The Spanish Supreme Court has, by means of a court judgment dated February 8th, 2012, declared null and void section 10.2.b of the Spanish Royal Decree 1720/2007, which approves the Regulation implementing Organic Law 15/1999, of 13 December, on the Protection of Personal Data,(herein after referred as “RD 1720/2007”) declaring its wording contrary to the European law and consequently giving the Spanish data controllers and processors the opportunity to process and transfer personal data without the subject’s consent, even when the data has not been obtained from public sources. The annulment of the mentioned section 10.2.b, might substantially alter the current Spanish legal framework on data protection, specially in the following issues:
1.- ANNULMENT OF SECTION 10.2.B OF THE REGULATION IMPLEMENTING THE ORGANIC LAW 15/1999 ON PROTECTION OF PERSONAL DATA.
Following a previous ruling of the European Court of Justice (hereinafter referred as “ECJ”) from 24 November 2011, regarding a preliminary point of law on this issue, the Spanish Supreme Court has declared null the entire section 10.2.b of the RD 1720/2007 for contravening section 7f) of the EU Directive 95/46/EC of 24 October 1995, on the protection of individuals with regard to the processing of personal data and on the free movement of such data (hereinafter referred to as the “Directive”), since the Court understood that the regulation contained in the Spanish norm, was more restrictive than the wording of the Directive. This ruling will consequently allow processing personal data without the subject’s consent if the data controller has a “legitimate interest”, hence eliminating the need to collect such data from publicly available sources.
Recently annulled section 10.2.b was in fact limiting and restricting the possibility of processing and transferring personal data without the subject’s consent by means of establishing an additional requirement, in the sense that such personal data needed to be obtained “in sources accessible to the public and the data controller, or the third party to whom data has been communicated, has a legitimate interest in their processing or knowledge, as long as the fundamental rights and liberties of the data subject are not breached”, while the Directive does only require controllers and processors to have a “legitimate interest”.
Nevertheless, the decision of the Spanish Supreme Court of annulling the whole section instead of just annulling the extra requirement of the data needed to be collected from public sources, does now trigger the question of whether to use or not such data without consent when there is an actual legitimate interest for the controller or processor. Considering that the same Court of justice has already annulled four other sections of the same RD 1720/2007, we understand that in its determination to follow the instructions of the ECJ, the Supreme Court, with this judgment, has indirectly sought to send a message to the legislator and the Spanish Data Protection Agency, for them to amend and harmonize the Spanish data protection regulations.
In any case, until such harmonization occurs, we deem section 7f) of the Directive to be directly applicable in the Spanish legal system, according to previous case law of the ECJ. In consequence, as indicated above, from now on, the data processing necessary to satisfy the legitimate interest pursued by the data controller or the third party to whom data has been communicated can be made without the consent of the data subject, as long as the fundamental rights and liberties of such data subject are not breached.
2.- THE “LEGITIMATE INTEREST”.
The legal situation that has aroused from the mentioned judgment obliges the main legal actors to reach consensus on the interpretation of such an indeterminate concept as “legitimate interest pursued by the data processor” that as stated by the Supreme Court, shall in any case, be balanced with the interests, fundamental rights and liberties of the data subject.
In the first place, as pointed out by the Spanish Data Protection Agency, it should be taken into account that the term “legitimate interest” does not include any kind of specific interest, since it will always need to be balanced with the data subject interests. Nevertheless, the scope of such balance and the criteria to determine the legitimate interest of the data processor are factors currently pending to be delimitated.
It is nevertheless obvious that the definition and interpretation of “legitimate interest” cannot be based exclusively in the delimitation of fixed limitative criteria that might be too specific for the data controllers and processors to comply with, since we understand that such interest might considerably vary depending on the business sector in which the data processor is operating.
3.- REACTION OF THE DATA PROTECTION AGENCY.
While awaiting for an official response from the Spanish Data Protection Agency and based on the press release they issued in regards to the ECJ ruling last year, we can foresee that their reaction will be in the line of preventing any chance of recovery by the data processors/controllers that were fined in relation to breaches of the now annulled section of the RD 1720/2007. The Spanish data Protection Agency has previously stated that the interpretative criteria followed up until now was in accordance with the interpretative line established by the ECJ in its judgment, and always taking into consideration the mentioned balance between the rights of all parties. However, considering that Spain has a restrictive legislations on Data Protection, a case by case analysis should be made in order to determine whether or not the Spanish Data Protection Agency has always acted following the criteria now settled by the ECJ and the Spanish Supreme Court and consequently if there is a chance to claim damages for fines levied by the Spanish Data Protection Agency for breaches of the now annulled section 10.2.b.
The information contained in this note should not be regarded in itself as specific advice on the matter discussed, but only a first approach to the subject. Therefore it is highly recommended that the recipients of this note search professional advice about their particular case before taking specific measures or actions.