Digital Law Up(to)date: Interesting points in a DPA decision based on a cross-border complaint relating to cookies

BE Law
EU Law

The Belgian Data Protection Authority (the "DPA") published an interesting decision of its Litigation chamber. The content of the decision (available here) is not completely new, but it provides (or recalls) some relevant elements for personal data practitioners.

Four points can be highlighted:

  1. The competence of the DPA. The DPA is competent to monitor the respect of the regulations on personal data protection, not only the GDPR. The ePrivacy Directive, which aims to complement and clarify the provisions of the GDPR, can also be monitored by the DPA with regard to personal data protection issues. The fact that another authority is the controller of the electronic communication law (the Belgian Institute for Postal Services and Telecommunications, “BIPT”) has no impact on the competence of the DPA.
  2. The use of cookies without prior information of the user. Before a cookie is placed, the Internet user must be informed. In the case, the website placed a cookie on terminal of the user without prior information because it did not yet know the language in which it should provide this information on cookie placement. Concretely, when a user connects to a website and has to choose the language and/or the country, the cookie is already placed without prior information. According to the DPA, in this circumstance, “it was therefore appropriate to display the warning of the use of the cookie in English, a widespread language commonly used by other websites, before the user's language was selected”.
  3. The respect of the principle of transparency. Firstly, a simple reference to the Privacy Policy page (or general conditions) is not sufficient to clarify what happens to personal data in cookies. The DPA relies on CNIL guidelines to state that the user must have access to a range of information before giving its consent (the identity of the data controller; the purpose of the processing; how to accept or reject the trackers; the consequences of refusing or accepting the trackers; the existence of the right to withdraw consent). Secondly, talking about “undesirable consequences” if the user decides to block strictly necessary cookies (which therefore do not require consent) is, according to the DPA, clear and transparent enough. The user is able to understand the concrete potential negative consequences on the functioning of the site. 
  4. The processing register. The DPA strongly recommends (but does not require), based on the Schrems II judgment of the CJEU, to indicate in the register the third countries to which several categories of personal data are transmitted.

This article was co-authored by Edouard Cruysmans in his capacity of Professional Support Lawyer at Stibbe.