II. Surveillance policies
National security, government surveillance and law enforcement
Wiretapping, access to, and interception of communications
Under the criminal code, interception of electronic communications requires a court order.1 There have been several scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defence Minister Julian Garcia Vargas, and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including King Juan Carlos.2 More recently, Juan Alberto Perote, the former head of operations of the Centro Superior de Información de la Defensa (CESID, the Spanish secret service, which was part of the armed forces until it was replaced by the CNI in 2002), was found guilty on 12 April 2005, and sentenced to four months in prison. In the first trial in 1999, Manglano and Perote both received six-month sentences and five CESID officers were sentenced to six months, although the Constitutional Tribunal annulled this ruling on 29 March 2004 after it deemed that the judge who heard the case was not impartial. Charges brought against Emilio Alonso Manglano and the five CESID officers by private individuals and groups placed under surveillance were dropped. Perote criticised the decision against him, claiming that his director, Manglano, and members of the Socialist Party government of the time knew about "this activity," which was carried out between 1983 and 1991.3
An exclusionary rule applies to evidence collected by means of illegal wiretaps or bugs, and in November 2000, the Barcelona High Court (Audiencia de Barcelona) threw out a case because the evidence was so tainted.4 In May 2001, prosecutors asked for 12-year sentences for each of two detectives accused of placing illegal wiretaps.5 In December 2004, the Supreme Court claimed that "the approval of an adequate regulation for telephone interceptions" cannot be postponed, after acquitting two suspected drug traffickers because telephone interceptions used to sentence them in the Audiencia Nacional were deemed to be irregular. The Court added that Spain has already been condemned by the European Court of Human Rights for failing to specify the nature of offences that can give rise to these interceptions and to fix a time limit for them.6
The 2003 General Telecommunications Act (LGT) guaranteed the right of individuals to use strong cryptography but also contained a provision – Article 36 –allowing for a key recovery system.7 Previous versions of this provision were strongly opposed by civil liberties advocates.8 The new Article 36 does not change much from the former Article 52 that compelled the notification of the algorithms used, but still remains ambiguous with regard to any reference to the creation of a key escrow system.9
In early 2004, the National Police Corps (Cuerpo Nacional de Policía) and the Civil Guard (Guardia Civil) reportedly started using a new software program, SINTEL, that still enables them to directly tap into telephonic communications without the need to get prior court authorisation. SINTEL, which was designed in an October 2001 secret agreement, works in real time. In addition to recording the content of the communication, the software also provides the identity of both callers and the places from which they are calling.10
SINTEL has generated a controversial debate about the necessity of some of the tools used to fight against crime in Spain while defending citizens' fundamental rights. The Spanish Internet Users Association (Asociación de Internautas) filed a motion11 before the court of the National Audience (Audiencia Nacional)12 in order to assess whether the police may get access to the SINTEL database of personal data without any judge's consent and without sufficient evidence of wrongdoing. The motion was rejected.13
At the beginning of 2010, the Supreme Court decided that police can access certain data (telephone numbers, names and surnames) from the mobile agenda of arrested people without a judicial order, but not the content of calls, since they are protected by the constitutional right to secrecy of communications.
National security legislation
The terrorist attack on a Madrid commuter line on 11 March 2004 was followed by announcements of a raft of measures to be introduced with regard to the problem of Islamist terrorism; most notably measures concerning the placement of "radical" imams and former mujahedins (Muslims who fought in Afghanistan or the Balkans) under surveillance, and of establishing databases in order to establish their numbers.14
The draft National Defence Law,15 published on 31 March 2005, seeks to expand the scope of activities of the National Intelligence Centre (Centro Nacional de Inteligencia, or CNI),16 by directing it to "contribute . . . in obtaining, evaluating and interpreting the necessary information to prevent and avoid any risk or threat that affects the independence and integrity of Spain, national interests and the stability of the State of law and its institutions" (Article 26). The Law was finalised on 17 November 2005.17 The words "risk or threat" alter the wording of the decree that established the CNI, which considered its scope as preventing and avoiding "danger, threat or aggression against," which cannot be interpreted as widely. Experts cited in El País newspaper suggested that "risk that affects the integrity of Spain" is so ambiguous as to be liable to be interpreted as giving the intelligence service a role in countering political proposals such as the so-called Plan Ibarretxe, proposed by the lehendakari (head of the Basque government) to change the status of the Basque autonomous region.18
In 2007, the Parliament passed the Data Retention Law (Law No. 25/2007 Law of 18 October 2007),19 that implements the EU Data Retention Directive (2006/24/EC).20 It provides that the retention period is 12 months and bans the anonymity of prepaid card mobile phone users.
When the Parliament was preparing to implement that Directive, Internet and civil liberties organisations posed a strong reaction to it and all of them fully endorsed the European-wide campaign "Data Retention is no Solution".21
National databases for law enforcement and security purposes
As a result of the terrorist attacks of 2001 in the United States and of 2004 in Madrid, two new laws were enacted to fight against terrorism. These two laws are written to complement each other and directly impact the field of data protection by creating new databases in public ownership.
The first law aims at preventing and freezing terrorism funding.22 It sets up the Commission for Monitoring the Funding of Terrorist Activities. This institution has the authority to freeze funds, bank accounts, and other financial assets belonging to entities or persons linked to terrorist activities. It develops its findings within the administrative sphere and collaborates with the judiciary to transmit its conclusions to the judge in criminal trials. The law establishes the obligations of financial entities (e.g., banks, credit entities, exchange bureaus) and all subjects referred to in the law against money laundering (Law 19/2003, described below) to collaborate in providing all the information required (including personal data) in relation to frozen funds. This law also provides that, with regard to the provisions of the LOPD, the files created by the Monitoring Commission will be considered files in public ownership, and therefore exempt with regard to the rights of access, rectification, and cancellation. However, this law was recently modified by Law 10/2010 of 28 April 2010 on the prevention of money laundering and funding of terrorism.23 One of its provisions allows the creation of a database of persons with public responsibility, including their relatives' name and surnames, and its purpose is to prevent money laundering and the funding of terrorism. The law implements Directives 2005/60/EC and 2006/70/EC.
The second regulation is Law 19/2003 regulating the movement of money and international transactions, enacted in July 2003.24 This law works to prevent money laundering and is closely linked with the law regarding the funding of terrorist activities. It was approved as a modification to the law of 1993 preventing money laundering. The new rule also incorporates Directive 2001/97 on the prevention of money laundering into national legislation.25
This law applies not only to terrorist crimes, illegal drug trafficking, and organised crime (current situation) but also to all other serious crimes (punishable with more than three years in prison) and related money-laundering activities. The law also imposes new obligations on subjects, such as auditors, external accountants (not only internal company accountants), and tax advisors. Notaries, lawyers, and attorneys must also collaborate with full respect to professional secrecy and without prejudice to the constitutional right to defence.
Organic Law 10/2007 of 8 October 2007 regulates the police's DNA database the controller of which is the Department of Interior. In this database are included DNA records obtained from criminal investigations (without data subject's consent) and from the identification of corpses. This law establishes that the DNA record will be deleted when the crime falls within the limitation period. If the data subject is guilty, deletion will occur according to the law of criminal records; but if she is not guilty, her DNA will be deleted.
National and international data disclosure agreements
There is nothing to report under this section.
On 3rd June 2010, Spain ratified the Council of Europe's Convention of Cybercrime.
There is nothing to report under this section.
Organic Law 4/199726 regulates the use of surveillance by police and to control traffic, while Law 19/2007 against Racism and Xenophobia in Sports27 regulates its use at sports events. The Law about the Private Security of 199228 and the Royal Decree of Private Security29 regulate their use by security companies and in banks.
