Personal Data Protection Archives - Faus & Moliner Abogados
https://faus-moliner.com/en/category/publications/pharmaceutical-and-life-sciences-law-2/personal-data-protection-pharmaceutical-and-life-sciences-law-2/
Last updated: Thu, 26 Apr 2018 13:08:25 +0000

The new rules on data protection facilitate biomedical research in Spain
https://faus-moliner.com/en/las-nuevas-normas-proteccion-datos-facilitan-la-investigacion-biomedica/
Thu, 19 Apr 2018 10:00:27 +0000
The post "The new rules on data protection facilitate biomedical research in Spain" appeared first on Faus & Moliner Abogados.
As a general rule, the current legislation establishes that, in order to process personal data relating to health for the purposes of biomedical research, the explicit consent of the patient must have been obtained beforehand, usually in writing. However, under Law 14/2007 on Biomedical Research, such consent may not be required in certain circumstances: (i) when the patient cannot be identified because his/her data have been anonymized; or (ii) when the processing concerns new research related to a previous one.

The Spanish Data Protection Agency (“AEPD”) has recently published a report analysing the impact that the new General Data Protection Regulation (“GDPR”), approved by the European Parliament, and the draft Spanish Law on Protection of Personal Data (“LOPD”), currently going through the legislative process, will have on the field of biomedical research.

The report was prompted by the scientific community's concern that these new rules might require patients, from now on, to give specific consent for each individual research project in which they participate.

Flexible interpretation

According to the AEPD, the GDPR and the draft LOPD not only modify the regime contained in the Law on Biomedical Research and in Royal Decree 1090/2015 on clinical trials with medicinal products, but also allow a more flexible interpretation of the scope that may be given to consent granted under them, going beyond even the more restrictive interpretation of the Law on Biomedical Research.

“Specific and unequivocal” consent

The AEPD considers that, once the GDPR becomes applicable, individuals will not need to give consent for a specific research project, not even to carry out research in a narrowly defined field such as a specific type of cancer. On the contrary, under the interpretation derived directly from the GDPR, consent given for a broad field of research, such as oncological research or even broader areas, will be sufficiently unequivocal and specific.

Likewise, the AEPD's report takes the opportunity to recall that Law 14/2007 allows research to be undertaken without the patients' consent when such research is of general interest and has been authorized by a Research Ethics Committee, provided that certain conditions laid down in that Law are met.

It remains to be seen whether the Ethics Committees will follow the doctrine established by the AEPD in this report when authorizing future research.

Publication of the Code of Best Practice on data protection for Big Data projects
https://faus-moliner.com/en/publication-of-the-code-of-best-practice-on-data-protection-for-big-data-projects/
Wed, 31 May 2017 12:48:36 +0000
Big Data can be defined as the set of technologies, algorithms and systems used to gather data on a scale and of a variety never seen before, together with the extraction of valuable information from that data using advanced analytical systems supported by parallel computing.

One of the main uses of Big Data is establishing correlations and creating consumer patterns and profiles. It is of particular interest to countless sectors that sell online, and even to those selling in physical stores via so-called “loyalty cards”, which make it possible to discover the buying habits of a vast number of consumers. Big Data is also an effective tool in sectors such as health, where there are many examples of its effectiveness, for example in reducing hospital admission times or predicting future illnesses and health risks.

Despite the huge benefits it brings, Big Data also poses obvious risks when it comes to personal data. Consider, for example, the indiscriminate use of this data without appropriately protecting people's privacy or without adopting the legal, organisational or technical measures required. The Code sets out guidelines for minimizing or eliminating these risks in such projects, pursuant to the provisions of the new European Data Protection Regulation, which will come into force in May 2018.

Basic principles

The Code recommends adopting Privacy by Design, so that data protection guarantees are built in from the very beginning of project planning. It also promotes self-regulation by companies managing Big Data projects through codes of conduct on the subject (accountability). Furthermore, it requires that impact assessments be carried out to evaluate possible risks, among other cases, where health data is processed.

Legal and technical aspects

Based on the risks that this processing entails for people's privacy, the Code identifies the aspects that must be addressed for Big Data projects to comply with data protection regulations. On the one hand, it covers the most important legal aspects to be considered, such as the transparency of the information provided in advance to those affected, obtaining their consent and the exercise of their rights, and subsequent uses that had not been envisaged when informed consent was obtained. On the other, the Code reviews the technical and security issues to be considered in these projects. Specifically, it identifies the most common privacy strategies: anonymisation, encryption, access control and traceability.

