I. Legal framework
Constitutional privacy and data protection framework
The Spanish Constitution recognises the right to personal privacy, secrecy of communications, and the protection of personal data. Article 18 of the Constitution states, "(1) The right of honour, personal, and family privacy and identity is guaranteed. (2) The home is inviolable. No entry or search may be made without legal authority except with the express consent of the owners or in the case of a flagrante delicto. (3) Secrecy of communications, particularly regarding postal, telegraphic, and telephone communication, is guaranteed, except in the case of infractions, and only by judicial order. (4) The law shall limit the use of data processing to guarantee personal and family honour, the privacy of citizens, and the full exercise of their rights."1
The first Spanish Data Protection Act (LORTAD) was enacted in 1992, and was succeeded in 1999 by an amended Data Protection Act (LOPD) that brought Spanish law in line with the European Union Data Protection Directive.2 The LOPD applies to information held by the public and private sectors. The law establishes the right of citizens to know what personal data is contained in electronic records, and grants citizens the right to correct or delete incorrect or false data in those records. Additionally, the LOPD also restricts the disclosure of personal information to a third party by requiring the consent of the individual to the specific purpose for which the data was collected. Additional protections are also provided for sensitive personal data. Consumer groups, however, are concerned about the law's provisions allowing use of information without consent unless the consumer has opted out of such use. In 1999, regulations on the secondary measures required to be taken to protect electronic data systems were issued in accordance with the LOPD.3
A new Royal Decree of 19 January 2008, which entered into force on 19 April 2008, implements the LOPD to prevent the use of personal data without the data subject's knowledge and prior consent. The data subject will be able to exercise his right to access, rectify, cancel or oppose the information, and revoke his consent with the data controller easily and free of charge. The Decree also establishes higher security measures for several types of personal data.4
Royal Decree 1720/2007 implements the Organic Law 15/1999 of Data Protection and introduces some novelties: it regulates minors' consent (under 14 years of age, it is necessary to get the parents' consent) and establishes the security measures that must be followed to process personal data in non-computerised databases. The new decree also establishes the administrative procedure a data controller must follow to avoid providing data subjects access to their personal data, the procedure to register codes of conduct, and the conditions upon which a data controller is authorised to process personal data for historic, statistical or scientific purposes. The Royal Decree also addresses other issues that were previously regulated in other royal decrees and instructions,5 such as international transfers of personal data, the enforcement process by the Spanish Data Protection Authority, the data subject's exercise of his right to access his personal data, as well as cancellation, rectification and objection rights.
Another Royal Decree of 8 January 2010 modified the LOPD to prevent the exchange and matching of personal data between databases without data subject consent.6
Organic Law 4/2007 of 12 April 2007 about Universities7 allows the publication on the Internet of the grades of university students. Law 30/2007 of 30 October 2007 about Public Contracts8 regulates the conditions under which public bodies may contract data processors to process personal data.
Data protection authority
The Spanish Data Protection Authority (Agencia Española de Protección de Datos, or AEPD) is charged with enforcing the LOPD.9 In 2000, the country's data protection laws and the AEPD's authority to enforce those laws were challenged and the Constitutional Tribunal of Spain issued three judgments clarifying the issues at stake.10 The first was a constitutional challenge against the 1992 law, for breach of the provisions of the country's constitution relating to distribution of power between the State and other agencies (in this case the AEPD). The court rejected this challenge. The second concerned another constitutional challenge which was originally brought against the 1992 law but which carried over to the 1999 law. This judgment upheld the constitutionality of the law generally, although the court struck down certain provisions allowing government agencies to transfer personal information about Spanish citizens without their permission. The court ruled that these provisions infringed on the privacy rights guaranteed to citizens by Title 18 of the Spanish Constitution.11 The third case concerned an employer's processing of an employee's health data. The court ruled that the applicant's constitutional privacy rights were breached when the employer noted the employee's medical diagnosis on his sick leave records.
