conduct which clearly indicates in this context the data subject's acceptance of the processing of his or her personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent.

The conditions for consent were also assessed in the Planet49 judgment, which concerned, inter alia, the validity of consent to the storage and use of cookies. In paragraph 63 of the judgment, the Court held that consent within the meaning of Articles 2(f) and 5(3) of Directive 2002/58, read in conjunction with Articles 4(11) and 6(1)(a) of Regulation 2016/679, is not valid where permission to store data, or to use data already stored, on the terminal equipment of a website user is given by means of a pre-ticked checkbox which the user must deselect to refuse consent. The Court explicitly refers in this respect to recital 32 of the General Data Protection Regulation, which excludes the possibility that

According to Article 7(1) of the General Data Protection Regulation, where the processing is based on consent, the controller must be able to demonstrate that the data subject has consented to the processing of his or her personal data. According to the EDPB Consent Guidelines, it is the controller's responsibility to demonstrate that valid consent has been obtained from the data subject. The controller must be able to demonstrate that the data subject was provided with the necessary information and that the controller's workflow met all relevant criteria for valid consent. Underlying this obligation under the General Data Protection Regulation is that controllers are accountable for obtaining valid consent from data subjects and for the consent mechanisms they have put in place.

The Data Protection Ombudsman considers that the controller's current approach of referring to the modification of browser settings does not meet the requirements of Article 4(11) and Article 6(1)(a) of the General Data Protection Regulation.

The controller's privacy statement states that the user can refuse the use of cookies by changing their browser settings. However, consent that fulfils the conditions of the General Data Protection Regulation means an act of consent expressing an indication of wishes by which the data subject expressly agrees to the use of his or her personal data. The fact that the controller states how the user may refuse the storage or use of cookies can in no way be construed as a freely given, specific, informed and unambiguous indication by which he or she consents to the storage and use of cookies. It should also be noted that consent cannot be given by failing to take any action. Thus,

If the controller wishes to use browser settings to request consent, it must ensure, and be able to demonstrate, that all the conditions for giving consent under the General Data Protection Regulation are met. In its Consent Guidelines, the EDPB has also addressed obtaining the consent of internet users through their browser settings. According to the EDPB, the development of such settings should take into account the conditions for valid consent set out in the General Data Protection Regulation, such as the need for granular consent for each intended purpose and the naming of the controllers in the information provided.

The Data Protection Ombudsman further notes that, according to Article 95 of the General Data Protection Regulation, the Regulation does not impose additional obligations on natural or legal persons in relation to processing in connection with the provision of publicly available electronic communications services in public communication networks in the Union in relation to matters for which they are subject to specific obligations with the same objective set out in Directive 2002/58/EC. Recital 173 of the General Data Protection Regulation states that the Regulation should apply to all matters concerning the protection of fundamental rights and freedoms with regard to the processing of personal data which are not subject to the specific obligations with the same objective set out in the ePrivacy Directive, including the obligations on the controller and the rights of natural persons. The General Data Protection Regulation therefore applies in principle insofar as the ePrivacy Directive does not provide for the matter.

In the light of the above, the Data Protection Ombudsman notes that the EDPB has explicitly stated in its Consent Guidelines that the consent requirements of the General Data Protection Regulation are not considered "additional obligations" but rather conditions for lawful processing in situations covered by the ePrivacy Directive.

In the light of the above, the Deputy Data Protection Ombudsman orders the controller to modify its procedures for requesting consent in accordance with Articles 4(11), 6(1)(a) and 7 of the General Data Protection Regulation.

Reprimand for collecting consent contrary to the conditions of the General Data Protection Regulation

The Data Protection Ombudsman considers that, although the controller's conduct in breach of the provisions of the General Data Protection Regulation is in itself reprehensible, the infringement as a whole does not, at this stage, warrant a heavier sanction than a reprimand, as the legal situation has not been clear since the General Data Protection Regulation became applicable. However, it must be borne in mind that the shortcomings described above have affected the rights of several data subjects. Several similar complaints are pending at the Office of the Data Protection Ombudsman.