Data Protection and Privacy
Data Protection, privacy and technology developments continued to dominate the headlines last year. In this briefing, we consider some of the most noteworthy developments of which organisations should be aware, and look at what is coming down the tracks in 2023.
The importance of fair, transparent and lawful processing has been in the spotlight as the Irish Data Protection Commission ("DPC") recently imposed three significant fines on a leading technology company for unlawful reliance on contractual necessity as a lawful basis for certain processing activities. International transfers continue to be a hot topic, as the EU Parliament, EDPB and a Committee of EU Member States review the draft EU-US Data Privacy Framework ("DPF").
In addition, the extent and scope of the right to compensation for non-material damage under Article 82 GDPR has been subject to scrutiny as a number of national court decisions concerning this matter are filtering up to the Court of Justice of the European Union ("CJEU"). All of these matters are considered in more detail in this commentary.
We also consider the CJEU decision in the case of X-Fab (Case C-453/21) which provides guidance on how to determine whether a conflict of interest could arise for an organisation's Data Protection Officer. In addition, the European Data Protection Board ("EDPB") has finalised a number of Guidelines to assist organisations to comply with their GDPR obligations including, amongst others, Guidelines on what constitutes an international transfer of data under Chapter V GDPR, and Guidelines on deceptive design patterns in social media platform interfaces.
Legislation surrounding data protection, privacy and technology continues to develop at a rapid pace. These technologies and developments present new challenges for companies and consumers alike. As a result, 2023 will undoubtedly be an exciting and busy year for all.
EDPB Cookie Banner Taskforce Publishes Report
The EDPB Cookie Banner Taskforce has published a Report, which provides guidance on how to comply with the cookie rules in the ePrivacy Directive 2002/58/EC. It discusses topical issues such as the absence of reject buttons, pre-ticked boxes, misleading banner design, and withdrawal of consent solutions.
The EDPB notes in a "disclaimer" to the Report that the positions taken by the Taskforce reflect the common denominator agreed by Supervisory Authorities in their interpretation of the applicable provisions of the ePrivacy Directive 2002/58/EC, as amended, and the GDPR when handling cookie banner complaints received from NOYB. The positions taken do not constitute stand-alone recommendations or findings to obtain a green light from a competent supervisory authority; rather, they should be read in conjunction with national laws transposing the ePrivacy Directive.
In this article we look at the key highlights of the Report.
Background
In September 2021, the EDPB set up the Cookie Banner Taskforce to coordinate the response to complaints concerning the design of cookie banners made to multiple data protection supervisory authorities by the privacy advocacy group, NOYB. The aim of the Taskforce was to promote cooperation, information sharing and best practices.
Applicable Legal Framework – ePrivacy Directive and GDPR
The Taskforce notes that the applicable legal framework for the placement of cookies is only the national law of each Member State which transposes Article 5(3) of the ePrivacy Directive, and reminds us that the GDPR's one-stop-shop mechanism does not apply in relation to cookies. However, the ePrivacy Directive's reference to consent incorporates the definition of consent under Article 4 of the GDPR and the conditions for consent set out in Article 7 GDPR. The GDPR will apply to any subsequent processing of data which takes place after storing or gaining access to information on a user's device.
Key Highlights of Report – Designing Cookie Banners
Following a coordinated review of cookie banners which were the subject of complaints to multiple supervisory authorities by NOYB, the Taskforce provided commentary on a variety of violations, as summarised below.
- No "reject" button on first layer: The majority of supervisory authorities consider that a cookie banner should contain a refuse/reject option alongside an accept option. They consider that the absence of a reject option is not in line with the requirements for valid consent, and is an infringement of the ePrivacy Directive.
- Pre-ticked Boxes: The Taskforce confirmed that pre-ticked boxes are not a valid way to obtain consent under Article 5(3) of the ePrivacy Directive.
- Link Design: The Taskforce considered deceptive “Link Design” practices, noting that some cookie banners contain a link, not a button, as an option to reject the placement of cookies. The Taskforce agreed on two non-exhaustive examples that do not lead to valid consent:
- the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ embedded in a paragraph of text in the cookie banner, in the absence of sufficient visual support to draw an average user’s attention to this alternative action;
- the only alternative action offered (other than granting consent) consists of a link behind wording such as ‘refuse’ or ‘continue without accepting’ placed outside the cookie banner where the buttons to accept cookies are presented, in the absence of sufficient visual support to draw the users’ attention to this alternative action outside the frame.
- "Deceptive Button Colours" and "Deceptive Button Contrast": The Taskforce agreed that the design of cookie banners, in terms of colour and contrast of the buttons, can mislead users and result in an unintended, and thus invalid, consent. For example, cookie banners often highlight the “accept all” button over other available options. Whilst this design choice is considered problematic, the Taskforce noted that each specific cookie banner needs to be assessed on a case-by-case basis to assess whether it is misleading.
- Legitimate interests insufficient legal basis: The Taskforce confirms that the legal basis for the placement of cookies pursuant to Article 5(3) cannot be the legitimate interests of the controller.
- Inaccurately classified essential cookies: The Taskforce recognises that the assessment of cookies to determine which ones are 'essential' raises practical difficulties. The Taskforce recalls that the Article 29 Working Party Opinion 4/2012 includes criteria to assess which cookies are essential, and that cookies allowing website owners to retain the preferences expressed by users regarding a service should be deemed essential.
- Withdrawal of consent icon: The Taskforce recommends that website owners put in place easily accessible solutions that allow users to withdraw their consent to the use of cookies at any time, for example by showing a small hovering and permanently visible icon or a link on all pages of the website that allows users to return to their privacy settings, where they can withdraw their consent.
Comment
Website operators should review their cookie banners to ensure there is nothing misleading in terms of the colour and contrast used, that the banner contains both an accept and a reject button, and that consent is as easy for users to refuse as it is for them to give. It is worth noting, as mentioned in the Report, that any unlawful placement of cookies in contravention of Article 5(3) of the ePrivacy Directive (in particular where no valid consent is obtained where required) means that any subsequent processing of the data collected cannot be compliant with the GDPR.
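As an added illustration (not code from the EDPB Report or this briefing), the following JavaScript models the consent gate implied by the Taskforce's points: optional categories start unticked, no non-essential cookie is stored until the user actively decides, rejection is a first-class outcome, and withdrawal identifies the cookies that must then be removed. The category and cookie names are constructed for the example.

```javascript
// Constructed consent-state model for a cookie banner. Cookies that only keep a
// session alive or retain preferences the user has expressed are treated as
// essential and need no consent under Article 5(3); everything else is gated.
const ESSENTIAL_CATEGORIES = new Set(['strictly-necessary', 'user-preference']);

function newConsentState() {
  // No pre-ticked boxes: every optional category starts false and undecided.
  return { decided: false, choices: { analytics: false, marketing: false } };
}

function acceptCategories(state, categories) {
  // The user actively opted in to the listed categories only.
  const choices = { ...state.choices };
  for (const c of categories) {
    if (!(c in choices)) throw new Error(`unknown category: ${c}`);
    choices[c] = true;
  }
  return { decided: true, choices };
}

function rejectAll(state) {
  // The reject button on the first layer yields a decided state in which
  // every optional category stays false.
  const entries = Object.keys(state.choices).map((c) => [c, false]);
  return { decided: true, choices: Object.fromEntries(entries) };
}

function mayStoreCookie(state, category) {
  if (ESSENTIAL_CATEGORIES.has(category)) return true;
  // Until the user has decided, optional cookies are held back entirely, so no
  // data is collected that would later lack a lawful basis under the GDPR.
  return state.decided && state.choices[category] === true;
}

function withdrawConsent(state, storedCookies) {
  // Withdrawal returns to "all optional categories refused" and lists the
  // cookies whose storage is no longer permitted and must be deleted.
  const next = rejectAll(state);
  const toDelete = storedCookies
    .filter((c) => !mayStoreCookie(next, c.category))
    .map((c) => c.name);
  return { state: next, toDelete };
}
```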