Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations.


II. Surveillance policies

National security, government surveillance and law enforcement

Wiretapping, access to, and interception of communications

Under the criminal code, interception of electronic communications requires a court order.1 There have been several scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defence Minister Julian Garcia Vargas, and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including King Juan Carlos.2 More recently, Juan Alberto Perote, the former head of operations of the Centro Superior de Información de la Defensa (CESID, the Spanish secret service, which was part of the armed forces until it was replaced by the CNI in 2002), was found guilty on 12 April 2005, and sentenced to four months in prison. In the first trial in 1999, Manglano and Perote both received six-month sentences and five CESID officers were sentenced to six months, although the Constitutional Tribunal annulled this ruling on 29 March 2004 after it deemed that the judge who heard the case was not impartial. Charges brought against Emilio Alonso Manglano and the five CESID officers by private individuals and groups placed under surveillance were dropped. Perote criticised the decision against him, claiming that his director, Manglano, and members of the Socialist Party government of the time knew about "this activity," which was carried out between 1983 and 1991.3

An exclusionary rule applies to evidence collected by means of illegal wiretaps or bugs, and in November 2000, the Barcelona High Court (Audiencia de Barcelona) threw out a case because the evidence was so tainted.4 In May 2001, prosecutors asked for 12-year sentences for each of two detectives accused of placing illegal wiretaps.5 In December 2004, the Supreme Court claimed that "the approval of an adequate regulation for telephone interceptions" cannot be postponed, after acquitting two suspected drug traffickers because telephone interceptions used to sentence them in the Audiencia Nacional were deemed to be irregular. The Court added that Spain has already been condemned by the European Court of Human Rights for failing to specify the nature of offences that can give rise to these interceptions and to fix a time limit for them.6

The 2003 General Telecommunications Act (LGT) guaranteed the right of individuals to use strong cryptography but also contained a provision – Article 36 – allowing for a key recovery system.7 Previous versions of this provision were strongly opposed by civil liberties advocates.8 The new Article 36 does not change much from the former Article 52 that compelled the notification of the algorithms used, but still remains ambiguous with regard to any reference to the creation of a key escrow system.9

In early 2004, the National Police Corps (Cuerpo Nacional de Policía) and the Civil Guard (Guardia Civil) reportedly started using a new software program, SINTEL, that still enables them to directly tap into telephonic communications without the need to get prior court authorisation. SINTEL, which was designed in an October 2001 secret agreement, works in real time. In addition to recording the content of the communication, the software also provides the identity of both callers and the places from which they are calling.10

SINTEL has generated a controversial debate about the necessity of some of the tools used to fight against crime in Spain while defending citizens' fundamental rights. The Spanish Internet Users Association (Asociación de Internautas) filed a motion11 before the court of the National Audience (Audiencia Nacional)12 in order to assess whether the police may get access to the SINTEL database of personal data without any judge's consent and without sufficient evidence of wrongdoing. The motion was rejected.13

At the beginning of 2010, the Supreme Court decided that police can access certain data (telephone numbers, names and surnames) from the contact list (agenda) on the mobile phones of arrested people without a judicial order, but not the content of calls, since that content is protected by the constitutional right to secrecy of communications.

National security legislation

The terrorist attack on a Madrid commuter line on 11 March 2004 was followed by announcements of a raft of measures to be introduced with regard to the problem of Islamist terrorism, most notably measures concerning the placement of "radical" imams and former mujahedins (Muslims who fought in Afghanistan or the Balkans) under surveillance, and the creation of databases in order to establish their numbers.14

The draft National Defence Law,15 published on 31 March 2005, seeks to expand the scope of activities of the National Intelligence Centre (Centro Nacional de Inteligencia, or CNI),16 by directing it to "contribute . . . in obtaining, evaluating and interpreting the necessary information to prevent and avoid any risk or threat that affects the independence and integrity of Spain, national interests and the stability of the State of law and its institutions" (Article 26). The Law was finalised on 17 November 2005.17 The words "risk or threat" alter the wording of the decree that established the CNI, which considered its scope as preventing and avoiding "danger, threat or aggression against," which cannot be interpreted as widely. Experts cited in El País newspaper suggested that "risk that affects the integrity of Spain" is so ambiguous as to be liable to be interpreted as giving the intelligence service a role in countering political proposals such as the so-called Plan Ibarretxe, proposed by the lehendakari (head of the Basque government) to change the status of the Basque autonomous region.18

