The Spanish Supreme Court's Judgements of 15 July 2010 on the two cases brought by the Spanish National Association of Credit Institutions ('ASNEF') and the Federation of Electronic Commerce and Direct Marketing ('FECEMD') reviewed some of the most controversial obligations in Spanish data protection law. The plaintiffs questioned the legality of a number of provisions both from the Spanish Data Protection Act 15/1999 (DPA) and its regulation set up by the Royal Decree 1720/2007.
Firstly, the judgment declared four Articles in the Royal Decree 1720/2007 null and considered it necessary to seek a preliminary ruling from the European Court of Justice (ECJ) regarding the controversial Articles of the DPA. It should be noted that other organisations including Trade Unions, the major communications operators in Spain and a Communications consumer Association decided to take part in the process as intervening parties; thus illustrating the importance of what was being decided in this particular case.
On 24 November 2011 the ECJ gave its preliminary ruling; calling into question the work of the Spanish legislator in drafting the relevant provisions of the DPA and Royal Decree.
What is wrong with Spanish law?
While the grounds used by the Spanish Supreme Court to declare the four Articles of Royal Decree 1720/2007 null were based on the creation of additional obligations to those already set out in the DPA, the ECJ also considered that the Spanish legislator added extra conditions to those required by the EU Directive 95/46/EC (the EU Directive) when implementing this piece of legislation into national law.
Specifically, the ECJ judges the implementation of Article 7(j) (which addresses the principle of "legitimate interest" of the controller or the recipient of the personal data) as an exception to the obligation to request the consent of the data subject for processing their personal data.
The Spanish legislator implements this Article stating that, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or third party or parties to whom the data are disclosed, it is required that not only must the fundamental rights and freedoms of the data subject be respected, but also that the data must be collected from publicly available sources.
The EU Directive allows the application of the principle of legitimate interest in any case, although it must always be balanced against the potential damage to the fundamental rights and liberties of the affected data subject.
Regardless of the EU Directive's language, the Spanish provision does not allow this principle to apply unless data had been collected from public sources. The fact that data are collected from publicly available sources gives the data controller grounds to justify that the actions carried out do not themselves breach the fundamental rights of affected citizens, but that there may be other grounds to justify that the 'legitimate interest' condition prevails over any potential harm to the data subject. The Spanish law does not address these other circumstances that may also justify the application of the legitimate interest principle.
Accordingly, this flexibility offered by the EU Directive to 'self assess' the balance between both opposing interests is not addressed in the Spanish DPA.
What are the consequences of this?
The Spanish Supreme Court requested an additional question in the preliminary ruling to assess if the conditions for Article 7(j) to have direct effect are indeed met. On this regard, the ECJ states that Article 7(f) of Directive 95/46 is a provision that is "sufficiently precise to be relied on by an individual and applied by the national courts".
The Spanish legislator has never been in favour of allowing data controllers to adopt a discretionary, self-assessment approach to ensuring compliance with their data protection obligations.
A clear example of this approach is the regulation on security measures for the processing of personal data which, contrary to the approach seen in many other EU Member States where it is generally left to the controller to take the measures which it thinks are necessary to ensure the safe processing and transfer of data, it instead establishes specific security measures which must be applied in every situation, regardless of the specific circumstances of the processing of the personal data.
Similarly, the wording of Article 7(f) of the Directive permits the data controller to balance the Legitimate Interest condition against the potential harm to the data subject. Again, in Spain this balancing exercise is not permitted as the only valid condition for the applicability of the legitimate interest principle is when the data has been collected form publicly available sources.
The Spanish approach in implementing the EU Directive's Legitimate Interest principle gives a higher standard of certainty by limiting its applicability to a single condition; however this has dramatically limited the circumstances in which European regulators consider valid the processing of personal data without the prior consent of the data subject.
It is noticeable that the ECJ ruling has been given at the same time as we are considering the early drafts of the regulation that will directly replace the EU Directive. A rule which has been in force for the last 15 years in Spain will only then, on implementation of the new regulation, be correctly interpreted.
The Spanish Data Protection Authority ('AEPD') has drafted an official opinion on this matter, stating that the effects of the change in the regulatory framework will not be overly significant, since the AEPD was already considering the legitimate interest condition against the rights and freedoms of the data subject in the resolutions they are currently issuing.