While the General Data Protection Regulation (GDPR) is regularly discussed, both in the press and in the literature, one essential aspect of personal data processing is still not sufficiently addressed, and yet it is of major importance for companies: the issue of cookies and online advertising.
What is a cookie?
A cookie is traditionally defined as information stored on the Internet user's device by the server of the website he or she is visiting. The cookie contains several pieces of data, such as the name of the server that set it, an identifier in the form of a unique number and an expiration date.
It allows companies to track the activities and movements of Internet users browsing the website. Among other things, the information collected through the cookie can be used to profile visitors and thus to offer them personalized products or services as they browse the Internet.
However, cookies that allow a natural person to be identified, directly or indirectly, are considered to constitute a personal data processing activity within the meaning of the GDPR. As of May 25, companies must have a legal basis for processing personal data.
By default, the legal basis for the processing of personal data by means of cookies will undoubtedly be the consent of the persons concerned. However, great care must be taken to ensure that this consent meets the conditions set out in the new regulation.
Consent must therefore be given freely, specifically, in an informed manner and without ambiguity. The consent collection mechanism must be of the "positive opt-in" type: consent may not be inferred from silence, pre-checked boxes or inactivity of the individual, as is still too often the case.
This was notably the case for the sites carrefour-banque.fr and carrefour.fr, operated by the companies Carrefour Banque and Carrefour France. During checks carried out in May and July 2019 following numerous complaints, the CNIL found that when a user connected to the sites, advertising cookies were automatically set on the terminal, even before the user had given their consent. It is notably for this breach, among others, that the CNIL then ordered the companies Carrefour Banque and Carrefour France to pay a fine of 3 million euros (800 000 and 2 250 000 respectively).
In addition, the consent of the data subject must be obtained for each processing activity. Therefore, consent cannot be given generally for any processing activity.
In addition, data subjects must be able to easily withdraw their consent whenever they wish.
To remain compliant with the GDPR on this point, companies will have to choose between:
- Stopping the use of cookies;
- Determining a new legal basis for processing;
- Obtaining consent from data subjects in accordance with the GDPR.
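The positive opt-in, per-purpose consent and withdrawal requirements described above, as an added example that is not part of the original article: a minimal consent gate in JavaScript that refuses to write a cookie until its purpose has been explicitly consented to, rejects pre-checked or non-user-initiated "consent", and purges a purpose's cookies on withdrawal. The purpose names are assumed, and the jar is an in-memory Map standing in for the browser's cookie store so the logic runs without a DOM.

```javascript
// Added example, not from the article: a consent gate that only writes
// cookies after an explicit, per-purpose opt-in and removes them again on
// withdrawal. The jar is a Map standing in for document.cookie so the logic
// runs without a browser; the purpose names are assumed for illustration.
const PURPOSES = ['advertising', 'analytics'];

function createConsentGate(jar = new Map()) {
  // Nothing is consented by default: silence or inactivity is not consent.
  const consent = Object.fromEntries(PURPOSES.map((p) => [p, false]));

  return {
    // `evidence` describes how the consent was collected; only an action the
    // user initiated on an unchecked control counts as a positive opt-in.
    grant(purpose, evidence) {
      if (!PURPOSES.includes(purpose)) throw new Error(`unknown purpose: ${purpose}`);
      const ok = Boolean(evidence)
        && evidence.userInitiated === true
        && evidence.prechecked !== true;
      if (ok) consent[purpose] = true;
      return ok; // false means refused: no cookie may be set for this purpose
    },
    // Withdrawal must be as easy as granting: clear the flag and purge every
    // cookie that was set under that purpose.
    withdraw(purpose) {
      consent[purpose] = false;
      for (const [name, c] of jar) if (c.purpose === purpose) jar.delete(name);
    },
    // Every cookie is tied to one purpose and the write is refused unless that
    // purpose was consented to, which is the check the sites in the CNIL
    // finding above lacked (advertising cookies set before any consent).
    setCookie(name, value, purpose) {
      if (!consent[purpose]) return false;
      jar.set(name, { value, purpose });
      return true;
    },
    getConsent() { return { ...consent }; },
    cookies() { return [...jar.keys()]; },
  };
}
```

In a browser the same gate would wrap writes to `document.cookie` and be called only from the consent banner's click handlers.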
It is therefore clear that the consent of data subjects to data processing operations in the context of cookies will be more difficult to obtain under the GDPR.
A possible solution: “legitimate interest”
The solution to this new problem could be found in the still very unclear concept of processing personal data "for the purposes of the legitimate interests pursued by the controller". This notion could allow the data controller to dispense with the consent of the data subjects.
According to the GDPR, a legitimate interest may exist where there is "a relevant and appropriate relationship between the data subject and the controller in situations such as where the data subject is a client or in the service of the controller".
For example, processing aimed at guaranteeing the security of the network and information, or improving internal administrative management within the company, may be considered legitimate.
In addition, the GDPR expressly recognizes that processing carried out for commercial prospecting purposes may be considered as "being carried out to meet a legitimate interest", but in practice this will depend on the balancing of interests.
Indeed, this legal basis is subject to the condition that the interest pursued does not disregard the rights and interests of the persons concerned.
Thus, in order to benefit from this legal basis, companies must first weigh their own legitimate interests against the interests or fundamental rights and freedoms of the data subjects, including the harm that could result from the processing. As set out in the opinion of 9 April 2014 (Opinion 06/2014 on the concept of legitimate interest pursued by the data controller within the meaning of Article 7 of Directive 95/46/EC), the question may arise most frequently in certain contexts, such as:
- In the media or the arts, where freedom of expression or information is at stake;
- Within the framework of trade, for processing for commercial prospecting purposes;
- Within the company, regarding the monitoring of employees for security or internal management purposes;
- In general, processing for historical, scientific, statistical or research purposes.
The legitimacy of the interest pursued therefore depends on the analysis of the interests present, the nature of the processing, the probable infringements of the rights of the data subject, as well as any additional guarantees implemented by the company.
Where the interests of the data subject prevail, the company must resort to other legal bases to justify the processing of personal data, which is, most often, to obtain the prior consent of the data subjects.
Furthermore, according to Opinion 06/2014 of the "Article 29" Working Party, to be considered legitimate, the interest pursued by the company must:
- Be lawful under the law;
- Constitute a real and present interest, i.e. not a hypothetical one;
- Be formulated in sufficiently clear terms to "enable the balancing test to be applied against the interests and fundamental rights of the person concerned".
Finally, as the CNIL explains (L’intérêt légitime : comment fonder un traitement sur cette base légal ? – December 02, 2019, CNIL), the company that carries out personal data processing must also verify that it "actually achieves the objective pursued, and not, in reality, other objectives" and "ensure that there is no less privacy-intrusive way to achieve this objective".
In conclusion, although Article 6(1)(f) of the Regulation appears to be a solution to the problem of consent, legitimate interest is not so easy to implement, let alone predict. Its application in practice remains unclear, as the regulation has not really defined the concept, and case law has not yet particularly supported it.
Thus, it is advisable to remain particularly attentive to the evolution of this notion of legitimate interest as case law develops.