As part of their enforcement of the country's data protection laws, the AEPD maintains a registry of information databases in Spain and can investigate violations of the LOPD. As of December 2007,12 there were 1,017,266 registered information databases, of which 61,553 were held by private entities, and 955,713 were held by public entities, compared to 815,093 databases registered as of December 2006, of which 56,138 were held by private entities and 758,955 were held by public entities.13
In 2007 the number of queries to the Citizen Services of the AEPD followed a growth trend that has resulted in an increase of 30 percent (for a total of 47,741 consultations). Access to the AEPD website has increased from 1,518,714 in 2006 to 2,230,120 hits in 2007.14
During 200715 AEDP staff grew to 103, from 99 in 2006.16 In 2007, 849 defence of citizens' rights procedures (procedimientos de tutela de derechos) were defended,17 compared to 556 in 2006 and 579 in 2005.18 Also in 2007, there were 879 defence of citizen's rights procedures, 617 regarding the right to access one's personal data, 545 on the right of cancellation, 26 on the right to modify one's personal data and 32 regarding the right of opposition. There were 849 resolutions, of which 617 were admitted and 155 dismissed.19 The AEPD has issued 396 penalties in 2007, compared to 326 in 2006.20
Between 2008 and 2010, the AEPD published various guides about how to implement the LOPD: a "Data Protection Guide for Database Owners" that includes tools and rules to administer databases in compliance with the LOPD;21 a "Guide on Data Security";22 a report on children's rights and parents' duty;23 a guide about how to use video surveillance while complying with the LOPD for companies, associations and individuals;24 and a last one, in 2009, about how to protect workers' personal data.25 The AEPD also developed its website: a new web section now includes practical information about data protection on the Internet.26
In November 2009, the AEPD organised the 31st International Conference of Data Protection and Privacy Commissioners. At the conclusion of this meeting, commissioners presented the Joint Proposal for a Draft of International Standards on the Protection of Privacy with regard to the processing of Personal Data. The purpose of the document is to define a set of principles and rights guaranteeing the effective and internationally uniform protection of privacy with regard to the processing of personal data, together with the facilitation of international flows of personal data around the world.27
The AEPD's annual reports in 2008 and 2009 show that Internet, video surveillance, and lists of defaulters constitute the bulk of data protection-related complaints.
In October 2008, the AEPD's Director made an appearance before the Constitutional Commission of the Spanish Lower Chamber to report the results of the AEPD's 2007 Annual Report. In his speech, the Director said that the priority of the AEPD is the citizens, so it is necessary to raise awareness among citizens regarding the right to data protection by providing more information and supporting their complaints and appeals when they realise that their rights have been violated. He also said that the themes of interest to the AEPD are video surveillance, mobile and Internet advertising, the dissemination of images through the Internet or YouTube or, for example, search engines.28 He stressed: "The conclusion is clear: public awareness in Spain is above the European average."29
In April 2008, the AEPD organised a public briefing to discuss the new developments incorporated into the LOPD. The meeting gathered more than 2,000 people from the public and private sectors.30
The AEPD's 2007 Annual Report includes a section with recommendations that came out of the experience the authority gained, that are particularly relevant to the general public. At the legal level, it affirmed the need to regulate the anonymous online or offline publication of court decisions and regulations of internal reporting systems, managed by workers within a company, in order to ensure the complainant's confidentiality and the rights of the accused. It also stressed the need for a "Plan for the Promotion of Good Practices" as a guarantee of privacy.
The AEPD also noted in its 2007 Annual Report that in the case of peer-to-peer (P2P) litigation, where the legal subjects of privacy and copyright merge, only a law could define which personal data can be used and for which purposes, as well as define the right balance between data protection and intellectual property.31 In that regard, the AEPD recommended an initiative to promote special precautions to avoid the unwanted exchange of sensitive personal data on the Internet via P2P networks.32
(See more details under the "E-commerce" section.)
In January 2005, the AEPD decided that in the interest of transparency and to promote public knowledge of its decisions, it would publish all of its resolutions on its website within a month from the day after the persons concerned had been informed of a decision.33 The only exception would be with regard to the registration of databases in its record of authorised information databases.
