Spain challenged over EU data law implementation

Out-Law News | 01 Aug 2019 | 3:19 pm | 2 min. read

The European Commission has opened legal proceedings against Spain over its failure to fully implement recent reforms to EU data protection law.

In 2016 EU law makers finalised a new directive concerning the processing of personal data by authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. EU member states had until 6 May 2018 to implement that directive into national law.

The so-called Law Enforcement Directive was drawn up in parallel to the much more highly publicised General Data Protection Regulation (GDPR), which took effect on 25 May last year.

The Commission said, though, that both Spain and Greece had failed to transpose the new Law Enforcement Directive into their national legislature. It has asked the Court of Justice of the EU (CJEU) to impose financial sanctions on both countries for their non-compliance with EU law.

"The lack of transposition by Spain and Greece creates a different level of protection of peoples' rights and freedoms and hampers data exchanges between Greece and Spain on one side and other member states who transposed the Directive on the other side," the Commission said in a statement.

Spain's new Organic Law on Data Protection and Digital Rights Guarantee (LOPDGDD), the aim of which was to develop and complete the provisions of the GDPR in Spanish law, was only finalised in November last year, six months after the deadline for GDPR implementation. Law makers in Spain had introduced a smaller set of transitional provisions into Spanish data protection law earlier in the summer of 2018 while work on the LOPDGDD was ongoing.

Madrid-based data protection law expert Miguel Garrido De Vega of Pinsent Masons, the law firm behind Out-Law, said: "The LOPDGDD specified that, until the Law Enforcement Directive is transposed, articles 22 to 24 of Spain's old data protection law from 1999, as well as any provisions that develop them, will remain applicable to any processing activities to be made by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences," De Vega said. "While some aspects of the old law remain relevant, the 1999 legislation does not fully reflect the changes made under the Law Enforcement Directive."

"Provisions concerning the work of data protection officers, the right to information, the right of access for those data subjects acting as experts and witnesses, the right of rectification and the right of deletion as provided for in the Law Enforcement Directive are not accounted for in the 1999 law. It is for that reason that Spain cannot be considered to have transposed the content of the Law Enforcement Directive," he said.

De Vega said that there are similarities between the contents of the Law Enforcement Directive and the GDPR. Examples include in relation to principles relating to the processing of personal data, provisions concerning information to be offered to the data subjects, rules concerning data protection by design and by default, and obligations to carry out privacy impact assessments and the documenting of processing activities.

However, he said that the conditions applicable to personal data processing for law enforcement purposes are much more restrictive than those that generally apply in a commercial context and that certain rights that data subjects enjoy under the GDPR, including in relation to the portability of their personal data, do not apply under the Law Enforcement Directive.

De Vega said that Spain is unlikely to implement the Law Enforcement Directive in the short term. This is because the country is currently in the process of forming a new government – a process that could last until the end of 2019, he said.