The Belgian data protection authority (BDPA) has published a decision of 17 December 2019 of its litigation chamber in a case that relates entirely to cookies and that may have an impact on the way in which website operators approach cookie consent.

The decision is currently only available in Dutch, though a French translation will likely soon be published.

It is a long decision that covers mainly five topics:

  • The jurisdiction of the BDPA itself and of its litigation chamber in particular, in relation to cookies;
  • The interplay between the concepts and provisions of the General Data Protection Regulation (GDPR) and the rules on cookies;
  • Transparency & information obligations;
  • Consent-related obligations;
  • Fine & calculation.

For ease of implementation, we have transformed the findings of the BDPA on the third and fourth points into do's and don'ts.

Note: the decision specifically relates to website cookies, but the relevant rules and the findings of the BDPA are technologically neutral. Any reference to "cookies" must therefore also be understood as covering e.g. HTML5 storage and similar technologies.

1. Jurisdiction of the BDPA in relation to cookies

In Belgium, cookie rules can be found in one specific article of the Belgian Act on Electronic Communications (BAEC). The entity in charge of enforcing the BAEC rules is the Belgian Institute for Postal services and Telecommunications (BIPT).

However, the cookie rules themselves contain references to data protection rules, which creates a potential conflict of jurisdiction between the BIPT and the BDPA, which is tasked with (notably) enforcing the GDPR and other data protection rules in Belgium.

In its decision, the BDPA's litigation chamber justifies its own power to examine the case on the basis of the BDPA's general jurisdiction over compliance with the GDPR. As a result of this general jurisdiction, says the litigation chamber, the BDPA has the power to verify whether the requirement to obtain consent prior to placing cookies (where applicable) is implemented in accordance with the GDPR, as well as to check whether the other requirements of the GDPR (e.g. transparency & information) are met.

Note: the BDPA does not examine here the question of where its power stops if certain cookies do not relate to personal data. It hints at a broad interpretation of its jurisdiction, however.

2. Interplay between GDPR & cookie provisions

Under the GDPR, any processing of personal data must be based on an appropriate legal ground to be permitted, and Article 6 GDPR contains the list of legal grounds (additional requirements apply to the processing of special categories of personal data). Under the cookie rules, the use of cookies requires consent, unless one of two exemptions applies:

  • The "communication" exemption: storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network
  • The "service" exemption: storage or access as strictly necessary in order for the provider of a service (according to the e-Privacy Directive: an "information society service") explicitly requested by the subscriber or user to provide the service

In other words, the cookie rules provide for three possible legal grounds (consent and two exemptions), and the GDPR provides for legal grounds that do not always overlap neatly with those "cookie" legal grounds.

In its decision, the litigation chamber of the BDPA initially appears to suggest that the assessment of legal grounds under the cookie rules replaces the assessment of legal grounds under Art. 6 GDPR, by considering that Art. 5(3) of the e-Privacy Directive (the origin of the cookie rules) is a "lex specialis" provision that deviates from (and prevails over) Art. 6 GDPR. However, later in its decision, the litigation chamber suggests that it is more a combination (e.g. the "service" exemption under the cookie rules could be combined with "legitimate interests" as a legal ground under the GDPR).

The litigation chamber of the BDPA does state that the criterion of "necessity" ("strictly necessary") in the "service" exception is to be interpreted in accordance with data protection rules (and more specifically – mutatis mutandis – in accordance with paras 23-25 of the EDPB guidelines on processing in relation to online services).

3. Do's & don'ts of transparency / information

The decision contains various forms of criticism by the BDPA's litigation chamber of the kind of information that the relevant organisation provided to users. We have distilled this into a few do's and don'ts:

a) Be technically accurate: Any inaccuracy in the cookie policy (e.g. a discrepancy between the text and the actual technical functioning) can be viewed as an infringement of the transparency requirements under Art. 12-13 GDPR.

b) Be consistent in terms of languages used: The cookie policy (and privacy policy) must be available in the language of the target audience.

c) Adapt default cookie policies of plug-ins: If a website integrates a cookie consent plug-in, the website operator is liable for the content of the cookie policy (e.g. any default references to the California Privacy Protection Act are useless if the website is purely meant for a Belgian audience).

d) A professional audience doesn't exempt you from transparency: Even if your audience consists mainly of lawyers, the transparency obligations still apply and a "summary" privacy policy will be insufficient if it does not cover all of the information in Art. 12-13 GDPR.

e) Identify the controller clearly: Stating "an initiative of X" does not clearly tell data subjects that X is the controller.

f) Talk about consent withdrawal: Data subjects must be clearly informed of the right to withdraw consent.

Finally, a last "do" could be to test Cookiebot on your website. The BDPA's inspection service uses the third-party service Cookiebot to carry out its analysis of websites' use of cookies. If they find cookies you have failed to identify, this can be used against you, so it can be useful to first check on your own what Cookiebot's findings are.

Note: we have seen this in other proceedings as well, but have certain reservations in relation to reliance on Cookiebot, in particular as regards the classification of cookies (as this classification is made by a third party, not by actual authorities, and cannot be modified by the website operator; moreover, the classification may depend on the nature of the online service itself).

4. Do's & don'ts of cookie consent

As with transparency and information, the litigation chamber's decision contains various pointers on what organisations should or should not do in relation to the manner of obtaining consent.

a) Allow consent to be given or withdrawn per category: don't see cookie consent as "all or nothing", but as "all, some or nothing". Cookie consent (and withdrawal of consent) must therefore be possible by category of cookie (e.g. "marketing cookies").

b) First / second layer: The BDPA suggests that "on a second informational layer" (typically in the cookie policy) there could be consent per cookie (rather than per category). While it is not explicit on this point, the litigation chamber therefore appears to require or at least prefer seeing a form of consent per category on the first layer (i.e. within the cookie banner in practice).

c) Consent also for first-party analytics: the law (currently) makes no distinction between first-party cookies (accessible only to the website operator) & third-party cookies (accessible only to a given third party), and consent will be required for both unless they fall within a specific exemption.

d) Analytics sometimes strictly necessary: the litigation chamber "does not exclude" that in certain cases statistical cookies may be strictly necessary for the provision of a service (and the litigation chamber explicitly refers to the example of information services), "for instance to detect navigational problems". It does not expand on this, merely stating that this is not applicable in the case at hand.

e) Sharing aggregated information isn't exempt: the provision of aggregated information to third parties exceeds the scope of the "service" exemption.
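The consent mechanics of points (a), (b) and (c) above, together with the "check your own cookies" suggestion at the end of section 3, as an added example that is not part of this post or of the BDPA decision. It is a small JavaScript consent gate: consent is recorded per category ("all, some or nothing"), withdrawal per category deletes that category's cookies immediately, first-party analytics are gated like any other non-exempt cookie, and any cookie missing from the declared inventory is refused. The category names, cookie names, the registry and the in-memory cookie store (standing in for the browser's cookie jar so the code runs in Node) are all constructed assumptions; the undeclaredCookies function only compares a list of observed cookie names against that declared inventory.

```javascript
// Added example, not code from the post or from the BDPA decision.
// All category and cookie names below are constructed for illustration.

// "necessary" stands for cookies under the "service"/"communication" exemptions;
// they need no consent. Every other category must be granted explicitly.
const EXEMPT_CATEGORY = "necessary";
const CONSENT_CATEGORIES = ["statistics", "marketing"];

// Declared cookie inventory: what the cookie policy says the site sets.
// Note that first-party analytics ("site_stats") still requires consent (point c).
const COOKIE_REGISTRY = {
  session_id: { category: "necessary", party: "first" },
  site_stats: { category: "statistics", party: "first" },
  ad_id: { category: "marketing", party: "third" },
};

// In-memory stand-in for the browser cookie store (document.cookie in a real page).
class MemoryCookieJar {
  constructor() { this.store = new Map(); }
  set(name, value) { this.store.set(name, value); }
  remove(name) { this.store.delete(name); }
  names() { return [...this.store.keys()]; }
}

class ConsentManager {
  constructor(jar) {
    this.jar = jar;
    this.granted = new Set();  // default: nothing granted, only exempt cookies allowed
    this.log = [];             // accountability trail of grants and withdrawals
  }

  // "All, some or nothing": the user may grant any subset of the consent categories.
  grant(categories) {
    for (const c of categories) {
      if (!CONSENT_CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
      this.granted.add(c);
      this.log.push({ action: "grant", category: c, at: Date.now() });
    }
  }

  // Withdrawal per category; cookies of that category are removed right away.
  withdraw(categories) {
    for (const c of categories) {
      this.granted.delete(c);
      this.log.push({ action: "withdraw", category: c, at: Date.now() });
      for (const [name, meta] of Object.entries(COOKIE_REGISTRY)) {
        if (meta.category === c) this.jar.remove(name);
      }
    }
  }

  // A cookie may be written only if it is declared and its category is exempt or granted.
  isAllowed(name) {
    const meta = COOKIE_REGISTRY[name];
    if (!meta) return false;  // undeclared cookie: fail closed
    if (meta.category === EXEMPT_CATEGORY) return true;
    return this.granted.has(meta.category);
  }

  // Every cookie write on the site goes through this gate; returns whether it was set.
  trySet(name, value) {
    if (!this.isAllowed(name)) return false;
    this.jar.set(name, value);
    return true;
  }
}

// Compare cookie names observed on the live site (e.g. from a scan of the pages)
// with the declared inventory; anything returned here is missing from the policy.
function undeclaredCookies(observedNames) {
  return observedNames.filter((n) => !(n in COOKIE_REGISTRY));
}
```

On a real site the jar would wrap document.cookie and the registry would be generated from the same source as the published cookie policy, so that the policy and the technical behaviour cannot drift apart (point (a) of section 3); running undeclaredCookies over the names a scanner reports is the self-check that section 3 recommends.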

5. Fine & calculation

The outcome of the decision is that the litigation chamber of the BDPA handed down a fine of 15,000 EUR for infringements of data protection rules & cookie consent rules. It states in its decision that the fine takes the following elements into account:

  • Duration of the infringement: multiple infringements only corrected after a second notice from the Inspection service
  • Number of affected data subjects: monthly readership of 35,000 users
  • Negligent (or bad faith) nature of the infringement taken into account
  • Measures taken: the improvements carried out later to the website did not negate the infringements observed beforehand
  • Turnover of the organisation: 1.7 million EUR during the last year

While this fine may seem limited in the light of the organisation's turnover, it is important to note that the organisation had taken steps to improve its solution, and that the nature and scope of the infringement was in practice deemed to be limited.

Closing remarks

This decision is important as it is the first new official position on cookies published by the BDPA in several years, and it hints at the direction in which the BDPA will be headed in the coming months. While there is still the possibility of appeal, and there are other proceedings pending before the litigation chamber in relation to cookies, website administrators would do well to take heed and review their processes. Cookies are also one of the topics that the BDPA intends to look at more closely in the next few years, based on the strategic plan it published recently and which is subject to public consultation (in Dutch and in French). So when the snow has settled and the festive period is over, don't forget to check up on your cookies.