Home | Databases | WorldLII | Search | Feedback Privacy Laws and Business International Report

Spain's new law has several deficiences [2000] PLBIRp 14; (2000) 53 Privacy Laws and Business International Report 9

Spain's new data law has several deficiencies

A report by Javier Fernández-Samaniego

SPAIN'S NEW DATA PROTECTION LAW entered into force on 14th January after a long Parliamentary debate. The new law does not solve all the problems posed by the 1992 Act, and implements the EU Data Protection Directive inadequately, writes Javier Fernández-Samaniego.

On 14th January 2000, Organic Law 15/1999 of 13th December on Personal Data Protection (hereinafter the LOPD) entered into force in Spain, repealing Organic Law 5/1992, of 29 October, which governed the automated processing of personal data (known as the LORTAD).

The passing of this new law has again given rise to debate in Spain about the proper balance between the protection of the privacy of citizens and the legitimate interests of all those who require personal data in order to engage in their activities in the new "e-conomy". Unfortunately, since it does not seem that Spain's new law is going to ensure the balance of the interests involved required by Directive 95/46/EC, in our opinion, a valuable opportunity to improve and rectify the deficiencies in the LORTAD of 1992 has been missed.

WHY A NEW LAW INSTEAD OF AN AMENDMENT TO THE 1992 ACT?

The parliamentary progress of the new law has been a highly questionable legal soap opera. It started in August 1998, when the Government submitted to Parliament a draft law amending the LORTAD in which, after acknowledging that the LORTAD largely complied with the requirements of Directive 95/46/EC, certain amendments were proposed. However, faced with 114 amendments proposed to the initial draft, the members of the Lower House entrusted with the task of drawing up the report on the draft law, decided to propose a completely new text repealing the previous law. After a lengthy controversial parliamentary procedure, the Lower House approved the wording of the new law at the end of November 1999.

The new law contains no Preamble explaining the reasons for its enactment, although the LORTAD had been passed only seven years earlier. It does not even bother to mention Directive 95/46/EC (as required by Art. 32.1 of the Directive), the implementation of which is the "rationale" for the enactment of this legislation.

The reason for the enactment of the new law is certainly not the implementation of the requirements of the Directive. The new law reflects the "trauma" caused by the application of the LORTAD of 1992 and an - unfortunately unsuccessful - attempt to solve all the problems caused by that law. In this sense the new law is the result of the lobbying by all of the business sectors affected by the 1992 law (marketing firms, credit bureaus, financial and insurance institutions), of the peculiar features of the Spanish system of regional government and, finally, of the Parliamentary agreements required by a Government, which did not then have the majority in the Houses of Parliament to pass this law.

Unfortunately, having analysed the provisions of the new law, we do not believe that the difficulties posed by the 1992 law will be overcome. However, we move on to specify below the aspects of the new law, which will probably be of most interest to readers.

SCOPE OF THE LAW WIDER THAN BEFORE

The scope of the new law is extended to all data files, whether or not computerised. Like Art. 32.2 of the Directive, the First Additional Provision of the LOPD establishes a 12-month period within which manual files and processing must be brought into conformity with the requirements of the new law.

Art. 2.1 defines more clearly the territorial scope of the law by establishing, for example, that the Spanish law will regulate processing where "the controller not established in Spanish territory is subject to Spanish legislation by virtue of the rules of Public International Law" and where "the controller is not established in the territory of the European Union and uses for the purpose of processing data equipment situated in Spanish territory, unless such equipment is used only for purposes of transit."

THE LAW INTRODUCES THE CONCEPT OF THE "PROCESSOR"

Although the 1992 law contained the concept of the "controller", the new law introduces the concept of the "processor" which is defined in the same way as in Art. 2.e) of Directive 95/46/EC. It should be borne in mind that the "processor" must adopt the security measures, which may be required of him and may be held liable and penalised by the Data Protection Agency. Up to now, penalties could only be imposed on "controllers".

