AEPD (Spain) - EXP202301323
AEPD - EXP202301323 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) (Spanish ePrivacy Law) |
Type: | Complaint |
Outcome: | Rejected |
Started: | 10.08.2021 |
Decided: | 15.03.2024 |
Published: | |
Fine: | n/a |
Parties: | Turner Broadcasting System España |
National Case Number/Name: | EXP202301323 |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Confirmed AEPD - Internal Appeal [1] |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA dismissed an internal appeal challenging its decision that it was not necessary for a controller to provide a reject button on its webpage, finding that the question arose under Spain’s ePrivacy Law rather than the GDPR.
English Summary
Facts
In May 2021 a data subject accessed a website that, in their view, did not offer a reject button in the first layer of the cookie banner, used a deceptive link design for certain options in the cookie banner, used colors and contrast to nudge users regarding their options in the cookie banner and did not provide for an option to withdraw consent that would be as easy to use as the option to give consent.
The data subject, represented by noyb (European Centre for Digital Rights), lodged a complaint with the Austrian DPA in August 2021. After an initial investigation the Austrian DPA forwarded the case to the Spanish DPA (AEPD) in January 2023, considering that a Spanish controller (Turner Broadcasting System España, S.L.) operated the website.
Through its own investigation of the webpage, the AEPD confirmed that the website the data subject initially visited now redirected to another one. On the redirected page, only technical or necessary cookies were used. As the website only uses necessary cookies, no option to withdraw consent was necessary. Additionally, it noted that the information in the cookie banner and the cookie policy was accurate. Consequently, in its decision the AEPD found no violation of applicable law.
The data subject filed an internal appeal focusing on three claims. First, the data subject argued that it would have been for the Austrian DPA under Article 60(8) GDPR to adopt and notify the decision (not the AEPD). Second, the data subject argued that the AEPD failed to consider the data subject’s website visit and instead decided the case based on its own interaction with the webpage. Third, the data subject claimed that upon selecting ‘accept’ on the cookie banner of the redirected website, Google Analytics cookies, which are not strictly necessary, are installed. These cookies can only be installed where valid consent has been obtained – the cookie banner, however, offered no permanently visible option to withdraw consent. Revoking consent required multiple steps, including opening the privacy policy in order to find a link within this policy to an English-language portal and sending the controller an email requesting to withdraw consent. According to the data subject this is not an easy way to withdraw consent and violates Article 7(3) GDPR.
Holding
The AEPD dismissed the appeal, concluding that only the Spanish ePrivacy Law is relevant to the case, not the GDPR.
First, the AEPD rejected the data subject’s argument that the complaint should have been heard by the Austrian DPA. The AEPD noted that the Spanish ePrivacy Law regulates information society services established in Spain. Since the controller’s headquarters and website domain were in Spanish territory, the ePrivacy Law applied and the AEPD was competent to hear the case. Further, the AEPD concluded that only the ePrivacy Law, not the GDPR, applied in this case because it was more specific to the facts at issue.
The AEPD also rejected the data subject’s second argument. It noted that the presumption of innocence protects entities from sanctions not based on prior evidentiary activity ‘on which the competent body can base a reasonable judgment of guilt.’ This presumption, the DPA reasoned, obliged it to prove the controller’s offence and guilt. The AEPD’s visit to the page was an attempt to verify the veracity of the data subject’s claims, and it was insufficient to do so.