Two issues on which the AEPD has been particularly active in 2004 and 2005 is the fight against "spam", and the encouragement of small- and medium-sized businesses (pequeñas y medianas empresas, or PYMES) to register their databases in the General Register of Personal Data (Registro General de Protección de Datos, or RGPD). Although registry of information databases is compulsory, only 10 percent of PYMES that are active in the Spanish territory are complying with the law.34 With regard to "spam", the AEPD announced the signing of a Memorandum of Understanding on 23 February 2005 with the US Federal Trade Commission. This memorandum is aimed at establishing administrative cooperation between Spain and the United States in order to combat the problem of "spam". The AEPD also announced that almost a hundred investigations had been launched in relation to this phenomenon, and these investigations had given rise to 14 legal actions for breaches of data protection rules, of which six have been resolved. Of these six resolved cases, two were classified as "serious breaches", two as "minor breaches", and in the remaining two, proceedings were discontinued.35 In general, however, fines of up to €30,000 are applicable for breaches of anti-spam regulations.
In the 2004 opinion on "The Qualification of the IP Address as Personal Data,"36 the AEPD ruled that IP addresses can be considered "personal data" and therefore, that every data controller that processes such information has to comply with the LOPD requirements. Failure to comply may subject the violator to fines of up to €300,000).37
Major privacy and data protection case law
On 16 August 2010, a judge started to investigate the complaint of an Internet users association (APEDANICA) according to which Google illegally captured and stored from 2008 data from users connected to WiFi networks when it collected photos for its Street View service.38 According to the AEPD, the facts might constitute a violation of the Organic Law of Protection of Information.39
(See more details under the "Location privacy" section.)
An important case the Supreme Court decided in 2008 is the one where the defendant, the "Association against Torture" (Asociación Contra la Tortura), had published on the Internet a list of the names and surnames of people being investigated for torture. In a 26 June 2008 decision, the Court confirmed the AEPD's resolution that had considered that the association had published personal data on the Internet without the data subject's consent, and had fined it. The Supreme Court considered that freedom of speech was not a defence.40
On 28 January 2008, the Court of Justice decided that the "copyright directives do not require the disclosure of personal data in civil proceedings, and that Member States' competent authorities should take measures to ensure the balance between copyright and intellectual property, on the one hand, and privacy and personal data protection, on the other."41 (See more details under the "E-commerce" section.)
The Supreme Court does not support the cancellation of one's personal data in baptismal records: it revoked the Decision of the Audiencia Nacional of 10 October 2007 that had endorsed the view held by the AEPD since 2004. The AEPD had ruled that baptismal records are files that contain personal data; therefore data protection principles, such as the principle of data quality and accuracy should apply to them.42
In 2007, the Supreme Court decided two cases about privacy in the workplace, one involving an employer's use of his employees' fingerprints to control their activities at work, the second dealing with an employer's use of email and Internet monitoring tools in the workplace.
(See more details under the "Major privacy and Data Protection Case Law" section.)
In December 2004, 12 persons from different social movements in the region of Catalonia filed a complaint with the AEPD as a result of the alleged inclusion of their personal data and photographs in an illegal database of a "political" nature held by the National Police Force's Provincial Information Brigade (Brigada Provincial de Información). The plaintiffs had no criminal records, but were part of a group of 30 people whose photographs had been shown to three persons accused of throwing Molotov cocktails at the police station of Sants (a neighbourhood in Barcelona) during their interrogation on 3rd October 2004. This procedure would have been legal if the people whose photographs were shown had had criminal records. A further concern is that the photographs that were shown were not from their national ID cards (DNI), but had been taken during their participation in public activities. The plaintiffs claimed that Article 7.4 of the 1999 LOPD was contravened, as it forbids "databases created with the exclusive scope of storing personal data that reveal the ideology, trade union membership, religion, beliefs, racial or ethnic origin, or sexual preferences." The police denied holding a database to identify people related to social movements, and stated that it only maintains a database of citizens with judicial precedents, although it also admitted using a database for investigations, which operates under the control of the Data Protection Authority.43
- 1. Constitution of Spain, as amended August 1992, available at http://www.constitucion.es/constitucion/lenguas/ingles.html.
