Belgium – European Center for Digital Rights (noyb) v. Mediahuis N.V.
On 6 September 2024, the Belgian Data Protection Authority (DPA) ruled on the unlawful use of cookie banners on four Mediahuis news sites. The complaint highlighted issues such as the absence of a “reject all” option on the first banner layer and misleading button colors.
What: Administrative decision
Impactscore: 1
For who: Media sector, website developers, privacy professionals, website visitors
Key takeaways for Flanders/Belgium
The ruling directly affects four major, popular Flemish news websites —De Standaard, Gazet van Antwerpen, Het Belang van Limburg, and Het Nieuwsblad— owned by Mediahuis. Despite years of adjustment time, Mediahuis did not comply with the applicable cookie rules under the GDPR. To do so, Mediahuis should be able to rely on a legal basis for lawful processing of related personal data. For the use of non- necessary analytical cookies, this basis should always be the consent of the website user, whereby the consent must be freely given. In the present case, this proved not to be the case according to the Belgian DPA.
As a consequence of the ruling of the Litigation Chamber, visitors of these (and other) websites should benefit from improved transparency and control over their data. This decision reinforces that companies operating in the Flanders must prioritize transparent and fair handling of user data.
Summary
On 6 September 2024, the Litigation Chamber of the Belgian Data Protection Authority (BE DPA) (Gegevensbeschermingsautoriteit (GBA) / Autorité de protection des données (APD)) published its decision regarding cookie banners on four Mediahuis news websites (De Standaard, Gazet van Antwerpen, Het Belang van Limburg, Het Nieuwsblad). The complainant was represented by noyb (www.noyb.eu), the Austrian non-profit privacy rights organisation initiated by Max Schrems. The identity of the defendant is also important, given the considerable size and social reach of the media company. The decision concerns four complaints, all stemming from the same complainant, regarding the unlawful use of cookie banners on four Mediahuis websites. As the use of cookies is considered to be one of the top priorities of the BE DPA (see for example the 2023 annual report), this ruling by the Litigation Chamber fits in perfectly with the BE DPA’s focus on the correct use of cookies. Examples of good cookies can be found in the BE DPA cookie checklist.
Proceedings
Prior to the proceedings on the merits, the Litigation Chamber made a settlement proposal. This proposal was not enitrely accepted, which led the Litigation Chamber to withdraw the proposal and commence proceedings on the merits.
During the proceedings, Mediahuis questioned the representation mandate given by the complainant. Noyb has several projects related to the filing of complaints regarding cookies and cookie banners. In principle, according to the Litigation Chamber's dismissal policy, it is required to have a direct and personal interest in order to be able to file a complaint. However, under Article 80.1 GDPR, it is possible for the complainant to mandate an organisation to take over the complaint handling. In addition, Article 80.2 GDPR provides a possibility to national legislators to give organisations such as noyb their own right to complain, without requiring a direct and personal interest. However, this provision has not been transposed into Belgian law, meaning that noyb cannot file a complaint itself. Therefore, noyb, allegedly, would instruct its staff members to file complaints and then appoint themselves as representatives. In contrast to previous cases where the Litigation Chamber deemed the mandate invalid, considering it a hidden complaint by noyb, it ruled differently in this case. However, in this instance, the complainant, an intern at noyb, confirmed that they were not encouraged by noyb. As a result, the Litigation Chamber concluded that the complainant had a direct, personal interest in the data processing, and the representation was lawful under Article 80.1 GDPR.
The file is based on four combined complaints, namely:
- A ‘refuse all’ option on the first layer of the cookie banner: Analytical cookies for marketing purposes, as in this case, are not strictly necessary, which requires them to have consent as a legal basis under Article 6 of the GDPR. The data subject's consent must be free, specific, informed and unambiguous before it can serve as a legal basis for the setting of such non-strictly necessary cookies. Consent is only free when the choice between the 'refuse all' option and the 'accept all' option is equivalent, which was not the case in the current proceedings. In addition, in the current case, consent was not unambiguous, because the 'refuse all' option only appears on a later screen. As a result, the data subject was not immediately informed that they could refuse the cookies. Consequently, the BE DPA ordered that the necessary adjustments are being made by providing a 'refuse all' option on the correct layer within 45 days after the notification of the decision. A penalty of 25,000 euros per day and per non-compliant website is imposed from the 46th day that the sites are not compliant.
- Misleading button colours: The second complaint concerns a breach of the duty of propriety, which also further jeopardises the legal validity of the consent (i.e. the free nature of the consent). The duty of propriety is breached by the misleading use of colour for the cookie banners. A more striking colour is used for the ‘accept all’ button, which induces the data subject to choose the most data-processing option. The BE DPA orders Mediahuis not to use misleading button colours and imposes a penalty of 25,000 euros per day and per non-compliant website from the 46th day.
- Withdrawal of consent: At the time of filing the complaint, it was not as easy for the data subject to withdraw the consent given as it was to give consent. This was only possible after a relatively large number of clicks. Because Mediahuis had already addressed the shortcoming during the procedure, the BE DPA will only issue a reprimand for this complaint.
- Reference to legitimate interest: According to the defendant, the legal basis used for setting a cookie was either the consent of the data subject or the legitimate interest. However, the BE DPA reiterates that using different legal grounds to base a processing on, referring to an alternative legal ground (in this case, legitimate interest) if the first (in this case, consent) fails, is unlawful. If the data subject rejects the cookie, the legitimate interest should not be used as a backup legal ground. The BE DPA limited this complaint to a reprimand, stating that Mediahuis placed cookies on the basis of legitimate interest when there was no exceptional situation that justified this.
The complaints in relation to the transparency and information obligations and the exercise of the right to object were dismissed.
Conclusion
The BE DPA’s ruling on cookie banner compliance underscores, despite over six years since GDPR came into effect, persistent challenges in achieving adherence to GDPR requirements, even among major media players like Mediahuis. The misuse of cookies under the GDPR remains a widespread problem and regulators are increasingly strict, as evidenced by recent fines, such as the one imposed by the Dutch Data Protection Authority. Importantly, non-analytical cookies cannot be used without consent, and relying on multiple legal grounds for processing is not allowed. This case serves as a reminder that selecting multiple legal bases, such as switching to another legal basis when one fails, is not allowed. The decision illustrates that these rules will continue to be enforced, particularly in the areas of consent management, misleading design practices and proper legal bases for cookies.
What’s next?
Mediahuis can appeal against this decision to the Market Court within 30 days of notification, with the BE DPA as defendant.