As mentioned in the introduction to our blog series on ePrivacy Regulation in the EU, the EU Council has reached a compromise agreement on its position on the new ePrivacy Regulation.
A similar trend to that observed in France is currently ongoing in Spain where the Spanish Data Protection Authority (the AEPD) is also playing a very active role. Latest developments include the adoption of guidelines on the use of cookies as well as a landmark resolution by which the AEPD imposed a multi-million euro fine.
Guidance on the use of cookies
The latest guidance on the use of cookies was adopted in July 2020 and is intended to reflect the new criteria laid down by the European Data Protection Board in its Guidelines 05/2020 on consent under GDPR.
The AEPD clarified its position with respect to the “keep browsing” feature and so-called cookie walls. It also stressed the importance of keeping track of future developments such as the ePrivacy Regulation for the purpose of the design of cookies policies, since the ePrivacy Regulation is bound to govern the protection of information stored within end users’ terminal equipment.
A record-setting fine
On 11 February 2021, the AEPD issued a record-setting fine of EUR 8.15 million against a company in the telecom sector.
The AEPD found that the company had breached several provisions of GDPR, the Law implementing the ePrivacy Directive (LSIS) and the General Act on Telecommunications.
In particular, the AEPD found that the delivery of marketing communications via SMS and email had not been expressly authorized by the addressees. Additionally, addressees of SMS communications were not provided with the possibility to object to the processing of their personal data and, where objections were made, the requests were not handled properly. The AEPD came to similar conclusions regarding the processing of personal data in the context of direct marketing activities via phone calls.
Furthermore, the AEPD noted that the company failed to ensure that data processors implement appropriate technical and organisational measures. Additionally, the company was not aware of the identities of certain sub-processors which were conducting marketing activities on its behalf.
In setting such a high fine, the AEPD attached importance to factors such as the seriousness and continuity of the infringements; the large size of the telecom company’s business, with an annual turnover above EUR 1,600 million and more than 4,000 employees in Spain; the high number of affected individuals; and the great social repercussion of the marketing activities conducted through phone calls (around 200 million marketing actions in the name of the company were reported from May 2018 to March 2019).
The resolution is not yet final and has been challenged by the telecom company. If confirmed, it will become the highest fine ever issued in Spain for violations of data protection laws.
What’s next?
The three largest fines ever imposed by the AEPD have arisen from resolutions published within the last few months. Caixabank, S.A. was the subject of a EUR 6 million fine in January 2021 and Banco Bilbao Vizcaya Argentaria, S.A. was fined EUR 5 million in November 2020.
After a ceasefire in the months that followed the entry into force of GDPR, it seems that the AEPD is now pushing the accelerator. A common theme of these three resolutions is the controller’s failure to obtain specific, informed and unambiguous consent from data subjects, especially in the area of direct marketing communications.
The ePrivacy Regulation proposal emphasizes the need to obtain consent for these purposes from end-users who are natural persons. Customers should also be given the opportunity to object, free of charge and in an easy manner, where their email contact details are obtained in the context of a sale of a product or service.
Whilst the final text of the ePrivacy Regulation remains to be seen, its proactive implementation within organisations is of utmost importance, even more so considering the AEPD’s active role in enforcing rules relating to issues such as marketing communications and cookies.
Other posts in this series include:
- EU's ePrivacy reforms inch forward (introduction)
- EU’s ePrivacy reforms: a UK perspective
- EU’s ePrivacy reforms: a French perspective
- EU’s ePrivacy reforms: a Belgian perspective
- EU’s ePrivacy reforms: a Russian perspective
- EU’s ePrivacy reforms: a Spanish perspective
- EU’s ePrivacy reforms: an Austrian perspective
- EU’s ePrivacy reforms: a Dutch perspective