Finally, the DPA dismissed the third argument because it was not raised in the initial claim.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/8 Procedure No.: EXP202301323 (AI/00057/2023) Replacement Appeal No. RR/00111/2024 Examined the appeal for reconsideration filed by A.A.A. through the COMMISSION EUROPEAN INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), against the resolution issued by the Director of the Spanish Agency for the Protection of Data in the procedure AI/00057/2023, for violation of the provisions of the Law 34/2002, of July 11, on Information Society Services and Commerce Electronic (LSSI) and based on the following: FACTS FIRST: On 01/25/24, the Director of the Spanish Agency for the Protection of Data issued Resolution to File Actions in procedure AI/00057/2023, open to the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.: B82320227, owner of the website https://www.canaltnt.es, for the alleged violation of article 22 of the LSSI. The resolution was notified to the EUROPEAN COMMISSION SYSTEMS OF INTERNAL MARKET EXCHANGE (IMI-Austria) on 01/29/24, as recorded on the record. SECOND: As proven facts of the aforementioned procedure, there was evidence of the following: - When trying to enter the website that is the subject of the claim, https://www.canaltnt.es, It was found that this no longer existed, redirecting the user to a new page website, https://www.warnertv.es whose owner is the entity Discovery Networks SL, with CIF B-86815560, different from the entity initially claimed, (Turner Broadcasting System España, with CIF.: B82320227). THIRD: On 02/14/24, this Agency has received a written appeal for replacement presented by the appellant, in which it stated the following: FIRST – Lack of notification by the DSB 1. On January 24, 2024, the AEPD adopted its resolution, which was notified to this part on January 29, 2024. However, according to the article 60(8) GDPR is the supervisory authority to which the claim, i.e. the DSB, who should have adopted and notified the resolution to the person interested in this case. 2. Therefore, the resolution adopted by the AEPD must be considered null of right, as provided in article 47(1)(b) LPACAP. SECOND – The AEPD did not consider the facts or the petition of the claim 3. The AEPD did not consider the specific circumstances of the visit of the website of this party, set forth in the claim in detail. In fact, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/8 It seems that the AEPD decided based on the banner that appeared on the website of the controller during your own visit. 4. However, the control authority must provide an effective response to the individual situation of the interested party, taking into account the circumstances individuals and the facts about which the claim presented by the interested. This follows from Considering 141 GDPR, from Article 77. RGPD and Article 65(3)(b) of the LOPDGDD. 5. In addition, this party requested in its complaint various measures to be adopted by the AEPD (see First Fact). The formulated petitum determines specifically requested and underlines the need for an evaluation of the individual situation of this part. In particular, the person responsible continues to try the personal data of this party unlawfully. 6. In light of the configuration of the claim ex article 77(1) GDPR that “is conceived as a mechanism capable of effectively protecting the rights and interests of the interested parties” it is beyond any doubt that the AEPD should have responded to what was requested by this party. It directly agrees with the provisions of article 88(2) LPACAP. No However, the AEPD resolution does not provide a concrete response to this petition. part. 7. Therefore, the resolution must be annulled in accordance with art 48(1) LPACAP. B. MATERIAL ASPECTS THIRD – The AEPD applies an erroneous criterion 8. As stated above, this party visited the website of the controller and, in addition to not having an equivalent option to reject the use of the cookies in the first layer of the banner (violation type A, C, D, E), checked that there was no easy possibility to withdraw consent awarded (type K violation). 9. On the other hand, in the appealed resolution the AEPD states that during its own visit the person responsible only installed strictly necessary cookies, so no It was not necessary to offer an option to reject cookies, nor an option to withdraw consent. 10. However, upon checking this part again on the website https://www.warnertv.es/, it is observed that after selecting “Accept” in the banner the cookies “_ga” and “_ga_1PMD2PL02L” from Google are installed Analytics. These are cookies that can only be installed in the case of have obtained valid consent (Annex 1). 11. Although the person responsible has implemented two equivalent options in its banner cookie, does not offer a permanently visible option that allows withdrawal of consent. At the bottom of the main page there is only one link C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/8 to the privacy policy, in which there is a link to the “Portal of request for individual rights” (in English). On this portal you can then send an email to withdraw consent. This does not represent a possibility to “revoke consent easily” and “at any time” moment” as required by article 7(3) GDPR and as provided in the AEPD in relation to the withdrawal of consent.2 12. From the above it follows that the AEPD is based on a verification which turns out to be wrong. The controller uses Google Analytics cookies that do not They are strictly necessary. However, the person responsible still does not offer a simple possibility to withdraw consent once given. 