//by Xavier Seguí López//
In regard to the January 2022 resolution of the EDPS against the European Parliament about the use of third-party analytical Cookies (Google Analytics) on its website about Covid-19 (https://europarl.ecocare.center/), I am going to discuss the current point of view in regard to the use of analytical and/or advertising Cookies from third parties outside the European Union and the obligation of public entities to have a Cookie Policy on their web pages. Or, at least, as we wait to see how the current affairs evolve, I will mention some notes about what we know so far.
Each country has its own peculiarities in terms of data protection regulations. In Europe, while we do have transversal regulations that affect every member of the EU (the General Data Protection Regulation 679/2016), each country is given its own space to clarify issues regarding the regulations. Nevertheless, the main point in regard to data protection regulation is that the countries must comply with it.
In Spain there is a peculiarity regarding data protection regulations, the Information Societies Law 34/2002 (“LSSI”) and the use of Cookies on the web pages of public entities, and the information that is to be given to citizens about their use, especially those that revert importance in informing (due to their characteristics) such as analytical and advertising Cookies.
In fact, the use of analytical or advertising Cookies on public web pages is not new. The issue resides in the fact that there is no official site (at least none that I have found) that states if it is necessary for Public Administration web pages to require a Cookie Policy or not. The closest possible item is found on the state website dedicated to the LSSI 34/2002 (https://lssi.mineco.gob.es/la-ley/Paginas/preguntas-frecuentes.aspx) where it is stated that the LSSI should not be applied to public administration websites, except for websites that carry out economic activities, such as a public website dependent on the administration that sells tourist books:
“In general terms, the LSSI does not apply to Public Administrations, as they don’t work as an information society service provider, which is defined in its annex. Furthermore, certain typical activities of Public Administrations such as the online management of tax recollection or the information about the services of a third party (as could be the information on the website of a City Council regarding the different rural houses in its municipality) are considered public activities or to be of general interest which differentiates them from the “economic activity” that is mentioned in the LSSI. However, when the activity of an Administration does have an economic background (for example, the selling of tourist books by a public entity dependant on a City Council), the LSSI will apply to it”.
In short, what it indicates is that the LSSI will not be applied to the mentioned websites and these, therefore, will not need to have a Cookie Policy. Due to this, these websites will neither need to inform users about the use of Cookies nor give them the possibility to choose which ones to use (except for those cases in which there is an online economic activity involved). Certainly, it is a situation that clearly conflicts with the right to inform of the GDPR.
Recently, in November 2021, a resolution was published by the Spanish Data Protection Authority (PS/00219/2021: https://www.aepd.es/es/documento/ps-00219-2021.pdf) which expands the activities carried out by the Public Administration, and can now be considered as a “Service Provider” (in which case, the LSSI would apply to it). Specifically, if the web page has a job bank with a form that allows its users to attach a CV.
To sum up, Public Administrations must have a Cookie Policy on their websites if:
• They carry out an economic activity (selling books or tickets for public events, renting rooms in public buildings, etc.)
• They carry out recruitment activities (as, according to resolution PS/00219/201 of the AEPD, this activity would fit into the previous economic activity, as it is a “Service Provider”)
Moreover, despite not being mentioned explicitly on any website (as I have previously mentioned), in my point of view, a Cookie Policy should be required in the following circumstance:
• They use third-party Cookies for analytical or advertising purposes (the most used examples would be Cookies from Google, Facebook, etc.)
Regarding this last point, the public entities’ obligation of having a Cookies Policy on its website would no longer be required for by the LSSI, in my opinion, but rather from the data protection regulation. Having Cookies from third parties located outside the EU comes into conflict with the articles 13.1.f GDPR (the obligation of informing about international data transfer) and 13.2f GDPR (informing about the existence of automated decisions, including profiling).
In the case that the previously mentioned analytical and/or advertising Cookies were not from third parties located outside the EU (not likely, as the use of Cookies from these providers is widely generalized) said Cookies would still carry out international data transfers and would be used to create user profiles to whom to offer services or products. That is why Public Administrations that use these types of Cookies on their web pages should inform the users about their existence and their use, so as to comply with article 13.2.f GDPR. And what better way to inform about this than through a Cookie Policy?
The aforementioned resolution against the European Parliament seems to be, at least partially, in line with these thoughts. And I say partially because, after all, it is likely that in the following months the issue dealt with here may be called into question, either because the use of these types of resources will be prohibited in public web pages or because a new EU-USA bilateral agreement will be approved, known as the “Trans-Atlantic Data Privacy Framework”.
Xavier Seguí López is Lawyer specialized in Data Protection, IT & IP