October GDPR Updates: Judgment and Penalty on Cookies, Proposed ePrivacy Regulations and More

CJEU holds cookie consent must be active and explicit.  The Court of Justice of the European Union (the “CJEU”) issued a decision in a case discussing companies’ use of cookies under the European General Data Protection Regulation (the “GDPR”) and the ePrivacy Directive. The CJEU held that a pre-ticked statement of users’ consent to cookies does not qualify as a proper consent mechanism under the GDPR and that the users’ consent to cookies on their device must be active and explicit. The CJEU further clarified that according to the ePrivacy Directive, explicit consent is required even where the cookies do not collect or process the users’ personal information. It also held that users must be notified of the duration of storage of the cookies on the device and whether their information will be transferred to third parties.

CLICK HERE to read the CJEU’s decision in Bundesverband der Verbraucherzentralen und Verbraucherverbände — Verbraucherzentrale Bundesverband eV v. Planet49 GmbH

Spanish privacy regulator imposes a fine for infringing cookie consent practices. The Privacy Protection Authority in Spain imposed an €18,000 fine on Vueling Airlines for violating both the GDPR and the Spanish ePrivacy law that adopted the EU ePrivacy Directive, in Vueling’s practices relating to personal data collected via cookies on its website. The company informed its website users of the cookies used through a banner. The banner stated that by continuing to view the website, the users agree to the use of cookies. The company’s privacy policy notified users that they may block the use of cookies through their browser settings. The Privacy Authority in Spain found that the practice of implicit consent instead of the explicit consent runs afoul of the GDPR. It also determined that the company should have applied a consent mechanism that allows users to choose the type of cookies they wish to consent to. 

CLICK HERE to read the Spanish Privacy Protection Authority’s decision (in Spanish). 
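The two decisions above both turn on the same implementation question: what the site may treat as consent, and what it must disclose before asking. The following is an added example, written for this summary and not code from the newsletter, the CJEU or the Spanish regulator, that shows the rejected pattern (a pre-ticked box or "continuing to browse" counts as agreement) beside a gate that only writes optional cookies after an explicit per-category choice, and that generates the storage-duration and third-party disclosures the CJEU requires. The cookie names, categories, lifetimes and vendor hosts are constructed for illustration, and the `jar` array stands in for `document.cookie` so the logic runs outside a browser.

```javascript
// Added example: explicit, per-category cookie consent gating.
// All cookie names, categories, lifetimes and vendor hosts are constructed.

const OPTIONAL_CATEGORIES = ["analytics", "marketing"];

// What the notice has to disclose per cookie: purpose category, how long it is
// stored on the device, and whether a third party receives the data.
const COOKIE_DECLARATIONS = [
  { name: "session_id", category: "necessary", maxAgeSeconds: null, thirdParty: null },
  { name: "stats_uid",  category: "analytics", maxAgeSeconds: 730 * 86400, thirdParty: "stats-vendor.example" },
  { name: "ad_profile", category: "marketing", maxAgeSeconds: 390 * 86400, thirdParty: "ads-vendor.example" },
];

// Starting state: nothing decided yet, only strictly necessary cookies allowed.
function createConsentState() {
  return { decided: false, choices: { necessary: true, analytics: false, marketing: false } };
}

// The pattern both decisions rejected, shown for contrast: a pre-ticked box or
// "continuing to browse" is treated as agreement to every category at once.
function impliedConsentFromBrowsing(state) {
  return { decided: true, choices: { necessary: true, analytics: true, marketing: true } };
}

// Explicit consent: the banner passes the user's actual clicks. Every optional
// category needs an explicit true/false; an absent answer is not consent, and
// nothing is pre-filled on the user's behalf.
function recordExplicitChoices(state, userChoices) {
  const choices = { necessary: true };
  for (const category of OPTIONAL_CATEGORIES) {
    const answer = userChoices[category];
    if (typeof answer !== "boolean") {
      throw new Error(`no explicit decision for category "${category}"`);
    }
    choices[category] = answer;
  }
  return { decided: true, choices };
}

function declarationFor(cookieName) {
  const decl = COOKIE_DECLARATIONS.find((d) => d.name === cookieName);
  if (!decl) throw new Error(`undeclared cookie "${cookieName}"`);
  return decl;
}

// A cookie may be written only if it is strictly necessary or its category was
// explicitly accepted. Before any decision, every optional cookie is blocked.
function canSetCookie(state, cookieName) {
  const decl = declarationFor(cookieName);
  if (decl.category === "necessary") return true;
  return state.decided && state.choices[decl.category] === true;
}

// `jar` stands in for document.cookie. Returns true if the cookie was written,
// false if consent for its category is missing.
function setCookie(jar, state, cookieName, value) {
  if (!canSetCookie(state, cookieName)) return false;
  const decl = declarationFor(cookieName);
  let header = `${cookieName}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=Lax`;
  if (decl.maxAgeSeconds !== null) header += `; Max-Age=${decl.maxAgeSeconds}`;
  jar.push(header);
  return true;
}

// Banner text: storage duration and third-party transfer, one line per cookie.
function noticeLines(declarations = COOKIE_DECLARATIONS) {
  return declarations.map((d) => {
    const duration = d.maxAgeSeconds === null
      ? "until the browser is closed"
      : `${Math.round(d.maxAgeSeconds / 86400)} days`;
    const recipient = d.thirdParty ? `shared with ${d.thirdParty}` : "not shared with third parties";
    return `${d.name} (${d.category}): stored ${duration}; ${recipient}`;
  });
}

// Walk through one visit: blocked before the decision, then gated by category.
function demoRun() {
  const jar = [];
  let state = createConsentState();
  setCookie(jar, state, "stats_uid", "u-123");   // blocked: no decision yet
  state = recordExplicitChoices(state, { analytics: true, marketing: false });
  setCookie(jar, state, "stats_uid", "u-123");   // written: analytics accepted
  setCookie(jar, state, "ad_profile", "p-9");    // blocked: marketing refused
  return { jar, state };
}
```

The design choice worth noting is that `recordExplicitChoices` refuses an incomplete answer rather than defaulting the missing category to "accepted"; a default in either direction would be the pre-filled choice the CJEU ruled out, and a site that wants to treat silence as refusal can do so by passing `false` from the banner's own "reject all" action.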

A new draft for the ePrivacy Regulation. The Council of the European Union (the “CEU”) released its latest draft of the proposed ePrivacy Regulation. The Regulation is intended to replace the ePrivacy Directive. It will have an extra-territorial scope similar to the GDPR’s. It will apply to the protection of information collected from end-users’ terminal equipment (for example, through the use of cookies) and to the transmission of direct marketing communications to end-users who are in the EU. The Regulation will impose consent and notification obligations on companies that use cookies to collect information about end-users in the EU. It will also require companies, among other things, to ensure that the processing is compatible with the purpose for which the data was originally collected, to implement certain safeguards such as anonymizing such data before sharing it with third parties, and to provide end-users with information about any processing activities meant to monitor the behavior of a specific end-user or to draw conclusions concerning the private life of the end-user.

CLICK HERE for the ePrivacy Regulation’s latest draft from October 4, 2019. 

EDPS investigates Microsoft for GDPR violations. Earlier this year, the European Data Protection Supervisor (EDPS) launched an investigation into the use of Microsoft products and services by EU institutions. Though the investigation is still ongoing, the EDPS released a statement this month indicating that preliminary results reveal serious concerns over the compliance of the relevant contractual terms with data protection rules and the role of Microsoft as a processor for EU institutions using its products and services. The EDPS called for a discussion on creating standard contracts that will replace the terms and conditions provided by large IT service providers such as Microsoft and ensure that these outsourcing services comply with the GDPR. 

CLICK HERE for the EDPS’s press release.  

UK Court of Appeal approves class action against Google for secretly tracking Safari users. A class action brought against Google in the UK alleges that the Internet giant secretly tracked users using an exception in Apple’s Safari browser, enabling it to collect considerable amounts of information about Safari users without their knowledge or consent. The lawsuit alleges that Google then sold that information to advertisers to present users with direct advertising. The plaintiff alleged that in doing so, Google violated the UK Data Protection Act 1998 (which was replaced by the GDPR in 2018). Although the lower court dismissed the class action in the absence of damage suffered, the Court of Appeal reversed and approved the class action. Inspired by the GDPR’s perception of data as property, the Court of Appeal held that the fact that a person’s data has been sold indicates that it has economic value. Accordingly, a person’s control over that data does have a value, and the loss of that control necessarily must also have a value.

CLICK HERE for the decision of the Court of Appeal in Richard Lloyd v. Google LLC.

EDPS offers open source software for privacy protection inspection of websites. The European Data Protection Supervisor (EDPS) has published a tool that collects evidence of personal data processing by websites, such as cookies or data requests to third parties. The collected evidence, structured in a human- and machine-readable format, allows website controllers, data protection officers, and end-users to better understand what information is transferred and stored during a visit to a website.

CLICK HERE for the EDPS’s press release.
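To make concrete what "evidence of personal data processing" from a page visit looks like, here is an added example, written for this summary and not the EDPS tool or any of its output formats. It takes the `Set-Cookie` headers observed during a visit (the sample responses, hosts, cookie names and the reference time of 4 October 2019 are all constructed), records for each cookie who set it, whether that host is a third party, how long it persists and which protection flags it carries, and emits the result as JSON that a data protection officer can archive or diff between visits. The first-party test (same host or a subdomain of it) is a simplification; a real tool would compare registrable domains against the public suffix list.

```javascript
// Added example: a minimal cookie-evidence collector for one page visit.
// Hosts, cookie names, header values and the visit time are constructed sample data.

const FIRST_PARTY_HOST = "shop.example";
const VISIT_TIME_MS = Date.UTC(2019, 9, 4); // 4 October 2019, constructed reference time

const OBSERVED_RESPONSES = [
  { url: "https://shop.example/", setCookie: [
      "session=abc123; Path=/; Secure; HttpOnly",
      "prefs=dark; Max-Age=31536000; Path=/",
    ] },
  { url: "https://static.shop.example/app.js", setCookie: [] },
  { url: "https://pixel.tracker-example.net/i.gif", setCookie: [
      "uid=7f3a; Expires=Wed, 01 Jan 2031 00:00:00 GMT; Domain=.tracker-example.net; Secure; SameSite=None",
    ] },
];

// Parse one Set-Cookie header into name, value and a lower-cased attribute map.
function parseSetCookie(header) {
  const [pair, ...attrParts] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? "" : pair.slice(eq + 1);
  const attrs = {};
  for (const part of attrParts) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Lifetime in days, or null for a session cookie. Max-Age takes precedence
// over Expires, as RFC 6265 specifies.
function lifetimeDays(attrs, nowMs) {
  if (attrs["max-age"] !== undefined) return Number(attrs["max-age"]) / 86400;
  if (attrs.expires !== undefined) {
    const t = Date.parse(attrs.expires);
    return Number.isNaN(t) ? null : (t - nowMs) / 86400000;
  }
  return null;
}

// Same host or a subdomain of the visited site counts as first party
// (simplification: no public-suffix-list comparison of registrable domains).
function isThirdParty(host, firstPartyHost) {
  return !(host === firstPartyHost || host.endsWith("." + firstPartyHost));
}

// One record per observed cookie, plus the distinct third-party hosts contacted.
function inspectVisit(responses, firstPartyHost = FIRST_PARTY_HOST, nowMs = VISIT_TIME_MS) {
  const cookies = [];
  const thirdPartyHosts = new Set();
  for (const r of responses) {
    const host = new URL(r.url).hostname;
    const thirdParty = isThirdParty(host, firstPartyHost);
    if (thirdParty) thirdPartyHosts.add(host);
    for (const h of r.setCookie) {
      const { name, attrs } = parseSetCookie(h);
      const days = lifetimeDays(attrs, nowMs);
      cookies.push({
        name,
        setBy: host,
        thirdParty,
        persistent: days !== null,
        lifetimeDays: days === null ? null : Math.round(days),
        secure: attrs.secure === true,
        httpOnly: attrs.httponly === true,
        sameSite: attrs.samesite || null,
      });
    }
  }
  return { site: firstPartyHost, cookies, thirdPartyHosts: [...thirdPartyHosts].sort() };
}

// Machine-readable output that can be stored alongside the visit.
function reportJson(responses = OBSERVED_RESPONSES) {
  return JSON.stringify(inspectVisit(responses), null, 2);
}
```

Run against the sample, the report lists a first-party session cookie with `HttpOnly`, a first-party preference cookie persisting for 365 days, and a persistent identifier set by `pixel.tracker-example.net` that lives for over eleven years; the third-party host list is exactly the evidence a controller needs to reconcile against the disclosures on its consent banner.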