AEPD - PS/00299/2019

From GDPRhub
AEPD - PS/00299/2019
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 7 GDPR
Article 13 GDPR
22(2) of Spanish Law on Information Society Services (LSSI)
Type: Complaint
Outcome: Upheld
Decided: n/a
Published: 09.06.2020 [[Category:]]
Fine: 30.000 EUR
Parties: Twitter International Company (Twitter Spain, S.L.)
National Case Number/Name: PS/00299/2019
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD decision (in ES)
Initial Contributor: Miguel Garrido de Vega

9 June 2020 - The Spanish Data Protection Agency (AEPD) decided to impose a fine up to 30,000 € on Twitter International Company (Twitter Spain, S.L.) for the infringement of its information duties related to cookies, as per Article 22(2) of the Spanish Law on Information Society Services (LSSI) —this is the Spanish law regulating cookies, connected to Article 13 of the GDPR.

English Summary[edit | edit source]

Facts[edit | edit source]

The decision is the consequence of a complaint submitted by a Spanish citizen stating that Twitter (i) provides inadequate information about the cookies it uses, and that affects users and non-users of the social network, that (ii) does not clearly identify all uses and partners of Twitter that could use information obtained from the cookies, and (iii) uses cookies that are directly loaded without action any by the person accessing the home page.

Dispute[edit | edit source]

The defendant did not answer to any AEPD investigation requests, so the AEPD started the corresponding sanction procedure. During its investigations, the AEPD discovered that (i) the Twitter website loads cookies on the browser automatically, and without any kind of action by the user, that (ii) the cookies banner only refers that "as long as you use Twitter, you accept our cookies policy", but it does not include any kind of link to a second layer of information in order to avoid cookies nor in order to customize the cookies settings, and that (iii) although there is link at the bottom of the home page (but outside the banner) with the title "Cookies" that redirects to the cookies policy, and that it includes some methods in order to control or refuse cookies through the different browsers, there is no possibility to do it granularly.

Holding[edit | edit source]

Thus, the AEPD understood that Twitter has infringed its information duties in relation to cookies as per Article 22(2) LSSI, according to which, digital services providers may use data storage and retrieval devices on computers terminals of the recipients, provided that such recipients have given their consent after they have been provided with clear and complete information on their use and, in particular, on the purposes of data processing according to the data protection laws. Consequently, after considering some aggravating circumstances [(i) the existence of intentionality, (ii) the period of time Twitter has been infringing its duties taking into account that the claim is dated May 2018, (iii) nature and volume of damages caused as more than four millions of users are registered in Spain, (iv) the advantages obtained by Twitter with such infringement, and (v) the sales volume of Twitter], the AEPD decided to impose a fine of 30,000 € to Twitter.

Comment[edit | edit source]

3 July 2020 - After the holding above, the claimant submitted an internal administrative appeal ("recurso de reposición") stating that, prior to this claim, he/she had also submitted another claim against the defendant (dated 5 July 2017) reporting that the privacy policy of Twitter had some weaknesses, but such "primary" claim was filed because the resolution period by the AEPD expired. This internal administrative appeal was denied for formal reasons in 31 July 2020: the AEPD understood that the appellant is not discussing the substance of this case (PS/00299/2019), but requiring the AEPD to solve another claim he/she had previously submitted.

Further Resources[edit | edit source]

Share blogs or news articles here!

English Machine Translation of the Decision[edit | edit source]

