Filenews 27 June 2021 - by Xenia Turki
For the past three years, the General Data Protection Regulation, better known as GDPR, has been a fixture of our lives. Its introduction was a milestone for the European Union, which appears to understand the importance of personal data and has taken significant steps to protect it. One of the main impacts of GDPR is the force with which it has compelled businesses, governments, organisations and ordinary users to take privacy into account. That is why the EU's example has been followed by other countries that have introduced similar regulations.
But things are not rosy, and many businesses are looking for any kind of loophole to get around the law. Despite the clear limits that exist, countless violations of European and national cookie privacy laws are being recorded, as found by the non-profit organisation Noyb, which promotes respect for and protection of privacy.
GDPR was meant to ensure that users have complete control over their data, but being online has become a complicated and frustrating experience, Noyb argues. Annoying cookie banners appear at every step, often making it extremely complicated for a user to press anything other than the "accept" button. Companies use so-called dark patterns to persuade over 90% of users to "agree", when industry statistics show that only 3% of users actually want to give their consent.
Under European law, users must be given a clear "yes or no" option throughout their browsing of a website. As most banners do not comply with GDPR requirements, Noyb has developed software that recognises the various types of illegal cookie banners and automatically generates the corresponding complaints. The non-governmental organisation then gives companies a one-month grace period to comply with EU law before filing a formal complaint. Speaking to The Liberal, Ala Krinickytė, a Noyb researcher, explained how the organisation works and why it places so much emphasis on the protection of personal data and the enforcement of GDPR.
Noyb will use the software it has developed to ensure that up to 10,000 websites visited in Europe comply over the course of a year. If it succeeds, users should see simple and clear "yes or no" options on more and more websites in the coming months.
-Why are companies desperately trying to get us to press the accept button to accept cookies? What do they get out of it?
-Companies use cookies for a variety of reasons, for example to enable the operation of their websites or to remember users' preferences, e.g. their language, but also to allow users to be tracked online or to serve personalised ads. Obviously, for businesses, this is an easy way to get us to consent by offering us personalised ads so that we click on them and they make money. Companies have developed a whole "science" of how to motivate users in order to achieve as high an acceptance rate as possible.
-What responsibilities do companies have under the GDPR? Are they fulfilling their responsibilities?
-Companies are required to have valid GDPR consent from individuals before they set a cookie. Such consent must meet a set of requirements and above all, cannot be obtained in a sneaky way or that deceives the user. Among other things, a user must have a clear understanding of the expected consequences of such consent, the purposes for which his personal data will be collected and who will use it. In addition, GDPR gives users the right to freely decide whether to accept cookies or not. This means that companies must give the user the same option to click "ok" or "not ok", using the same design for each of these options (for example, buttons must be the same, using the same colour or font size). In the same way, even if the user accepts cookies, he must at any time be able to withdraw his consent as easily as he was to give it at the beginning.
-Why did noyb decide to deal with the compliance of banners with regard to GDPR?
-It was something that has been on our radar since day one. How companies obtain users' consent is a problematic issue, which is why we have been working since GDPR came into force to ensure that user consent is obtained in a way that does not mislead. The first time we targeted cookies was in December 2019. The project we are running now is simply a massive campaign that aims to really change how people move around and use the internet. This is a matter of great concern to the EU. Several data protection regulators in the Member States have issued guidance on this issue. At the same time, the EU Supreme Court issued a ruling on cookie banners in October 2019. Nevertheless, companies seem to be ignoring the European rules, and that is why we have decided to act to bring justice to this area.
-Why did Noyb decide to develop software that detects illegal cookie banners? What are you trying to achieve?
-To effectively address the issue of cookie banners, we have developed our own system, which is able to automatically scan websites and detect violations. Noyb's legal team checks every website at the same time as the system automatically raises a complaint about a GDPR breach. Companies caught breaking the law are sent an informal complaint via email, together with a step-by-step guide on how to change their settings and bring them into line with the law. If companies choose not to change their arrangements within a month, we file a complaint with the competent authority. This process was adopted to ensure that we cover as many websites and violations as possible.
-What are the next steps if a company doesn't comply?
-As I have already said, we notify a company of any violations. We give them a month to comply, and we can even help them with that. If they do not change the settings of their websites, we file a formal complaint with the competent authority of each Member State, which can punish a company with a large monetary fine, up to a maximum of EUR 20 million.
-What can users do to protect both their data and their privacy?
-It is very important to say that, in the main, the obligation to comply with the law weighs far more heavily on companies. Deceiving users through cookie banners is clearly a violation of the law. What users themselves need to do is to be vigilant and to use alternatives when they are available. They may have to reject cookies instead of accepting them without thinking, not press "accept all" out of convenience, and regularly clear their cookie history.
-Do you have data on Cyprus as well? Can you tell us about Cyprus? What kind of violations did you detect on Cypriot websites?
-At this stage, we cannot name specific companies that have been found to be in breach, but we have detected violations on websites belonging to entities registered in Cyprus. In all cases we found a problem with the design of the banners, which used misleading colours or graphical presentation to influence the user to click "accept all". The banners also failed to give users a real and equally strong option to reject cookies, which should normally appear in exactly the same way and at the same level, next to the accept option.
Another important breach we found on one of the websites is that it did not even ask the user to take a clear affirmative action to consent to the cookie settings, but merely stated that if the user continues to browse the site, he also consents to that arrangement, which in our view is absolutely outrageous.
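The interview describes the conditions a banner has to meet (a clear affirmative action rather than implied consent from browsing, a reject option on the same level and with the same design as accept, nothing pre-selected) and the automated scanner Noyb uses to spot banners that fail them. The following is an added illustration written for this article, not Noyb's tool, of how such checks can be expressed as code. The banner data model (`accept`, `reject`, `layer`, `optionalCategories`, `impliedConsentByBrowsing`), the choice of compared style properties and the sample banners are all assumptions constructed for the example; in a browser the button snapshots could be filled from `getComputedStyle()`, as the helper shows.

```javascript
// Added example, not Noyb's scanner: heuristic checks for the cookie-banner
// requirements described in the interview. A banner is modelled as a plain
// object so the checks run in Node without a DOM; in a browser the same
// fields can be produced by describeButton() below.

// Visual properties that should match between the accept and reject controls
// (assumed set; a real audit would compare more, e.g. size and position).
const DESIGN_PROPS = ["backgroundColor", "color", "fontSize", "fontWeight"];

// Browser-only helper (assumes a DOM): snapshot a button's computed style.
// `layer` is the banner screen the button sits on (1 = first screen shown).
function describeButton(el, layer) {
  const cs = window.getComputedStyle(el);
  const snap = { layer };
  for (const prop of DESIGN_PROPS) snap[prop] = cs[prop];
  return snap;
}

// Returns a list of findings; an empty list means no issue was detected.
// `banner.accept` is required; `reject` may be missing (itself a finding).
function checkBanner(banner) {
  const findings = [];
  const { accept, reject, impliedConsentByBrowsing, optionalCategories = [] } = banner;

  // Consent must be a clear affirmative action, not continued browsing.
  if (impliedConsentByBrowsing) {
    findings.push("consent inferred from continued browsing");
  }

  if (!reject) {
    findings.push("no reject option offered");
  } else {
    // Reject must sit at the same level as accept, not behind a "settings" link.
    if (reject.layer !== accept.layer) {
      findings.push("reject option is on a deeper layer than accept");
    }
    // Same design: every compared visual property must be identical.
    for (const prop of DESIGN_PROPS) {
      if (reject[prop] !== accept[prop]) {
        findings.push(`reject differs from accept in ${prop}`);
      }
    }
  }

  // Non-essential categories must default to off.
  for (const cat of optionalCategories) {
    if (cat.preChecked) findings.push(`optional category "${cat.name}" pre-selected`);
  }
  return findings;
}

// Constructed sample banners (not taken from any real website).
const greenButton = {
  layer: 1,
  backgroundColor: "rgb(0, 100, 0)",
  color: "rgb(255, 255, 255)",
  fontSize: "16px",
  fontWeight: "700",
};
const sampleBanners = {
  compliant: {
    impliedConsentByBrowsing: false,
    accept: { ...greenButton },
    reject: { ...greenButton },
    optionalCategories: [{ name: "marketing", preChecked: false }],
  },
  darkPattern: {
    impliedConsentByBrowsing: true,
    accept: { ...greenButton },
    // Grey, small "reject" link hidden on a second screen.
    reject: {
      layer: 2,
      backgroundColor: "rgb(255, 255, 255)",
      color: "rgb(128, 128, 128)",
      fontSize: "11px",
      fontWeight: "400",
    },
    optionalCategories: [{ name: "marketing", preChecked: true }],
  },
};

console.log("compliant:", checkBanner(sampleBanners.compliant));
console.log("dark pattern:", checkBanner(sampleBanners.darkPattern));
```

The checker only flags what the interview names; it says nothing about whether consent is actually honoured by the site's scripts, which is a separate check that needs the page's network activity, not just its banner.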
Positive result for the implementation of GDPR
May 25, 2018 marked the end of a multi-year and arduous preparation process. It also marked the beginning of a new period for personal data and internet use in Europe. GDPR modernised the laws that protect the personal data of European users. After three years, despite the progress made, the road to full privacy is still long and difficult, and implementation and enforcement of the European Regulation have been slow. Nevertheless, given everything that regulators and companies have done to understand the legislation and what it requires, GDPR has in some respects already had a rapid and lasting positive impact.
One of the main impacts of GDPR is the force with which it has compelled both businesses and other lawmakers to become aware of privacy, some for the first time in their history. The United States is one example: GDPR changed the terms of the privacy debate and drew legislative attention at both state and federal level. The same has happened in Australia, which has recently tightened its own legislation. Almost every country now deals with privacy, and some, such as Brazil, have adopted the European approach and incorporated it into their own law.
Businesses have borne the brunt of compliance, as they all, to some extent, process and manage personal data (customers, suppliers, employees, visitors, etc.). In practice, there is no business with an activity in the EU, regardless of sector and size, that is not bound by the relevant rules.
The greatest power that lawmakers get through GDPR is the ability to impose higher fines on those who break the law. This applies both to those who are within Europe and to those who are outside but also active in it. The amount of fines can be as high as €10 million or 2% of the annual revenue of an offending company or organisation, and can be doubled in the event of more significant violations.
It is estimated that more than €300 million in fines have been imposed so far, with EU regulators having issued around 650 sanction decisions against organisations and companies that break the law. According to statistics from the GDPR Enforcement Tracker Report, Cyprus is in 22nd place on the list of European countries where fines have been imposed for violations of the law, with the amounts paid totalling €114,000. According to the same source, the heaviest fines have been imposed in Italy, where the total amounts to €70 million across 77 cases of infringement of European law.
The most famous fine came from France, when the National Data Protection Commission fined Google €50m and Amazon €35m for using cookies without seeking users' approval. Next year Amazon faces an even bigger fine, as the EU's data privacy regulator has proposed imposing a $425m fine on the US company.