Vilas Au 0904
Article
Mònica Vilasau
September 2004
Abstract
This article is designed as an introduction to the regulatory framework for data protection in force under Spanish law. The analysis centres mainly on Organic Law 15/1999, which replaced the previous law of 1992 in order to adhere to Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. The current Organic Law develops article 18.4 CE and seeks to guarantee people's right to privacy and informational self-determination against the many forms of intrusion that information and communication technologies make possible. In line with the Directive, principles are established for data protection and for the processing involved in the use of personal data. The starting point is the consent of the individual concerned, a consent which, in the case of sensitive data, has to be reinforced. However, despite the wide-ranging protection that the regulations seem to offer, a range of exceptions to this general principle of consent can be found. As regards the creation of files, Spanish regulations distinguish between publicly and privately owned files, providing virtual impunity for the former, given that the sanctions are practically non-existent. Finally, reference is made to the rights of the interested or affected party, concluding with an introduction to the international movement of data.
Keywords
data protection, privacy, consent, public accessible sources, files
Introduction
New technologies, new threats to the right to privacy
Every time we surf the net, buy a book, visit a web page or consult our accounts through on-line banks, we leave a trail:[1] we leave data such as our name, address, account number or our preferences. Much of this data is not exactly secret. So where is the danger in giving it? The danger lies in the sophistication of information and communication technology, and in the possibilities of storing, controlling, cross-referencing and exchanging data which on its own may seem irrelevant. It also lies in the availability of powerful search engines. Often, moreover, the subject does not know what data is in a third party's possession, or what use and transmission is being made of it. This ease in obtaining and cross-referencing data is of great benefit to both businesses and government. Companies are very interested in knowing the preferences of potential consumers when it comes to sending them specific marketing, and a bank will wish to know whether a person offers enough guarantees for a loan to be approved. Public authorities, for their part, are also interested in having the maximum amount of information on citizens, in order to fight crime and terrorism or to prevent fraud.
* Updated version of the article previously published in [2003] CTLR, volume 9, issue no. 7. Translated from the original Catalan by Katy Reay. The author would like to thank Dr. Mark Jeffery for his valuable feedback.
1. Regarding the dangers that surfing the net involves, see RIBAS ALEJANDRO, p. 143-161.
The new technologies really do represent a risk and a threat to privacy, secrecy and the defence of a sphere of personal autonomy. It is necessary to create new mechanisms to protect people's private lives. But the right to privacy is not an absolute right; when it comes to defining it, other rights and interests must be borne in mind. The right to privacy must be weighed against freedom of information. To this limit must be added the principle of freedom of enterprise within the framework of the market economy, which is kept very much in mind in common law countries.[2] With respect to control over personal data, the judgment of the German Constitutional Court of 15 December 1983 on the Census Act[3] established a new right, the right to informational self-determination, as a corollary of the individual's right to self-determination. The right to informational self-determination means that the individual can basically decide for himself when, and within what limits, to disclose information relating to his life.[4]
Another legislative impulse is found at the international level. To start with, it is necessary to highlight Convention 108 of the Council of Europe, of 28 January 1981, for the protection of individuals with regard to automatic processing of personal data.[5] Later, at Community level, Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995, on the protection of individuals with regard to the processing of personal data,[6] was passed, and Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002, concerning the processing of personal data and the protection of privacy in the electronic communications sector, has been approved.[7] The latter Directive repealed Directive 97/66/EC of the European Parliament and of the Council of 15 December 1997, concerning the processing of personal data and the protection of privacy in the telecommunications sector.[8] The European Union had been rethinking its policy on data protection and, in order to finish defining it, held a European conference in Brussels in autumn 2002.[9]
2. On the different interests in conflict and the different positions adopted by the legislator, see: US tech protests EU privacy laws. http://zdnet.com.com/2100-1106-960134.html
3. This judgment can be found translated into Spanish in the Constitutional Jurisprudence Bulletin, no. 33, 1984, p. 126 and following.
