Commentary Addressing Risks and Opportunities Through the Lifecycle of Data, Technology, Advertising and Innovation

Data Counsel

Home | Data Counsel

<img class="alignright wp-image-4197 size-medium" src="http://dataprivacymonitor.bakerhostetlerblogs.com/wp-content/uploads/sites/5/2015/07/Spanish-Flag-480896529-300x225.jpg" alt="Spanish Flag - 480896529" width="300" height="225" />As of July 24, Spain has a new director for its Data Protection Authority (<a href="http://www.agpd.es/portalwebAGPD/index-iden-idphp.php">Agencia Española de Protección de Datos — AEPD</a>). The AEPD is the agency responsible for conducting investigations and bringing disciplinary actions concerning data protection issues, including compliance with Spain’s Data Protection Act of 1999 (called the “LOPD” in Spain), which implemented the EU’s Data Protection Directive 95/46/EC.

The new director at the helm of the AEPD, for a four-year term, is Mar España Martí. In what may be a change in tone at the AEPD, Martí acknowledged upon taking office that the perception of the AEPD was that it was a sanctioning body. Martí stated that the AEPD needed to engage more with public and private stakeholders to foster a respect for privacy. Martí said that she will be aiming to establish the appropriate balance between the right to privacy and the demands for information.

Martí could potentially be signaling a shift at the AEPD away from what has been perceived as a policy of heavy-handed fines. The AEPD has one of the most stringent penalty systems in the entire EU, with fines of up to €600,000 per privacy violation, depending on the severity of the privacy compliance matter.

In 2013, the AEPD fined Google €900,000 ($1.24 million) for what it considered three separate violations of the LOPD: gathering data on users, combining the data through various services, and keeping the data without the knowledge or consent of the users. In 2012 (the last year with complete data), the AEPD handled close to 900 sanctions proceedings, imposing fines totaling €21,054,656. More recently, in March 2015, the AEPD fined Orange, a Spanish mobile and broadband provider, €50,000. The fines related to the transferring of a customer’s personal information to a list of bad debtors, even though the customer’s service had been cancelled.

Whether the new AEPD director will in fact seek to rein in the investigations and fines issued by the AEPD remains to be seen. In the meantime, businesses that process personal data related to Spanish citizens should continue to remain mindful of the <a href="http://www.bakerlaw.com/files/Uploads/Documents/Data%20Breach%20documents/International-Compendium-of-Data-Privacy-Laws.pdf">requirements of the LOPD</a>.

A Kinder, Gentler Spanish Data Protection Authority?