13. From what is stated in this FJ it follows that the criterion adopted in the resolution appealed is contrary to the legal system and must be annulled. By virtue of what is stated in this writing, and in accordance with the mentioned provisions, this part REQUESTS: I. That an APPEAL OF REPLACEMENT against the resolution of the Director of the Spanish Agency of Data Protection of January 24, 2024 within the framework of the procedure with file number EXP202301323, and, after admitting it, the investigative actions that are necessary, in accordance with the applicable procedural and material standards. II. That the nullity be declared of the resolution appealed for the reason stated in the legal basis first and that the continuation of the procedure. III. That, if full nullity is not declared, the appealed resolution is annulled for the reasons set out in the grounds. FOUNDATIONS OF LAW Yo Competence. The Director of the Spanish Agency is competent to resolve this appeal. of Data Protection, in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (LPACAP) and art. 43.1, second paragraph, of the LSSI. II Response to the allegations In relation to the statements made by the appellant, it is worth noting the following: First: The appellant alleges in the section “First, points 1-2”, of the FJ of his writing that the resolution should have been made by the Austrian supervisory authority, in accordance with article 60(8) RGPD and therefore, the resolution adopted by the AEPD must be considered null and void, according to article 47(1)(b) LPACAP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/8 Well, with respect to this allegation, it must be clarified that Spanish Law governs the “Principle of Regulatory Specialty”, which, in essence, refers to the fact that, There is a special standard (LSSI) and a general standard (RGPD) that regulate a concrete fact, the first prevails over the second. This principle does not mean that, in the event of application of both standards (one general rule and another special one), the first is repealed, but the simultaneous validity of both rules, although the special rule will be applied with preference to the general rule in those cases contemplated in it. Regarding the case at hand, there is such a coincidence, that is, in the Ordinance Spanish Legal System, two regulations coexist, one of a general nature such as the RGPD and another of a special nature, such as the LSSI that regulates the same facts. If we look at what Article 1 of the GDPR establishes, its purpose is the following: 1.This Regulation establishes the rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free circulation of such data. 2.This Regulation protects the fundamental rights and freedoms of natural persons and, in particular, their right to data protection personal. 3.The free circulation of personal data in the Union may not be restricted or prohibited for reasons related to the protection of natural persons with regard to the processing of personal data. While the object of the LSSI, established in its article 1, indicates that: 1. The object of this Law is the regulation of the legal regime of the services of the information society and contracting via electronic, regarding the obligations of service providers including those who act as intermediaries in the transmission of content through telecommunications networks, commercial communications via electronic, information before and after the conclusion of contracts electronic devices, the conditions relating to their validity and effectiveness and the regime sanction applicable to service providers of the society of the information. 2. The provisions contained in this Law will be understood without prejudice to the provided in other state or regional regulations outside the regulatory scope coordinated, or that have as their purpose the protection of health and safety public, including the safeguarding of national defense, the interests of the consumer, the tax regime applicable to the services of the society of the information, the protection of personal data and the regulations governing competition defense. For its part, article 2 of the aforementioned standard (LSSI) establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/8 1. This Law will apply to the service providers of the society of the information established in Spain and the services provided by them. It will be understood that a service provider is established in Spain when your residence or registered office is in Spanish territory, as long as these coincide with the place where it is actually centralized administrative management and direction of its businesses. In other case, the place where said management or direction is carried out will be taken into account. Therefore, in application of the “Principle of Regulatory Specialty”, the application of the specific standard, that is, the LSSI, on the general standard, the RGPD, by having the entity TURNER BROADCASTING SYSTEM ESPAÑA, S.L. with CIF.: B82320227, its headquarters in Spanish territory, as well as the domain of its website (.es). Regarding the jurisdiction to hear the case, article 43.1 of the LSSI, establishes the following: (…) Likewise, it will be up to the Human Rights Protection Agency Data on the imposition of sanctions for the commission of infractions classified in the articles 38.3 c), d) and i) and 38.4 d), g) and h) of this Law (…). and what is established in the articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, While article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." And the fourth additional provision of said standard establishes, with respect to the powers attributed to the AEPD by other laws, which: "The provisions of Title VIII and in its development regulations will be applicable to the procedures that the Agency Spanish Data Protection Agency had to process in exercise of its powers that were attributed to it by other laws." Therefore, since the claimed entity has its registered office in Spanish territory, it is competent to hear the claim, the Spanish Data Protection Agency, based on the provisions of 43.1 of the LSSI, article 63.2 of the LOPDGDD and Fourth additional provision of said rule to the detriment of the control authority Austrian Second: The appellant states in the section “Second, points 3-7” of the FJ of his appeal brief, in essence, that, “the AEPD did not consider the circumstances specific to the visit to the appellant's website, based solely, for the resolution of the file, in the verification that the AEPD itself made of the information banner that appears on the website, without responding to what was requested in the claim, forgetting the requests made by the appellant…” To respond to this allegation, we must start from the principle that governs all judicial or administrative procedure such as the “Principle of Presumption of Innocence”, which guarantees, in Spanish law, not to suffer a sanction that does not is based on a previous evidentiary activity on which the body competent person can base a reasonable judgment of guilt, and entails, among C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/8 other demands, that of the Administration