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

 Procedure No.: PS / 00299/2019938-051119RESOLUTION OF PENALTY PROCEDUREIn the sanctioning procedure PS / 00299/2019, instructed by the Spanish Agency ofData Protection, to the entity TWITTER INTERNATIONAL COMPANY (TWITTERSPAIN, SL), with CIF. B86672318, owner of the website: www.twitter.com , (in addition tolante "the entity claimed"), for alleged violation of Law 34/2002, of July 11,of information society services and electronic commerce (LSSI), and inbased on the following,BACKGROUNDFIRST: dated 05/04/18, DAAA , (hereinafter, “the claimant”), presented this-crito before the Spanish Agency for Data Protection, in which, among others, denounce-ciaba:“The Twitter network provides inadequate information about the cookies it uses, whatthat affects users and non-users of the social network. Twitter does not identify withclarity all uses and partners of Twitter that could use this informationof cookies. There are also cookies that are loaded directly, without ac-any action on the part of the person accessing the home page ”.SECOND: On 04/10/18 and 06/13/19, by the Inspection Services of theSpanish Agency for Data Protection, investigative procedures are carried out, te-being aware of the following:a) .- By accessing the website www.twitter.com , (welcome page), and without having madeOnce any type of action has been taken, it is verified that they are automatically stored in thebrowser, the following cookies:cookiepermanentUse_ga2 yearsIt is associated with Google Universal Analytics, which is a major update to theAnalysis service most commonly used by Google. This cookie is used to dis-Take unique users by assigning a randomly generated number as an identifier.client client. It is included in every page request on a site and is used to cal-Calculate visitor, session and campaign data for site analysis reports.uncles. . The main purpose of this cookie is: Performance._gat1 minuteThis cookie name is associated with Google Universal Analytics, in accordance withdocumentation that is used to regulate the application fee, which limits the collectiontion of data in high traffic sites. It expires after 10 minutes. The main purpose ofThis cookie is: Performance._gid1 dayThis cookie name is associated with Google Universal Analytics. This seems to bea new cookie and since spring 2017 there is no information available aboutGoogle. It seems to store and update a unique value for each page visited. Pro-main purpose of this cookie is: Performance._twitter_sessIt expires onsignaling theZionThis cookie allows website visitors to use related functionswith Twitter from the page they visit. The main purpose of this cookie is: Functions-nality.Ct06 hoursThere is no general information about this cookie based solely on its name yet. Themain purpose of this cookie is: Unknown.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 2
2/6Guest_id2 yearsThis cookie is set by Twitter to identify and track the site visitorWeb. The main purpose of this cookie is: targeting / advertising.Personalization_id2 yearsThis cookie carries information about how the end user uses the website andAny advertising that the end user has seen before visiting said website. Themain purpose of this cookie is: targeting / advertising.b) .- On that first page (first layer), the banner about cookies is as follows:“By using Twitter services, you accept our cookie policy. Twitter andits partners operate globally and use cookies for analysis, customization,tion and announcements among other things ”.There is no type of link, within the previous banner, that enables the rejection of thecookies or redirect to a second layer for the management and configuration ofcookies.c) .- In order to manage the cookie policy, there is a link at the bottom of thehome page, with the title of "cookies", but outside the banner indicated in the pointprevious. By clicking on this link, you access the cookie policy, where you can informmore than:- What are cookies, pixels and local storage.- Why and where do they use these technologies.- What are the privacy options. Several options are indicatedTo control or limit the use of cookies:-To control whether Twitter will store information about other websites onyou've seen Twitter content, adjust the Register where you see settingTwitter content on the web in Personalization and data settings.If you have this setting disabled, or if you are in the European Union-pea or in one of the member states of the European Free AssociationCommerce, Twitter will not store or use visits to these web pages toimprove your experience in the future. If we previously stored your historyweb browsing, your experience can continue to be personalized on thebased on the information that was already inferred from said history.-If you don't want Twitter to show you interest-based ads inside orOutside of Twitter, there are several ways to disable this feature: In your settings,ration of Twitter, go to the Personalization and data settings and modify the optionPersonalize ads. From the web, you can visit theDigital Advertising Alliance consumer preferences at optout.a-boutads.info to disable interest-based Twitter adsin your current browser.-If you don't want Twitter to show you interest-based ads on theTwitter application for iOS on your current mobile device, activate the option"Limit ad tracking" in your iOS phone settings.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 3