Personal data recorded in the Mercantile Registry and “the right to be forgotten”, a difficult equilibrium
https://faus-moliner.com/en/personal-data-recorded-in-mercantile-registry-and-the-right-to-be-forgotten-a-difficult-equilibrium/
Thu, 30 Mar 2017 07:20:47 +0000
Background

In 2007, the sole director of an Italian building company sued the Chamber of Commerce of Lecce. He considered that the properties his company had built were not selling because the companies' register still recorded that he had been the sole director and liquidator of another company, declared insolvent in 1992 and liquidated in 2005. The court of first instance upheld the claim and ordered the Chamber of Commerce to anonymize the data linking the plaintiff to the liquidated company and to pay compensation for the damage suffered. The Chamber of Commerce appealed against this judgment, and the Italian Supreme Court decided to refer various questions to the European Court of Justice. In essence, the court asked the ECJ whether European law on the protection of privacy precludes any person from having access, for an unlimited period of time, to data relating to individuals that are recorded in the Mercantile Registry.

Public registry and privacy

The European Court recalls that the purpose of making certain data public in the Mercantile Registry is to protect the interests of third parties in relation to companies. Given that companies are liable to third parties only with their own assets, situations may arise in which having the personal data of their representatives is of interest even years after the company has been liquidated (for instance, if personal liability has to be pursued). According to the European Court, this interference with the right to privacy is not disproportionate because (i) only a limited number of personal data are recorded in the Mercantile Registry (the representatives' identity and their functions in the company), and (ii) the persons whose data are recorded are persons who chose to participate in trade through a company.

Case-by-case analysis

However, the European Court does not rule out that, in special situations, legitimate reasons may justify limiting access to personal data recorded in the registry once a sufficiently long period has elapsed after the liquidation of the company. In such cases, only third parties demonstrating a specific interest in consulting the data should be allowed access to it. In the court's opinion, any limitation of access to personal data must be decided case by case, and it is for each Member State to decide whether or not to establish such a limitation.

In this particular case, the European Court considers that the reasons put forward by the Italian director were not sufficient to justify limiting third-party access to the personal data recorded in the Mercantile Registry.

Countdown for adapting to the new European personal data protection framework
https://faus-moliner.com/en/countdown-for-adapting-to-the-new-european-personal-data-protection-framework/
Wed, 01 Mar 2017 11:50:28 +0000
The General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, is the new regulatory framework adopted by the European Union on the protection of personal data. Although it was published in May 2016, it will not fully come into force until May 2018. Thereafter, both Organic Law 15/1999 on Personal Data Protection and Royal Decree 1720/2007, which implements that law, will be repealed.

Both Organic Law 15/1999 and Royal Decree 1720/2007 contain a wide variety of provisions similar to those established by the GDPR. Companies that currently comply with those provisions already have a solid base on which to build their compliance with the GDPR. Even so, the GDPR introduces several new requirements to which all companies must adapt. The AEPD recently published a range of guidelines to help companies in their efforts to adapt to the new regulations.

Informed consent

Under the GDPR, the unambiguous consent of the data subject will always be required to process personal data. That consent must be given by a clear affirmative action or statement of the data subject. Tacit consent or consent by omission, as had been permitted to date, will no longer be valid.

Processing activities started before the GDPR applies will remain valid insofar as explicit consent was obtained. Furthermore, among other new requirements, the GDPR demands that further information be provided to data subjects, in particular concerning the legal basis for processing their personal data and the extended scope of their rights. This will involve reviewing not only the informed consent forms in common use, but also the clauses included in privacy policies and agreements for this purpose.

Controllers and data processors

As has been the case to date, the relationship between the controller and the data processor must be governed by an agreement, although the GDPR now regulates its minimum content in more detail. What's more, the controller will have to take appropriate measures to ensure that the processor is able to process data in accordance with the GDPR.

Companies that process personal data would therefore be well advised to adapt to the GDPR as soon as possible rather than waiting until May 2018. This adaptation process will undoubtedly require decisions to be made and measures to be adopted, with a reasonable time frame for their implementation. Particular care will be required where sensitive data is processed, for example data relating to people's health.

