Tracking cookies may only be placed if permission is given. However, this is far from always the case. According to research by Microsoft itself, cookies are also placed if users refuse to give permission. In this blog, Menno Weij, privacy and technology legal expert at BDO Netherlands, discusses a recent ruling in summary proceedings against Microsoft.
Recently, "Goliath" Microsoft in summary proceedings received a slap on the wrist from the Amsterdam Interlocutory Court in connection with the placement of tracking cookies without permission with an anonymous plaintiff ("David"). The anonymous plaintiff brought the case against 6 parties, all part of the large Microsoft group: Microsoft US, Microsoft Ireland, Microsoft Netherlands, LinkedIn Ireland, LinkedIn Netherlands and Xandr US. As previously in the Criteo case, the anonymous plaintiff is being represented by law firm AKD.
Salient: in another, recent interim relief proceedings in Breda of an anonymous plaintiff who, with the assistance of AKD, is also fighting against Criteo, the latter expressed suspicions that the plaintiff "is merely acting as a straw man in these proceedings and that the initiative for these proceedings emanates from and is financed by another, as yet unknown party with unknown interests." Criteo therefore claimed access to, among other things, the agreements this anonymous plaintiff allegedly made with third parties. The interim relief judge finds it "insufficiently determined" and dismisses Criteo's claim. Also interesting to note: the claimant's claims regarding tracking cookies are also rejected by the interim relief judge in this Breda matter.
All right, back to the case against Microsoft. The battle begins with jurisdictional defenses on the part of Microsoft. Microsoft's defenses relate, among other things, to the lack of a claim for damages. The preliminary injunction court rejects the defense as follows:
"Contrary to what the defendants have argued, it does not follow from the legislative history and case law that jurisdiction based on the 'Erfolgsort' is only at issue when an action for damages is brought. Already from the fact that the ground of jurisdiction also applies when the harmful event "may occur" in the Erfolgsort, it follows that this ground is not limited to compensation claims. Moreover, Microsoft et al.'s interpretation would have the incongruous consequence that an action to stop unlawful conduct, or to ask for a ruling as to whether such conduct is present, could not be brought before the same court as an action for payment of the resulting damage. That, among other things, is contrary to a judgment of the Court of Justice EU of October 25, 2012, as [plaintiff] rightly argued."
In this case, too, Microsoft hints at a larger, underlying interest, and thus attempts to undermine the anonymous plaintiff's compelling interest. According to Microsoft, plaintiff is ' possibly concerned with a broader than just its own interest,' because plaintiff is 'going to war against Tracking cookies and the so-called real Time Bidding system as such.' The plaintiff thereby, according to Microsoft, 'pursues an 'activist goal. But according to the preliminary injunction judge, "[this] does not take away from the fact that he has an individual interest in respecting his privacy rights." Accordingly, he may submit a dispute about this to the court for review.
Plaintiff leans on an expert report by the English company Collective Shift. This states that 27 of the 30 websites visited by the plaintiff placed and/or read cookies without permission, and as many as 24 of those sites even after his explicit refusal. According to Microsoft's own research, the numbers are substantially lower. (The plaintiff's report, by the way, is qualified by Microsoft as "hot air," according to the ruling.)
According to the preliminary injunction court, the mere placement of a tracking cookie already processes personal data, even if the cookies are not read.
Next, the question arises whether Microsoft can be considered a data controller. The court in preliminary relief proceedings is of the opinion that it can, because Microsoft "have developed the tracking cookies and may or may not make them available to the website operators, with whom they make agreements about privacy rules, among other things. They are therefore the (legal) persons who exercise influence on the relevant processing of personal data and thus participate in the determination and the purpose and means of this processing."
However, this does not apply to Microsoft Netherlands and LinkedIn Netherlands, because, according to Microsoft, they do not play any role in this. The preliminary injunction court goes along with this, dismissing all claims against these two entities.
Since Microsoft itself also acknowledges that some tracking cookies were placed without consent, the court is quick on this point. Next, the question arises on whom lies the obligation to obtain consent. The interim relief judge ruled that Microsoft cannot hide behind its partners here:
"The defendants involved cannot hide behind their partners for obtaining consent. They have contractually outsourced the obtaining of consent to its partners and that is allowed. This means that áf the partner provides information about and obtains consent to the placement of cookies, defendants do not have to do so as well. However, the defendants involved remain (also) responsible themselves as data controllers for ensuring that consent is obtained in a legally valid and lawful manner for the placement and reading of the tracking cookies, and they can also be held liable for this on the basis of Article 26 (3) AVG, regardless of what is stated in the contract with its partners."
Finally, it is considered that Microsoft has not done enough to fulfill its obligations. To this end, the preliminary injunction court reasoned as follows. If Microsoft makes tools available to its contract partners "making it impossible to place tracking cookies without permission and ensures that this actually leads to a corresponding practice," there will be no unlawful conduct.
But this is not the case according to the interim relief judge. Thus: "Defendants therefore cannot claim that they have done everything necessary, or at least everything that can be required of them, to prevent the placement of tracking cookies on [plaintiff's] devices without his consent. That this would be technically impossible has not become plausible for the time being either".
In terms of content, there is little new under the sun here. Tracking cookies are placed without consent, and even after refusal. It follows from the ruling that Microsoft itself does acknowledge this. Microsoft's litigation line seems more focused on keeping the case small, and thus undermining the interest. To no avail. So anonymous plaintiff "David" rightly wins here over "Goliath" Microsoft.
Mark Jansen notes in his blog another possible problem about the enforceability of the judgment:
"An equally interesting question is whether the judgment is factually compliant. After all, the judgment prohibits "the placing or reading of tracking cookies or other cookies requiring consent on [plaintiff's] computer and/or devices without his consent," but neither the judgment nor the operative part makes clear how plaintiff's computer and/or devices should be recognized. This raises the question of how to comply with the sentence. Should the man now start making identifying data known to the defendants (so that, paradoxically, he can be tracked not to be tracked)? Or does the judgment in fact extend to stopping tracking cookies altogether? And if so, is the latter proportionate? "
I don't see this problem myself. In the earlier Amsterdam judgment against Criteo this was not specified either, and I have not heard anything about problems in the execution of this judgment.
Plus: with no consent, tracking cookies may not be placed at all. I don't see why you would then have to identify yourself. I know our field is not always black and white, but so it seems to me at this point.