Data retention

In 2007, the Parliament passed the Data Retention Law (Law No. 25/2007 of 18 October 2007),19 which implements the EU Data Retention Directive (2006/24/EC).20 It provides that the retention period is 12 months and bans the anonymity of prepaid card mobile phone users.

When the Parliament was preparing to implement that Directive, Internet and civil liberties organisations reacted strongly against it, and all of them fully endorsed the European-wide campaign "Data Retention is no Solution".21

National databases for law enforcement and security purposes

As a result of the terrorist attacks of 2001 in the United States and of 2004 in Madrid, two new laws were enacted to fight against terrorism. These two laws are written to complement each other and directly impact the field of data protection by creating new databases in public ownership.

The first law aims at preventing and freezing terrorism funding.22 It sets up the Commission for Monitoring the Funding of Terrorist Activities. This institution has the authority to freeze funds, bank accounts, and other financial assets belonging to entities or persons linked to terrorist activities. It develops its findings within the administrative sphere and collaborates with the judiciary to transmit its conclusions to the judge in criminal trials. The law establishes the obligations of financial entities (e.g., banks, credit entities, exchange bureaus) and all subjects referred to in the law against money laundering (Law 19/2003, described below) to collaborate in providing all the information required (including personal data) in relation to frozen funds. This law also provides that, with regard to the provisions of the LOPD, the files created by the Monitoring Commission will be considered files in public ownership, and therefore exempt with regard to the rights of access, rectification, and cancellation. However, this law was recently modified by Law 10/2010 of 28 April 2010 on the prevention of money laundering and funding of terrorism.23 One of its provisions allows the creation of a database of persons with public responsibility, including their relatives' names and surnames, and its purpose is to prevent money laundering and the funding of terrorism. The law implements Directives 2005/60/EC and 2006/70/EC.

The second regulation is Law 19/2003 regulating the movement of money and international transactions, enacted in July 2003.24 This law works to prevent money laundering and is closely linked with the law regarding the funding of terrorist activities. It was approved as a modification to the law of 1993 preventing money laundering. The new rule also incorporates Directive 2001/97 on the prevention of money laundering into national legislation.25

This law applies not only to terrorist crimes, illegal drug trafficking, and organised crime (current situation) but also to all other serious crimes (punishable with more than three years in prison) and related money-laundering activities. The law also imposes new obligations on subjects, such as auditors, external accountants (not only internal company accountants), and tax advisors. Notaries, lawyers, and attorneys must also collaborate with full respect to professional secrecy and without prejudice to the constitutional right to defence.

Organic Law 10/2007 of 8 October 2007 regulates the police's DNA database, the controller of which is the Department of Interior. The database includes DNA records obtained from criminal investigations (without the data subject's consent) and from the identification of corpses. This law establishes that the DNA record will be deleted when the crime falls within the limitation period. If the data subject is guilty, deletion will occur according to the law of criminal records; but if she is not guilty, her DNA will be deleted.

National and international data disclosure agreements

There is nothing to report under this section.


On 3 June 2010, Spain ratified the Council of Europe's Convention on Cybercrime.

Critical infrastructure

There is nothing to report under this section.

Territorial privacy

Video surveillance

Organic Law 4/1997 regulates the use of surveillance by police and to control traffic,26 while Law 19/2007 against Racism and Xenophobia in Sports27 regulates its use at sports events. The 1992 Law on Private Security28 and the Royal Decree on Private Security29 regulate its use by security companies and in banks.

In December 2006, the AEPD published a new regulation on video surveillance.30 Images obtained from cameras located in public places are to be considered personal data, and the files containing both images and data derived from them are to be protected. Cameras will only be used when other, proportionate means of surveillance are not easily available. A distinctive label must be placed in a visible place, and the derived data will be erased after one month. This regulation includes recording, transmission, conservation and storage, including real-time reproduction and broadcasting. Personal recording for home use, and image use by law enforcement agencies are exempted.