4. See the German Constitutional Court judgment, Constitutional Jurisprudence Bulletin, no. 33, p. 152-153.
5. One must bear in mind the Additional Protocol to the aforementioned Treaty, dated 8-XI-01. http://conventions.coe.int/Treaty/EN/CadreListeTraites.htm
6. It can be found at: http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=ES&numdoc=31995L0046&model=guichett
7. OJEC L 201/37, dated 12th July 2002. http://europa.eu.int/smartapi/cgi/sga_doc?smartapi!celexapi!prod!CELEXnumdoc&lg=es&numdoc=32002L0058&model=guichett
8. It can be found at: http://europa.eu.int/eur-lex/pri/es/oj/dat/1998/l_024/l_02419980130es00010008.pdf
9. Regarding this conference see: http://europa.eu.int/comm/internal_market/privacy/lawreport_en.htm
10. Published in the Spanish Official State Bulletin (BOE) no. 298, on 14th December 1999, it repealed Organic Law 5/1992, although it has temporarily left in force some regulatory provisions which developed Organic Law 5/1992. Organic Law 15/1999 has had minor amendments by Law 62/2003, of 30th December (BOE no. 313, on 31st December). See Spanish regulations on data protection at: https://www.agpd.es/index.php?idSeccion=72
11. BOE no. 166, on 12th July.
12. See Art. 18 LSSI and Art. 32 LOPD.
Regarding the contents of the LOPD, it is organised around some principles, found in Title II, which are the following: quality of the data (Art. 4), in order to guarantee its reliability and accuracy; consent (Art. 6), since in order to process personal data the unequivocal consent of the data subject is necessary, and in relation to this principle complete information must be given to the data subject (Art. 5), while certain data, depending on their purpose, enjoy even greater protection (Art. 7); security and secrecy in the processing of the data (Arts. 9 and 10); and consistency and proportionality in its use (Arts. 11 and 12). To ensure the application of these principles, the LOPD acknowledges a series of rights for the data subject (Title III): the right to object to assessments (Art. 13), the right to consult and access the data (Arts. 14 and 15), the right to rectification and cancellation (Art. 16), the right to protection (Art. 18) and the right to compensation (Art. 19). One key characteristic of the LOPD is that it regulates publicly owned databases separately from privately owned ones, and grants the public sector databases privileged treatment.[13]
By contrast, legal persons are excluded from the scope of application of the LOPD, although they enjoy protection under civil and criminal law. And what about the individual businessman? The Data Protection Authority considers that the LOPD is applicable when the data refers to the private life of the data subject, the private nature of the data being presumed from the outset.
Data collection
At first we might think that data can only be collected because the data subject has provided it. However, there are other forms of data collection, allowed by Law, which do not involve the data subject, such as collection through publicly accessible sources or by means of data transfer.
See SUÑÉ, p. 157. A general view of the LOPD can be found in ÁLVAREZ-CIENFUEGOS.
Art. 32.2 Directive 95/46/EC and Additional Provision (DA) 1. 2 LOPD.
In the same way: Art. 18.4 EC and Recital 24 of Directive 95/46/EC.
As provided for in Art. 6.1.b) Directive 95/46/EC.
For all, DÍEZ-PICAZO, p. 148-149.
APARICIO, p. 58-63 and TÉLLEZ, p. 150.
DÍEZ-PICAZO, p. 150-151.
In this sense, APARICIO, p. 63-69; DE MIGUEL, p. 551-552 and TÉLLEZ, p. 150.
of public Administration; when it refers to the parties to a business, labour or administrative relationship and is necessary for its maintenance or fulfilment[22] (Art. 6.2); when the purpose of the processing is to protect a vital interest of the data subject (Art. 7.6 LOPD); and when the data appears in publicly accessible sources [Art. 3 j), 28 and 30 LOPD]. It should also be noted that, although consent may have been given, it is revocable when a justified cause exists, and no retroactive effects are attributed to the revocation (Art. 6.3). In the cases where the consent of the data subject is not necessary for the processing of personal data, the data subject can oppose that processing when fundamental and legitimate grounds exist relating to a concrete personal situation.
the satisfaction of a legitimate interest of the database administrator or of the third party to whom the data is communicated, on condition that it does not harm the fundamental rights and freedoms of the data subject. When the data is in publicly accessible sources, the regime to which consent is subject changes. Amongst other provisions that apply in this area we find articles 5.5.2, 6.2 and 11.2.b), and it is also necessary to bear in mind articles 28, 29 and 30 LOPD. It must be stressed that in the case of publicly accessible sources, the only thing that is excluded is the need for the data subject's consent. That is the only exception, and the data subject's right to be informed about the processing of his data is not excluded.
