As part of a broadcast on the results of the European Data Protection Board (EDPB), Ulrich Kelber made a statement that is likely to lead to controversy: “A well-made and fair website does not need a cookie banner because it only uses technically necessary cookies .” In doing so, he does not ignore the fact that there are commercial websites that rely on precisely those cookies and the associated advertising business in order to finance their content.
He tells you in the press release: “But if website operators absolutely want to collect personal data, then they must not obtain consent by unfair or illegal means.” The indication that something is not allowed if it is illegal can safely be described as obvious and therefore superfluous. It should at least be mentioned that the website of the European Data Protection Board uses more than just functional cookies, and thus has a cookie banner. What is missing is an explanation of how commercial sites are supposed to make money – without third-party cookies and without having turned the entire advertising business on its head.
EDSA on dark patterns and cloud services
The EDPB meeting dealt, among other things, with the guidelines on deceptive design patterns, i.e. dark patterns that are intended to induce users to do something specific. In this case, accept third-party cookies. The resulting final report is intended to regulate uniform handling at European level. According to the Federal Commissioner for Data Protection and Freedom of Information, the results of the “Cookie Banner Task Force” and the report correspond to the “Telemedia Orientation Guide” that is already in force in Germany. This is a practical guide for cookie banners, written by the Data Protection Conference (DSK). It is actually intended as a guide, but ultimately courts decide on cookie banners or compliance with the Telemedia Act (TTDSG).
At its meeting, the European Data Protection Board otherwise mainly dealt with the area of cloud services in public institutions, as stated in the English-language press release. It has a first coordinated enforcement action given. Among other things, the use of learning software from Google and cloud services provided by the city of Helsinki was looked at. Discussions between the German data protection conference with Microsoft on the use of Microsoft 365 are also part of this.
Kelber: “My authority advises the federal government, for example, on the subject of sovereign clouds, including in the committees of the IT Council and the IT Planning Council. We emphasize again and again that, especially with a view to the difficulties of international data transfers in cloud projects, the Data protection must be taken into account from the outset.”
(emw)
