The Spanish Experience of Enforcing Privacy Norms: Two Decades of Evolution from Sticks to Carrots

  • Chapter

Part of the book series: Law, Governance and Technology Series (ISDP, volume 25)

Abstract

The Spanish Data Protection Authority (in Spanish, the Agencia Española de Protección de Datos or AEPD) has traditionally been considered one of the best examples of a supervisory authority effectively enforcing national data protection legislation. Since the adoption of the first data protection law in Spain in 1992 until very recently, the volume of investigations, sanctions and fines imposed by the AEPD has grown progressively to around 25 million euro annually, which is substantially beyond that of its counterparts in other European Union Member States collectively. However, the reform of the Spanish law on data protection in 2011 demonstrates a significant change in the Spanish strategy, which now seeks to reduce the previous reactive strategy and to focus on new, proactive instruments that encourage compliance but avoid sanctions and fines.

Notes

  1.

    The AEPD has received numerous invitations to explain its enforcement experience. See, for example, the papers presented by the author: “The role of the Spanish DPA in safeguarding privacy and its influence in the wider world”, 21st Annual International Conference, St. John’s College, Cambridge, 9 July 2008; “Sanction mechanisms against any breach of data protection rules”, VIII Data Protection Latin American Meeting, Mexico City, 29–30 September 2010; “Auditing and enforcement at the Spanish DPA”, Conference on Cross-Border Data Flow & Privacy, Washington, DC, 15 October 2007; “The AEPD, independent authority for the protection of personal data”, Journée d’études sur le droit à protection des données au Maroc et en Espagne, University of Rabat, 2010; “What is in the National and International Data Protection Agenda?”, presentation at the Computers, Privacy & Data Protection conference, Brussels, 25–27 January 2011, published in Serge Gutwirth, Ronald Leenes, Paul De Hert and Yves Poullet (eds.), European Data Protection: in good health?, Springer, Dordrecht, 2012; “What’s on the regulatory agenda: hear from the regulators”, 32nd International Conference of Data Protection and Privacy Commissioners, Jerusalem, 2010.

  2.

    The best example is the resolution of the AEPD 2892/2013, which imposed a fine on Google of €900,000 in a case involving the unification of its privacy policies in 2012. Identical facts drove the French data protection authority (Commission nationale de l’informatique et des libertés, CNIL) to impose a €150,000 fine on Google on 8 January 2014. Then European Justice Commissioner Viviane Reding described both fines as “pocket money” for Google. See Reding, Viviane, “The EU Data protection reform: helping businesses thrive in the digital economy”, 19 January 2014. http://europa.eu/rapid/press-release_SPEECH-14-37_en.htm

  3.

    LORTAD = Ley Orgánica 5/1992, de 29 de octubre, de Regulación del Tratamiento Automatizado de los Datos de Carácter Personal.

  4.

    Calvo Rojas, Eduardo, “El régimen sancionador de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal. El principio de proporcionalidad”, La potestad sancionadora de la Agencia Española de Protección de Datos, Cizur Menor (Navarra), AEPD-Aranzadi, 2008, pp. 20–21.

  5.

    The Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal (LOPD, the Data Protection Law 15/1999) superseded the LORTAD.

  6.

    For a detailed description of this procedure, see López Calvo, J., “Actividad inspectora y procedimiento administrativo sancionador en materia de protección de datos personales”, La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 253–267.

  7.

    On the difficulty of managing the growing flood of claims and complaints to the AEPD, see Rallo, Artemi, “Strengths and weaknesses of enforcement: the Spanish case”, London Initiative Workshop: “selective to be effective”, London, 13 Dec 2007.

  8.

    However, in favour of the AEPD adopting a “selective” approach are E. Espín Templado (referencing the Public Prosecutor’s Office), J. Tornos Mas (pointing to the limited resources of the AEPD) and A. Huergo Lora in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 132, 135 and 158.

  9.

    “Filed” means the AEPD closed the case because it lacked evidence or did not merit an investigation.

  10.

    Rebollo Puig, Manuel, La potestad sancionadora de la Agencia Española de Protección de Datos (AAVV), Cizur Menor (Navarra), AEPD-Aranzadi, 2008, p. 105.

  11.

    The AEPD uses these criteria to “modulate” fines; in other words, the level of fines depends on the circumstances of each case.

  12.

    High Court Judgments of 7 March 2006 and 17 April 2007. The High Court Judge E. Espín Templado wrote in favour of this restrictive application in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 131.

  13.

    Related cases highlighting various examples of the application of section 45.5 LOPD can be found in the AEPD Annual Reports from 2007 to 2010 (www.agpd.es).

  14.

    In fact, as J.M. Fernández López and J. Tornos Mas explain, one phenomenon resulting from the severity of the sanctions regime has been a pathology of blackmail, in which LOPD infringers face demands for economic compensation in exchange for avoiding complaints to the AEPD. See La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 90, 91 and 137.

  15.

    A recurrent question about the applicability of this downgrading clause was whether this “guilt qualified reduction” could be applied to subsequent infringing behaviour. In favour, M. Rebollo Puig recalls the existence of the criminal mitigating circumstance of spontaneous remorse. See La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 117.

  16.

    As J.M. Fernández López, former AEPD Director, recalls in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 90.

  17.

    As shown in the Landwell Report on proposed amendment to the LOPD drawn up at the behest of the Spanish Federation of E-commerce and Direct Marketing (FECEM) in March 2007. See also the speech of L. Llairó Canal, representative of FECEM, in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 123–126.

  18.

    J. Jané Guash, Convergència i Unió parliamentary spokesman in the Congreso de los Diputados, set out his party’s position, which is outlined in La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 120, 230–232.

  19.

