The Spanish experience of enforcing privacy norms Two decades of evolution from sticks to carrots Dr. Artemi Rallo Constitutional Law Professor Regulator's.

Presentation transcript:

The Spanish experience of enforcing privacy norms
Two decades of evolution from sticks to carrots
Dr. Artemi Rallo, Constitutional Law Professor
Regulator's Do's and Must's for Effective Enforcement
36th International Conference of Data Protection and Privacy Commissioners
Mauritius, 15-16 October 2014

From 1992, an extremely hard level of sanctions (fines) on the private sector:
- minor: from €600 (today, €900) to €60,000;
- serious: from €60,001 (today, €40,001) to €300,000;
- very serious: from €300,001 to €600,000.

In the last decade, the AEPD has imposed fines totaling more than €206 million:

Year | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | TOTAL
Total fines (€000) | 7989 | 8372 | 16439 | 21105 | 24422 | 23263 | 22013 | 24872 | 17497 | 19500 | 21054 | + 206 million

Investigating “ALL” complaints:

Year | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012
AREO | 393 | 541 | 463 | 592 | 632 | 849 | 1,229 | 1,947 | 1,830 | 1,939 | 2,193
Complaints | 723 | 574 | 978 | 1,158 | 1,282 | 1,624 | 2,362 | 4,136 | 4,302 | 7,648 | 8,594

Annual increase | 2009 | 2010 | 2011 | 2012 | Increase 2011/2012
Abandonment | 222 | 229 | 337 | 448 | 32.94%
Refusal | 1,967 | 2,240 | 2,993 | 4,756 | 58.90%
File | 920 | 1,044 | 901 | 1,153 | 27.97%
Total | 3,109 | 3,513 | 4,240 | 6,357 |
Complaints | 4,136 | 4,302 | 7,648 | 8,594 |

Types of infringements: prevalence of serious infringements

Type | 2006 | 2007 | 2008 | 2009
Minor | 111 | 108 | 105 | 152
Serious | 308 | 323 | 520 | 527
Very Serious | 43 |  | 35 | 33
Total | 462 | 474 | 660 | 712

Gradating criteria under LOPD: the new downgrading clause: the qualified reduction of guilt

Type | 2008 Sanctions | 2008 Gradated | 2009 Sanctions | 2009 Gradated | 2010 Sanctions | 2010 Gradated | 2011 Sanctions | 2011 Gradated | 2012 Sanctions | 2012 Gradated
Minor | 105 | - | 152 |  |  |  |  |  |  |
Serious | 520 | 204 | 527 | 193 |  |  |  |  |  |
Very Serious | 35 | 25 | 33 | 26 |  |  |  |  |  |
Total | 660 | 229 | 712 | 219 | 591 | 182 | 505 | 145 | 863 | 308

Comparison of the evolution between fines and sanctions: the “humanization” of the sanctions. Warnings in writing under the LOPD reform in 2011.

Year | 2002 | 2003 | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 | 2010 | 2011 | 2012 | TOTAL
Fines (€000) | 7,989 | 8,372 | 16,439 | 21,105 | 24,422 | 23,263 | 22,013 | 24,872 | 17,497 | 19,500 | 21,054 | more than 206 million
Private sector sanctions | 128 | 148 | 189 | 279 | 301 | 342 | 535 | 661 | 591 | 505 | 863 |
Warnings in writing |  |  |  |  |  |  |  |  |  | 312 (38%) | 352 (29%) |
Hypothetical average fine/sanction (€000) | 62 | 57 | 87 | 76 | 81 | 68 | 41 | 38 | 30 | 24 | 17 |

TWO ENFORCEMENT EXAMPLES ON GOOGLE (I): PRIVACY POLICY

- The resolution of the AEPD 2892/2013 imposed a fine on Google of €900,000 in a case involving the unification of its privacy policies in 2012.
- Identical facts drove the French CNIL to impose a €150,000 fine on Google on 8 January 2014.
- Former European Commissioner for Justice Viviane Reding considered both fines as “pocket money”.

TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN

- Decision of the European Union Court of Justice of 13 May 2014 (Case C-131/12, Google vs AEPD): recognition of the ‘right to be forgotten’ online against Internet search engines in all circumstances.
- Main grounds:

1) Validity of Section 2 b) of the EU Directive, stating that, even if searches are automatically stored, search engines are not neutral intermediaries that should be exempt from data protection obligations.
2) Google Spain is an ‘establishment’ based in Spain and a branch of [US-based] Google Inc as defined by article 4.1 a) of EU Directive 95/46.
3) The court considered that there should not be a restrictive interpretation of the ‘framework of the activities’ ‘carried out by’ the ‘establishment’, including “to promote and sell advertisement space of search engines in an EU member state”.

4) Search engines are responsible for the processing of data given that they determine the ‘purpose and means of such activity’ as specified in Section 2 d) of the EU Directive.
5) Given that article 2 d) of the EU Directive specifies that “purposes and means” can be specified ‘by the data controller itself or together with others’, Internet search engines must respect citizens' rights in the framework of their activity.
6) Search engines’ processing of data is different from that of webpage editors, and the impact of search engines over data processing is greater than that of the data’s original website.
7) An editor’s failure to use internet exclusion protocols such as “robots.txt” and codes such as “noindex” or “noarchive” does not exempt search engine administrators of their responsibility.

8) Section 7 (f) of the EU Directive allows search engines to process data, given their legitimate business and economic interests, but these interests cannot prevail over the protection of citizens' data.
9) Search engines can no longer invoke the right to information, nor argue that they are part of the ‘media’ or that they are ‘neutral’ online.
10) Data protection rights will prevail over some legitimate interests, which are legally inferior to the fundamental rights (Sections 7 and 8 of the EU Charter of Fundamental Rights).
11) “Public interest” of “Internet users” would only be relevant when someone attempts to delete a public figure’s personal data or any information of public interest.

12) The right to ‘object’ established in section 14.1 a) of the EU Directive offers a legal instrument to articulate the ‘right to be forgotten’ online depending on individual circumstances and on legitimate reasons. Individuals can use their right to object given the potential seriousness of this interference.
13) Lawful processing of data can become, ‘with time, incompatible with such Directive, when the data is no longer necessary in relation to the original purpose for which the data was initially collected or processed’. The search engine should, therefore, in the ‘current context’, delete the data, even when true and legally published by third parties.