Show-me: Spanish Data Protection laws shaken by the Supreme Court

By the end of 2018, the Spanish Parliament belatedly completed the framework provided by the EU’s GDPR by approving a new Data Protection Act. Following a local tradition dating back to 1992, the Spanish legislators deviated from the mainstream position in the EU. The new Spanish law included, among other deviations, new digital rights unknown to the GDPR, a special period of retention of personal data in favor of public authorities after the data had to be deleted or corrected, a general ban on processing information on criminal convictions and a ban on processing most special category data relying on the consent of the data subjects. Providing a “compact” privacy notice with some basic details and a link to the long-form Privacy Notice is also required when full access to the latter is not immediately possible. These deviations have obliged companies to be careful when implementing EU-wide privacy policies in Spain.

All this local gold-plating may now have been blown away by a decision of the Spanish Supreme Court dated 14 September 2021. In principle, it should have been just another Covid-related case. The regional government of Galicia had approved some measures to help local bars and restaurants. Despite high infection figures during the summer of 2021, they would still be allowed to admit clients to the indoor areas of their bars, provided that the clients could show their “Covid-Passports”. Owners applauded the measures because the alternative was closing the indoor part of the premises entirely. The Supreme Regional Court of Galicia found these measures disproportionate and the Galician government appealed to the Spanish Supreme Court (which had already dismissed similar measures from the region of Andalusia).

The Spanish Supreme Court supported the measures of the Government of Galicia, saying that they were better justified from the medical perspective than those of the Government of Andalusia and limited to a few places where Covid figures were sky-high. It could have stopped there. Nevertheless, it decided to go a bit further and analyze whether the GDPR, the Spanish law developing it and data protection rights in general could be affected. The Spanish Supreme Court ruled that this was not the case, because the mere showing of a document, without the other side recording it, storing it or incorporating it into a database, would not be a processing activity and would thus remain outside the scope of all Spanish and EU data protection laws. This implies an earthquake in the Spanish privacy market.

Showing the relevant document, which was originally generated from a structured computerized database, would not be deemed subject to the GDPR, not even as a non-automated form of processing. If the showing of the Covid-Passport is entirely outside the scope of the data protection laws, it cannot be argued that the processing exceeds the limits of article 5 of the GDPR, because the GDPR is not applicable. Similarly, all the additional limitations established by the Spanish Data Protection Act would not be applicable. The headaches of multinational companies when having to conduct a background check of new employees would be over. Diversity programs (and discrimination practices) based on special category data could be more relaxed. True, there could be other laws protecting the individuals concerned, like the ones for the defense of private life that pre-dated data protection laws. The Court said that there was an infringement of those laws, but just a minor one that would not be relevant in the current pandemic scenario, thus opening the door for their enforcement under different conditions. The key is that, unlike those of data protection laws, the enforcement mechanisms for these other laws are much more lenient and more cumbersome. To put it in simple terms, companies may find it an acceptable risk to have to pay 1500 euros to someone after years of litigation, but not a five million euro fine.

Many years ago, the Spanish Supreme Court created the so-called “Baptism Exception”, under which the baptism records of the church (and any similar records in corporate files), being non-structured, would fall outside the scope of data protection laws. Now, a “Show-Me Exception” has been born. It is still the first decision of the Spanish Supreme Court in this direction. Spanish law requires two decisions along the same lines to make this position binding for all courts. The next decision (or two decisions, depending on the contents of the second one) may mark a milestone in the evolution of Spanish data protection laws.