Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Spanish experience of enforcing privacy norms Two decades of evolution from sticks to carrots Dr. Artemi Rallo Constitucional Law Professor Regulator's.

Published byLorenzo Gambrel Modified over 9 years ago

Similar presentations

Presentation on theme: "The Spanish experience of enforcing privacy norms Two decades of evolution from sticks to carrots Dr. Artemi Rallo Constitucional Law Professor Regulator's."— Presentation transcript:

1 The Spanish experience of enforcing privacy norms Two decades of evolution from sticks to carrots Dr. Artemi Rallo Constitucional Law Professor Regulator's Do's and Must's for Effective Enforcement 36th International Conference of Data protection and Privacy Commissioners Mauritius, 15-16 October 2014 1

2 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots From 1992, an extremely hard level of sanctions (fines) on the private sector: (1)minor: from €600 (today, €900) to €60,000; (2)serious: from €60,001 (today, €40,001 €) to €300,000; (3)very serious: from €300,001 to €600,000 In the last decade, the AEPD has imposed FINES totaling more than €206 millions: 2 20022003200420052006200720082009201020112012TOTAL FINES (€000) 79898372164392110524422232632201324872174971950021054+ 206 millions

3 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots Investigating “ALL” complaints: 3 20022003200420052006200720082009201020112012 AREO3935414635926328491,2291,9471,8301,9392,193 20022003200420052006200720082009201020112012 Complaints7235749781,1581,2821,6242,3624,1364,3027,6488,594 Annual increase 2009201020112012Increase 2011/2012 Abandonment22222933744832.94 % Refusal1,9672,2402,9934,75658.90% File9201,0449011,15327.97 % Total3,1093,5134,2406,357 Complaints4,1364,3027,6488,594

4 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots Types of infringements: prevalence of serious infringements Gradating criteria under LOPD: The new downgrading clause: the qualified reduction of guilt 4 2006200720082009 Minor111108105152 Serious308323520527 Very Serious43 3533 Total462474660712 2008 Sanctions 2008 Gradated 2009 Sanctions 2009 Gradated 2010 Sanctions 2010 Gradated 2011l Sanctions 2011 Gradated 2012 Sanctions 2012 Gradated Minor105-152- Seriou s 520204527193 Very Seriou s 35253326 Total660229712219591182505145863308

5 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots Comparison of the evolution between fines and sanctions: the “humanization” of the sanctions. Warnings in writing under the LOPD reform in 2011 5 20022003200420052006200720082009201020112012TOTAL Fines (€ 000) 7,9898,37216,43921,10524,42223,26322,01324,87217,49719,50021,054 + de 206 millions Private sector sancti ons 128148189279301342535661591505863 Warni ngs in writin g 312 (38%) 352 (29%) Hypot hetical averag e fine/sa nction (€000) 6257877681684138302417

6 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots TWO ENFORCEMENT EXAMPLES ON GOOGLE (I): PRIVACY POLICY. The resolution of the AEPD 2892/2013 imposed a fine on Google of €900,000 in a case involving the unification of its privacy policies in 2012.. Identical facts drove the French CNIL to impose a €150,000 fine on Google on 8 January 2014.. Former European Commissioner for Justice Viviane Reding considered both fines as “pocket money” 6

7 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN. Decision of the European Union Court of Justice of 13 May 2014 (Case C-131/12, Google vs AEPD): recognition of the ‘right to be forgotten’ online against Internet search engines in all circumstances. Main grounds: 1)Validity of Section 2 b) of the EU Directive, stating that, even if searches are automatically stored, search engines are not neutral intermediaries that should be exempt from data protection obligations. 2)Google Spain is an ‘establishment’ based in Spain and a branch of [US based] Google Inc as defined by article 4.1 a) of EU directive 95/46. 3)The court considered that there should not be a restrictive interpretation of the ‘framework of the activities’ ‘carried out by’ the “establishment” including “to promote and sell advertisement space of search engines in an EU member state”. 7

8 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN 4) Search engines are responsible for the processing of data given that they determine the “purpose and means of such activity’ as specified in Section 2 d) of the EU Directive. 5) Given that article 2 d) of the EU Directive specifies that “purposes and means” can be specified ‘by the data controller itself or together with others’, Internet search engines must respect citizen´s rights in the framework of their activity. 6) Search engines’ processing of data is different from that of webpage editors and the impact of search engines over data processing is greater than that of the data’s original website. 7) An editor’s failure to use internet protocols to exclude data such as “robot.txt” and codes such as “noindex” or “noarchive” does not exempt search engine administrators of their responsibility. 8

9 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN 8) Section 7 (f) of the EU Directive allows search engines to process data, given their legitimate business and economic interests, but they cannot prevail over the protection of citizen´s data. 9) Search engines can no longer argue on the right to information, neither that they are part of the ‘media’ nor that they are ‘neutral’ online. 10) Data protection rights will prevail over some legitimate interests - legally inferior to the fundamental rights (Sections 7 and 8 of the EU Charter of Fundamental Rights)-. 11) “Public interest” of “Internet users” would only be relevant when someone attempts to delete a public figure’s personal data or any information of public interest. 9

10 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN 12) The right to ‘object’ established in section 14.1 a) of the EU Directive offers a legal instrument to articulate the ‘right to be forgotten’ online depending on individual circumstances and on legitimate reasons. Individuals can use their right to object given the potential seriousness of this interference. 13) A legal processing of data can become ‘with time, incompatible with such Directive, when the data is no longer necessary in relation to the original purpose for which the data was initially collected or processed’. The search engine should, therefore, in the ‘current context,’ delete the data – even when true and legally published by third parties. 10

Download ppt "The Spanish experience of enforcing privacy norms Two decades of evolution from sticks to carrots Dr. Artemi Rallo Constitucional Law Professor Regulator's."