    The Catalan Parliamentary Group justified this reduction by comparing it to figures from other European countries: in Spain, an unlawful transfer of data for advertising could reach from €300,001 to €600,000 (although mitigating circumstances could reduce this range to €60.001–€300.000). In Germany, a similar offence could be penalised at a maximum of €50,000; in France, it would only be sanctioned if it failed to fulfil the warning in writing from the CNIL with a fine exceeding €60,000 – because a first breach is only fined up to €150,000; in the Netherlands, to €4,537; in Belgium, a fine not exceeding €100,000; in Portugal, €9,975; in Italy, between €10,000 and €60,000. See Boletín Oficial de las Cortes Generales, Congreso de los Diputados, A, No. 60–14, 11/10/2010, pp. 364–367.

  20.

    The qualified opinion of the High Court judge, E. Calvo Rojas, claimed that “the risk of sanction is not as dissuasive as it should be… the amount of fines, while not negligible, does not guarantee that it will be entirely neutralized by the illegal profit… particularly relevant in the data protection field is the black figure of unpunished infringements”. See “El régimen sancionador de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal: El principio de proporcionalidad”, op. cit., p. 30.

  21.

    J. Tornos Más had already advanced a range of cases for the application of this downgrading clause – partially coincident with AEPD – for their inclusion in the Spanish Data Protection Regulation. See “Potestad sancionadora de la Agencia Española de Protección de Datos y principio de proporcionalidad”, La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, pp. 49–50.

  22.

    Casino Rubio, M., La potestad sancionadora de la Agencia Española de Protección de Datos, AEPD-Aranzadi, Cizur Menor (Navarra), 2008, p. 87.

  23.

    Section 45 of the French Act 1978-17 on Computing and Freedoms, last amended by Act 2011-334, includes the following sanctioning mechanism: “1. La formation restreinte de la Commission nationale de l’informatique et des libertés peut prononcer, après une procédure contradictoire, un avertissement à l’égard du responsable d’un traitement qui ne respecte pas les obligations découlant de la présente loi. Cet avertissement a le caractère d’une sanction.”

  24.

    The new EU Data Protection Regulation points out in its sanction regime that “in case of a first breach, a written warning may be sent and it shall not impose any sanction, if: (a) a physical person carries out the processing of personal data without commercial interest, (b) or a company or organization employing less than 250 workers processes personal data only as ancillary activity of its main activity.”

  25.

    AEPD, Memoria Anual, 2011 and 2012. www.agpd.es

  26.

    AEPD, Memoria Anual, 2011, p. 23.

  27.

    Diario de Sesiones del Congreso de los Diputados, Committees, 2004, No. 154, p. 28.

  28.

    For an introductory analysis, see Gómez-Juarez Sidera, “Estudio del régimen sancionador de la LOPD”, Revista Española de Protección de Datos, No. 4, January-June, 2008, pp. 159–173.

References

  • Agencia Española de la Protección de Datos (AEPD), Memoria Anual, 2012. www.agpd.es

  • Calvo Rojas, Eduardo, “El régimen sancionador de la Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal. El principio de proporcionalidad”, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008, pp. 20–21.

  • Casino Rubio, M., in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.

  • Congreso de los Diputados, Boletín Oficial de las Cortes Generales, A, No. 60–14, 11/10/2010, pp. 364–367.

  • Espín Templado, E., in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.

  • Fernández López, J.M., and J. Tornos Mas, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.

  • Gómez-Juarez Sidera, “Estudio del régimen sancionador de la LOPD”, Revista Española de Protección de Datos, No. 4, January-June 2008, pp. 159–173.

  • Gutwirth, Serge, Ronald Leenes, Paul De Hert and Yves Poullet (eds.), European Data Protection: in good health?, Springer, Dordrecht, 2012.

  • López Calvo, J., “Actividad inspectora y procedimiento administrativo sancionador en materia de protección de datos personales”, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008, pp. 253–267.

  • Rallo, Artemi A., “Strengths and weaknesses of enforcement: the Spanish case”, London Initiative Workshop: “Selective to be effective”, London, 13 Dec 2007.

  • Rallo, Artemi A., “Data Protection in Europe: the Spanish Data Protection Agency”, Georgetown University Law Center, Washington, DC, April 2010, pp. 10–12.

  • Rallo, Artemi A., “Development of the Agency’s audit and sanctions policy in Spain: Trends regarding investigations, fines and other sanctions”, 23rd Annual International Privacy Laws and Business Conference, St. John’s College, Cambridge, 5–7 July 2010.

  • Rebollo Puig, Manuel, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos (AAVV), Aranzadi, Cizur Menor (Navarra), 2008.

  • Reding, Viviane, “The EU Data protection reform: helping businesses thrive in the digital economy”, 19 January 2014. http://europa.eu/rapid/press-release_SPEECH-14-37_en.htm

  • Tornos Más, J., “Potestad sancionadora de la Agencia Española de Protección de Datos y principio de proporcionalidad”, in AEPD (ed.), La potestad sancionadora de la Agencia Española de Protección de Datos, Aranzadi, Cizur Menor (Navarra), 2008.

Correspondence to Artemio Rallo Lombarte.

Copyright information

© 2016 Springer International Publishing Switzerland

About this chapter

Cite this chapter

Lombarte, A.R. (2016). The Spanish Experience of Enforcing Privacy Norms: Two Decades of Evolution from Sticks to Carrots. In: Wright, D., De Hert, P. (eds) Enforcing Privacy. Law, Governance and Technology Series, vol 25. Springer, Cham. https://doi.org/10.1007/978-3-319-25047-2_6

  • DOI: https://doi.org/10.1007/978-3-319-25047-2_6

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-25045-8

  • Online ISBN: 978-3-319-25047-2

  • eBook Packages: Law and Criminology (R0)
