Abstract
The Spanish Data Protection Authority (in Spanish, the Agencía española de protección de datos or AEPD) has traditionally been considered as one of the best examples of a supervisory authority effectively enforcing national data protection legislation. Since the adoption of the first data protection law in Spain in 1992 until very recently, the volume of investigations, sanctions and fines imposed by the AEPD has grown progressively to around 25 million euro annually, which is substantially beyond that of its counterparts in other European Union Member States collectively. However, the reform of the Spanish law on data protection in 2011 demonstrates a significant change in the Spanish strategy, which now seeks to reduce the previous reactive strategy and to focus on new, proactive instruments that encourage compliance but avoid sanctions and fines.
This is a preview of subscription content, log in via an institution.
Buying options
Tax calculation will be finalised at checkout
Purchases are for personal use only
Learn about institutional subscriptionsNotes
- 1.
The AEPD has received numerous invitations to explain its enforcement experience. See, for example, the papers presented by the author: “The role of the Spanish DPA in safeguarding privacy and its influence in the wider world”, 21st Annual International Conference, St. John’s College, Cambridge, 9 July 2008; “Sanction mechanisms against any breach of data protection rules”, VIII Data Protection Latin American Meeting, Mexico City, 29–30 September 2010; “Audit ing and enforcement at the Spanish DPA”, Conference on Cross-Border Data Flow & Privacy, Washington, DC, 15 October 2007; “The AEPD, independent authority for the protection of personal data ”, Journée d’ études sur le droit à protection des données au Maroc et en Espagne”, University of Rabat, 2010; “What is in the National and International Data Protection Agenda?”, presentation at the Computers, Privacy & Data Protection conference, Brussels, 25–27 January 2011, published in Serge Gutwirth, Ronald Leenes, Paul De Hert and Yves Poullet (eds.), European Data Protection: in good health?, Springer, Dordrecht, 2012; “What’s on the regulatory agenda: hear from the regulators”, 32nd International Conference of Data Protection and Privacy Commissioners, Jerusalem, 2010.
- 2.
The best example is the resolution of the AEPD 2892/2013, which imposed a fine on Google of €900,000 in a case involving the unification of its privacy policies in 2012. Identical facts drove the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) to impose a €150,000 fine on Google on 8 January 2014. Then European Justice Commissioner Viviane Reding described both fines as “pocket money” for Google. See Reding, Viviane, “The EU Data protection reform: helping businesses thrive in the digital economy”, 19 January 2014. http://europa.eu/rapid/press-release_SPEECH-14-37_en.htm
- 3.
LORTAD = Ley Orgánica 5/1992, de 29 de octubre, de Regulación del Tratamiento Automatizado de los Datos de Carácter Personal.
- 4.
Calvo Rojas, Eduardo, “El régimen sancionador de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal. El principio de proporcionalidad”, La potestad sancionadora de la Agencia Española de Protección de Datos, Cizur Menor (Navarra), AEPD-Aranzadi, 2008, pp. 20–21.
- 5.
The Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal ( LOPD, the Data Protection Law 15/1999) superseded the LORTAD .
- 6.
For a detailed description of this procedure, see López Calvo, J., “Actividad inspectora y procedimiento administrativo sancionador en materia de protección de datos personales”, La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 253–267.
- 7.
On the difficulty of managing the growing flood of claims and complaints to the AEPD, see Rallo, Artemi, “Strengths and weaknesses of enforcement: the Spanish case”, London Initiative Workshop: “selective to be effective”, London, 13 Dec 2007.
- 8.
However, in favour of the AEPD adopting a “selective” approach are E. Espín Templado (referencing the Public Prosecutor’s Office), J. Tornos Mas (pointing to the limited resources of the AEPD) and A. Huergo Lora in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 132, 135 and 158.
- 9.
“filed” means the AEPD closed the case because it lacked evidence or did not merit an investigation .
- 10.
Rebollo Puig, Manuel, La potestad sancionadora de la Agencia Española de Protección de Datos (AAVV), Cizur Menor (Navarra), AEPD-Aranzadi, 2008, p. 105.
- 11.
The AEPD uses these criteria to “modulate” fines; in other words, the level of fines depends on the circumstances of each case.
- 12.
High Court Judgments of 7 March 2006 and 17 April 2007. The High Court Judge E. Espín Templado wrote in favour of this restrictive application in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 131.
- 13.
Related cases highlighting various examples of the application of section 45.5 LOPD can be found in the AEPD Annual Reports from 2007 to 2010 (www.agpd.es).
- 14.
In fact, as J.M. Fernández López and J. Tornos Mas explain, a phenomenon resulting from the severity of the sanctions regime has been the blackmail pathology to the LOPD infringer demanding economic compensation to avoid complaints in the AEPD, La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 90, 91 and 137.
- 15.
A recurrent question about the applicability of this downgrading clause was if this “guilt qualified reduction” could be applied to subsequent infringement behaviour. In favour, M. Rebollo Puig recalls the existence of the criminal mitigation circumstance of spontaneous remorse. See La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 117.
- 16.
As J.M. Fernández Lopez, former AEPD Director, remembers in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 90.
- 17.
As shown in the Landwell Report on proposed amendment to the LOPD drawn up at the behest of the Spanish Federation of E-commerce and Direct Marketing (FECEM) in March 2007. See also the speech of L. Llairó Canal, representative of FECEM, in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 123–126.
- 18.