In December 2006, the AEPD published a new regulation on video surveillance.30 Images obtained from cameras located in public places are to be considered personal data, and the files containing both images and data derived from them are to be protected. Cameras will only be used when other, proportionate means of surveillance are not easily available. A distinctive label must be placed in a visible place, and the derived data will be erased after one month. This regulation includes recording, transmission, conservation and storage, including real-time reproduction and broadcasting. Personal recording for home use, and image use by law enforcement agencies are exempted.
The APDCM published Instruction 1/200731 about the use of video surveillance for security purposes, to control restricted areas or traffic, and for other health-related, investigative, or scientific purposes. The data controller has to justify that video surveillance is necessary and report about it to the APDCM in order to assess its proportionality. The data protection authority of Catalonia also elaborated an Instruction about video surveillance in 2009 that mandates the data controller to report its video surveillance system to the authority.32
Location privacy (GPS, mobile phones, location based services, etc.)
Google's Street View service started capturing information from 2008 from individuals connected through their WiFi wireless networks. According to the AEPD, the facts might constitute a violation of the Organic Law of Protection of Information.33 On 16 August 2010, a judge started to investigate the complaint of an Internet users association (APEDANICA) according to which Google illegally captured and stored data from users connected to WiFi networks when it collected photos for its Street View service.34
Travel privacy (travel identification documents, biometrics, etc.)and border surveillance
Since August 2006, all passports issued by Spain are electronic ones that contain an RFID tag.35 Holding an e-passport is compulsory for citizens from countries that belong to the Visa Waiver Program (all countries belonging to the European Economic Area (EU member states, plus Norway, Iceland, and Liechtenstein), Switzerland, New Zealand, Australia, and Brunei) for travelling to the United States, and therefore all comply with the same technical specifications.36 In 2006, the private watchdog Commission on Liberties and Information Technology (Comisión Libertades e Informática, or CLI) and other groups expressed concerns about the adoption of RFID technologies in passports, noting that RFID-enabled passports have been hacked in some countries.37
National ID and smart cards
On 11 December 2003, the Parliament enacted the Law on Digital Signatures.38 The legislation established an electronic identification card (DNI electrónico) that includes a certificate used to generate a digital signature.39 The card had to be fully rolled out by 2007, but it is still ongoing. It allows individuals and businesses to digitally sign documents, and provides the same value as a regular handwritten signature. The government seeks to encourage the development of electronic commerce and promote consumer confidence in Internet-based transactions.40 The electronic ID card includes two elements: a chip with information relating to the citizen's identity and electronic signature, as well as biometric data (fingerprint and photograph). Privacy groups criticise the law because, as they assert, it would make the card compulsory for all and would create a huge database of citizens' personal data that would be subject to serious security risks. They have urged that the project be revised to ensure the full protection of Spanish citizens' privacy.41 In mid-February 2006, the Ministry of Interior announced that root keys had been generated.42 The first e-DNI was issued on 16 March 2006,43 and after a trial testing period e-DNIs were routinely being issued.44 By March 2010, the number of e-DNI issued had raised to 9 million.45 However, according to the National Institute of Statistics, as of October 2009, only 3.4 percent of people had actually used their e-DNI to digitally sign electronic transactions.46
The Commission on Liberties and Information Technology (CLI) complained about the lack of debate with regards to the introduction of the planned electronic ID card,47 warning that measures that are to be introduced may contravene fundamental rights, such as the rights to privacy and to the protection of personal data.48 It also stressed that it will be important for adequate security measures to be adopted in relation to the introduction of this identification document, as it may contain elements that will make it possible to access sensitive personal information about cardholders, such as race and religious affiliation in the case of photographs. The CLI has warned about the possibility that DNA details be included, and that it would be illegal for the national electronic ID card to include medical information – or to turn the ID card into a multipurpose document required to access health services, as was suggested in February 2004 by the former Minister of Public Administration, Julia García Valdecasas.49
Since 2009 the Spanish government has launched information campaigns about the electronic ID card, stressing its benefits for citizens.50 On 3 November 2009 a Royal Decree modified some of the requirements to obtain digital identification certificates for the national ID card.51
In 2006, the CLI and other groups expressed concerns about the adoption of RFID technologies in passports, noting that RFID-enabled passports had been hacked in some countries.52
There is nothing to report under this section.
