Xnet opens two complaints at the European Commission to improve data protection in Spanish legislation

Xnet highlights gaps in Spain’s adaptation of EU Data Protection Regulation (GDPR)

Xnet opens two complaints with the European Commission concerning the lack of effective adaptation of the data minimization principle and the failure to reconcile personal data protection with freedom of expression and information in Spanish legislation.

Covid19 has forcefully put on the table the question of how far the extraction and use of citizens’ personal data may reach.

These problems had already been detected and explained in our February 2020 report, “Privacy, Data Protection and Institutionalised Abuses” and with the campaign #DatosPorLiebre:

We believe that the use of personal data in the general interest is necessary, but should not conflict with the respect for the fundamental rights to privacy and intimacy.

The procedures that we are now opening are a consequence of the report, but we believe that they are also useful in the design of post-Covid19 policies. The European Commission has published a position very similar to ours, and the new Spanish Secretary-General for Digital Transformation demonstrates more sensitivity to digital rights than any of her predecessors. That is why we consider that this is a good time to start these procedures.

As we explained in the report “Privacy, Data Protection and Institutionalised Abuses”, we consider that the “Organic Law on Data Protection and the Guarantee of Digital Rights”, which aims to adapt the European General Data Protection Regulation (RGPD) to the Spanish system, contains gaps that are detrimental to fundamental rights.

The report and the procedures explain the collision between the principle of minimisation, which is fundamental in the RGPD, and other laws in force that prevent its deployment and the control of personal data, their use and destination by individuals.

Specifically, the identification requirements imposed on citizens when they want to carry out any type of procedure, however simple it may be, at a Public Administration or other companies, are abusive and disproportionate. These identification requirements of Spanish legislation are no longer justified in the new framework established by the European General Data Protection Regulation (also known by its acronym, RGPD). The principle of minimization establishes that no one should ask us for or extract more data than necessary. Privacy must be by design and by default.

On the other hand, the second procedure highlights the lack of transposition of Article 85 of the Regulation into national law, thus failing to comply with the obligation that it establishes to reconcile the right to personal data protection with the freedoms of expression and information. This makes it difficult to uncover cases of abuse or corruption, which is very necessary in a situation such as the one we are experiencing.

Here you can find excerpts from the two procedures: