Who: Agencia Española de Protección de Datos, Navas Joyeros Importadores, S.L. and Privilegia Luxury Experience, S.L.
Where: Spain
When: 14 January 2014
Law stated as at: 6 February 2014
What happened:
On 14 January 2014 the Spanish Data Protection Authority “Agencia Española de Protección de Datos” (Spanish DPA) became the first data protection authority in Europe to issue fines for breach of EU cookie laws.
Two jewellery companies were fined a total of €5,000. Navas Joyeros was fined €1,500 for an infringement of Article 5.1-2 of the Spanish Data Protection Act and €3,000 for breach of Article 22.2 of the Spanish E-commerce Act as per the cookie regime.
Privilegia Luxury Experience received a €500 fine, also on grounds of a breach of Article 22.2 of the Spanish E-commerce Act.
The proceedings were based on a user’s complaint filed in 2012 relating, among other things, to an alleged failure to comply with the duty to inform about, and collect consent for, the use of cookies on their websites.
And indeed, back in 2012 neither company had provided any cookie usage policy on its website. In their defence, the complaint came quite early after implementation of cookie laws in Spain. However, it must be borne in mind that in the period right after the cookie regime implementation the Spanish DPA granted an “informal” period of time for service providers to implement the necessary modifications into their websites.
Delay in launching investigation whilst compliance guidelines drawn up
This might explain why the Spanish DPA did not start its penalty proceeding until July 2013. Before this, the Spanish DPA and the relevant sector stakeholders had been discussing how the cookie regime should be applied in Spain. Following these consultations, in March 2013, the Spanish DPA published its guidelines on how to comply with Spanish cookie regulations. These took into account the different approaches adopted by other DPAs in Europe as well as by the industry.
At first glance the fines might seem quite moderate considering that the Spanish DPA has the power to impose fines of up to €30,000 for even minor infractions and up to €150,000 for serious breaches related to the cookie regime. But both fines must be analysed in the light of the early stage of the cookie regime implementation in Spain at which the infringements happened. Moreover, both companies subject to the proceedings apparently cooperated and took steps to comply after the complaint was filed.
Why this matters:
The case is probably the first EU cookie law enforcement action involving fines. It shows that any grace period following the implementation of Directive 2009/136/EC is well and truly over. Considering the early stage of cookie regulation in Spain at which the investigation began, the case also proves that once their guidelines were in place, the Spanish authorities took the enforcement of the cookie regulations seriously.
Another point to be made on the matter is based on the fact that the Spanish DPA is actually fining Navas Joyeros both on grounds of Article 22.2 of the Spanish E-commerce Act and Article 5 of the Spanish Data Protection Act.
The Spanish E-commerce Act does not empower, as of today, the Spanish DPA to impose fines specifically for failure to obtain consent for the installation and use of cookies (the infringement would only be related to the failure to inform about the installation and use of cookies).
However, it should be emphasized that the penalty imposed for the infringement of the Spanish Data Protection Act does not seem to be directly related to the duty to inform about the actual installation of cookies. In any case, further decisions of the Spanish DPA should be awaited in order to fully confirm that an infringement of the cookie regime does not necessarily imply an infringement of the Spanish Data Protection Act insofar as it refers to the compulsory provision of information and the subsequent collection of consent.
Before this case, fines for failing to comply with the obligation to obtain express consent for the sending of commercial communications have normally been based only on Article 21 of the Spanish E-commerce Act, and are not necessarily “complemented” by Article 6 of the Spanish Data Protection Act, which regulates the obligation of collecting consent for the processing of personal data.
But for how long?
This situation may not continue for long, however, because the upcoming enactment of the new Spanish General Telecommunications Act should correct the flaw in the E-Commerce Act by introducing changes to the cookie regime which will finally implement Directive 2009/136/EC completely.
This will widen the range of tools that the Spanish DPA has at hand to enforce the cookie regime and, therefore, companies will see themselves being pursued on grounds which could not be used in the past.
Overall, it can therefore be concluded that it remains to be seen whether the Spanish DPA continues to apply “reinforcement” mechanisms such as the one deployed in this case and how readily service providers adapt their cookie policies to the upcoming legislative changes, which could really mean a whole new scenario.