- 1. Ley Orgánica 10/1995, de 23 de noviembre, del Código Penal. http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=1995/25444, Penal Code, Sections 197-199.
- 2. "Spain Socialists Seek Opposition Apology on Bugging," Reuters, 6 February 1996.
- 3. "Perote, Condenado a Cuatro Meses de Arresto por Las Escuchas del Cesid," El País, 13 April 2005; and "Cuatro Meses de Prisón para Perote por las Escuchas del Cesid," El País, 4 April 2005.
- 4. "Secreto Comunicaciones Audiencia Invalida Pruebas Obtenidas por "Pinchazo" Teléfono," Spanish Newswire Services, 23 November 2000.
- 5. "Pinchazos Telefónicos: Fiscalía Pide 24 Años Para Detectives por Pinchar Teléfonos," Spanish Newswire Service, 7 May 2001.
- 6. "El Supremo Cree Inaplazable Regular El Control de Teléfonos," El País, 13 December 2004.
- 7. Ley 32/2003, de 3 de noviembre, General de Telecomunicaciones., http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2003/20253, partial English translation at https://www.agpd.es/upload/Ley_32-2003_LGT.pdf.
- 8. See Global Internet Liberty Campaign, "New Spanish Telecommunications Law Opens a Door to Mandatory Key Recovery Systems," July 1998, available at http://www.gilc.org/crypto/spain/gilc-crypto-spain-798.html.
- 9. See"No al Articulo 36 Restricciones a La Criptografía: La Nueva Ley General de Telecomunicaciones Impone la Obligación de Revelar Las Claves de Cifrado," March 2003, available at http://www.spain.cpsr.org/02042003.php; Mercé Molist, "El Congreso no Aclara El Depósito del Cifrado en La Ley de Telecomunicaciones," El País, 12 June 2003.
- 10. Policía y Guardia Civil Pueden Pinchar Los Teléfonos Informáticamente," 19 February 2004, available at http://www.nodo50.org/tortuga/article.php3?id_article=204.
- 11. Internet Users Association motion available at http://www.internautas.org/archivos/pdf/STS_interceptacion_comunicacione....
- 12. Audiencia Nacional, homepage http://www.audiencianacional.es/.
- 13. Tribunal Supremo, Sala de lo penal, Sentencia Nº 1078/2009, available at http://www.audiencianacional.es/.
- 14. "Censo de Ex Muyahidines e Imanes Radicales", El País, 30 May 2004.
- 15. Proyecto de Ley Orgánica de la Defensa Nacional 121/000031, Boletín Oficial de las Cortes Generales, 31 March 2005.
- 16. Spain's secret service agency.
- 17. Ley Orgánica 5/2005, de 17 de noviembre, de la Defensa Nacional, available at http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2005/18933.
- 18. "El Borrador Permite al Servicio Secreto Investigar Cualquier Riesgo que Afecte a La Integridad de España," El País, 18 March 2005.
- 19. Ley 25/2007, de 18 de octubre, de Conservación de Datos Relativos a las Comunicaciones Electrónicas y a las Redes Públicas de Comunicaciones (Law 25/2007 on the Retention of Data Related to Electronic Communications and Public Communications Networks, 18 October 2007), BOE núm. 251, 19 octubre 2007 (BOE No. 251, 19 October 2007), available at http://noticias.juridicas.com/base_datos/Admin/l25-2007.html.
- 20. Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2006:105:0054....
- 21. "Data Retention is no Solution," http://www.dataretentionisnosolution.com. See also CPSR-ES, "¿Cómo Te Afecta La Retención de Datos?", 27 September 2005 http://wiki.dataretentionisnosolution.com/index.php/Texto_cpsr_es.
