The Belgian data protection authority (BDPA) has published a decision of 17 December 2019 of its litigation chamber in a case that relates entirely to cookies and that may have an impact on the way in which website operators approach cookie consent.

It is a long decision that covers mainly five topics:

  • The jurisdiction of the BDPA itself and of its litigation chamber in particular, in relation to cookies instead of the telecom sector regulator;
  • The interplay between the concepts and provisions of the General Data Protection Regulation (GDPR) and the rules on cookies;
  • Transparency & information obligations
  • Consent-related obligations
  • Fine & calculation

The decision specifically relates to website cookies, but the relevant rules and the findings of the BDPA are technologically neutral. Any reference to «cookies» must therefore also be understood as covering e.g. HTML5 storage and similar technologies. We will not cover the point on jurisdiction because in Luxembourg it is clear that the data protection authority, the CNPD, has powers to enforce the rules on cookies that are contained in the Luxembourg ePrivacy Act of 30 May 2005.

1. Interplay between GDPR & cookie provisions

Under the GDPR, any processing of personal data must be based on an appropriate legal ground to be permitted, and Article 6 GDPR contains the list of legal grounds (additional requirements apply to the processing of special categories of personal data).

Under the cookie rules laid down e-Privacy Directive 2002/58/EC, the use of cookies requires consent, unless one of two exemptions applies:

  • the «communication» exemption: storage or access for the sole purpose of carrying out the transmission of a communication over an electronic communications network
  • the «service» exemption: storage or access as strictly necessary in order for the provider of a service (according to the e-Privacy Directive: an «information society service») explicitly requested by the subscriber or user to provide the service

In other words, the cookie rules provide for three possible legal grounds (consent and two exemptions), and the GDPR provides for legal grounds that do not always overlap neatly with those «cookie» legal grounds.

In its decision, the litigation chamber of the BDPA initially appears to suggest that the assessment of legal grounds under the cookie rules replaces the assessment of legal grounds under Art. 6 GDPR, by considering that Art. 5(3) of the ePrivacy Directive (the origin of the cookie rules) is a «lex specialis»provision that deviates from (and prevails over) Art. 6 GDPR. However, later in its decision, the litigation chamber suggests that it is more a combination (e.g. the «service» exemption under the cookie rules could be combined with «legitimate interests» as a legal ground under the GDPR).

The litigation chamber of the BDPA does state that the criterion of «necessity» («strictly necessary») in the «service» exception is to be interpreted in accordance with data protection rules (and more specifically – mutatis mutandis –in accordance with paras 23-25 of the EDPB guidelines on processing in relation to online services*).

2. Do's & don'ts of transparency / information

The decision contains various forms of criticism by the BDPA's litigation chamber of the kind of information that the relevant organisation provided to users. We have distilled this into a few do's and don'ts:

  1. Be technically accurate: Any inaccuracy in the cookie policy (e.g. a discrepancy between the text and the actual technical functioning) can be viewed as an infringement of the transparency requirements under Art. 12-13 GDPR
  2. Be consistent in terms of languages used: The cookie policy (and privacy policy) must be available in the language of the target audience (which in a Luxembourg context is a challenging question !).
  3. Adapt default cookie policies of plug-ins: If a website integrates a cookie consent plug-in, the website operator is liable for the content of the cookie policy (e.g. any default references to the California Privacy Protection Act are useless if the website is purely meant for a Belgian audience).
  4. A professional audience doesn't exempt you from transparency:Even if your audience consists mainly of lawyers, for example, the transparency obligations still apply and a «summary» privacy policy will be insufficient if it does not cover all of the information in Art. 12-13 GDPR.
  5. Identify the controller clearly:Stating «an initiative of X» does not clearly tell data subjects that X is the controller. f) Talk about consent withdrawal: Data subjects must be clearly informed of the right to withdraw consent.

Finally, a last «do» could be to test Cookiebot on your website. The BDPA's inspection service uses the third-party service Cookiebot to carry out its analysis of websites' use of cookies. If they find cookies you have failed to identify, this can be used against you, so it can be useful to first check on your own what Cookiebot's findings are. The CNPD will use without any doubt a similar tool.

We have seen this in other proceedings as well, but have certain reservations in relation to reliance on Cookiebot, in particular as regards the classification of cookies (as this classification is made by a third party, not by actual authorities, and cannot be modified by the website operator; moreover, the classification may depend on the nature of the online service itself).

3. Do's & don'ts of cookie consent

As with transparency and information, the litigation chamber's decision contains various pointers on what organisations should or should not do in relation to the manner of obtaining consent.

  1. Allow consent to be given or withdrawn per category: don't see cookie consent as «all or nothing», but as «all, some or nothing». Cookie consent (and withdrawal of consent) must therefore be possible by category of cookie (e.g. «marketing cookies»).
  2. First / second layer:The BDPA suggests that «on a second informational layer» (typically in the cookie policy) there could be consent per cookie (rather than per category). While it is not explicit on this point, the litigation chamber therefore appears to require or at least prefer seeing a form of consent per category on the first layer (i.e. within the cookie banner in practice).
  3. Consent also for first-party analytics:the law (currently) makes no difference between first-party cookies (accessible only to the website operator) & third-party cookies (accessible only to a given third party), and consent will be required for both unless they fall within a specific exemption.
  4. Analytics sometimes strictly necessary: the litigation chamber «does not exclude» that under certain cases statistical cookies must be strictly necessary for the provision of a service (and the litigation chamber explicitly refers to the example of information services), «for instance to detect navigational problems». It does not expand on this, merely stating that this is not applicable in the case at hand.
  5. Sharing aggregated information isn't exempt: the provision of aggregated information to third parties exceeds the scope of the «service» exemption.

4. Fine & calculation

The outcome of the decision is that the litigation chamber of the BDPA handed down a fine of 15,000 EUR for infringements to data protection rules & cookie consent rules.

It states in its decision that the fine takes the following elements into account:

  • Duration of the infringement: multiple infringements only corrected after a second notice from the Inspection service
  • Number of affected data subjects: monthly readership of 35,000 users
  • Negligent (or bad faith) nature of the infringement taken into account
  • Measures taken: the improvements carried out later to the website did not negate the infringements observed beforehand
  • Turnover of the organisation: 1.7 million EUR during the last year

While this fine may seem limited in the light of the organisation's turnover, it is important to note that the organisation had taken steps to improve its solution, and that the nature and scope of the infringement was in practice deemed to be limited.

In other words, if you have a larger audience or do not take steps to improve your solution, do not expect the fine to have the same amount.

Closing remarks

This decision is important as it is the first new official position on cookies published by the BDPA since several years, and it hints at the direction in which the BDPA will be headed in the coming months. While there is still the possibility of appeal, and there are other proceedings pending before the litigation chamber in relation to cookies, website administrators would do well to take heed and review their processes. It is quite likely that this enforcement of the Belgian authorities may have knock-on effect and will lead to more actions of the CNPD in this field as well.

So now that when the snow has settled and the festive period is over, don't forget to check up on your cookies.

* https://edpb.europa.eu/our-work-tools/our-documents/guidelines/ guidelines-22019-processing-personal-data-under-article-61b_fr

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.