Creation of databases
Title IV of the LOPD regulates the creation of databases. Unlike Directive 95/46/EC, the LOPD distinguishes between publicly owned databases (chapter I) and privately owned ones (chapter II), granting the former somewhat privileged treatment.
22. In the framework of a contractual relationship, one piece of data that can be given is the e-mail address. Now, when the LSSI is applicable, if the service provider wants to use the e-mail address given to him in the contractual relationship for subsequent commercial communications, he needs, with some exceptions, the data subject's consent (Art. 22.1 LSSI), consent that can be revoked at any time (Art. 22.1 LSSI).
23. Some authors do not consider the difference in requisites established for obtaining consent between the data contemplated in Art. 7.2 and that of Art. 7.3 to be justified, as it seems to indicate a certain hierarchy between the different data contemplated. For this reason it is argued that the data contemplated in the two provisions have the same value. Therefore, the requisites have to be the same, and in the cases contemplated in Art. 7.3 express written consent would also be necessary when obtaining data (TÉLLEZ, p. 130). This reasoning seems sound, above all bearing in mind that some data, such as for example that referring to sexual life, goes together with ideology.
24. Regarding the application of the LOPD to the telecommunications sector and its specificity, consult DE ASÍS ROIG, p. 201-228.
sumers. It has followed the opt-in system (Art. 21.1), in such a way that it prohibits sending marketing or promotional communications by e-mail that have not been previously requested or expressly authorised by the recipients. Nevertheless, these kinds of communications can be sent when there is a previous commercial relationship between the sender and the recipient and the communication refers to the same kind of product as was previously contracted. In short, regarding marketing or promotional communications by e-mail, it is not enough to be in possession of a series of data to be able to carry out a marketing campaign; the consent of the data subject to whom this type of communication is to be sent is also necessary.[26] There is also special regulation on the common databases of insurance companies that contain personal data for the settlement of insurance claims (Additional Provision 6 LOPD). Data transfer to these databases does not require the prior consent of the data subject, but it does require that the possible transfer of data be communicated. The treatment of these databases has been strongly criticised, as it introduces an exception that was not provided for in Directive 95/46/EC.[27]
These articles have been modified by Law 32/2003 on Telecommunications, of 3rd November (Final Provision no. 1). BOE no. 264, on 4th November 2003.
Regarding the different systems that may be followed in relation to commercial communications, see: RODRÍGUEZ and LOZA, p. 3-18.
See the criticisms made by the doctrine regarding this DA 6: SUÑÉ, p. 171-172.
The Regulation on Security Measures (RMS) establishes three levels of security: a basic level (for the databases contemplated in Art. 4.1 RMS, with security measures regulated in Arts. 8-14 RMS), a medium level (data contemplated in Arts. 4.2 and 4.4, with measures regulated in Arts. 15-22) and a high level (data contemplated in Art. 4.3, with measures regulated in Arts. 23-26).
In addition, the database administrator and anyone who intervenes at any stage of the data processing is obliged to maintain professional secrecy (Art. 10), an obligation that endures even after the termination of the contractual relationship.
one must also see Directive 1/1998 of the Data Protection Authority, of 19 January.

The rights of the data subject are personal and independent. To exercise them it is necessary to send an application to the database administrator. The right of access is regulated in Arts. 12-14 of Royal Decree 1332/94, although it is necessary to bear in mind the restrictions on its exercise established in Arts. 23 and 24 LOPD. Constitutional Court judgment 292/2000 declared this latter provision partially void. Regarding personal data registered in privately owned databases, access is only denied when a person other than the data subject makes the application. The exercise of the rights of rectification and cancellation is found in Art. 15 RD 1332/94, with the modifications that follow from a literal interpretation of Art. 16 LOPD.