NEW DEFINITION OF "SOURCES ACCESSIBLE TO THE PUBLIC"

In the Spanish system one of the exceptions to the general principle of "consent" required for the processing of data is the situation where the data appears in sources accessible to the public.

In contrast to the definition of sources accessible to the public, which existed in Spain in the form of an unrestricted list of examples, the new Law limits "sources accessible to the public" exclusively to the "promotional census", to which we refer later, telephone directories, lists of registered professionals, official journals and gazettes, and the media.

The fact that, under the new law, the sources accessible to the public will become a closed category will pose considerable problems. This applies especially to companies in the marketing and advertising sectors, which, in order to carry on their activities, must use data appearing in sources accessible to the public, or data furnished by the data subjects themselves, or data obtained with their consent.

PRINCIPLES OF DATA PROTECTION

Part II of the Spanish law (Articles 4 to 12) is devoted to the so-called "principles of data protection." The following are the most notable changes introduced by this part of the law.

1. The new law, more in keeping with the provisions of Art. 6.1.b) of the Directive, provides that data processed may not be used for purposes "incompatible" (the 1992 law referred to "different" purposes) with those for which the data had been collected. We are sure that this change in the "principle of purpose" will solve many practical problems which have arisen up to now.

2. Art. 5.4 of the LOPD regulates in the same way as Art. 11 of the Directive the right to information where the data was not obtained from the data subject.

3. The "right to object" regulated by Article 14 of the Directive is included in the Spanish legislation in a rather inadequate manner, since a separate article is not devoted to it, but it is included in the article regulating the "principle of consent" and the exceptions to this principle.

4. Article 7 of the LOPD, unlike the 1992 Law, includes among the socalled "specifically protected data" that relating to trade union membership, thus complying with the provisions of Article 8 of the Directive.

5. Finally, a new Article 12 (access to data on behalf of third parties) is introduced. The predecessor of this article was Art. 27 of the 1992 law. The new Article 12 is based on Articles 17.3 and 17.4 of the Directive, according to which access to the data of a third party, where such access is necessary for the provision of a service for the controller, is not considered a disclosure of data. This article will solve many problems raised by the provision of outsourcing services.

Despite the considerable criticism attracted by the different rules existing for public and private files under the LORTAD (for which no justification is to be found in the Directive), the new law continues to maintain this distinction which, among other things, gives rise to a different and, in our opinion unjustified, system of penalties: infringements committed by the controllers of public files are not necessarily punished by fines.

INTERNATIONAL TRANSFERS OF DATA

The new law, like the 1992 law, states that in order to carry out a temporary or final transfer of data to countries which do not provide a level of protection comparable to that provided by the Spanish law, the requirements imposed by the law must be observed, and prior "authorisation" of the Director of the Data Protection Agency must also be obtained.

However, unlike the 1992 law, Articles 33 and 34 of the LOPD improve the regulation of international transfers of data and implement the rules established by Articles 25 and 26 of the Directive.

Unlike the obscure rules which existed in relation to transfers of data to other countries of the European Union, the new Art. 34 k) rightly provides that it is not necessary to obtain the prior authorisation of the Director of the Data Protection Agency "where the transfer is made to a Member State of the European Union, or to a State declared by the Commission of the European Communities, pursuant to its powers, as ensuring an adequate level of protection."

In the light of the provisions of the Directive and of the rules of the Treaty of Rome, it is clear that a transfer of data between Madrid and Barcelona must be treated in the same way as a transfer of data between Madrid and London. Therefore, the only preventive measure to be adopted before engaging in this type of operations between countries of the European Union will be the observance of the general rules on "communication or disclosure of data" established by Article 11 of the LOPD.

The problem continues to arise with international transfers of data to the United States, which at present does not provide a level of protection comparable to that existing in Spain. In fact, most of the applications for prior authorisation of international transfers of data considered by the Data Protection Agency have related to transfers of data to the USA.

THE DATA PROTECTION AGENCY

The Spanish supervisory authority (Art. 28 of the Directive) is the Data Protection Agency, which was established by the 1992 law. It is an institution enjoying full independence of the Public Administration, and acts as controller and supervisor of the application of the law and has powers to investigate and impose penalties. The Agency is managed and represented by a Director, who has extensive powers.