Access to public information and personal data protection
https://faus-moliner.com/en/access-to-public-information-and-personal-data-protection/
Thu, 27 Oct 2016 10:10:19 +0000
Introduction

As is well known, Law No 19/2013 on transparency, access to public information and good governance provides that requests for access to information held by Public Administrations may be denied when that information contains personal data.

In order to reconcile the principles of transparency and access to public information with the fundamental right to personal data protection, on 13 October 2016 the Spanish Data Protection Agency (hereinafter AEPD) published two documents containing guidelines on how to reuse information generated by the public sector and how to anonymise the personal data it contains.

AEPD Guidelines

In these documents the AEPD proposes a series of measures to enable Public Administrations to provide individuals with the information they hold (known as the “reuse of public information”) while complying with personal data protection guarantees.

Specifically, the documents include detailed instructions on how to anonymise public information so as to minimise the risk that the information requested by applicants identifies the individuals to whom it may refer.

In this regard, applicants who have been refused access to information on the grounds that it contains personal data may ask the Public Administration concerned to anonymise the information pursuant to the AEPD guidelines.

Anonymising is not the same as redrafting

These guidelines come at a time when the discretionary powers of Public Administrations to deny access to public information are gradually becoming subject to more restrictions. Proof of this is the ruling of 23 September 2016 by the Spanish Council of Transparency and Good Governance, which found incorrect a decision of the Ministry of Development to deny access to files on a construction project on the grounds that it would have had to redraft the information.

The need to redraft the requested information is indeed a valid reason for denying access to it. However, the Spanish Council of Transparency and Good Governance considers that the Ministry of Development did not justify this rationale in the present case, as it had merely invoked the exception to the right of access to public information without explaining why the requested information would have to be redrafted. In this regard, the Council highlights that the fact that requested information must first be anonymised does not amount to submitting it to a redrafting process and, therefore, access to the information cannot be denied on these grounds.

The “Privacy Shield” comes into force: more protection in the transfer of personal data from the European Union to the US
https://faus-moliner.com/en/the-privacy-shield-comes-into-force-more-protection-in-the-transfer-of-personal-data-from-the-european-union-to-the-us/
Tue, 26 Jul 2016 08:50:03 +0000
On 6 October 2015, the Court of Justice of the European Union (CJEU) annulled Commission Decision 2000/520/EC on the adequacy of the safe harbour principles, known as the “Safe Harbour Agreement”. Until then, US companies receiving personal data from Europe were considered, merely by acceding to that Agreement, to provide an adequate level of protection equivalent to that demanded by European personal data protection regulations. As a result, data could be freely transferred to those companies, provided that the individual whose data was being transferred had given consent.

Adequate level of protection

The CJEU held that the Commission had not verified whether the US actually guaranteed that the companies concerned ensured a level of protection essentially equivalent to that of the European Union, and on that basis declared the Agreement invalid.

The Privacy Shield, adopted by the Commission in agreement with the US, replaces the Safe Harbour Agreement and imposes far stricter obligations on US companies, with a view to ensuring adequate protection of personal data transferred to the US. To ensure compliance, the Privacy Shield provides for a range of measures.

Measures to ensure compliance

Firstly, the US Department of Commerce will be responsible for carrying out periodic checks on US companies that receive personal data and have signed up to the Privacy Shield, to ensure that they comply with the rules they have subscribed to. Companies that fail to comply may be penalised and even removed from the list of companies covered by the Privacy Shield.

Secondly, access to personal data by the US administration will be subject to limitations, safeguards and clear oversight mechanisms. Data will no longer be subject to mass, indiscriminate surveillance.

Thirdly, any European citizen who believes his/her data has been misused will have access to a range of complaint options: (i) directly with the company in breach; (ii) before the national data protection authority of his/her country (which will cooperate with the Federal Trade Commission to ensure that the complaint is investigated and resolved); or (iii) through any of the free alternative dispute resolution mechanisms to which the company in breach has acceded. The company must specify in its privacy policy which dispute resolution mechanism it has chosen and provide a link to the website of the organisation through which the company and the complainant may try to resolve the complaint.

If the complaint is not resolved through any of the above procedures, the Privacy Shield provides that an arbitration procedure may be initiated before the “Privacy Shield Panel”.