In those cases in which the exercise of the above-mentioned rights has been unsuccessful owing to the opposition or reticence of the database administrator or the person in charge of processing, the data subject may file a claim before the Data Protection Authority arguing that his rights have been infringed. The final resolution of the Data Protection Authority may be appealed, with no further right of appeal, before the relevant division of the High Court. As well as claims made in order to exercise the rights acknowledged in the LOPD, a data subject who, as a consequence of non-compliance with the provisions of this Law, suffers harm or injury to his goods or rights has the right to be compensated. Regarding publicly owned databases, liability will be determined in accordance with the legislation governing the liability of public administrations. In the case of privately owned databases, the claim is made before the ordinary courts (Art. 19).
29. See the form provided by the Data Protection Authority for the exercise of the right of access: https://agpd.es/upload/mod_a_derecho_acceso.pdf
30. See the forms provided by the Data Protection Authority for the exercise of the rights to rectification and cancellation respectively: https://agpd.es/upload/mod_b_derecho_rectificacion.pdf and https://agpd.es/upload/mod_c_derecho_cancelacion.pdf
31. APARICIO, p. 185.
Directive 95/46/EC established detailed minimum rules, which may be improved upon by national legislation as long as this does not serve to justify any obstacle to the free transmission of data between Member States. The standard of the Directive is considered sufficient, and no State can invoke a higher level of protection in order to subject transfers to organisations established in the territory of another Member State to authorisation. In contrast, the transfer of data to countries with less protection than that of the Directive constitutes a violation of Community law, and therefore of national legislation, and as a result is liable to sanction. It must also be borne in mind that international data transfers cannot be an abstract act, but must always have a particular objective, as set out in the law. Art. 33 LOPD provides that international data transfers cannot be made to countries that do not provide a level of protection comparable with that of the LOPD unless, in addition to observing what is provided for by this law, prior authorisation is obtained from the Data Protection Authority. The latter, on the basis of the provisions of Art. 33.2 LOPD, evaluates the adequacy of the protection. The problem posed by the way the Directive's provisions on the international transfer of data have been adapted is that it seems to be left, as a last resort, to the judgment of the processing administrators whether or not the third country to which the data is being exported offers sufficient guarantees. On the contrary, it seems to follow from Community law that it should be the States which determine, case by case, a list of States that offer adequate protection. If this protection is lacking, transfers could only be authorised once, the circumstances having been evaluated, a sufficient level of privacy is guaranteed.
For this reason, some authors consider that the system offered by the LOPD has to be interpreted in the way that most conforms to the Directive. In concrete terms, it is considered that no exportation of data may be made to third countries unless they have been declared safe destinations by the Ministry of Justice, or prior authorisation has been obtained from the Data Protection Authority.[32] The interest of the Data Protection Authority in the transfer of data is specified in Directive 1/2000, of 1 December, published in the Official State Bulletin on 16th December. The Data Protection Authority, following the position adopted by the Data Protection Group created by the Directive, has admitted the contractual solution as an instrument that allows the processing administrator to offer adequate guarantees when transferring data outside the countries of the EC, and therefore outside the scope of application of the Directive and the general framework of Community law. The contractual regulation has to contain all the basic principles of data protection, giving details of the purpose, the means and the conditions of processing of the data transferred, as well as the form in which the basic data protection principles are to be applied. The prohibition of transfer to third parties not bound by the contract has to be expressly contemplated.[33]

On the other hand, Art. 25.6 of Directive 95/46/EC, which must be kept in mind, provides that "The Commission may find [...] that a third country ensures an adequate level of protection within the meaning of paragraph 2 of this Article [...]". At the moment, Decisions 2000/518/EC, 2000/519/EC and 2000/520/EC of 26 July exist, according to which the level of personal data protection granted by the legislation of Switzerland and Hungary is considered adequate, and the level of protection conferred by the Safe Harbour principles is considered adequate for the protection of privacy in the USA. With regard to the USA, it must be stressed that there is no specific law that regulates personal data processing. Although numerous sectors have requested it, the US has opted for a combination of legislation, regulations and, above all, industry self-regulation. It argues that companies themselves should voluntarily undertake to respect the rights of consumers, which will therefore reward those companies that provide greater protection. Given the different levels of protection in the USA and Europe, the two sides finally agreed on Safe Harbour. Under this agreement, the 15 Member States consent to the flow of data to companies that voluntarily accept a set of principles and practices defined by the Department of Commerce. The latter will be the authority that ensures compliance with these undertakings by the organisations that sign up to Safe Harbour for the data supplied by consumers.