- 2. See Organic Law 5/1992 of 29 October 1992 Regulating the Automated Processing of Personal Data), Ley Orgánica 5/1992 de 29 de Octubre 1992, de Regulación del Tratamiento Automatizado de los Datos de Carácter Personal (LORTAD), enacted on 14 January 2000, available at http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=1992/24189; see also Organic Law 15/1999 of 13 December 1999 on the Protection of Personal Data (LOPD), (Ley Orgánica 15/99 de 13 de Diciembre 1999 de Protección de Datos de Carácter Personal (LOPD), available at http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=1999/23750.
- 3. See Royal Decree No. 994/1999 of June 11, which Approves the Regulation on Mandatory Security Measures for the Computer Files which Contain Personal Data (Real Decreto 994/1999, del 11 de junio, por el que se Aprueba el Reglamento de Medidas de Seguridad de los Ficheros Automatizados que Contengan Datos de Carácter Personal), available at http://noticias.juridicas.com/base_datos/Admin/rd994-1999.html.
- 4. Real Decreto 1720/2007 por el que se aprueba el Reglamento de desarrollo de la Ley Orgánica 15/1999, de 13 de diciembre, de Protección de Datos de Carácter Personal, 21 December 2007, BOE No. 17, 19 January 2008 (Royal Decree No. 1720/2007, 21 December 2007), available at https://www.agpd.es/portalweb/canaldocumentacion/legislacion/estatal/com....
- 5. An Instruction ("instrucción") is a legal document elaborated by the AEPD that is binding for data controllers and regulates a specific area related to data protection (e.g., surveillance or international transfers).
- 6. Real Decreto 3/2010 Disposición adicional cuarta. Modificación del Reglamento de desarrollo de la Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal aprobado por Real decreto 1/20/2007, 8 January 2010 (Royal Decree 3/2010), available in Spanish at https://www.agpd.es/portalwebAGPD/canaldocumentacion/legislacion/estatal....
- 7. Ley Orgánica 4/2007, de 12 de abril, por la que se modifica la Ley Orgánica 6/2001, de 21 de diciembre, de Universidades, BOE Núm. 89, 13 abril 2007 (Organic Law 4/2007 of 12 April 2007 that amends Organic Law 6/2001 about Universities of 21 December 2001), BOE No. 89, 13 April 2007.
- 8. Ley 30/2007, de 30 de octubre, de Contratos del
Sector Público (Law 30/2007 about Public Contracts, 30 October 2007), BOE núm., 31 octubre 2007, available at http://www.cert.fnmt.es/legsoporte/Ley%2030-2007.pdf.
- 9. See Spanish Data Protection Authority https://www.agpd.es/index.php?idSeccion=8; see also https://www.agpd.es (in Spanish).
- 10. Judgments Nos. 290/2000 http://www.tribunalconstitucional.es/jurisprudencia/Stc2000/STC2000-290...., 292/2000 http://www.tribunalconstitucional.es/jurisprudencia/Stc2000/STC2000-292...., and 202/1999 http://www.boe.es/g/es/bases_datos_tc/doc.php?coleccion=tc&id=SENTENCIA-....
- 11. Judgment No. 292/2000, supra.
- 12. In 2005, 387 penalisation proceedings were started, compared with 148 in 2002. Preliminary investigations increased 60%, from 723 in 2002 to 1158 in 2005. Proceedings against public authorities increased threefold, from 13 in 2002 to 52 in 2005. AEDP, 2005 Annual Report, Summary 18, available at http://www.agpd.es/upload/English_Resources/RESUMEN%20MEMORIA_2005.pdf.
- 13. AEPD, 2007 Annual Report, available at https://www.agpd.es/portalweb/canaldocumentacion/memorias/memorias_2007/....
- 14. Id. at 57.
- 15. During 2005 AEDP staff grew from 89 to 98. AEDP, 2005 Annual Report, Summary 18, supra at 2.
- 16. AEPD, 2007 Annual Report, supra.
- 17. AEDP, 2007 Annual Report, supra at 49.
- 18. Email from Esperanza Zambrano Gómez, Spanish Data Protection Agency, to Guilherme Roschke, Skadden Fellow, Electronic Privacy Information Center, 2 August 2007 (on file with EPIC).
- 19. AEPD, 2007 Annual Report, supra at 49.
