The State of Communication and Privacy Law in Spain (2020)
Is there a data protection law?
Spain is subject to the EU’s Data Protection Reform package. This package contains the General Data Protection Regulation 2016/679, and Police Directive 2016/680 on the processing of personal data for authorities responsible for preventing, investigating, detecting, and prosecuting crimes. In 2018, Spain adopted its new data protection law, Organic Law 3/2018 based upon the GDPR. However, as Spain has not implemented the Police Directive yet, part of the repealed law remains in force with regard to personal data processing for law enforcement activities.SEE MORE
The Spanish Data Protection Agency was founded in 1994 and it is an independent body.
Does the data protection law apply to law enforcement activities?
Spain is subject to the EU’s Data Protection Reform package, which contains the GDPR and the Police Directive 2016/680 on the processing of personal data for authorities responsible for preventing, investigating, detecting, and prosecuting crimes. Spain has not implemented the Police Directive 2016/680 yet. Still, provisions regarding law enforcement activities within the country’s previous data protection law (Organic Law 15/1999) remain applicable to personal data processing in criminal investigation and prosecution.SEE MORE
What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?
Spanish data protection law follows the GDPR. The GDPR primarily applies to controllers and processors located in the European Economic Area (EEA) with some exceptions. However, the GDPR restricts the transfer of personal data outside the EEA unless the third country guarantees an adequate level of personal data protection. Alternatively, a controller or processor may transfer personal data to a third country that does not comply with the adequacy requirements if the controller or processor provides appropriate safeguards.SEE MORE
The Criminal Procedure Act (Ley de Enjuiciamiento Criminal) requires that the interception of communication be authorized by a judge (juez de instrucción), except in case of emergencies. A judge can request the interception either ex officio or following an initiative by the Judicial Police or public prosecutor.
Interception of communication - Prior judicial order is required.
Access to the contents of communications - Prior judicial order is required.
Access to metadata - Prior judicial order is required.
Access to subscriber data - Prior judicial order is required, except for specific cases authorized by law.
Location data - Prior judicial order is required.SEE MORE
What’s the factual basis to access communications data?
The factual basis for accessing communications data in Spain includes:
Content and Metadata: Article 588, bis a, 1, 2, 3, 4, 5 of the Criminal Procedure Act.
Subscriber data: Article 588 bis, a, and Article 588, ter k, ter l, and ter m of the Criminal Procedure Act.
For details on the above articles,SEE MORE
Which authorities have the legal capacity to request access to communications data?
For interception (content and data associated with the communication): Judicial Police or public prosecutors.
For retained traffic data: Judicial Police or officials performing judicial police functions, and the National Intelligence Center.
For details on the above authorities,SEE MORE
Does the country have provisions about access to data in cases of emergency?
In cases of emergency, the interception of communications can be ordered, in an exceptional manner, by the Minister of Home Affairs (_ministro del interio_r) and the Secretary of State for Homeland Security. Those emergency powers are authorized when the investigations are related to armed gangs or terrorist crimes, and there are likely reasons that make the planned measure essential.SEE MORE
Is there any data retention mandate?
The Mandatory Data Retention Act compels telecom operators to retain traffic data (who communicates with whom, for how long, from where). The obligation to retain data extends to unsuccessful calls, those that have been made successfully but without an answer, or when there has been an intervention by any of the operators involved in the call.SEE MORE
Are there any rules that authorize the use of malware?
A competent judge may authorize the use of identification data and codes, as well as the installation of software which allows, remotely via a telecommunications system, long-distance examination of the content of a computer, electronic device, information system, computer mass storage system, or database without the knowledge of its owner or user, as long as it is done in pursuit of the investigation of specific crimes stipulated by the Criminal Procedure Act.SEE MORE
Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?
We did not find any provision in the law that authorizes this kind of access in criminal investigations.
Does the law compel companies to assist law enforcement agencies in their investigations?
Spanish law mandates that a broad set of companies and persons provide investigating agents with the necessary assistance for carrying out interception orders (art. 588 ter e) and malware installation (art. 588 septies b). Likewise, those companies and persons are obliged to provide the necessary assistance so the collected data and information can be examined and understood.SEE MORE
Does the State report on the number of requests to access communications data?
To the best of our knowledge, the Spanish State does not publish reports on the number of requests to access communications data.
Is there any legal limitation that prohibits companies from publishing transparency reports?
To the best of our knowledge, no normative framework prohibits companies from publishing statistical data on the number of data requests made by the state in criminal or national security matters.
Do telecommunication companies publish transparency reports?
Orange -Jazztel- Published its latest transparency report in 2018.
Ono Vodafone- Published its latest transparency report in 2016-2017.
Telefónica-Movistar publishes yearly transparency reports. Orange released its latest transparency report in 2018 and its Spanish subsidiary, Jazztel, does not publish these reports. Masmóvil has not published any transparency reports. Ono Vodafone published its latest transparency report in 2016-2017.SEE MORE
Can companies notify users about States’ data requests?
Investigative measures (such as the interception of communication, malware, location tracking or access of communication data are secret by default. The obliged party carrying out the investigative measures must comply and is sworn to secrecy or risk committing a crime of disobedience.SEE MORE