The Spanish experience of enforcing privacy norms
Two decades of evolution from sticks to carrots
Dr. Artemi Rallo, Constitutional Law Professor
Regulator's Do's and Must's for Effective Enforcement
36th International Conference of Data Protection and Privacy Commissioners
Mauritius, October

From 1992, an extremely harsh level of sanctions (fines) on the private sector:
(1) minor: from €600 (today, €900) to €60,000;
(2) serious: from €60,001 (today, €40,001) to €300,000;
(3) very serious: from €300,001 to €600,000.
In the last decade, the AEPD has imposed fines totaling more than €206 million.
[Chart: total fines (€000)]

Investigating “ALL” complaints:
AREO ,229 1,947 1,830 1,939 2,
Complaints ,158 1,282 1,624 2,362 4,136 4,302 7,648 8,594
Annual increase
Increase 2011/2012
Abandonment %
Refusal 1,967 2,240 2,993 4, %
File 920 1, , %
Total 3,109 3,513 4,240 6,357
Complaints 4,136 4,302 7,648 8,594

Types of infringements: prevalence of serious infringements
Gradation criteria under the LOPD: the new downgrading clause: the qualified reduction of guilt
[Table: sanctions and gradated sanctions per year, 2008 to 2012, by category: Minor, Serious, Very Serious, Total]

Comparison of the evolution between fines and sanctions: the “humanization” of the sanctions. Warnings in writing under the LOPD reform in
Total fines (€000): 7,989 8,372 16,439 21,105 24,422 23,263 22,013 24,872 17,497 19,500 21,054 (more than 206 million)
Private sector sanctions
Warnings in writing: 312 (38%) 352 (29%)
Hypothetical average fine/sanction (€000)

TWO ENFORCEMENT EXAMPLES ON GOOGLE (I): PRIVACY POLICY
The resolution of the AEPD 2892/2013 imposed a fine on Google of €900,000 in a case involving the unification of its privacy policies in
Identical facts drove the French CNIL to impose a €150,000 fine on Google on 8 January
Former European Commissioner for Justice Viviane Reding considered both fines “pocket money”.

TWO ENFORCEMENT EXAMPLES ON GOOGLE (II): THE RIGHT TO BE FORGOTTEN
Decision of the European Union Court of Justice of 13 May 2014 (Case C-131/12, Google vs AEPD): recognition of the ‘right to be forgotten’ online against Internet search engines in all circumstances. Main grounds:
1) Validity of Section 2 b) of the EU Directive, stating that, even if searches are automatically stored, search engines are not neutral intermediaries that should be exempt from data protection obligations.
2) Google Spain is an ‘establishment’ based in Spain and a branch of [US-based] Google Inc as defined by article 4.1 a) of EU Directive 95/46.
3) The court considered that there should not be a restrictive interpretation of the ‘framework of the activities’ ‘carried out by’ the “establishment”, including “to promote and sell advertisement space of search engines in an EU member state”.
4) Search engines are responsible for the processing of data given that they determine the “purpose and means of such activity” as specified in Section 2 d) of the EU Directive.
5) Given that article 2 d) of the EU Directive specifies that “purposes and means” can be specified ‘by the data controller itself or together with others’, Internet search engines must respect citizens' rights in the framework of their activity.
6) Search engines’ processing of data is different from that of webpage editors, and the impact of search engines over data processing is greater than that of the data’s original website.
7) An editor’s failure to use internet protocols to exclude data such as “robot.txt” and codes such as “noindex” or “noarchive” does not exempt search engine administrators from their responsibility.
8) Section 7 (f) of the EU Directive allows search engines to process data, given their legitimate business and economic interests, but these interests cannot prevail over the protection of citizens' data.
9) Search engines can no longer invoke the right to information, nor argue that they are part of the ‘media’ or that they are ‘neutral’ online.
10) Data protection rights will prevail over some legitimate interests, which are legally inferior to the fundamental rights (Sections 7 and 8 of the EU Charter of Fundamental Rights).
11) “Public interest” of “Internet users” would only be relevant when someone attempts to delete a public figure’s personal data or any information of public interest.
12) The right to ‘object’ established in section 14.1 a) of the EU Directive offers a legal instrument to articulate the ‘right to be forgotten’ online depending on individual circumstances and on legitimate reasons. Individuals can use their right to object given the potential seriousness of this interference.
13) Lawful processing of data can become ‘with time, incompatible with such Directive, when the data is no longer necessary in relation to the original purpose for which the data was initially collected or processed’. The search engine should, therefore, in the ‘current context,’ delete the data, even when true and legally published by third parties.