32. Compare APARICIO, p. 189.
33. See rule five of the above-mentioned Directive 1/2000.
Bibliography
ÁLVAREZ-CIENFUEGOS SUÁREZ, J.M. (2000). Notas a la nueva regulación de la protección de datos de carácter personal. In La Ley, n. 5036, 17 April.
APARICIO SALOM, J. (2000). Estudio sobre la Ley Orgánica de Protección de Datos de Carácter Personal. Navarra: Aranzadi.
DE ASÍS ROIG, A. (2002). Protección de datos y derecho de las telecomunicaciones. In CREMADES, J.; FERNÁNDEZ-ORDÓÑEZ, M.A.; ILLESCAS, R. (coord.). Régimen jurídico de internet. Madrid: La Ley, p. 201-228.
DE MIGUEL ASENSIO, P.A. (2002). Derecho privado de internet (3rd ed.). Madrid: Civitas.
DÍEZ-PICAZO Y PONCE DE LEÓN, L. (1993). Fundamentos del Derecho civil patrimonial. I. Introducción. Teoría del contrato (4th ed.). Madrid: Civitas.
GRIMALT SERVERA, P. (1999). La responsabilidad civil en el tratamiento automatizado de datos personales. Granada: Comares.
MIRALLES MIRAVET, S.; BACHES OPI, S. (2001). La cesión de datos de carácter personal: análisis de la legislación vigente y su aplicación a algunos supuestos prácticos. In La Ley, vol. XXII, n. 5.306, 11 May.
OLIVER LALANA, D. (2002). El derecho fundamental virtual a la protección de datos. Tecnología transparente y normas privadas. In La Ley, n. 5592, 22 July.
RIBAS ALEJANDRO, J. (2000). Riesgos legales en Internet. Especial referencia a la protección de datos personales. In MATEU DE ROS, R.; CENDOYA MÉNDEZ DE VIGO, J.M. (coord.). Derecho de Internet. Contratación electrónica y firma digital. Navarra: Aranzadi, p. 143-161.
RODRÍGUEZ CASAL, C.; LOZA CORERA, M. (2002). Protección de la privacidad. Aproximación al opt-in/opt-out. In Revista de la contratación electrónica, n. 23, January, p. 3-18. Cádiz.
SUÑÉ LLINÁS, E. (2000). Tratado de Derecho informático. Vol. I. Introducción y protección de datos personales. Madrid: Servicio de publicaciones, Facultad de Derecho, Universidad Complutense.
TÉLLEZ AGUILERA, A. (2001). Nuevas tecnologías y protección de datos. Estudio sistemático de la Ley Orgánica 15/1999. Madrid: Edisofer.
ULL PONT, E. (2000). Derecho público de la informática (Protección de datos de carácter personal). Madrid: UNED.
Related links
Spanish Data Protection Agency:
https://www.agpd.es/index.php
European Commission. Internal Market Directorate General. Data protection:
http://europa.eu.int/comm/internal_market/privacy/index_en.htm
Mònica Vilasau
Professor of Law and Political Science Studies [email protected]
The author is a professor of Civil Law and initially focused her attention on areas relating to damages and liability, in particular in construction. Subsequently, she became interested in areas relating to privacy and new technologies, and more specifically the so-called right to informational self-determination. Currently she is working on the principle of consent in data processing and the exceptions thereto.