Processing of personal data without the consent of the data subject when there is a legitimate interest to do so
https://faus-moliner.com/en/processing-of-personal-data-without-the-consent-of-the-data-subject-when-there-is-a-legitimate-interest-to-do-so/
Thu, 29 Mar 2012 11:15:00 +0000
Background

In our CAPSULAS 130 of November 2011 we commented on the Judgment of the Court of Justice of the European Union (CJEU) of 24 November 2011, concerning whether national law may require that additional conditions or requirements, not provided for in EU regulation, be met in order to process personal data without obtaining the consent of the data subject.

The CJEU judgment was issued in response to a request for a preliminary ruling made by the Spanish Supreme Court before rendering the Judgment analysed below.

Decision of the Supreme Court

The issue analysed by the Supreme Court is whether sections a) and b) of article 10.2 of Royal Decree (RD) 1720/2007, which approved the Regulation implementing the Organic Law on Personal Data Protection, are lawful, given that the requirements they impose for the processing of personal data exceed those laid down by EU regulations. Under the general rule, the prior consent of the data subject is required in order to lawfully process personal data. However, sections a) and b) of Article 10.2 of RD 1720/2007 derogate from that general rule by allowing personal data to be processed without the consent of the data subject when:

• it is authorized by a regulation having the force of law or by a rule of European Community law;

• its purpose is to satisfy a legitimate interest of the data controller protected by a regulation with the force of law or by a rule of European Community law, unless the interest or the fundamental rights and freedoms of the data subject prevail;

• it is necessary in order for the data controller to fulfill an obligation imposed by a regulation having the force of law or by a rule of European Community law;

• the data to be processed are included in a publicly available source and the data controller has a legitimate interest in their processing, as long as the fundamental rights and freedoms of the data subject are not violated.

The Supreme Court, relying on the doctrine of the CJEU, considers that there is no doubt that the requirement in the Spanish regulations that the personal data be available in a publicly accessible source is not provided for in EU law, and that the regulation containing this requirement is therefore contrary to law. Thus, in order to lawfully process personal data without the prior consent of the data subject, it is sufficient that the processing satisfies a legitimate interest of the data controller and that the fundamental rights and freedoms of the data subject are not violated.

No additional requirements may be imposed as regards matters that have been totally harmonized by the European Union
https://faus-moliner.com/en/no-additional-requirements-may-be-imposed-as-regards-matters-that-have-been-totally-harmonized-by-the-european-union/
Sat, 19 Nov 2011 11:22:04 +0000
Background

On 24 November the Court of Justice of the European Union (CJEU) issued its judgment on several questions referred for a preliminary ruling concerning Spanish legislation on personal data protection. The judgment deals with a delicate issue: the conditions under which a company may process such data without obtaining the consent of the data subjects.

The National Association of Financial Credit Institutions (ASNEF) and the Spanish Federation of E-Commerce and Direct Marketing (FECEMD) challenged in court the legislation that implemented into Spanish law the rules on personal data contained in Directive 95/46/EC. They considered this national legislation incompatible with European Union law because it established additional requirements, not provided for in the Directive, for processing personal data without the consent of the data subject.

Indeed, whereas the Directive permits such processing as long as (a) the data are not specially protected, (b) the processing is necessary to satisfy a legitimate interest of the person responsible for it and (c) it does not infringe the fundamental rights of the data subject, the Spanish regulation added the further requirement that the data must previously have appeared in a source available to the public. Once the matter reached the Supreme Court, that tribunal decided to stay the proceedings and refer the case to the CJEU for a preliminary ruling.

Conclusions of the CJEU

The CJEU considered that the Directive carries out an exhaustive harmonization of the matter and confers an unconditional and precise right to process this type of data without the consent of the data subject, on the terms established in the Directive itself. The CJEU therefore concluded that a national law imposing additional requirements is incompatible with European Union law.

This is not an isolated case

The judgment of the CJEU is a strong reprimand against the temptation to use national legislation to go beyond the limits set by the European Union legislator. And this kind of excess is not infrequent. A few days ago the Spanish Agency for Medicinal Products and Medical Devices published a circular insisting that, in order to cease marketing a medicinal product, authorization must be requested from that body and the reasons for the cessation must be specified in detail. This requirement conflicts with European Union law, which confers an unconditional and precise right to cease marketing merely by notifying the authorities at least two months in advance, and which requires only a report on sales volume and product prescriptions. It would therefore be very useful if the Spanish authorities reconsidered their position on this matter before anyone ends up bringing the case before the CJEU.