The Belgian data protection authority (BDPA) has published a decision of 17 December 2019 of its litigation chamber in a case that relates entirely to cookies and that may have an impact on the way in which website operators approach cookie consent.
The decision is currently only available in Dutch, though a French translation will likely soon be published.
It is a long decision that covers mainly five topics:
- The jurisdiction of the BDPA itself and of its litigation chamber in particular, in relation to cookies;
- The interplay between the concepts and provisions of the General Data Protection Regulation (GDPR) and the rules on cookies;
- Transparency & information obligations
- Consent-related obligations
- Fine & calculation
For ease of implementation, we have transformed the findings of the BDPA on the third and fourth points into do's and don'ts.
Note: the decision specifically relates to website cookies, but the relevant rules and the findings of the BDPA are technologically neutral. Any reference to "cookies" must therefore also be understood as covering e.g. HTML5 storage and similar technologies.
1. Jurisdiction of the BDPA in relation to cookies
In Belgium, cookie rules can be found in one specific article of the Belgian Act on Electronic Communications (BAEC). The entity in charge of enforcing the BAEC rules is the Belgian Institute for Postal services and Telecommunications (BIPT).
However, the cookie rules themselves contain references to data protection rules, which creates a potential conflict of jurisdiction between the BIPT and the BDPA, which is tasked with (notably) enforcing the GDPR and other data protection rules in Belgium.
In its decision, the BDPA's litigation chamber justifies its own power to examine the case on the basis of the BDPA's general jurisdiction over compliance with the GDPR. As a result of this general jurisdiction, says the litigation chamber, the BDPA has the power to verify whether the requirement to obtain consent prior to placing cookies (where applicable) is implemented in accordance with the GDPR, as well as to check whether the other requirements of the GDPR (e.g. transparency & information) are met.
Note: the BDPA does not examine here the question of where its power stops if certain cookies do not relate to personal data. It hints at a broad interpretation of its jurisdiction, however.
2. Interplay between GDPR & cookie provisions
Under the cookie rules, storing information on, or gaining access to information already stored on, a user's device requires prior consent, unless one of two exemptions applies:
- The "communication" exemption: storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network;
- The "service" exemption: storage or access that is strictly necessary in order for the provider of a service (according to the e-Privacy Directive: an "information society service") explicitly requested by the subscriber or user to provide that service.
In other words, the cookie rules provide for three possible legal grounds (consent and two exemptions), and the GDPR provides for legal grounds that do not always overlap neatly with those "cookie" legal grounds.
In its decision, the litigation chamber of the BDPA initially appears to suggest that the assessment of legal grounds under the cookie rules replaces the assessment of legal grounds under Art. 6 GDPR, by considering that Art. 5(3) of the e-Privacy Directive (the origin of the cookie rules) is a "lex specialis" provision that deviates from (and prevails over) Art. 6 GDPR. However, later in its decision, the litigation chamber suggests that it is more a combination (e.g. the "service" exemption under the cookie rules could be combined with "legitimate interests" as a legal ground under the GDPR).
The litigation chamber of the BDPA does state that the criterion of "necessity" ("strictly necessary") in the "service" exception is to be interpreted in accordance with data protection rules (and more specifically – mutatis mutandis – in accordance with paras 23-25 of the EDPB guidelines on processing in relation to online services).
3. Do's & don'ts of transparency / information
The decision contains various forms of criticism by the BDPA's litigation chamber of the kind of information that the relevant organisation provided to users. We have distilled this into a few do's and don'ts:
e) Identify the controller clearly: Stating "an initiative of X" does not clearly tell data subjects that X is the controller.
f) Talk about consent withdrawal: Data subjects must be clearly informed of the right to withdraw consent.
Note: we have seen this in other proceedings as well, but have certain reservations in relation to reliance on Cookiebot, in particular as regards the classification of cookies (as this classification is made by a third party, not by actual authorities, and cannot be modified by the website operator; moreover, the classification may depend on the nature of the online service itself).
4. Do's & don'ts of cookie consent
As with transparency and information, the litigation chamber's decision contains various pointers on what organisations should or should not do in relation to the manner of obtaining consent.
a) Allow consent to be given or withdrawn per category: don't see cookie consent as "all or nothing", but as "all, some or nothing". Cookie consent (and withdrawal of consent) must therefore be possible by category of cookie (e.g. "marketing cookies").
c) Consent also for first-party analytics: the law (currently) makes no difference between first-party cookies (accessible only to the website operator) & third-party cookies (accessible only to a given third party), and consent will be required for both unless they fall within a specific exemption.
d) Analytics sometimes strictly necessary: the litigation chamber "does not exclude" that in certain cases statistical cookies may be strictly necessary for the provision of a service (the litigation chamber explicitly refers to the example of information services), "for instance to detect navigational problems". It does not expand on this, merely stating that this is not applicable in the case at hand.
e) Sharing aggregated information isn't exempt: the provision of aggregated information to third parties exceeds the scope of the "service" exemption.
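To make points a) to d) concrete for whoever maintains the consent layer, the following is an added example written for this note; it is not code from the BDPA decision, from the organisation concerned or from the original article. It models a consent gate in plain JavaScript (the language a site's consent layer is written in), with constructed category and cookie names: nothing is consented by default, the user may accept all, some or none of the categories, consent is withdrawable per category (and the cookies of that category are removed on withdrawal), first-party statistics cookies are treated like any other non-exempt category, and only the category flagged as strictly necessary is placed without consent. Which cookies actually qualify for the "service" exemption is a legal assessment the code cannot make; the `exempt` flags below are assumptions for the illustration.

```javascript
// Added example: a per-category consent gate modelling the consent findings
// above. Not code from the BDPA decision or the original article; category
// names, cookie names and the exempt flags are constructed for illustration.

// Categories and whether they fall under the "strictly necessary" (service)
// exemption. Everything else, first-party analytics included, needs consent.
const CATEGORIES = {
  necessary: { exempt: true },
  statistics: { exempt: false },
  marketing: { exempt: false },
};

class ConsentGate {
  constructor() {
    // Nothing is consented by default: a pre-ticked box is not valid consent.
    this.consent = Object.fromEntries(
      Object.keys(CATEGORIES).map((c) => [c, false])
    );
    // name -> { value, category }; stands in for document.cookie / localStorage
    this.jar = new Map();
  }

  assertCategory(category) {
    if (!(category in CATEGORIES)) {
      throw new Error(`unknown cookie category: ${category}`);
    }
  }

  // "All, some or nothing": the user grants exactly the listed categories.
  grant(categories) {
    for (const c of categories) {
      this.assertCategory(c);
      this.consent[c] = true;
    }
  }

  // Consent is withdrawable per category. Cookies already placed for that
  // category are removed, since the ground for keeping them is gone.
  // Returns the names of the removed cookies.
  withdraw(category) {
    this.assertCategory(category);
    this.consent[category] = false;
    const removed = [];
    for (const [name, entry] of this.jar) {
      if (entry.category === category) {
        this.jar.delete(name);
        removed.push(name);
      }
    }
    return removed.sort();
  }

  // Exempt categories may always be set; the others only after consent.
  canSet(category) {
    this.assertCategory(category);
    return CATEGORIES[category].exempt || this.consent[category] === true;
  }

  // Returns true if the cookie was placed, false if the gate blocked it.
  setCookie(name, category, value) {
    if (!this.canSet(category)) return false;
    this.jar.set(name, { value, category });
    return true;
  }

  cookieNames() {
    return [...this.jar.keys()].sort();
  }
}

// Walk through a typical session with constructed cookie names.
function demo() {
  const gate = new ConsentGate();
  const trace = [];
  trace.push(gate.setCookie("session_id", "necessary", "s1")); // true: exempt
  trace.push(gate.setCookie("_site_stats", "statistics", "1")); // false: no consent yet
  gate.grant(["statistics"]); // user accepts statistics only, not marketing
  trace.push(gate.setCookie("_site_stats", "statistics", "1")); // true
  trace.push(gate.setCookie("ad_id", "marketing", "x")); // false: not accepted
  const removed = gate.withdraw("statistics"); // ["_site_stats"]
  return { trace, removed, remaining: gate.cookieNames() };
}
```

The point of routing every cookie write through `setCookie` is that the category check happens in one place: a tag or script that wants to write a statistics cookie before consent simply gets `false`, and withdrawal both flips the flag and clears what was already stored, which is what "withdrawal per category" has to mean in practice.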
5. Fine & calculation
The outcome of the decision is that the litigation chamber of the BDPA handed down a fine of 15,000 EUR for infringements to data protection rules & cookie consent rules. It states in its decision that the fine takes the following elements into account:
- Duration of the infringement: multiple infringements only corrected after a second notice from the Inspection service
- Number of affected data subjects: monthly readership of 35,000 users
- Nature of the infringement: whether the organisation acted negligently or in bad faith
- Measures taken: the improvements carried out later to the website did not negate the infringements observed beforehand
- Turnover of the organisation: 1.7 million EUR during the last year
While this fine may seem limited in the light of the organisation's turnover, it is important to note that the organisation had taken steps to improve its solution, and that the nature and scope of the infringement was in practice deemed to be limited.
This decision is important as it is the first new official position on cookies published by the BDPA in several years, and it hints at the direction in which the BDPA will be heading in the coming months. While there is still the possibility of appeal, and there are other proceedings pending before the litigation chamber in relation to cookies, website administrators would do well to take heed and review their processes. Cookies are also one of the topics that the BDPA intends to look at more closely in the next few years, based on the strategic plan it published recently, which is subject to public consultation (in Dutch and in French). So when the snow has settled and the festive period is over, don't forget to check up on your cookies.