D. A.A.A. and D. B.B.B. (Claimants) v. Asociación de Víctimas por Arbitrariedades Judiciales (JAVA)

€8000 in fines

Excerpt

The Spanish DPA (AEPD) fined Asociación de Víctimas por Arbitrariedades Judiciales (JAVA) for publishing illegal recordings on its website and dropping Google Analytics cookies without user consent. Additionally, there was no second layer on the cookie banner enabling the user to refuse to consent to all cookies.

Our analysis

The complainants raised concerns that illegal recordings of witness statements were being used on the website of Asociación de Víctimas por Arbitrariedades Judiciales (JAVA). These recordings were obtained by a lawyer in a corruption case, and the complainants argued that the publication of these recordings on the website was an infringement of Article 6(1)(a) of the General Data Protection Regulation (GDPR), which states that personal data shall be processed lawfully, fairly, and in a transparent manner.

Moreover, the Spanish Data Protection Agency (DPA) found that upon accessing JAVA's website, several Google Analytics cookies were dropped without the user's consent. The DPA also noted that the cookie banner displayed on the website lacked clarity and did not provide the user with an option to refuse all cookies. These actions were considered to be a violation of Article 22(2) of the Spanish national law on the Information Society and eCommerce (LSSI).

The issue of concern in this case is whether publishing illegal recordings on a website constitutes an infringement of Article 6(1)(a) GDPR. The answer is yes, as the GDPR prohibits the processing of personal data obtained unlawfully. In this case, the recordings were obtained illegally, and therefore, publishing them on the website without the consent of the individuals recorded was a violation of the GDPR.

Additionally, the placing of cookies without user consent and the lack of a "Refuse all" option on the cookie banner are violations of Article 22(2) LSSI. The lack of clarity in the cookie banner message further emphasises the use of deceptive patterns, forcing the user to take action, as users would assume that by continuing to use the website, they are giving their consent to the use of cookies.

Outcome

JAVA was fined €8000 by the Spanish DPA (AEPD) for violating Article 6(1)(a) GDPR and Article 22(2) of the Spanish national law on the Information Society and eCommerce (LSSI), in connection with its use of illegal recordings and its unclear and insufficient cookie policy. The DPA found that the wording of the cookie banner lacked clarity and that Google Analytics cookies were being placed without user consent. Moreover, the absence of a "Refuse all" button in the cookie banner was also deemed a violation of the LSSI. A fine of €5000 was imposed for publishing recordings obtained illegally, and an additional fine of €3000 was imposed for the violations related to the cookie policy.

Parties

D. A.A.A. and D. B.B.B. (Claimants) and Asociación de Víctimas por Arbitrariedades Judiciales (JAVA)

Case number

PS/00141/2020

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