It would have been desirable, as demanded by various groups, for the new law to have taken the opportunity to make the Data Protection Agency a collective body (similar, for example, to that of the Spanish Competition Court, which is formed by a Chairman and eight Members). This would have ended the concentration of power in the hands of a single person, the Director.

This is one example of a missed opportunity in terms of the new law. New decision-making models requiring opinions of other persons could have been adopted.

INFRINGEMENTS AND PENALTIES

This is another of the aspects of the new law where advantage was not taken of the opportunity to rectify the errors contained in the LORTAD of 1992. The new law introduces certain amendments such as the application of the system of liability not only to controllers but also to processors. Another improvement is the more effective classification of certain infringements.

However, we consider that this is another example of a "missed opportunity" in the new law, since it maintains the system of totally disproportionate and excessive fines. Minor infringements are still punished by fines of between 100,000 and 10,000,000 pesetas (601 to 60,100 euros), serious infringements by fines of between 10,000,000 and 50,000,000 pesetas (60,100 to 300,500 euros) and very serious infringements by fines of between 50,000,000 and 100,000,000 pesetas (300,500 to 601 000 euros).

The disproportionate amount of these fines makes Spain the country with the most stringent system of penalties in the entire European Union and, in our opinion, places Spanish companies at an unfair disadvantage compared with their European competitors. In fact, such excessive fines are contrary to the spirit of the Directive, which lists among its objectives the elimination of barriers to intra-Community business activities.

OTHER CHANGES IN THE NEW LAW

Finally, we wish to mention another of the major changes made by the law, namely the creation by Article 31 of the so-called "promotional census". The "promotional census", the result of lobbying by the marketing and advertising sector, will be drawn up and commercialised by the National Statistics Institute. It will contain data appearing in the electoral register, namely the names, surnames and addresses of citizens who do not object to being included in this promotional census.

With the creation of the new "promotional census," marketing firms can engage in their lawful activities, and citizens who do not wish to appear in this census can opt-out. The promotional census will resolve the contradiction between the Spanish Retail Trade Law and the Electoral Law. The former considered names, surnames and addresses appearing in the electoral register to be "public" data that could be used by marketing firms without having to seek citizens' consent. However, the Electoral Law considered such data to be confidential. Up to now, the Data Protection Agency had adopted the view that penalties were to be imposed on marketing firms, which used such data drawn from the electoral register.

Another noteworthy change is the amendment of the Private Insurance Law included in the Sixth Additional Provision of the LOPD, whereby, among other things, insurance companies may establish common files for the purpose of preventing insurance fraud without the consent of data subjects.

CONCLUSIONS

As mentioned at the beginning of this report, in order to incorporate the requirements of Directive 95/46/EC into Spanish law, it would have been sufficient to amend the LORTAD of 1992. The decision to enact a new law was adopted for the purpose of overcoming all the problems, which had been caused by the application of the LORTAD. This, however, has not been achieved by the new LOPD.

Among other matters, the new Spanish LOPD has wasted the opportunity to eliminate the unjustified distinction between the legal rules governing public and private files (not envisaged in the Directive). It has also failed to reform the Data Protection Agency into a collective body, thus avoiding the concentration of power in the hands of the Director. Lastly, it has failed to amend the disproportionate amount of the fines for infringements of the law, which are the highest in the European Union (reaching up to 100,000,000 pesetas or 601,000 euros).

We hope that the Data Protection Agency is able to make up for the technical deficiencies in this new law in order to achieve the balance between the interests involved required by Directive 95/46/EC.

© Javier Fernández-Samaniego

Javier Fernández-Samaniego is Associate Lawyer with a Spanish law firm,

Cuatrecasas Abogados,

Velázquez 63, 28001 Madrid, Spain.

E-mail: javier_fdezsam@

cuatrecasas.com, Internet:

http://www.cuatrecasas.com

Tel: + 34 91 5247136

Fax: + 34 91 5247163