Spanish DPA leads EU fining league table

Spain’s national Data Protection Authority, the Agencia Española de Protección de Datos (AEPD), announced on 25th September that it imposed fines of 19,597,906 Euros in 2011. In the most recent years for which data is available, Spain’s fines represented 87% (2008), 87.8% (2009) and 79.8% (2010) of all data protection fines in the European Union.

Because the AEPD can impose a maximum fine of 600,000 Euros, there are worries, publicly expressed by one of the former directors of the AEPD, that such large fines could discourage companies from investing in Spain and therefore be economically counter-productive. In March 2011 the AEPD started to issue warnings and to use its discretion to vary fines according to circumstances.

Changing interpretations of the law

There have been other signs of change this year: in February the European Court of Justice issued a decision in a Spanish case involving legitimate interests as a legal basis for processing in the absence of consent. The court stated that EU Member States could not add requirements to those established by the EU Data Protection Directive. As a result:

1. Spain’s Supreme Court in February set aside Art.10.2.b of the Royal Decree which interprets the data protection law to enable a way forward for permission-based marketing. The case was brought by the FEMD (Spain’s Direct Marketing Federation) and was about the limits on collecting and processing data not in public files and without the consent of the data subjects.

2. Spain’s Audiencia Nacional (National Appeal Court against rulings of Spain’s AEPD) in March and April this year repealed two of the Agencia's rulings on legitimate interests and ordered the fines to be set aside. Since then, there have been two more rulings by the Audiencia Nacional in which Art. 7 f) (covering the balance between legitimate interests and fundamental rights) of the EU Data Protection Directive had been interpreted by the AEPD. The court set aside the AEPD fine in the case decided on 31st May and reduced the AEPD fine imposed in the other case decided on 6 June.

3. The AEPD commented in its Annual Report, published in September, on these decisions. It stated that from now on, in each case where a legitimate interest is claimed for the processing of personal data in the absence of consent, the AEPD will carry out a balance assessment between the controller’s legitimate interests and individuals’ fundamental rights and freedoms. To assess the balance, the principles of data protection law will be taken into account, especially those relating to information on individuals, data quality and proportionality. It will consider whether the purpose of the processing can be achieved by other means.

[Source: Javier Fernández-Samaniego, Advocate, and Partner, Bird & Bird, Spain. He is one of the lawyers acting in the above cases, giving presentations at PL&B’s Privacy Officers Network data protection law Briefing on 12th November in Madrid on the practical impact on business of these and other cases and other policies. The Director and senior staff of the AEPD, Spain’s DP Authority, will present its perspectives on these and other issues at a Roundtable which it is hosting at its office on 13th November.]