Similar presentations

Exploring the Meaning of Public Authority under the EISRs and Defining the Way Forward.

Exploring the Meaning of Public Authority under the EISRs and Defining the Way Forward.
New developments for trademarks online – ECJ rules on AdWords and Provider Liability Fordham IP Conference 2011 Prof. Dr. Peter Ruess, LL.M. IP (GWU)

New developments for trademarks online – ECJ rules on AdWords and Provider Liability Fordham IP Conference 2011 Prof. Dr. Peter Ruess, LL.M. IP (GWU)
A NEW EUROPEAN YOUTH PORTAL FOR A NEW GENERATION.

A NEW EUROPEAN YOUTH PORTAL FOR A NEW GENERATION.
1 A FUTURE EUROPEAN SPORTS POLICY In the name of Autonomy and Specificity By Prof. Michele Colucci, Tilburg University Sports Law and Policy Centre - Rome.

1 A FUTURE EUROPEAN SPORTS POLICY In the name of Autonomy and Specificity By Prof. Michele Colucci, Tilburg University Sports Law and Policy Centre - Rome.
1 FREE MOVEMENT OF PLAYERS IN THE EUROPEAN UNION MICHELE COLUCCI KULEUVEN,Tutorials Spring semester 2011.

1 FREE MOVEMENT OF PLAYERS IN THE EUROPEAN UNION MICHELE COLUCCI KULEUVEN,Tutorials Spring semester 2011.
Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.

Re-use of PSI Data Protection Issues Cécile de Terwangne Professor at the Law Faculty, Research Director at CRIDS University of Namur (Belgium) 2 nd LAPSI.
Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.

Public Sector Information & Data Protection: A plea for personal privacy settings for the re-use of PSI Bart van der Sloot Institute for Information Law.
Prof. Cécile de Terwangne - LAPSI Workshop 7-8 October 2010 1 Re-use and Privacy/Data Protection Cécile de TERWANGNE Professor at the Law Faculty CRID.

Prof. Cécile de Terwangne - LAPSI Workshop 7-8 October Re-use and Privacy/Data Protection Cécile de TERWANGNE Professor at the Law Faculty CRID.
Public Administration use of Social Networks - Data Protection Implications European Public Administration Network, Dublin Castle, 5 April 2013 Billy Hawkes.

Public Administration use of Social Networks - Data Protection Implications European Public Administration Network, Dublin Castle, 5 April 2013 Billy Hawkes.
Press Conference by EU Commissioners Viviane Reding and Meglena Kuneva.

Press Conference by EU Commissioners Viviane Reding and Meglena Kuneva.
1 IS THERE A FUNDAMENTAL RIGHT TO FORGET? Bruxelles – 20 May 2009.

1 IS THERE A FUNDAMENTAL RIGHT TO FORGET? Bruxelles – 20 May 2009.
27-29 May 2008 2008 Global Event on Measuring the Information Society, Geneva EUROSTAT ICT usage surveys Albrecht Wirthmann – Information society statistics.

27-29 May Global Event on Measuring the Information Society, Geneva EUROSTAT ICT usage surveys Albrecht Wirthmann – Information society statistics.
The Human Right to Access Communications References and Principles. APT-ITU workshop on the International Telecommunications Regulations Bangkok, 6-8 February.

The Human Right to Access Communications References and Principles. APT-ITU workshop on the International Telecommunications Regulations Bangkok, 6-8 February.
1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.

1 Agencia Española de Protección de Datos AUDITING AND ENFORCEMENT AT THE SPANISH DPA. EXPERIENCE WITH OUTSOURCING TO COUNTRIES WITH A NON ADEQUATE LEVEL.
1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.

1 Enforcement Powers of National Data Protection Authorities and Experience gained of the Data Protection Directive Safe Harbour Conference Washington.
Applicable for Persons Registered under Article 10

Applicable for Persons Registered under Article 10
1 CHILDREN’S RIGHTS UNDER EUROPEAN UNION LAW Dr Geoffrey Shannon Solicitor Special Rapporteur on Child Protection Friday, 13 December 2013.

1 CHILDREN’S RIGHTS UNDER EUROPEAN UNION LAW Dr Geoffrey Shannon Solicitor Special Rapporteur on Child Protection Friday, 13 December 2013.
Data Protection & Human Rights. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.

Data Protection & Human Rights. Data Protection: a Human Right Part of Right to Personal Privacy Personal Privacy : necessary in a Democratic Society.
Data Protection Billy Hawkes Data Protection Commissioner Irish Human Rights Commission 20 November 2010.

Data Protection Billy Hawkes Data Protection Commissioner Irish Human Rights Commission 20 November 2010.
1 State Service of Ukraine on Personal Data Protection. Volodymyr Kozak, State Service of Ukraine on Personal Data Protection, Deputy Head, PhD Prague,

1 State Service of Ukraine on Personal Data Protection. Volodymyr Kozak, State Service of Ukraine on Personal Data Protection, Deputy Head, PhD Prague,

Similar presentations

Ads by Google