3/6-If you don't want Twitter to show you interest-based ads on theTwitter application for Android on your current mobile device, activate the optiontion “Disable ad personalization” on your Android phone.-To control personalization on all devices on Twitter, go toPersonalization data settings and modify Personalize settingson all your devices. This setting determines whether we can link youryou have other browsers or devices different from the ones you use tolog in to Twitter (or, if you didn't log in, if we can link thebrowser you are using with other browsers or devices).-If you want to control the segmented ads based on the interests thatyou get from certain external advertising partners, you can get moreinformation on how to stop receiving this type of ads on optout.abou-tads.info and at www.networkadvertising.org/choices. If you are in the web version,You can also disable Google Analytics if you install the plugindisabling for Google browsers, and you can cancel the serviceGoogle interest-based ads by setting adsGoogle companies.-To control cookies, you can modify your settings in mostweb browsers to accept or reject cookies, or to request yourauthorization every time a website tries to set a cookie. Even ifCookies are not necessary in some parts of our services, it is possible toTwitter and Periscope may not work properly if you disable them forfull. For example, you will not be able to log in to twitter.com or pscp.tv ifYou deactivated the use of cookies completely.THIRD: On 09/13/19, the Director of the Spanish Agency for the Protection ofData agreed to initiate sanctioning procedure against the claimed entity, underof the powers established in article 43.1 of Law 34/2002, of July 11,Information Society Services and Electronic Commerce (LSSI), for infractionstion of article 22.2. of the aforementioned rule, setting an initial penalty of 30,000 euros(thirty thousand euros), without prejudice to what will result in the course of theprocess.FOURTH On 09/24/19, the opening of the file was notified to the entity claimingMada, who has not submitted to this Agency, any brief or allegation, within thethe period granted for this purpose.PROVEN FACTSFrom the information and documentation obtained from the website www.twitter.com , it has beencould check the following:1.- When accessing the website and without having carried out any other type of action,They launch various cookies in the browser, including some of unknown type and others ofadvertising.2º.- The message that appears in the first layer only indicates “When using theTwitter users, you accept our cookie policy. Twitter and its partners operate at theglobal and use cookies for analysis, personalization and announcements among other things ”,There is no message or link that enables the rejection or configuration of thethemselves.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 4
4/63º.- However, there are, at the bottom of the page, several links, includingFind one with the title of "cookies". Through this link you access the page of“Cookie policy”, where cookies are reported and how to manage them is indicatedthrough the configuration in the different browsers, not offering the possibilityto reject cookies or manage them in a granular way.FUNDAMENTALS OF LAWIIn accordance with the provisions of art. 43.1, second paragraph, of the LSSI,is competent to initiate and resolve this Sanctioning Procedure, the Director ofthe Spanish Data Protection Agency.IIIn the present case, if the website www.twitter.com is accessed , and without having madeAfter no other type of action, it has been verified that cookies are not necessary.arias. In addition, the message that is edited to warn about cookies only indicatesca that "if you continue browsing you accept the use of cookies" but no information is giventraining on how to reject cookies or how to manage them in a granular way.If there is a link at the bottom of the page with the title of "cookies", throughfrom which the cookies policy is accessed (second layer), but also in this layerthe action of rejecting cookies or doing it in a granular way is possible. The page-na is limited to informing how to configure the different browsers for managingthe cookies.IIIThe exposed facts suppose, on the part of the entity claimed, the commission of theinfringement of article 22.2 of the LSSI, according to which: “The service providersmay use data storage and recovery devices on computersterminals of the recipients, provided that they have given their consentafter they have been provided with clear and complete information about theiruse, in particular, for the purposes of data processing, in accordance with theprovided in Organic Law 15/1999, of December 13, on the protection of data frompersonal character.When technically possible and effective, the recipient's consent toAccepting the data processing may be facilitated by using the parametersbrowser or other applications.The above will not prevent possible storage or technical access to the solopurpose of transmitting a communication over a communication networkelectronic or, to the extent strictly necessary, for the provision ofan information society service expressly requested by the recipient-River.This Infringement is classified as mild in article 38.4 g) of the aforementioned Law, whichconsiders as such: “Use data storage and recovery deviceswhen the information has not been provided or the consent of the destination has been obtainedcustomer of the service in the terms required by article 22.2. ”, and may be sanctionednothing with a fine of up to € 30,000, in accordance with article 39 of the aforementioned LSSI.C / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 5
