Unlawful Cookie Banners: Belgian DPA Allows News Outlets to Buy Themselves Free from GDPR Compliance

The Belgian Data Protection Authority (DPA) has come under fire for allowing news outlets to buy themselves free from GDPR compliance. In a questionable settlement, several Belgian news sites paid €10,000 each to the DPA, effectively freeing themselves from the duty to comply with the GDPR.

Among the news outlets involved in the settlement are major TV channels like RTL Belgium and VRT, as well as newspapers like Het Laatste Nieuws and L’Avenir. Despite previous investigations into their unlawful cookie banners, the DPA closed the cases without ordering them to fix the banners, citing the settlements as the resolution.

Critics, including data protection lawyer Felix Mikolasch from noyb, have raised concerns about the lack of proper enforcement of the GDPR in Belgium. Mikolasch stated, “It seems that in Belgium you can just pay a fee to avoid compliance with the GDPR. This is not compliant with EU law, which requires proper enforcement of the law.”

In response to the questionable settlement, noyb has filed complaints against the 15 news sites with the Belgian DPA. The complaints aim to force the news outlets to change their deceptive cookie banners to comply with the minimum requirements set by the European Data Protection Board (EDPB).

Lisa Steinfeld, a legal trainee at noyb, expressed shock at the news sites’ failure to respect basic principles for designing cookie banners despite clear requirements. Steinfeld emphasized the importance of respecting user privacy, especially for websites with a large number of visitors.

The complaints filed by noyb will require the Belgian DPA to investigate the cases once again and order the news sites to change their unlawful cookie banners. Failure to comply could result in fines of up to 4 percent of the companies’ annual turnover. The case highlights the ongoing challenges of enforcing GDPR compliance and the importance of protecting user privacy in the digital age.