Spanish Government approves new Decree-Law on Data Protection matters

Due to the complex balances inside the Spanish Parliament, Spain has been unable to put in place to date (July 2018) a new Data Protection Act that develops the EU Regulation 2016/679 (“GDPR”) in the areas where EU Member States are entitled to fill the gaps or add gold-plating requirements on top of those established by the GDPR. The task is harder than it would in principle appear, because privacy is a constitutional right in Spain and the law changing the scope of any constitutional right (Spanish “Ley Orgánica”) requires special majorities inside the Parliament and a lengthy drafting and approval process. It is currently expected that the new Act of Parliament may be ready for the end of 2018 or the beginning of 2019, but this is still uncertain.

Since most of the former Spanish Data Protection Act (Data Protection Act 15/1999 or “LOPD”) is inconsistent with GDPR, Spain is, as a matter of fact, relying on a “pure” GDPR application, without gold-plating requirements. The draft law in the Parliament and the Guidance Notes issued by the Spanish Data Protection Commissioner (Agencia Española de Protección de Datos or “AEPD”), for different reasons, offer companies limited help in deciding how best to adapt to the future legal framework in Spain.

In the light of this challenging scenario, the Spanish Government decided on Friday 27 July 2018 to approve a Decreto-Ley on Data Protection Matters (“RDL 5/2018”), indicating that there were urgent reasons to do so. A Spanish Decreto-Ley is a hybrid of a regulation (that only the Government can approve) and of a Law (that only the Parliament can approve). It is technically considered a Law (and so the rank of its provisions is “law” for all purposes), but it needs to be confirmed by the Parliament within a short timeframe; otherwise it will lose its legal force automatically.

RDL 5/2018 was eventually published in the Official Gazette on the morning of Monday, 30 July 2018. In fact, its scope is extremely limited. It deals mainly with procedural matters, including, among others:

• Confirming the investigative powers of the AEPD officials
• Clarifying who shall be responsible for an infringement (controllers and processors, but also, explicitly, representatives in the EU of non-EU controllers and processors, certification entities and entities supervising codes of conduct) and who shall not (data protection officials).
• Limitation periods for infringements (three years for infringements of article 83.5 and 83.6 GDPR, two years for infringement of article 85.4 GDPR)
• Limitation periods for paying fines (one year up to €40 000, two years from €40 001 to €300 000, three years over that amount).
• How the officials shall behave themselves when investigating a claim / incident
• Requiring the determination of the territorial scope of a case and the supervisory authority in charge (without giving any specific details on how to do it).
• Establishing the authority of the AEPD to approve interim measures
• Appointing the AEPD as Spanish representative in front of the European Data Protection Board.
• Establishing the obligation of the AEPD to publish its decisions (an excellent practice that has been discontinued over the years)
• Confirming that on-going procedures should be decided applying the former LOPD
• Indicating that pre-existing data processing agreements would remain in force until their date of expiration, whilst open-ended data processing agreements would expire by 25 May 2022 (although any of the parties to them is entitled to seek the immediate update of the agreement to comply with GDPR).

Provisions that may conflict with the terms of the new RDL 5/2018 are declared no longer in force (including the relevant articles of LOPD). RDL 5/2018 shall enter into force by 31 July 2018.

The message behind the approval and publication of RDL 5/2018 is that the Spanish Government is doing whatever it can to advance the adequate application of GDPR in Spain, even if most of the responsibility for achieving that goal (and for being late on it) remains with the Spanish Parliament. In that sense, it would put some pressure on the Parliament to complete the task as quickly as possible.