The APDCM published an Instruction (1/2007)31 about the use of video surveillance for security purposes, to control restricted areas or traffic, and for other health-related, investigative, or scientific purposes. The data controller has to justify that video surveillance is necessary and report it to the APDCM so that its proportionality can be assessed. The data protection authority of Catalonia also issued an Instruction about video surveillance in 2009 that mandates the data controller to report its video surveillance system to the authority.32

Location privacy (GPS, mobile phones, location based services, etc.)

Starting in 2008, Google's Street View service captured information from individuals connected through their WiFi networks. According to the AEPD, the facts might constitute a violation of the Organic Law of Protection of Information.33 On 16 August 2010, a judge started to investigate the complaint of an Internet users association (APEDANICA) according to which Google illegally captured and stored data from users connected to WiFi networks when it collected photos for its Street View service.34

Travel privacy (travel identification documents, biometrics, etc.) and border surveillance

Since August 2006, all passports issued by Spain are electronic ones that contain an RFID tag.35 Holding an e-passport is compulsory for citizens from countries that belong to the Visa Waiver Program (all countries belonging to the European Economic Area (EU member states, plus Norway, Iceland, and Liechtenstein), Switzerland, New Zealand, Australia, and Brunei) for travelling to the United States, and therefore all comply with the same technical specifications.36 In 2006, the private watchdog Commission on Liberties and Information Technology (Comisión Libertades e Informática, or CLI) and other groups expressed concerns about the adoption of RFID technologies in passports, noting that RFID-enabled passports have been hacked in some countries.37

National ID and smart cards

On 11 December 2003, the Parliament enacted the Law on Digital Signatures.38 The legislation established an electronic identification card (DNI electrónico) that includes a certificate used to generate a digital signature.39 The card was to be fully rolled out by 2007, but the rollout is still ongoing. It allows individuals and businesses to digitally sign documents, and provides the same value as a regular handwritten signature. The government seeks to encourage the development of electronic commerce and promote consumer confidence in Internet-based transactions.40 The electronic ID card includes two elements: a chip with information relating to the citizen's identity and electronic signature, as well as biometric data (fingerprint and photograph). Privacy groups criticise the law because, as they assert, it would make the card compulsory for all and would create a huge database of citizens' personal data that would be subject to serious security risks. They have urged that the project be revised to ensure the full protection of Spanish citizens' privacy.41 In mid-February 2006, the Ministry of Interior announced that root keys had been generated.42 The first e-DNI was issued on 16 March 2006,43 and after a trial testing period e-DNIs were routinely being issued.44 By March 2010, the number of e-DNIs issued had risen to 9 million.45 However, according to the National Institute of Statistics, as of October 2009, only 3.4 percent of people had actually used their e-DNI to digitally sign electronic transactions.46

The Commission on Liberties and Information Technology (CLI) complained about the lack of debate with regard to the introduction of the planned electronic ID card,47 warning that measures that are to be introduced may contravene fundamental rights, such as the rights to privacy and to the protection of personal data.48 It also stressed that it will be important for adequate security measures to be adopted in relation to the introduction of this identification document, as it may contain elements that will make it possible to access sensitive personal information about cardholders, such as race and religious affiliation in the case of photographs. The CLI has warned about the possibility that DNA details be included, and that it would be illegal for the national electronic ID card to include medical information – or to turn the ID card into a multipurpose document required to access health services, as was suggested in February 2004 by the former Minister of Public Administration, Julia García Valdecasas.49

Since 2009 the Spanish government has launched information campaigns about the electronic ID card, stressing its benefits for citizens.50 On 3 November 2009 a Royal Decree modified some of the requirements to obtain digital identification certificates for the national ID card.51

RFID tags

In 2006, the CLI and other groups expressed concerns about the adoption of RFID technologies in passports, noting that RFID-enabled passports had been hacked in some countries.52

Bodily privacy

There is nothing to report under this section.