The Constitution recognizes the right to privacy, secrecy of communications and data protection. Article 18 states, "(1) The right of honor, personal, and family privacy and identity is guaranteed. (2) The home is inviolable. No entry or search may be made without legal authority except with the express consent of the owners or in the case of a flagrante delicto. (3) Secrecy of communications, particularly regarding postal, telegraphic, and telephone communication, is guaranteed, except for infractions by judicial order. (4) The law shall limit the use of information, to guarantee personal and family honor, the privacy of citizens, and the full exercise of their rights."[2488]
The first Spanish Data Protection Act (LORTAD) was enacted in 1992. The LORTAD was succeeded in 1999 by an amended Data Protection Act (LOPD) which brought Spanish law into line with the European Union Data Protection Directive.[2489] It covers files held by the public and private sectors. The law establishes the right of citizens to know what personal data is contained in computer files and the right to correct or delete incorrect or false data. Personal information may only be used or disclosed to a third party with the consent of the individual and only for the purpose for which it was collected. Additional protections are provided for sensitive data. Questions still remain about citizens who do not wish to be included in the "promotional census." Consumer groups are also concerned about the law's provisions allowing use of information without consent unless the consumer has opted out of the use. In 1999 regulations on the secondary measures to be taken to protect filing systems were issued.[2490]
The Agencia de Protección de Datos (APD) is charged with enforcing the LOPD.[2491] The Agency maintains the registry and can investigate violations of the law. The agency has issued several decrees setting out in more detail the legal requirements for different types of information. In December 2000 it issued guidance on international transfers of data.[2492] As of December 2001, the number of registered databases was 271,875.[2493] In 2001, the agency conducted 405 investigations most of which were carried out on the basis of individual complaints. 363 complaints were received regarding the refusal of data controllers to grant subjects access to their files.[2494] In September of 2000, the agency fined Telefónica, the Spanish telephone company, EUR 60,000 for a glitch in its computer systems that allowed improper access to customer files.[2495] A ESP 180 million (EUR 1 million) fine was issued in January of 2001 to Zeppelin, the television company producing the Spanish version of the show "Big Brother," for releasing personal information on those who tried out for the show.[2496] A 100,000 peseta fine was issued to Caja Insular de Ahorros de Canarios in February 2001, and Microsoft Iberica was fined 10 million pesetas in April for improper use of client information.[2497] The agency has recently opened an investigation against the University of Zaragoza on allegations that the university sold alumni information without permission.[2498] Appeals against decisions of the APD may be brought before an administrative court. In 2000, 54 such appeals were brought. The court upheld the decisions of the Authority in the majority of these cases.[2499] In 2002, the APD considered the case of the company Inlander that was accused of storing personal data of Spanish citizens on a US-based database and failing to take security measures to protect private data.[2500]
In 2000 the Constitutional Tribunal of Spain issued three judgments relating to data protection.[2501] The first was a constitutional challenge against the 1992 law for breach of the provisions relating to distribution of powers between the State and other agencies (in this case the APD). The court rejected this challenge. The second concerned another constitutional challenge which was originally filed against the 1992 law but which carried over to the 1999 law. Upholding the constitutionality of the law generally, the court struck down certain provisions allowing government agencies to transfer personal information on Spanish citizens inter se without citizen permission. The court ruled that these provisions infringed the privacy rights guaranteed to citizens by Title 18 of the Spanish Constitution.[2502] The third case concerned an employer's processing of an employee's health data. The court ruled that the applicant's constitutional privacy rights were breached when the employer noted the employee's medical diagnosis on the sick leave records.
An important debate took place in 2003 regarding employers' access to employees' e-mails. A first case involved a Deutsche Bank employee who was dismissed for spending too much time sending private e-mails during working hours. The employer had obtained the list of private e-mails the employee had sent. That list had been obtained without any adequate authorization from a judge. The Deutsche Bank employee claimed that his employer intruded upon his privacy. The Superior Court of Justice of Catalunya held that electronic mail is the employer's tool that is lent to the employee from which the employee cannot expect any privacy. In other cases, however, the court has found in favor of the employee. In January 2003, the trade union Comisiones Obreras requested from the bank "La Caixa" that it withdraw from its internal rules a rule that allowed the bank to monitor its employees' e-mails to check whether they were working.
Under the criminal code interception of communications requires a court order.[2503] There have been several scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defense Minister Julian Garcia Vargas and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including King Juan Carlos.[2504] An exclusionary rule applies to evidence collected by means of illegal wiretaps or bugs, and in November of 2000, the Audiencia of Barcelona threwout a case because the evidence was so tainted.[2505] In May of 2001, prosecutors asked for 12-year sentences for each of two detectives accused of placing illegal wiretaps.[2506]
The 1998 Telecommunications Act guarantees the rights of individuals to use strong cryptography but also contains a provision allowing for a mandatory key recovery system. This provision was strongly opposed by civil liberties advocates.[2507] It has, so far, not been enforced. There are also additional laws in the penal code, and relating to credit information[2508] video surveillance,[2509] and automatic tellers.[2510] The government issued a decree on digital signatures in September 1999.
Important changes took place recently with regard to cryptography. The General Telecommunications Law (LGT) was the only law that restricted the use of cryptography. Article 52, although it allows using cryptography to protect information that is circulating on networks, also imposed a few restrictions for encryption products manufacturers, network operators and end users by, e.g., compelling them to notify the General Administration of the State of the encryption means used. A new telecommunications law has recently been enacted that is clearer and makes it more likely that a key escrow be created soon, even though the government had promised in April 2003 that such a modification in the law would not occur. In its final version, the law is sufficiently ambiguous for it not to be directly applicable, although it still could become the basis for a law creating a key escrow system. The new Article 36 does not change much former Article 52 which compelled the notification of the algorithms used, but without reference to the keys.[2511]
In June 2002, the Parliament approved the controversial Law of Information Society Services and Electronic Commerce (LSSICE).[2512] The law prohibits the distribution of spam, requires web hosting companies to police content and shut down websites involved in illegal activities, and mandates retention for one year of Internet users traffic data.[2513] This latter requirement was a late addition to the proposal, which had been under consideration for nearly two years. It was introduced following the approval, in May 2002, by the European Parliament of the Privacy in Electronic Communications Directive (2002/58/EC), which contained a provision allowing for data retention. Following Royal assent, the law has to be published in the Official Gazette. It will take effect three months after this publication. Prior to passage, the APD, in a formal submission to the Government, expressed its opposition to the routine storage of traffic data.[2514] Opponents have vowed to challenge the law before the Constitutional Court arguing that it breaches constitutional rights to privacy, freedom of expression and the presumption of innocence.[2515]
A bill that would establish an electronic identification card is currently being discussed, with an implementation date fixed to 2004. The card would allow to digitally sign documents, as well as include more data than the regular ID. Privacy groups say this proposal would create a huge database of citizens' personal data and would be subject to serious security risks. They have urged that the project be revised to ensure the full protection of Spanish citizens' privacy.[2516]
On September 10, 2002, the Computer Professionals for Social Responsibility Spain (CPSR-ES)[2517] organized the first Big Brother Awards event in Spain.[2518] The Law of November 26, 1992 provides for access to government information.[2519] The law was amended in 1998 by Law No. 29/1998 of July 13, 1998. Under Article 37 (2), the right of access and correction can be denied if reasons of public interest prevail.
Spain is a member of the Council of Europe and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108) ("Convention No. 108").[2520] It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms.[2521] In November 2001, Spain signed the CoE Convention on Cybercrime.[2522] It is a member of the Organization for Economic Cooperation and Development and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.