
Celebrating Data Protection Day

Benny Bogaerts, Partner

Each year on 28 January, we celebrate Data Protection Day - when stakeholders come together to raise awareness about citizens’ rights concerning data protection and privacy. Outside Europe, today is referred to as Privacy Day.

Let’s face it: when it comes to the processing of personal data, most people are unaware of their rights, let alone whether or not their rights are being impeded. That is why today is so important and why I’d like to draw your attention to a recent judgement passed by the Belgian Data Protection Authority (DPA).

On 17 December 2019, the Belgian Data Protection Authority (DPA) imposed an administrative fine of 15.000 EUR on a company that manages a website with legal news and information.[1] The website has about 35.000 monthly visitors including many lawyers, law students and paralegals. It is the first decision that is published by the DPA regarding an online platform.

The investigation was initiated by the DPA’s inspection service, which concluded that the company had breached several provisions of the General Data Protection Regulation (GDPR) and of the ePrivacy regulation.

Here’s what the DPA’s inspection service concluded:

1. Cookie requirements

Cookies are small pieces of data that are sent from a website and stored on a visitor’s computer through his web browser. These pieces of data are used to keep track of the visitor’s online activity and to store information about the user’s website interaction.

Initially, the company’s website made use of cookies without asking for valid consent. Subsequently, the website did ask its users for consent, but it did so through a cookie banner with pre-ticked boxes. Visitors therefore needed to untick the boxes (i.e. opt out) if they wanted to disable the cookies. This practice has already been found unlawful by the European Court of Justice in the past, as it does not qualify as an ‘active consent’ (i.e. active action such as ticking the box).[2] Furthermore, there was no possibility for the data subject to easily withdraw his/her consent.

2. Information requirement

The information to be provided to the visitors of the website, i.e. where personal data is collected directly from the data subject, was found to be incomplete. Among other things, the data controller’s identity and contact information as well as the data subjects’ rights and the retention period for personal data collected by the cookies were not specified. 

3. Transparency

The information concerning the processing of personal data was not found to be adequately transparent. In practice, the company’s website is directed at Dutch and French-speaking data subjects. However, the company’s privacy policy was initially only available in English. Furthermore, the policy made reference to the privacy legislation of the USA, which does not apply to European citizens. Lastly, the policy (incorrectly) stated that IP addresses do not qualify as personal data.

The DPA has stated that the company’s website fulfills a role model function with respect to GDPR compliance, given that its main objective is providing legal news and information. With its 15.000 EUR fine, the DPA has taken a clear position that all website providers have to respect the applicable privacy (and cookie) legislation.

With data playing a huge role in our lives on a day-to-day basis, data protection is a topic we should all be concerned with – how compliant is your data?

 

Benny Bogaerts

Tim Fransen

  1. DPA Decision 17 December 2019 n° 12/2019, www.gegevensbeschermingsautoriteit.be
  2. CJEU 1 October 2019 n° C-673/17, Planet 49, www.curia.europa.eu