In December 2019, as people were gearing up for the festive season, the Belgian Data Protection Authority (DPA) issued a decision to the operator of a website. This decision should have everyone with an online presence sit up and take notice, particularly if they have not given due consideration to how consent is provided for when it comes to data processed using cookies and similar technologies.
This decision takes into account the recent Planet 49 Court of Justice of the European Union (CJEU) judgement. In issuing a fine of €15,000, it demonstrates that DPAs have an eye on this very visible form of non-compliance. Having issued guidance on the topic (although with some discrepancies between jurisdictions), and informed by decisions of the courts, they have signalled that it is time to pursue proportionate enforcement measures against organisations that do not adapt their practices.
In this article, we explore the decision of the Belgian DPA, which is particularly interesting for the depth it goes into in referring to previous guidance, the interplay of legislation, and providing clarity on commonly misunderstood areas. We look at the key lessons that can be learned from this case, and build on our previous analysis of data protection authority guidance.
The DPA initiated this inspection of its own volition, without a complaint having been made. While the decision does not name the website operator in question, it does note that the purpose of the website is to provide legal advice, which is all the more striking considering why the action was taken.
Problems identified as a result of the inspection included:
- Information to be provided to data subjects (Art 13 GDPR) – Key information such as the details of the Data Controller, the rights that individuals can invoke, the legal basis or purposes for processing and the retention period for cookies were not present;
- Consent (Art 4, 6, 11 and Recital 32 GDPR) – consent did not meet the GDPR standard required for processing cookies on the basis of consent.
The DPA made three inspections of the website in question, each a month apart, to see if the operator had made changes to address its concerns. None of the updates achieved the required level of compliance.
As part of the dispute resolution process, the operator of the website made some interesting claims in their defence:
- With regards to transparency and the information that should be provided to users of the site, the operator claimed that given the nature of the website (providing legal advice), the cohort of visitors (lawyers, tax specialists, notaries, bailiffs, paralegals, magistrates or law students) could be expected to be well-versed in data protection legislation and, as such, would be aware of their rights, so a more concise privacy statement would suffice;
- The operator claimed that the tool used to manage cookies on the website did not provide the features needed to meet compliance requirements (e.g. fully listing cookies in use), and that this was a barrier for them in achieving compliance;
- The operator considered certain cookies such as analytics to fall under the category of ‘strictly necessary’ for the delivery of the service;
- The lawful basis of legitimate interest was claimed for the processing of statistical cookies (i.e., those used to provide website analytics).
The Belgian DPA did not accept the position of the website operator on these items, finding that they did not comply with their transparency and consent obligations. In addition, the DPA found that legitimate interest was not an appropriate lawful basis for the processing of statistical cookies.
PROPORTIONATE & DISSUASIVE
In determining an appropriate fine, the DPA considered the annual turnover of the company and fined them €15,000, which is close to 1% of annual turnover.
Other factors contributing to the determination of the fine include:
- The duration of the infringement;
- The number of individuals affected (there is a monthly self-declared readership of 35,000);
- The repeated nature of the infringement, given the input of the Authority and the lack of adequate resolution for a period of months.
It can be surmised that the fact that several infringements were found may have factored into the calculation. The fact that the organisation co-operated with the supervisory authority may also have contributed to limiting the fine; however, it did still result in the imposition of a monetary penalty.
Data Protection Authorities are taking notice
The GDPR has been in place for a year and a half and related information governance frameworks have been in place for even longer than that. As such, supervisory authorities are increasing their enforcement activities, confident that organisations should be aware of their obligations and acting on them.
A carrot and stick approach can still cost
Co-operation with the authority is not a guard against a monetary fine being imposed. It may contribute to the determination of the proportionality of the final figure, but it is not a panacea.
Your website is a window on your compliance
If an organisation does not have the basics covered on its website by having adequate notices, policies and cookie consent management in place, it can be a sign that there may be larger systemic compliance issues that need addressing. Trilateral offers gap analyses and audit and assessment services to review your organisation’s data governance structures in order to identify existing gaps and develop a roadmap for ongoing compliance.
Review your cookies, not your excuses
Another interesting observation arising from this case is that while consent per individual cookie is not required (consent per category of cookie would suffice), a consent choice per individual cookie would be preferable. Trilateral offers compliance support services to help your organisation review existing cookie consent preferences, and ensure these are up to date with the latest data protection standards.
KNOW YOUR COOKIES
Many organisations are using cookie scanning tools to determine what cookies their website processes. However, these tools should not be relied on to be 100% accurate as they are not always successful in providing a full account of cookies in use. If your organisation needs to rely on a scanning tool to provide such information, this should be a signal that the right change management controls are not currently in place to enable you to have confidence in the current configuration of your web property. Trilateral offers outsourced DPO and DPO assist services, to support your organisation’s data protection team in understanding and assessing best practices for change management control and cookie compliance.
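The two points above (consent per category of cookie, and an inventory you control rather than a scan you hope is complete) come together in a simple change-management check: reconcile the cookies a page actually sets against the inventory declared in your privacy notice. The script below is an added example written for this article, not code from the Belgian DPA decision or from Trilateral; the inventory format, the category names, the sample Set-Cookie headers and the reference date are all constructed for illustration. It flags cookies that are set but not declared (the gap the operator's tool left), cookies that outlive their declared retention period (the Art 13 information point), consent-required cookies set before consent, and declared cookies that no longer appear (a stale inventory).

```python
"""Reconcile observed Set-Cookie headers against a declared cookie inventory.

Added example, not from the original article. Inventory entries, category
names, sample headers and the reference date are constructed assumptions.
"""
import email.utils
from datetime import datetime, timezone

# Constructed inventory: what the privacy notice declares for each cookie.
# max_age_days of 0 means a session cookie.
INVENTORY = {
    "sessionid":    {"category": "strictly_necessary", "max_age_days": 0},
    "cookie_prefs": {"category": "strictly_necessary", "max_age_days": 365},
    "_ga":          {"category": "analytics",          "max_age_days": 395},
}

# Categories that may only be set once the user has consented to them
# (mirrors the strictly-necessary vs. consent-based distinction in the text).
CONSENT_REQUIRED = {"analytics", "marketing"}

# Constructed sample of what a page response might set before any consent.
SAMPLE_HEADERS = [
    "sessionid=abc123; Path=/; HttpOnly; Secure; SameSite=Lax",
    "_ga=GA1.2.111; Max-Age=63072000; Path=/",            # 730 days
    "_fbp=fb.1.222; Expires=Wed, 01 Jan 2025 00:00:00 GMT; Path=/",
]
NOW = datetime(2020, 1, 6, tzinfo=timezone.utc)  # fixed reference date


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, {attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()   # flags get an empty value
    return name.strip(), value, attrs


def lifetime_days(attrs, now):
    """Cookie lifetime in days: 0 for a session cookie, else time to expiry."""
    if "max-age" in attrs:                            # Max-Age wins over Expires
        return max(int(attrs["max-age"]), 0) / 86400
    if "expires" in attrs:
        exp = email.utils.parsedate_to_datetime(attrs["expires"])
        if exp.tzinfo is None:
            exp = exp.replace(tzinfo=timezone.utc)
        return max((exp - now).total_seconds(), 0) / 86400
    return 0


def reconcile(headers, inventory, consent_given, now):
    """Return (cookie, finding_type, detail) tuples for every discrepancy."""
    findings = []
    seen = set()
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        seen.add(name)
        entry = inventory.get(name)
        if entry is None:
            findings.append((name, "undeclared", "not listed in the cookie inventory"))
            continue
        days = lifetime_days(attrs, now)
        if days > entry["max_age_days"]:
            findings.append((name, "retention",
                             f"lives {days:.0f} days, notice declares {entry['max_age_days']}"))
        if entry["category"] in CONSENT_REQUIRED and entry["category"] not in consent_given:
            findings.append((name, "consent",
                             f"{entry['category']} cookie set without consent"))
    # Declared but never observed: the notice may be describing cookies you no longer set.
    for name in sorted(inventory.keys() - seen):
        findings.append((name, "stale", "declared but not observed"))
    return findings


if __name__ == "__main__":
    for cookie, kind, detail in reconcile(SAMPLE_HEADERS, INVENTORY, set(), NOW):
        print(f"{kind:<10} {cookie:<14} {detail}")
```

Run it against the headers captured from each page state you care about (before consent, after consenting to each category) and treat any `undeclared` or `consent` finding as a release blocker; the inventory file, not the scanner output, is then the artefact your change-management process reviews.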
NOT JUST BIG TECH
Data Protection Authorities are responsible for ensuring that data protection legislation is implemented and enforced for all who come within its scope. In some jurisdictions, there has been a perception that only large organisations such as Facebook and Google will come within the sights of those enforcing data protection legislation. As evidenced in this instance, that is not the case, and organisations should expect that authorities will increasingly exercise their oversight in this area.
For more information on how Trilateral can support you, please refer to our list of services or get in touch with one of our advisors for support on your compliance journey.