proving and, therefore, motivating, not only the facts constituting the infringement, participation in such facts and the circumstances that constitute a graduation criterion, but also guilt that justifies the imposition of sanction (among others, SSTC 76/1990, of April 26; 14/1997, January 28; 209/1999, of November 29 and 33/2000, of November 14 February). Likewise, the STS of July 10, 2007 (rec.306/2002) specifies that it must be the administration that proves guilt because "it is not the interested party who has to prove lack of guilt." The presumption of innocence, a fundamental right of citizenship according to art 24.2 of the Spanish Constitution and art. 6.2 of the European Convention on Human Rights, It is expressly included in our regulations for the procedures administrative sanctions where among the rights of the interested party in the disciplinary administrative procedure will have the right "To the presumption of not existence of administrative responsibility until the contrary is proven." And as the STS 04/28/2016 (RC 677/2014) said: "it may mean that the right to the presumption of innocence, which applies without exception in the field of administrative sanctioning procedure, according to the Constitutional Court in ruling 66/2007, of March 27, means that "no sanction can be imposed "any that is not based on a previous lawful evidentiary activity", and implies also the recognition of the right to an administrative sanctioning procedure due or with all the guarantees, that respects the principle of contradiction and in which the alleged perpetrator has the opportunity to defend his own positions, prohibiting the initiation of disciplinary proceedings when it is appreciable unequivocally or manifests the absence of rational indications that it has been committed an infringing conduct, or in which illegality or illegality is absent. culpability" What the Public Administration cannot is raise administrative responsibility in the facts presented by the complaining party, without first verifying the veracity of the themselves. In the case at hand, this verification was based on the review of the website object of the claim (https://www.canaltnt.es), where it was verified that it no longer existed, redirecting the user to a new web page belonging to a different owner. Third: The appellant states in the section “Third.- points 8 to 13” that at check the new website https://www.warnertv.es/, it is observed that after Select “Accept” in the banner and the cookies “_ga” and “_ga_1PMD2PL02L” are installed of Google Analytics, which are not strictly necessary and that there is no possibility of withdrawing consent once given. First of all, we must mention that the website https://www.warnertv.es, to which which the appellant mentions in her appeal for reconsideration, the website was not the object of initial claim, so its analysis is not appropriate within the scope of this appeal. replacement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/8 However, having said the above, it is worth remembering that, although this new website (https://www.warnertv.es) comes up due to the fact that when trying to access the web page that was the subject of the initial claim https://www.canaltnt.es, this redirected to the user to the new page. Now, the appellant states that, on this new web page https://www.warnertv.es observes that, when the user gives consent, the website begins to use two new cookies that are not of a technical nature (“_ga” and “_ga_1PMD2PL02L”) whose domain belongs to Google Analytics, and that the possibility of withdrawing consent once given by requesting this Agency that the investigative actions that are necessary to be carried out clarify the facts you claim. Therefore, this is a new fact not mentioned in the initial claim. The The appellant cannot claim that at the appeal stage the facts that he did not express in a previous procedural phase. The LPACAP provides in its article 118 the following procedural rule: “No account in the resolution of the resources, facts, documents or allegations of the appellant, when, having been able to provide them in the processing of allegations, he does not I've done. Nor may the taking of evidence be requested when the lack of realization in the procedure in which the appealed resolution was issued outside attributable to the interested party.” This standard contains a rule that is nothing more than the positive concretion for the common administrative sphere of the general principle that the The law does not protect the abuse of rights (article 7.2 of the Civil Code). This principle Its purpose, among others, is to prevent the processing of allegations from being useless and evidence of the application procedures, as would result if the interested parties could choose, at their discretion, the moment at which to present evidence and allegations, since this would be contrary to an elementary procedural order. All of this, without prejudice to the possibility of submitting a new claim if you consider that such events violate regulations that confer powers on the Spanish Agency of Data Protection. III Conclusion Consequently, in the present appeal for reconsideration, the appellant has not provided new facts or legal arguments that allow reconsideration of the validity of the contested resolution. Considering the aforementioned precepts and others of general application, the Director of the Agency Spanish Data Protection RESOLVES: FIRST: DISMISS the appeal for reconsideration filed by A.A.A., through THE EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI- Austria), against the archiving resolution issued by the Director of the Agency Spanish Data Protection Agency on 01/25/24, in procedure AI/00057/2023, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/8 SECOND: NOTIFY this resolution to A.A.A. and to the EUROPEAN COMMISSION INTERNAL MARKET EXCHANGE SYSTEMS (IMI-Austria), in accordance with the art. 77.2 of the GDPR. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative route, it may be filed in the period of two months counting from the day following the notification of this act as provided in article 46.1 of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provided in article 25 and in section 5 of the fourth additional provision of the referred legal text. Sea Spain Martí Director of the Spanish Data Protection Agency. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es