Spain’s constitutional right to data protection and application of the GDPR
In November, Spain approved a controversial data protection law to facilitate compliance with Spanish law to the EU General Data Protection Regulation. Although the Spanish law aimed to provide clarity to the implementation of GDPR principles, its text and potential real-world application have caused concern that it is deviating from the GDPR’s intended effect.
Citizens of Spain have a right to data protection both under the Constitution of Spain in Article 18(4) and under Article 8 of the Charter of Rights of the European Union. However, both the Spanish Constitution and the Charter take a different path and textual approach to the fundamental right to data protection. Article 18(4) of the Constitution of Spain confers a negative right, whereas Article 8 Charter of Rights of the European Union confers a positive right. Strictly read, Article 8 of the EU Charter severed the data protection right from the right to privacy — paving the way for the adoption of the GDPR. This regulation affords all European citizens, including citizens of Spain, the right to be forgotten, the right to data portability and the right to resist profiling. The Spanish implementation of the GDPR differs. It could potentially allow political profiles to be collected. This huge exception may have far-reaching implications in Spain’s constitutional right to data protection, as well as for the EU as a whole.
Statutory theory: Positive versus negative privacy rights
When a constitution confers a negative right on the citizens of the state, this often implies the citizens have “freedom from” specific acts or abuse. In contrast, a positive right associated with rights that afford citizens “freedom to” a specific liberty. In looking at the language used in the Article 18(4) of the Constitution of Spain and Article 8 of the EU Charter, each article uses a different framework in bestowing the fundamental right to data protection. Strictly read, Article 18(4) of the Constitution of Spain creates a negative right, requiring others — that is, the public and private actors using and collecting the personal data — to limit “the use of data processing in order to guarantee the honor and personal and family privacy of citizens.” Conversely, looking at the language used in Article 8 of the EU Charter, citizens are afforded the positive right of protection of their personal data. The key language is stated in Section 1: “Everyone has the right to the protection of personal data concerning him or her … .” Ultimately, while both articles take a different statutory approach, the result is the same — a fundamental right to data protection.
Path to the fundamental right to data protection versus privacy
The Constitution of Spain, strictly read, did not recognize a separate fundamental right to data protection apart from the right to privacy. It took a decision by the Spanish Constitutional Court in 1993 interpreting the right to data protection to be guaranteed by Article 18(4). The decision was influenced by the advancement in technology since the adoption of the Constitution of Spain in 1978. Conversely, looking at Article 8 of the EU Charter, the right to data protection is specifically enumerated in Section 1. The clear language used in the charter was in response to the fact that some member states, prior to the charter, did not recognize the fundamental constitutional right to data protection as separate from the right to privacy. In other words, the ratification of Article 8 of the EU Charter was motivated by an inconsistent gap in the policy of member states, whereas, Article 18(4) of the Constitution of Spain required judicial intervention to address the rapidly developing technology. Although both took very different paths, they end up at the same conclusion that there should be a fundamental right to data protection.
Adapting to privacy frameworks
Article 8 of the EU Charter severed the data protection right from a right to privacy. This had the effect of elevating data protection to a higher regulatory level. This led to the establishment of the GDPR, which has become the premier data protection framework.
The Spanish implementation of the GDPR emphasizes the Spanish fundamental right perspective of data protection by adding several rights not included in the GDPR to the framework, including the right to digital security, right to digital wills, right to digital education, right to net neutrality, and right to universal access to the internet. However, Spain has carved out a potentially massive exception. Article 58 establishes that “political parties, coalitions, and electoral groups may use personal data obtained in web pages and other public access sources for carrying out political activities during the electoral period.”
Critics argue that this largely runs in contradiction with GDPR Recital 56, which establishes that compiling personal data on people’s political opinions are only required for the operation of the democratic system in an EU state. The fear is that Spanish data protection laws allow political profiles to be built in the vein of data protection malpractices, such as Cambridge Analytica’s usage of political profiles. The Spanish Data Protection Agency has attempted to allay concern by indicating that they will strictly follow Recital 56 of the GDPR; however, an application has yet to be seen.
Ultimately, privacy professionals should be aware this regulation will have lasting effects on any election in Spain and the day-to-day collection of personal information. Companies now have wide breadth when it comes to collection and dissemination of political data. Interest groups and political parties can use personal data acquired via websites and other places of public access to conduct political activities during the elections. With the election rapidly approaching in Spain, the development of political profiles can have far-reaching implications, including promoting a chilling effect among voters.