Excerpt
The Belgian DPA issues a reprimand to a government agency for failing to provide website visitors with clear information and a means to refuse non-strictly necessary cookies.
Our analysis
The Inspection Service of the Belgian DPA initiated an investigation into a regional government agency for tourism, which collects personal data of Airbnb hosts through Airbnb as an intermediary. The controller's legal task of monitoring the quality of Airbnb hosts forms the legal basis for the collection of personal data. However, the Inspection Service found that the controller's interpretation of its legal obligations was too broad and that its privacy policy contained wrong and missing information, violating Article 12(1), Article 13, and Article 14 GDPR. The controller admits to having previously had issues with its privacy policy but has since resolved them. Additionally, the Inspection Service found that the website had non-strictly necessary cookies and lacked clear information on how to refuse them. The DPA confirms the violations of the privacy policy and the cookie policy but dismisses the report on non-strictly necessary cookies. The DPA also determines that the controller did not proactively involve the DPO, resulting in a breach of Article 38(1) and Article 39(1) GDPR. However, the DPA concludes that the controller can rely on legal obligation under Article 6(1)(c) GDPR to process the personal data of Airbnb hosts as the purpose is clear, necessary, and proportional.
Outcome
The DPA issued a reprimand to the controller for past breaches of GDPR, but dismissed any parts that did not constitute GDPR infractions. The DPA also clarified that it did not have the authority to impose a fine on a governmental agency.
Parties
Belgian DPA and Toerisme Vlaanderen
Case number
162/2022
Decision
Related deceptive patterns
The trick wording deceptive pattern takes advantage of user expectations and ambiguous language to mislead and deceive users. It is normal for users to scan-read when they are online, as a way to cope with the sheer volume of information they are faced with. This means they don't read and dwell on every word on every page. Trick wording usually takes advantage of the scan reading strategy, by making a piece of content look like it is saying one thing, when in fact it is saying something else that is not in the user's best interests.
Forced action involves a provider offering users something they want - but requiring them to do something in return. It may be combined with other deceptive patterns like sneaking (so users don't notice it happening) or trick wording (to make the action seem more desirable than it is). Sometimes an optional action is presented as a forced action, through the use of visual interference or trick wording. In cookie consent interfaces, forced action is sometimes carried out through "bundled consent". This involves combining multiple agreements into a single action, and making it hard or impossible for a user to selectively grant consent.
Related laws
Consent is an individual's voluntary agreement to the processing of their personal data, given after being informed of its specific purposes and conditions.
Requires personal data to be processed lawfully, fairly, and transparently.
Legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Valid consent conditions include being freely given, specific, informed, and unambiguous, and the data subject should be able to withdraw it anytime.
Requires data controllers to implement appropriate measures to ensure data protection and to demonstrate compliance with GDPR.
Mandates that data protection must be incorporated into the design of systems, and that privacy must be a default setting for all data processing activities.