J. Jané Guash, Convergència i Unió parliamentary spokesman in the Congreso de los Diputados, set out his party’s position, which is outlined in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 120, 230–232.
- 19.
The Catalan Parliamentary Group justified this reduction by comparing it to figures from other European countries: in Spain , an unlawful transfer of data for advertising could reach from €300,001 to €600,000 (although mitigating circumstances could reduce this range to €60.001–€300.000). In Germany , a similar offence could be penalised at a maximum of €50,000; in France, it would only be sanctioned if it failed to fulfil the warning in writing from the CNIL with a fine exceeding €60,000 – because a first breach is only fined up to €150,000; in the Netherlands, to €4,537; in Belgium, a fine not exceeding €100,000; in Portugal, €9,975; in Italy, between €10,000 and €60,000. See Boletín Oficial de las Cortes Generales, Congreso de los Diputados, A, No. 60–14, 11/10/2010, pp. 364–367.
- 20.
The qualified opinion of the High Court judge, E. Calvo Rojas, claimed that “the risk of sanction is not as dissuasive as it should be… the amount of fines, while not negligible, does not guarantee that it will be entirely neutralized by the illegal profit… particularly relevant in the data protection field is the black figure of unpunished infringements”. See “El régimen sancionador de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal: El principio de proporcionalidad”, op. cit., p. 30.
- 21.
J. Tornos Más had already advanced a range of cases for the application of this downgrading clause – partially coincident with AEPD – for their inclusion in the Spanish Data Protection Regulation . See “Potestad sancionadora de la Agencia Española de Protección de Datos y principio de proporcionalidad”, La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 49–50.
- 22.
Casino Rubio, M., La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 87.
- 23.
Section 45 of the French Act 1978-17 on Computing and Freedoms, last amended by Act 2011-334, includes the following sanctioning mechanism: “1. La formation restreinte de la Commission nationale de l’informatique et des libertés peut prononcer, après une procédure contradictoire, un avertissement à l’égard du responsable d’un traitement qui ne respecte pas les obligations découlant de la présente loi. Cet avertissement a le caractère d’une sanction.”
- 24.
The new EU Data Protection Regulation points out in its sanction regime that “in case of a first breach , a written warning may be sent and it shall not impose any sanction, if: (a) a physical person carries out the processing of personal data without commercial interest, (b) or a company or organization employing less than 250 workers processes personal data only as ancillary activity of its main activity.”
- 25.
AEPD, Memoria Anual, 2011 and 2012. www.agpd.es
- 26.
AEPD, Memoria Anual, 2011, p. 23.
- 27.
Diario de Sesiones del Congreso de los Diputados, Committees, 2004, No. 154, p. 28.
- 28.
For an introductory analysis, see Gómez-Juarez Sidera, “Estudio del régimen sancionador de la LOPD”, Revista Española de Protección de Datos, No. 4, January-June, 2008, pp. 159–173.
References
Agencia Española de la Protección de Datos (AEPD), Memoria Anual, 2012. www.agpd.es
Calvo Rojas, Eduardo, “El régimen sancionador de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal. El principio de proporcionalidad”, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008, pp. 20–21.
Casino Rubio, M., in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.
Congreso de los Diputados, Boletín Oficial de las Cortes Generales, A, No. 60–14, 11/10/2010, pp. 364–367.
Espín Templado, E., in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.
Fernández López, J.M., and J. Tornos Mas, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.
Gómez-Juarez Sidera, “Estudio del régimen sancionador de la LOPD”, Revista Española de Protección de Datos, No. 4, January-June 2008, pp. 159–173.
Gutwirth, Serge, Ronald Leenes, Paul De Hert and Yves Poullet (eds.), European Data Protection: in good health?, Springer, Dordrecht, 2012.
López Calvo, J., “Actividad inspectora y procedimiento administrativo sancionador en materia de protección de datos personales”, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008, pp. 253–267.
Rallo, Artemi A., “Strengths and weaknesses of enforcement: the Spanish case”, London Initiative Workshop: “Selective to be effective”, London, 13 Dec 2007.
Rallo, Artemi A., “Data Protection in Europe: the Spanish Data Protection Agency”, Georgetown University Law Center, Washington, DC, April 2010, pp. 10–12.
Rallo, Artemi A., “Development of the Agency’s audit and sanctions policy in Spain: Trends regarding investigations, fines and other sanctions”, 23rd Annual International Privacy Laws and Business Conference, St. John’s College, Cambridge, 5–7 July 2010.
Rebollo Puig, Manuel, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos (AAVV), Aranzadi, Cizur Menor (Navarra), 2008.
Reding, Viviane, “The EU Data protection reform: helping businesses thrive in the digital economy”, 19 January 2014. http://europa.eu/rapid/press-release_SPEECH-14-37_en.htm
Tornos Más, J., “Potestad sancionadora de la Agencia Española de Protección de Datos y principio de proporcionalidad”, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2016 Springer International Publishing Switzerland
About this chapter
Cite this chapter
Lombarte, A.R. (2016). The Spanish Experience of Enforcing Privacy Norms: Two Decades of Evolution from Sticks to Carrots. In: Wright, D., De Hert, P. (eds) Enforcing Privacy. Law, Governance and Technology Series(), vol 25. Springer, Cham. https://doi.org/10.1007/978-3-319-25047-2_6
Download citation
DOI: https://doi.org/10.1007/978-3-319-25047-2_6
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-25045-8
Online ISBN: 978-3-319-25047-2
eBook Packages: Law and CriminologyLaw and Criminology (R0)