- 20. AEPD, 2007 Annual Report, supra at 41.
- 21. Guia de Protección de Datos para Responsables de Ficheros, available at https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/commo... (only in Spanish).
- 22. Guía de Seguridad de Datos, available at https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/commo... (only in Spanish).
- 23. Children Rights and Parent’s Duty, available at https://www.agpd.es/portalwebAGPD/canal_joven/common/pdfs/recomendacione....
- 24. Guide on Video Surveillance, available at https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/commo....
- 25. Guía de la protección de datos en las Relaciones Laborales, available at https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/commo....
- 26. AEPD Web portal https://www.agpd.es/portalwebAGPD/jornadas/dia_internet_2010/index-ides-....
- 27. Propuesta Conjunta de Estándares Internacionales de Protección de Datos y Privacidad, available at https://www.agpd.es/portalwebAGPD/internacional/Estandares_Internacional....
- 28. Appearance before the Constitutional Commission of the Low Chamber of the Director of the AEPD to report on the 2007 Annual Report of the AEPD, 1 October 2008, available at https://www.agpd.es/portalweb/canaldocumentacion/comparecencias/common/p....
- 29. Id. at 3.
- 30. I Sesión Anual Abierta de la AEPD, 22 April 2008, available at https://22.214.171.124/portalweb/jornadas/1_sesion_abierta/index-ides-i....
- 31. AEPD, 2007 Annual Report, available at https://www.agpd.es/portalweb/canaldocumentacion/memorias/memorias_2007/....
- 32. Id.
- 33. Instrucción 1/2004, de 22 de diciembre, de la Agencia Española de Protección de Datos sobre la publicación de sus resoluciones https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Instr....
- 34. "Solo El 10% de Las PYMES Españolas Cumple La Ley de Protección de Datos", Atlántico, 13 April 2005.
- 35. AEPD, press statement, 23 February 2005, available at https://www.agpd.es/upload/Prensa/Nota%20eeuu.pdf.
- 36. Agencia Española de Protección de Datos, "Carácter de Dato Personal de La Dirección IP," (Informe 327/03), available at https://www.agpd.es/index.php?idSeccion=390 (in Spanish).
- 37. Marta Escudero & Javier Maestre, "Como Consecuencia, Muchos Webmasters Deberán Registrar Sus Ficheros en la Agencia," 5 July 2004, available at http://www.kriptopolis.com/more.php?id=201_0_1_0_M.
- 38. AFP, "Spanish Judge Probes Complaint over Google's Street View," 16 August 2010 http://www.google.com/hostednews/afp/article/ALeqM5j2pPKEWPkNBcWqrYYj-BU.... See also "Spanish DPA Opens Infringement Procedures for Google Streetview", EDRi-gram - Number 8.20, 20 October 2010 http://www.edri.org/edrigram/number8.20/spanish-dpa-streetview-infringem... "Google Street View Faces Citizens' Reservation in EU", EDRi-gram - Number 8.16, 25 August 2010, http://www.edri.org/edrigram/number8.16/google-streetview-rejected-germa... Fiona Govan, "Spain Takes on Google over Privacy Violations in Street View", Daily Telegraph, 17 August 2010 http://www.telegraph.co.uk/technology/google/7950503/Spain-takes-on-Goog....
- 39. AEPD, "La AEPD Abre Una Investigación a Google por La Captación de Datos de Redes WIFI en
España", available in Spanish at https://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2010/not....
- 40. AEPD, "Desestima el Recurso de Casación Interpuesto por la Asociación Contra la Tortura. El TS Confirma el Criterio de la AEPD al Sancionar y Cancelar La Difusión de Datos de Funcionarios en la Web de la Asociación contra la Tortura", available at https://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2008/not....
- 41. Id.
- 42. AEPD, "El Tribunal Supremo no Admite La Cancelación de Datos en Libros de Bautismo." [The Supreme Court Does not Support The Cancellation of Data in Baptism], available at https://www.agpd.es/portalweb/revista_prensa/revista_prensa/2008/notas_p....
- 43. "12 Activistas de Barcelona Denuncian que La Policía Les Incluye en Un Fichero Ilegal", El País, 30 December 2004.