- 22. Ley 12/2003, de 21 de mayo, de Prevención y Bloqueo de la Financiación del Terrorismo, (Law 12/2003 of 21st May 2003 on Preventing and Freezing Terrorism Funding), available at http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2003/10289; see also http://www.igsap.map.es/cia/dispo/26927.htm.
- 23. Ley 10/2010, de 28 de abril de Prevención del Blanqueo de Capitales y de la Financiación del Terrorismo, available at http://noticias.juridicas.com/base_datos/Admin/l10-2010.html.
- 24. Ley 19/2003, de 4 julio, sobre Régimen Jurídico de los Movimientos de Capitales y de las Transacciones Económicas con el Exterior y sobre Determinadas Medidas de Prevención del Blanqueo de Capitales, available at http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2003/13471.
- 25. Directiva 2001/97/CE del Parlamento Europeo y del Consejo, de 4 de diciembre de 2001 sobre Blanqueo de Capitales: Prevención de la Utilización del Sistema Financiero (European Parliament and Council Directive 2001/97/EC of 4 December 2001 related to Money Laundering: Preventing Use of the Financial System), available at http://europa.eu.int/scadplus/leg/es/lvb/l24016.htm.
- 26. Ley Orgánica 4/1997, de 4 de agosto, por la que se Regula la Utilización de Videocámaras por las Fuerzas y Cuerpos de Seguridad en Lugares Públicos (Law 4/1997 of 4 August 1997 that Regulates the Use of Video Surveillance by Security Forces and Authorities in Public Places), available at http://noticias.juridicas.com/base_datos/Admin/lo4-1997.html.
- 27. Ley 19/2007, de 11 de julio, contra la Violencia, el Racismo, la Xenofobia y la Intolerancia en el Deporte (Law 19/2007 of 11 July 2007 against Violence, Racism, Xenophobia, and Intolerance in Sports), available at http://noticias.juridicas.com/base_datos/Admin/l19-2007.html.
- 28. Ley 23/1992, de 30 de julio, de Seguridad Privada (Law 23/1992 of 30 July 1992 about Private Security), available at http://noticias.juridicas.com/base_datos/Admin/l23-1992.html.
- 29. Real Decreto-ley 2/1999, de 29 de enero, por el que se modifica la Ley 23/1992, de 30 de julio, de Seguridad Privada (Royal Decree 2/1999 of 29 January 1999), available at http://noticias.juridicas.com/base_datos/Admin/rdl2-1999.html.
- 30. Agencia Española de Protección De Dados, Instrucción 1/2006, de 8 de noviembre sobre el Tratamiento de Dados Personales con Fines de Vigilancia a través de Sistemas de Cámaras o Videocámaras, 12 December 2006, available in Spanish at http://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Instru..., available in English at https://www.agpd.es/upload/English_Resources/Instruccion%20videovigilanc....
- 31. APDCM, Instrucción 1/2007 de 16 mayo 2007 sobre el Tratamiento de Datos Personales a través de los Sistemas de Cámaras o Videocámaras en el Ámbito de los Órganos y Administraciones Públicas de la Comunidad de Madrid" (Instruction 1/2007 of 16 May 2007 on the Processing of Personal Data through Photo or Video Surveillance by the Public Bodies and Administrations of the Community of Madrid).
- 32. The report must include the number of cameras used, if cameras are fixed or moving, if they are placed less than 50 metres from a hospital, church, or school, and justify the proportionality of their use.
- 33. AEPD, "La AEPD Abre Una Investigación a Google por La Captación de Datos de Redes WiFi en España", available here.
- 34. AFP, "Spanish Judge Probes Complaint over Google's Street View," 16 August 2010 http://www.google.com/hostednews/afp/article/ALeqM5j2pPKEWPkNBcWqrYYj-BU... See also "Spanish DPA Opens Infringement Procedures for Google Streetview", EDRi-gram - Number 8.20, 20 October 2010 http://www.edri.org/edrigram/number8.20/spanish-dpa-streetview-infringem... "Google Street View Faces Citizens' Reservation in EU", EDRi-gram – Number 8.16, 25 August 2010, http://www.edri.org/edrigram/number8.16/google-streetview-rejected-germa... Fiona Govan, "Spain Takes on Google over Privacy Violations in Street View", Daily Telegraph, 17 August 2010 http://www.telegraph.co.uk/technology/google/7950503/Spain-takes-on-Goog....