5/6IIIAfter the evidence obtained in the preliminary investigation phase, and without prejudice toWhatever results from the instruction, it is considered that the sanction should be graduatedner in the amount of 30,000 euros in accordance with the following criteria established byce the art. 40 of the LSSI:- The existence of intentionality, an expression to be interpreted asequivalent to the degree of guilt according to the Hearing Judgmentcia Nacional of 12/11/2007 relapse in Resource no. 351/2006, correspondinggiving the denounced entity the determination of a obtaining systeminformed consent that is in accordance with the LSSI mandate.- Period of time during which the offense has been committed, as it is theclaim of May 2018, (section b).- The nature and amount of the damage caused, in relation to the volumeof users affected by the infringement, having currently more than 4 mi-llones of profiles registered in Spain, (section d).- The benefits obtained for the infringement, in relation to the volume of user-rivers affected by the offense (section e).- Billing volume affected by the infraction committed, (section f).Having seen the aforementioned precepts and others of general application, the Director of the AgencySpanish Data ProtectionRESOLVESFIRST: TO IMPOSE the entity TWITTER INTERNATIONAL COMPANY (TWITTERSPAIN, SL), with CIF. B86672318, owner of the website: www.twitter.com , a san-tion of 30,000 euros (thirty thousand euros), for violation of article 22.2) of the LawLSSI, typified as “slight” in article 38.4.g) of the aforementioned Law.SECOND: REQUIRING the entity TWITTER INTERNATIONAL COMPANY (TWI-TTER SPAIN, SL), so that, within a month from this act of notification,proceed to take the appropriate measures to adapt your website to what is stipulatedin article 22.2 of the LSSI, for which you can follow the public recommendations-You give, by this AEPD, in its "Guide on Use of Cookies", November 2019.THIRD: NOTIFY this resolution to the entity TWITTER INTERNATIO-NAL COMPANY (TWITTER SPAIN, SL). and, and INFORM the claimant about theresult of the claim.Warn the sanctioned that the imposed sanction must be effective once it isexecutive this resolution, in accordance with the provisions of article 98.1.b)of law 39/2015, of October 1, of the Common Administrative Procedure of the Ad-Public ministries (LPACAP), in the period of voluntary payment indicated in the article68 of the General Collection Regulation, approved by Royal Decree 939/2005,of July 29, in relation to art. 62 of Law 58/2003, of December 17, me-by entering the restricted account no. ES00 0000 0000 0000 0000 0000 , openedC / Jorge Juan, 6www.aepd.es28001 - Madridsedeagpd.gob.es
Page 6
6/6on behalf of the Spanish Agency for Data Protection at Banco CAIXABANK,SA or otherwise, will be collected in the executive period.Notification received and once executive, if the date of enforcement is foundBetween the 1st and 15th of each month, both inclusive, the deadline for making the vo-luntary will be until the 20th of the following month or immediately the next business day, and ifbetween the 16th and last day of each month, both inclusive, the payment termIt will be until the 5th of the second month following or immediately following business.In accordance with the provisions of article 82 of Law 62/2003, of December 30,On fiscal, administrative and social order measures, this Resolution iswill make public, once the interested parties have been notified. The publication is made-will be in accordance with the provisions of Instruction 1/2004, of December 22, of the AgencyData Protection Law on the publication of its Resolutions.Against this resolution, which ends the administrative route, and in accordance with theestablished in articles 112 and 123 of the LPACAP, the interested parties may interpo-ner, optionally, appeal for reversal to the Director of the Spanish Agencyof Data Protection within a month from the day after the notificationfication of this resolution, or, directly administrative contentious appeal before theContentious-administrative Chamber of the National Court, in accordance with the provisionsset forth in article 25 and in section 5 of the fourth additional provision of the Law29/1998, of 07/13, regulator of the Contentious-Administrative Jurisdiction, in thetwo months from the day after notification of this act, according tothe provisions of article 46.1 of the aforementioned legal text.Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,may provisionally suspend the final resolution in administrative proceedings if the interested-do express your intention to file a contentious-administrative appeal. Of beingIn this case, the interested party must formally communicate this fact in writing.addressed to the Spanish Agency for Data Protection, presenting it through the Re-Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronicaweb/], orthrough any of the remaining records provided in art. 16.4 of the aforementioned Law39/2015, of October 1. You must also transfer the documentation to the Agencythat proves the effective filing of the contentious-administrative appeal. If theAgency had no knowledge of the filing of the contentious-administrative appealtreatable within two months from the day following notification of thisresolution, would terminate the precautionary suspension.

Mar España Martí
Director of the Spanish Agency for Data Protection