Data Retention by ISPs
In Spain, data retention and the protection of the online privacy of citizens are synonymous. That
is reflected by the fact that, among EU countries, Spain has some of the strictest legislation on
personal data protection. Data privacy for Spaniards is protected by the 1978 Spanish Constitution
which provides for the protection of both personal and family privacy. The law clearly sets
limitations on the use of information technology in order to guarantee the personal and family
privacy of individuals and the full exercise of said rights.
Spain enacted Law 25/2007 in 2007 on the Retention of Data Generated or Processed in Connection with
Electronic or Public Communications Networks. Known colloquially as ‘LOPDP’, this 2007 Act applies
to personal data stored in a physical medium susceptible of being processed and the use of such data
in the public or private sectors. The Act is always applicable whenever, (a) the data controller
carries out their activities in Spain; (b) the person responsible for the data processing is not
located in Spain but is subject to Spanish law under international law; or (c) the person is not
established in the EU but is using processing means located in Spain, unless such means are used
only for transit. The Law also sets restrictions as to what competent authorities can access the
data transferred. These authorities may only include members of the security forces, customs
authority agents, and the National Centre of Intelligence staff who perform judicial police duties.
Data protection law does not apply to: (i) data files maintained by natural persons exclusively for
personal or domestic activities; (ii) data files subject to the protection of classified matters or;
(iii) data files created to investigate terrorism and serious organised crime. However, data
designated as “sensitive data” is protected, and includes data relating to ideology, trade union
membership, religion and beliefs, as well as racial origin, health and sex life. As a rule, this
data can only be processed on general interest grounds established by law, or with the data
subject's express consent.
Interestingly, the 2007 Act also set up a national data protection agency, the Agencia Española de
Protección de Datos (AEPD), which is an enforcement agency with the authority to hear complaints on
personal data protection matters and has imposed huge fines on those deemed to have infringed data
protection rights. Spain also passed Royal Decree 13/2012 (known as the Act on the Information
Society Services and e-Commerce or 'LSSI, which regulates the use of ‘cookies’ by websites and
service providers., The Decree aims to ensure that users are safeguarded with proper information and
appropriate tools to protect their privacy with regard to cookies.
It is very important to note the pivotal case of Google v Spain, as heard in 2012 at the European
Court of Justice (ECJ). An action was brought against Google by a Spanish citizen, Mario Costeja
González, who filed a complaint with the AEPD, the Spanish data protection agency. He claimed that
his right to privacy had been violated by Google’s search engine making notice of his bankruptcy
easily accessible and, thus, public. He requested Google remove his details from their searches,
which Google refused. The ECJ ruled that European citizens have a right to request that commercial
search firms, such as Google, should remove links to private information when asked by the relevant
person. The ECJ found that the fundamental right to privacy is greater than the economic interest of
a commercial firm. The Court also made clear that it is not necessary to find that searches cause
prejudice or loss to the data subject. The ‘right to be forgotten’ case was seen as a major blow to
corporations that deal in mining personal data and a victory for personal privacy.
Digital Copyright Laws
The main Spanish legislation is the Copyright Act (CA) of 1996, and as reformed by Law No. 21 of
2014. A copyright owner can file a lawsuit on copyright matters before a commercial court. Article
32.2 of the Act specifically addresses digital use such as the limitation on an author’s economic
rights (known as the ‘Google tax’ as inspired by the Google v Spain case, as above). One does not
need to register a work for it to be copyrighted in Spain.
Freedom of Speech and Censorship
Unfortunately, owing to its recent history of dictatorship, as well as many years of domestic
terrorism in the form of ETA, Spain has very draconian laws that impede freedom of speech. The
country has been known to send people who supposedly ‘supported’ terrorists on Twitter to jail.
Freedom of speech is an issue in Spain, since censorship, especially of the political or national
security ilk, is clearly permissible and aggressively pursued by courts.
Spain seems to have a schizophrenic relationship with digital freedoms – on the one hand, it has
some of the fiercest protections for online privacy in the EU. On the other hand, its laws regarding
freedom of speech are draconian and foster censorship. Spain owes itself defending the former and a
clear repudiation and reform of the latter.
Spain – a country that ably defends its citizens’ right to online privacy, yet allows censorship of certain political views. The latter only diminishes the former.
Interested in other countries? See our Comparison of Internet Privacy Laws