- 35. Home Office (Ministerio de Interior), Información sobre Trámites / Pasaporte / Pasaporte Electrónico http://web.archive.org/web/20080614191030/http://www.mir.es/SGACAVT/pasa....
- 36. Visa Waiver Program (VWP) http://travel.state.gov/visa/temp/without/without_1990.html.
- 37. Asociación de Internautas, "La CLI Se Opone a que Se Incrusten RFID en El Futuro Pasaporte Electrónico y, Posteriormente, en El DNI Electrónico, 7 March 2006, http://www.internautas.org/privacidad/html/3517.html. Kriptopólis, Pasaporte hacia la Inseguridad, 19 November 2006 http://www.kriptopolis.org/pasaporte-hacia-la-inseguridad.
- 38. Ley 59/2003, de 19 de diciembre, de Firma Electrónica http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2003/23399.
- 39. See generally http://www.dnielectronico.es.
- 40. "La Ley de La Firma Electrónica Entra en Vigor," Redes and Telecoms, 12 December 2003, available at http://www.redestelecom.com/Actualidad/Noticias/Comunicaciones/Legislaci....
- 41. "El DNI Electrónico Se Tramitará en España El Próximo Año," El País, 5 May 2003.
- 42. Dirección General de la Policía y de la Guardia Civil, El Ministro del Interior Pone en Marcha el Sistema de Certificación del Nuevo DNI Electrónico, 16 February 2006 http://www.dnielectronico.es/oficina_prensa/noticias/noticia04.html.
- 43. Dirección General de la Policía y de la Guardia Civil, El Ministro del Interior Entrega el Primer Ejemplar del Nuevo DNI Electrónico a Una Ciudadana de Burgos, 16 March 2006 http://www.dnielectronico.es/oficina_prensa/noticias/noticia09.html.
- 44. Dirección General de Relaciones Informativas y Sociales, "Comienza la Expedición del Nuevo DNI Electrónico en Trece Ciudades Españolas, 5 July 2006 http://www.mir.es/DGRIS/Notas_Prensa/Policia/2006/np070504.html (last checked in 2007).
- 45. Asociación de Internautas, "El Uso del DNI Electrónico Sigue Siendo Escaso a pesar de Haber Casi 15 Millones de Documentos Nuevos Expedidos", 29 March 2010 http://www.internautas.org/html/6078.html.
- 46. "Casi Diez Millones de Españoles Tienen DNI Electrónico, pero Pocos Lo Usan", Expansión.com, 13 April 2009, available at http://www.expansion.com/2009/04/13/funcion-publica/1239603801.html.
- 47. "El DNI Electrónico no Puede Incluir Datos Personales Ajenos a La Identificación," IBLNEWS, 4 October 2004.
- 48. "La CLI Advierte que el Contenido del DNI Electrónico no Puede Incluir Datos de Carácter Personal," Asociación de Internautas, 20 May 2005, available at http://www.internautas.org/html/1/2934.html.
- 49. Comisión de Libertades e Informática, press statement, 19 February 2004.
- 50. At http://www.dnielectronico.es/.
- 51. Real Decreto 1586/2009, available in Spanish at http://www.dnielectronico.es/marco_legal/RD_1586_2009.html.
- 52. Asociación de Internautas, "La CLI Se Opone a que Se Incrusten RFID en El Futuro Pasaporte Electrónico y, Posteriormente, en El DNI Electrónico, 7 March 2006, http://www.internautas.org/privacidad/html/3517.html. Kriptopólis, Pasaporte hacia la Inseguridad, 19 November 2006 http://www.kriptopolis.org/pasaporte-hacia-la-inseguridad.