Autor: AlexEichler

One of the important questions in data privacy is, if a third party, not being the data subject, can sue controllers e.g. under competition law.

In the actual case a consumer protection association is acting against Facebook. The subject matter is on games in form of apps to be used on facebook. There is a button “play game” and below (!) that button there was a sentence saying that the ‘general information, your email address, on you, your status messages, are stored and that the app may post in the name of the data subject including the score and more’.

There is a decision by European Court of Justice (July 29th, 2019 – C-40/17) that the former data privacy directive 95/46/EU is not hindering associations to sue.

In the moment this question is discussed. Some say that GDPR is final and therefore one can only sue if it is allowed under GPDR. Others say that GDPR is open and base there argument on Art. 80 GPDR, where it is said, that claims by organizations are allowed subject to local law allowing such organizations to sue.

It is now up to the European Court of Justice to verdict if associations can also sue under GDPR (see Art. 80 sec. 1 GDPR and Art. 84 sec. 1 GDPR).

If you are using processors, as defined in Art. 28 GDPR, you need to list them in transparency information, Art. 13 section 1 lit. e GDPR. Consequentially your website privacy policy must list them, as privacy policies for websites are written along Art. 13 GDPR, provided your website is subject to GDPR as given in Art. 3 GDPR.

Processors are recipients as defined in Art. 4 Nr. 9 GDPR and therefore Art. 13 section 1 lit. e GDPR obligates you to list them. This is in line with the general principle in GDPR, that your actions as controller shall enable the individual (called ‚data subject‘ in GDPR) to use its rights, e.g. Art. 15 to Art. 22 GDPR.

If your processor is engaging another processor (and so on) you will need to list them also in your transparency information and in your privacy policy as otherwise the individual can‘t fully use its rights.

See also: page 2 bottom left DSK short paper on processing and Art. 28 GDPR (in German)

Alexander is great to work with. He is responsive, professional and full of good ideas. He has a commercial approach to everything he does, and is truly creative in how he finds legal solutions to your problems. He is extremely knowledgable and knows how to communicate this knowledge in a way that makes sense. He had an amazing insight into what it means to run an international technology company. A pure delight to work with!

In the new guideline on consent under GDPR the European Data Protection Board (EDPB) has stated that so called „cookie walls“ invalidate consent. Users can‘t freely give consent in case the content or functionality is hidden behind e.g. an overlay which only allows users to accept the use of cookies to get to the content.

EDPB sates:

Paragraph 39: „In order for consent to be freely given, access to services and functionalities must not be made conditional on the consent of a user to the storing of information, or gaining of access to information already stored, in the terminal equipment of a user (so called cookie walls).“

Paragraph 40: „… A website provider puts into place a script that will block content from being visible except for a request to accept cookies and the information about which cookies are being set and for what purposes data will be processed. There is no possibility to access the content without clicking on the “Accept cookies” button. Since the data subject is not presented with a genuine choice, its consent is not freely given. „

Paragraph 41: „This does not constitute valid consent, as the provision of the service relies on the data subject clicking the “Accept cookies” button. It is not presented with a genuine choice.“

According to EDPB this also applies to situations in scope of the e-Privacy Directive (see footnote 25 on page 11 of EDPB guideline on consent).

Consequences:
– check your websites for such cookie walls as far as they are subject to GDPR, see Art. 3 section 2 GDPR
– in case you have applied cookie walls and your website is in scope of GDPR, change cookie banner or whatever you use to a legal possible version,
– in case your website in not in scope of GDPR check the applicable law in this regard and repeat this regular, as it is to expect that other jurisdictions will develop in the same direction

Risk
If you use cookie walls and users click on e.g. „accept“ or „accept cookies“ you do not have consent and therefore your processing in this regard is not allowed (see Art. 6 sec. 1 GDPR: „Processing shall be lawful only if…“).

Competent authorities therefore can use their powers to change this situation up to „to impose a temporary or definitive limitation including a ban on processing“, see Art. 58 section 2 lit. f GDPR. Which in essence would mean your website is off the internet.

Competent authorities also could impose administrative fines under Art. 83 GDPR. We all have learned in the past two years that authorities do use this power and fines are heftier than before GDPR. As cookie walls are easily detectable by automatic software checking on websites (e.g. crawlers), and authorities for long have learned to use them, it is foreseeable that some data protection authorities in Europe will use these tools to check on websites in their jurisdiction and act.

Any person (not only users or data subjects) potentially has a right to compensation and liability under Art. 82 GDPR.

In the moment it is still debatable if warning letters or cease and desist orders by competitors are possible, the courts – at least here in Germany – do have different opinions on that in the moment. Still it seems that a slight majority of courts say that these legal instruments are possible.

November 26th the 2nd adaption of German law to GDPR was published and is therefore in act. It changes around 156 laws and adapts them to GDPR.

Official publication here.

European Court of Justice has decided October 1st, 2019 on consent requirements for cookies.

Text of the decision here.

Consequences for website providers

• All use of cookies need consent by user. More abstract: if you intend to store something on the terminal device of the user, you need consent (see point 46 of decision).
• If you want to access information already stored at users device, e.g. in cookies, you need consent (see point 62 decision)
• Do not use pre-checked checkboxes for consent under GDPR or e-commerce directive as the do not give valid consent (see point 57 decision).
• Content and form of consent needs to be in line with applicable data privacy law, see requirements by Art. 7 GDPR (see point 61 and 62 decision).
• Same applies if you want to access data stored on the user’s device, e.g. in cookies, stored either through your service or by a third party service on the device.
• These rules apply wether or not the information stored or access qualifies as personal data or not (see point 71 decision).
• You need to inform websites users on (i) the duration and (ii) if third parties have access to the information stored by your service on the end user’s device (see point 81 decision). As you know other information is also to provide.