Week ending – 11/10/19
In this week's blog I have selected three articles of interest, firstly on the issue of using consent as your main legal basis for processing: an interesting case recently investigated by the Belgian Data Protection Authority, concerning a merchant requiring the use of electronic ID cards to receive a loyalty card. The second article is about cookies and mainly looks at the pre-ticked boxes currently found on some websites.
The final article is again about cookies, and the compliant use of them.
Cookies are a big topic at the moment and changes are being made to the requirements placed on organisations and their responsibilities to website visitors. Propelfwd, in conjunction with Critical.Media, is developing a cookie preference centre. This will be available shortly on a subscription basis. We will scan your site and categorise your cookies, allowing the visitor to turn them on and off. This gives total control to the visitor and provides you with the required consent logs. We will keep you informed on the progress of this development.
Propelfwd is still offering discounts to local charities to help them with their data protection compliance. We have opened our office in Ireland and are now looking into the possibility of one in the UK. Both of these will allow us to offer our clients the required Representative service in the EU and, post-Brexit, in the UK. We will keep you posted on this development.
Our re-brand has received very positive comments; people like our logo, colours and our new website. Thank you to all our clients for your support with this process.
We have provided the link to the original articles in our references down below.
Belgian Data Protection Authority Finds Merchant Violated GDPR
On September 17, 2019, the Belgian Data Protection Authority (DPA) issued a fine of EUR 10,000 for a breach of the General Data Protection Regulation (GDPR). The case related to a merchant who required the use of an electronic identity card as the sole means of obtaining a loyalty card.
The DPA found that this practice did not comply with GDPR’s standards on (a) data minimization, as the electronic identity card contains much more information about the holder than is necessary for the purposes of creating a loyalty card; and (b) consent, because customers were not offered a real choice on whether they should provide access to the data on their electronic identity card in exchange for a loyalty card. As a result, the customers’ consent was not considered as freely given and therefore invalid.
The DPA also found that the merchant had not done enough to inform customers about its data processing activities, and had thereby violated its information duties under the GDPR.
On August 28, 2018, a customer filed a complaint with the DPA concerning the merchant’s procedure for issuing loyalty cards. The merchant requires that customers first provide their electronic identity card before they can receive a loyalty card. The merchant provided no alternative means for acquiring the loyalty card.
The DPA's Inspection Service finalized its investigation on May 10, 2019, and the Dispute Chamber held proceedings on the matter from the end of May until the end of July. The Dispute Chamber issued its final decision on September 17, 2019, and the parties have 30 days to appeal.
The assessment of the Belgian DPA
The Dispute Chamber first held that the merchant’s practice for the creation of loyalty cards violates the principle of data minimization, as it entails the processing of personal data that is not relevant for the creation of a loyalty card. By reading the barcode on the electronic identity card, the merchant processed the card holder’s national registry number, gender, and date of birth, all of which the Dispute Chamber found were not necessary for the creation of a loyalty card.
The Dispute Chamber further held that the merchant violated the principle of lawfulness of processing. The Belgian law regarding the use of the electronic identification card specifically states that, unless a legal exception applies, an electronic identity card can only be read or used following the freely given, specific and informed consent of the card holder. The law further states that, where a benefit or service is offered to a citizen via his electronic identity card as part of an IT application, an alternative that does not require the use of the electronic identity card must be offered.
Because the merchant did not provide an alternative to the provision of the electronic identity card for the creation of a loyalty card, the Dispute Chamber found that the merchant has failed to obtain a valid consent for the collection of the personal data. The Dispute Chamber therefore found that the customers’ consent was not “freely given” as required under the GDPR.
Although not raised by the parties, the Dispute Chamber further investigated whether such processing could have been based on the legitimate interest of the controller. Here, it concluded that the interests of the data subject would prevail and that the balance of interests tilts in the favour of the customer. As a result, the legitimate interest of the controller could also not have been invoked as lawful basis for the processing.
Because the Dispute Chamber considered the violation of these obligations to be gross negligence with a far-reaching impact on the rights of customers, it imposed an administrative fine of EUR 10,000 on the merchant.
In addition, the Dispute Chamber found that the merchant had also not sufficiently informed customers about the transfer of data to third parties, the lawful basis for the collection of the personal data, and the retention period of the personal data. Here, however, the Dispute Chamber simply took note of these violations, along with the mitigating measures the merchant had promised to undertake.
Important take-aways / Relevance for businesses
First, the decision illustrates the DPA’s complaint handling procedure. In a fairly straightforward case, it takes the DPA just over a year to go from complaint to final decision.
Second, the decision is an insightful application of the GDPR principles in a niche area of personal data processing. More specifically, to what extent and under what conditions companies can make use of electronic identity cards of individuals.
In general, companies can use, read or record the data on the electronic identity card, both those visible to the naked eye and those that can be read with a card reader, as long as they respect the basic principles of data protection law.
There are, however, three important considerations that companies must keep in mind when using electronic identity cards:
- If a company wishes to read the identity card of an individual, it can rely only on the consent of the individual concerned as a lawful basis. As this case illustrates, companies must provide an alternative procedure in which the electronic identity card of the data subject is not read. Without such a valid alternative for individuals, consent cannot be considered freely given.
- Not all data on the identity card is free for companies to use. Specifically, the photograph of the holder of the identity card, the National Registry Number, and the digital image of the fingerprints that is on the ID (or at least will be, in the case of the digital fingerprints) may only be used if authorised to do so, or by virtue of a law, a decree or an ordinance.
- The DPA applies a very strict interpretation on the principle of data minimisation. Even if companies have acquired a valid – and freely given – consent in accordance with the GDPR, they must also consider whether the data gathered through a read-out of the identity card is relevant for the processing purposes pursued. Remarkably, the DPA not only scrutinized the use of the national registry number, but also the use of gender and birthdate, two commonly used data categories in client relationship management. This decision should urge companies to be extra vigilant when determining relevant data categories for a certain data processing purpose.
Court of Justice of the European Union Finds that Pre-Ticked Checkboxes Are Not Valid Consents under GDPR
On October 1, 2019, the Court of Justice of the European Union (CJEU) issued its final ruling in the Planet49 case (case C-673/17).
The Court made it clear that the placing and reading of tracking cookies on a user’s terminal equipment requires an active and unambiguous consent of the user. A pre-ticked checkbox does not meet these requirements and therefore does not constitute a valid consent. Also, the Court underlined that consent must be specific. In the case at hand, the act of selecting a button to participate in a promotional online lottery cannot be construed as consent of the user to the storage of cookies.
Moreover, the Court clarified that these requirements regarding the consent of the user for usage of cookies are applicable regardless of whether the information stored or consulted on the user’s device constitutes “personal data.”
Finally, the Court held that cookie consent must be “informed” as per the GDPR, which means that service providers must also provide information on the duration of the operation of cookies, as well as in relation to any third-party access to those cookies.
Planet49, an online gaming company, organized an online promotional lottery. Before participating, website users were presented with two checkboxes. The first was unchecked and solicited consent for receiving promotional materials from sponsors and partners of Planet49; participation in the lottery was possible only if at least this first checkbox was ticked. The second, pre-checked box solicited consent for the installation of cookies for advertising purposes on the terminal equipment of the website user.
The judgement of the Court
Under the e-Privacy Directive, storing information or gaining access to information already stored on a user's terminal equipment (i.e., placing and reading cookies) requires the informed consent of the user. Such consent must be interpreted in accordance with the Data Protection Directive, now the GDPR. From this, it follows that consent must be "actively given," "unambiguous," and "specific."
Because a pre-ticked checkbox does not involve active behaviour by the user, it cannot be considered unambiguous under the Data Protection Directive and the GDPR. Indeed, the Court stated that only active behaviour on the part of the data subject with a view to giving his or her consent may be considered unambiguous consent. With a pre-ticked checkbox, ambiguity remains, as a user might well have overlooked the checkbox before continuing his or her browsing session. There is also no way of verifying whether such consent was "informed."
The Court found that consent gathered through a pre-ticked box also cannot be considered specific. Consent must be tied directly to the processing of the data in question and cannot be inferred from the data subject’s wishes for other purposes. The fact that a user selects a button to participate in the promotional lottery organized by Planet49 is not by itself evidence that the user validly gave his or her consent to the storage of cookies.
The referring court did not raise the issue of whether a user's consent to the processing of personal data for advertising purposes is "freely given" when it is a prerequisite for the user's participation in a certain information society service (in the case at hand, a promotional lottery). The CJEU could therefore not rule on this question.
Important take-aways / Relevance for businesses
First, the obligation to obtain consent under the e-Privacy Directive is not limited to personal data. The requirement concerns "the storing of information" or "the gaining of access to information already stored in the terminal equipment of a subscriber or user." As stated in the Opinion of Advocate General Szpunar, this provision aims to protect the user from interference with his or her private sphere, regardless of whether or not that interference involves personal data.
Second, the e-Privacy Directive requires that a user giving his or her consent to the placing and reading of cookies has been provided with “clear and comprehensive information, in accordance with [the Data Protection Directive – now the GDPR].” The Court now clarifies that this information provided to the user must also include the duration of the operation of cookies, and whether or not third parties may have access to those cookies.
The reasoning of the court is in line with the prevailing view that cookie consent requires an active behaviour of the user.
They can be found on nearly every website: tracking and retargeting cookies, small text files that help track the surfing behaviour of visitors to and beyond one's own website. This tracking, for example, enables ad networks to target the visitor with personalised advertising for one's own or other products or services. Despite the popularity of such cookies, many companies are still unsure how to implement them in compliance with data protection regulations, in particular when and how consent has to be obtained.
In a recent and highly anticipated decision on the scope of consent requirements with respect to cookie compliance, the CJEU (Court of Justice of the European Union, C-673/17, Bundesverband der Verbraucherzentralen und Verbraucherverbände/Planet49 GmbH) clarified, inter alia, that
- consent must be obtained through active behavior (eg it cannot be obtained through the use of pre-checked boxes);
- consent requirements may also apply to the processing and storage of information that is not personal data;
- users must be provided information on cookie duration and access by third parties.
Current cookie solutions range from simple "cookie banners" (usually displayed at the top or bottom of the screen) to so-called "cookie walls" (which require the visitor to agree before accessing the website content at all). In many cases the banner or wall is displayed correctly, but the tracking and retargeting cookies are still set automatically, independently of any consent given; the banner and the actual setting of cookies are not coupled. Another common problem: website visitors are not given a free choice whether to accept or reject cookies. It also regularly happens that the visitor is not given sufficient, transparent information about the purpose(s) and means of the processing of user information through cookies.
The following points are intended to provide guidance on how to avoid pitfalls when using and implementing cookies:
1. Not all cookies are delicious.
Cookies are a common component of websites. For instance, they help to properly display website content, to efficiently use online shops and to support customer satisfaction by logging language and display preferences. Cookies are useful; some do not interfere with the privacy of the website visitor, others do.
If cookies are used on a website, one has to distinguish whether they are indispensable for the operation of the website or not (technically necessary cookies usually do not require the website visitor's consent). In addition, there may be cookies that are not strictly indispensable for the operation of the website, but which enable the person concerned to use the functionality they expect from it (i.e., expected by the user in respect of the service offered). All other cookies require the website visitor's consent.
First step: Define and classify all cookies used or meant to be used on your website.
2. Privacy by default.
When a visitor accesses your website, only those cookies may be automatically activated which are technically necessary for the operation of the website or which are expected by the visitor for the purpose of functionality. The website visitor (“data subject”) must nevertheless be informed of this in advance.
Second step: Check the correct implementation on your website and, if necessary, make adjustments. A simple check is to open the site in a fresh browser profile, leave the banner unanswered, and inspect which cookies have already been set; anything beyond the technically necessary and expected functional cookies indicates that the banner is not actually gating the cookies.
3. Information to be provided to the data subject.
Cookie banners and cookie walls are intended to inform website visitors ("data subjects") about how user information is processed through cookies while visiting a website, and may ask the visitor for consent where required. Cookie banners must not, before being clicked, hide the imprint, the link to detailed privacy information or other relevant information on the website. Detailed privacy information must be provided on every website.
Website visitors must thus be told who is processing which cookies, for which purpose, and whether this gives third parties access to user information. The processing must be explained in detail. Therefore all cookies, the respective (third-party) provider, the specific function of each cookie and its duration should be listed separately. Art. 13 GDPR also provides additional, more detailed, information requirements. A recent decision of the Austrian data protection authority supports the conclusion that website operators must present all relevant information transparently to the data subject before the actual consent is given.
Third step: Comprehensive privacy information and the lawful implementation of cookie banners/walls are essential pillars of data protection compliance. We recommend a detailed listing and description of all cookies in use.
4. Use of consent-free cookies.
If cookies are not absolutely necessary for the (technical) operation of the website, they may nevertheless be used without a website visitor’s consent in case they serve the website visitor to use the functionalities of the website that he or she expects from it. Whether this is the case must be assessed on a case-by-case basis.
There are examples of cookie implementations that could potentially be treated as consent-free: a shopping cart cookie in a web shop, used for efficiency and convenience; cookies that ensure the integrity and security of the website or serve fraud prevention.
Fourth step: We recommend examining precisely whether such consent-free cookies are present. Take sufficient time to define the cookies accurately, to demonstrate their necessity, and to reflect the interests and expectations of the website visitor.
If cookies are neither indispensable for the operation of a website nor can they be justified by the expectations of the website visitor, the consent of the respective website visitor is regularly required.
Active consent, given by clicking a button on the banner, the wall or elsewhere, is required before the respective cookies are set. The website visitor must be able to activate the cookies individually. Blanket consent, or a simple "OK" on the cookie banner with no alternative option, is not sufficient, and neither is the use of pre-checked boxes to obtain the user's consent.
We recommend the use of a professional cookie banner solution which contains the necessary text information and at the same time enables the website visitor to individually activate cookies requiring consent (opt-in).
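The four steps above, and the Planet49 requirements from the second article (active opt-in, no pre-ticked boxes, information on duration and third-party access), can be expressed as a small consent gate. The following is an added example in plain JavaScript, not code from the original post or from any product mentioned in it; the cookie names, providers, durations and the policy version identifier are constructed for illustration. It keeps every consent category off by default, refuses to infer consent for a category the visitor did not actively address, records a timestamped consent log entry together with what was disclosed, and works out which cookies may be set now and which must be cleared when consent is withdrawn:

```javascript
"use strict";

// Step 1: classify every cookie. Constructed registry for illustration only;
// these are not the cookies of any particular site.
const COOKIE_REGISTRY = [
  { name: "session_id",  category: "necessary",  provider: "first party",                  duration: "session",   purpose: "keeps the visitor signed in" },
  { name: "lang",        category: "functional", provider: "first party",                  duration: "1 year",    purpose: "remembers the chosen language" },
  { name: "cart",        category: "functional", provider: "first party",                  duration: "7 days",    purpose: "keeps the shopping cart between pages" },
  { name: "_stats_uid",  category: "analytics",  provider: "stats.example (third party)",  duration: "2 years",   purpose: "distinguishes visitors for usage statistics" },
  { name: "ad_retarget", category: "marketing",  provider: "ads.example (third party)",    duration: "13 months", purpose: "retargeting adverts on other sites" },
];

// Indispensable or expected-functionality categories need no consent; all others are opt-in.
const CONSENT_FREE = new Set(["necessary", "functional"]);
// Assumed identifier of the cookie notice text shown to the visitor, stored with each log entry.
const POLICY_VERSION = "2019-10-v1";

// Categories that require consent, in registry order.
function consentCategories() {
  return [...new Set(COOKIE_REGISTRY.map((c) => c.category))].filter((c) => !CONSENT_FREE.has(c));
}

// Step 2: privacy by default. No pre-ticked boxes: every consent category starts off.
function defaultPreferences() {
  return Object.fromEntries(consentCategories().map((c) => [c, false]));
}

// Step 3: information to show before asking. One entry per cookie with provider,
// duration and whether a third party gets access (Planet49 requirements).
function disclosure() {
  return COOKIE_REGISTRY.map((c) => ({
    name: c.name,
    category: c.category,
    provider: c.provider,
    thirdParty: c.provider.includes("third party"),
    duration: c.duration,
    purpose: c.purpose,
  }));
}

// Record an active choice made on the banner/preference centre. Unknown categories and
// non-boolean values are rejected rather than defaulted to true, and a category the
// visitor did not address is treated as refused: consent is never inferred.
function recordConsent(choices, now = new Date()) {
  const known = consentCategories();
  for (const [cat, val] of Object.entries(choices)) {
    if (!known.includes(cat)) throw new Error(`unknown consent category: ${cat}`);
    if (typeof val !== "boolean") throw new Error(`choice for ${cat} must be boolean`);
  }
  const saved = defaultPreferences();
  for (const cat of known) if (choices[cat] === true) saved[cat] = true;
  // This object is the consent log entry: when, which notice version, what was chosen,
  // and which cookies were disclosed at the time.
  return {
    timestamp: now.toISOString(),
    policyVersion: POLICY_VERSION,
    choices: saved,
    disclosed: disclosure().map((d) => d.name),
  };
}

// Step 4: cookies that may be set right now. With no record (first visit, banner not yet
// answered) only consent-free cookies are allowed; tracking scripts must not run.
function allowedCookies(record) {
  return COOKIE_REGISTRY
    .filter((c) => CONSENT_FREE.has(c.category) || (record && record.choices[c.category] === true))
    .map((c) => c.name);
}

// Cookies to delete when a visitor changes or withdraws consent.
function cookiesToClear(before, after) {
  const keep = new Set(allowedCookies(after));
  return allowedCookies(before).filter((n) => !keep.has(n));
}

// Walk-through: first visit, then the visitor ticks analytics only, then withdraws everything.
const firstVisit = allowedCookies(null);                  // ["session_id", "lang", "cart"]
const analyticsOnly = recordConsent({ analytics: true }); // marketing stays false
const withdrawn = recordConsent({});                      // everything off again
console.log(firstVisit, allowedCookies(analyticsOnly), cookiesToClear(analyticsOnly, withdrawn));
```

In a real deployment the log entry would be persisted server-side and the `allowedCookies` result used to decide which tags or scripts to load; a page that loads its analytics or ad scripts unconditionally and merely hides the banner on "OK" fails the check in step 2 regardless of how the banner looks.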