The case was related to the way an Austrian newspaper managed cookie-based consent to access its services. The user was given the choice to access the service either without paying with a legal tender in exchange of the cookie consent or to access the site with no advertising cookies but by paying a subscription fees.
While saluted as a “good news” for online marketing, this decision is actually a cause of concern.
A cookie installed on an anonymous user is not subjected to the GDPR if the owner of the website is unable to identify the individual
Firstly, if a user is anonymous, there is no GDPR relevant processing.
A cookie can help tracking users’ activity, but as soon as the owner of the website can’t identify the individual there is no processing that falls within the scope of the GDPR.
There are no danger for freedom and other fundamental rights of the individual
Secondly, even if we were talking about identified individuals the involved data are of almost insignificant danger for “freedom and fundamental rights”. Therefore – in the
balancement judgement that the GDPR requires – the scale should have favoured the
newspaper .
It is not a power of a Data Protection Authority to decide what is matter of contract law and what is not, as this is a task for the Court
Thirdly, an administrative authority cannot have the power to invade the
jurisdiction of a Court by saying what can be done and what cannot in
contractual matters.
To power to assert or limit a right – especially a fundamental right – is an exclusive prerogative of a Court and cannot, even indirectly, be hold by an authority of a lesser degree.
Conclusion
While, on a short term, this Austrian DPA decision can be pragmatically exploited to get rid of the GDPR consent provisions, on the long term it reinforces the notion that processing of personal data can actually be part of an agreement, therefore weakening its status as a fundamental right.