
1 The Spanish experience of enforcing privacy norms: Two decades of evolution from sticks to carrots
Dr. Artemi Rallo, Constitutional Law Professor
Regulator's Do's and Must's for Effective Enforcement
36th International Conference of Data Protection and Privacy Commissioners, Mauritius, October 2014

2 From 1992, an extremely harsh level of sanctions (fines) on the private sector:
- minor: from €600 (today, €900) to €60,000;
- serious: from €60,001 (today, €40,001) to €300,000;
- very serious: from €300,001 to €600,000

In the last decade, the AEPD has imposed FINES totaling more than €206 million:

Year     Total fines (€000)
2002     7989
2003     8372
2004     16439
2005     21105
2006     24422
2007     23263
2008     22013
2009     24872
2010     17497
2011     19500
2012     21054
TOTAL    + 206 million

3 Investigating “ALL” complaints:

Year    AREO     Complaints
2002    393      723
2003    541      574
2004    463      978
2005    592      1,158
2006    632      1,282
2007    849      1,624
2008    1,229    2,362
2009    1,947    4,136
2010    1,830    4,302
2011    1,939    7,648
2012    2,193    8,594

Annual increase:

              2009     2010     2011     2012     Increase 2011/2012
Abandonment   222      229      337      448      32.94%
Refusal       1,967    2,240    2,993    4,756    58.90%
File          920      1,044    901      1,153    27.97%
Total         3,109    3,513    4,240    6,357
Complaints    4,136    4,302    7,648    8,594

4 Types of infringements: prevalence of serious infringements

               2006    2007    2008    2009
Minor          111     108     105     152
Serious        308     323     520     527
Very Serious   43              35      33
Total          462     474     660     712

Gradating criteria under LOPD: The new downgrading clause: the qualified reduction of guilt

               2008 Sanctions   2008 Gradated   2009 Sanctions   2009 Gradated
Minor          105              -               152
Serious        520              204             527              193
Very Serious   35               25              33               26
Total          660              229             712              219

               2010 Sanctions   2010 Gradated   2011 Sanctions   2011 Gradated   2012 Sanctions   2012 Gradated
Total          591              182             505              145             863              308

5 Comparison of the evolution between fines and sanctions: the “humanization” of the sanctions. Warnings in writing under the LOPD reform in 2011

Year     Fines (€000)            Private sector sanctions   Warnings in writing   Hypothetical average fine/sanction (€000)
2002     7,989                   128                                               62
2003     8,372                   148                                               57
2004     16,439                  189                                               87
2005     21,105                  279                                               76
2006     24,422                  301                                               81
2007     23,263                  342                                               68
2008     22,013                  535                                               41
2009     24,872                  661                                               38
2010     17,497                  591                                               30
2011     19,500                  505                        312 (38%)              24
2012     21,054                  863                        352 (29%)              17
TOTAL    more than 206 million

6 TWO ENFORCEMENT EXAMPLES ON GOOGLE (I): PRIVACY POLICY
- The resolution of the AEPD 2892/2013 imposed a fine on Google of €900,000 in a case involving the unification of its privacy policies in 2012.
- Identical facts drove the French CNIL to impose a €150,000 fine on Google on 8 January 2014.
- Former European Commissioner for Justice Viviane Reding considered both fines as “pocket money”.

7 TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN
- Decision of the European Union Court of Justice of 13 May 2014 (Case C-131/12, Google vs AEPD): recognition of the ‘right to be forgotten’ online against Internet search engines in all circumstances.
- Main grounds:
1) Validity of Section 2 b) of the EU Directive, stating that, even if searches are automatically stored, search engines are not neutral intermediaries that should be exempt from data protection obligations.
2) Google Spain is an ‘establishment’ based in Spain and a branch of [US based] Google Inc as defined by article 4.1 a) of EU Directive 95/46.
3) The court considered that there should not be a restrictive interpretation of the ‘framework of the activities’ ‘carried out by’ the ‘establishment’, including “to promote and sell advertisement space of search engines in an EU member state”.

8 TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN
4) Search engines are responsible for the processing of data given that they determine the “purpose and means of such activity” as specified in Section 2 d) of the EU Directive.
5) Given that article 2 d) of the EU Directive specifies that “purposes and means” can be specified ‘by the data controller itself or together with others’, Internet search engines must respect citizens' rights in the framework of their activity.
6) Search engines’ processing of data is different from that of webpage editors, and the impact of search engines over data processing is greater than that of the data’s original website.
7) An editor’s failure to use internet protocols to exclude data such as “robots.txt” and codes such as “noindex” or “noarchive” does not exempt search engine administrators from their responsibility.

9 TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN
8) Section 7 (f) of the EU Directive allows search engines to process data, given their legitimate business and economic interests, but these interests cannot prevail over the protection of citizens' data.
9) Search engines can no longer invoke the right to information, nor argue that they are part of the ‘media’ or that they are ‘neutral’ online.
10) Data protection rights will prevail over some legitimate interests, which are legally inferior to the fundamental rights (Sections 7 and 8 of the EU Charter of Fundamental Rights).
11) “Public interest” of “Internet users” would only be relevant when someone attempts to delete a public figure’s personal data or any information of public interest.

10 TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN
12) The right to ‘object’ established in section 14.1 a) of the EU Directive offers a legal instrument to articulate the ‘right to be forgotten’ online depending on individual circumstances and on legitimate reasons. Individuals can use their right to object given the potential seriousness of this interference.
13) A legal processing of data can become ‘with time, incompatible with such Directive, when the data is no longer necessary in relation to the original purpose for which the data was initially collected or processed’. The search engine should, therefore, in the ‘current context’, delete the data, even when true and legally published by third parties.

