Political party convicted for violating GDPR by using Google’s reCAPTCHA on its website
An Austrian political party has been convicted by the court for violating the privacy of a user by implementing Google’s reCAPTCHA on the party’s website.
A user filed a complaint against a political party for using Google reCAPTCHA on their website. He claimed that personal information, such as his IP address, was collected and shared with Google without his consent.
The data transfer occurred when visiting the page on how to become a member. By simply visiting this page, Google would learn about the visitor’s political affiliation, the complainant said.
An Austrian privacy regulator investigated the case and stated that the party had violated the complainant’s privacy by implementing reCAPTCHA and processing his IP address, certain unique identifiers, and browser data without consent.
The political party appealed the regulator’s decision, arguing that users have control over what information is collected via their operating system’s or web browser’s cookie settings. Furthermore, the party said that Google’s reCAPTCHA was implemented as a safety measure to protect the party’s website from abuse.
The Bundesverwaltungsgericht (BVwG), Austria’s Federal Administrative Court, dismissed the political party’s appeal. According to the verdict, there was no technical necessity for any of the reCAPTCHA cookies. Therefore, the user should have given his explicit consent.
In addition, even though external parties were involved in the technical implementation, the court ruled that the political party could be held accountable for the data processing on its website.
Lastly, the political party claimed it processed the personal information of its visitors for ‘legitimate interest.’ However, the court ruled that the party could not invoke ‘legitimate interest’ as a legal basis. As a result, the party had no basis for the data processing and thus violated privacy laws.
In short, the Austrian Federal Administrative Court ruled that the user’s complaint was valid, as the political party didn’t explicitly inform visitors about what data was collected via non-essential cookies. It also failed to provide users with an option to opt out of the data processing.
Therefore, the political party must revise its practices to align with GDPR standards, including implementing transparent cookie banners and adding an opt-out option. If the party refuses to do so, it could receive a fine in the future.