← Back to the top of the Report
3 – THE LACK OF ENFORCEMENT OF ARTICLE 85 IN SPAIN – THE LACK OF PROTECTION OF FREEDOM OF INFORMATION IN THE DATA PROTECTION ACT
THE LACK OF ENFORCEMENT OF ARTICLE 85 IN SPAIN – THE LACK OF PROTECTION OF FREEDOM OF INFORMATION IN THE DATA PROTECTION ACT
The European General Data Protection Regulation obliges States to reconcile the right to data protection with other fundamental rights, such as freedom of expression and information.
Xnet, during the drafting of the Organic Law on Data Protection and the Guarantee of Digital Rights, passed in December 2018, made proposals in several meetings with the legislator to reconcile the boundaries between these rights. None of the proposals was accepted with a motivation, which we cannot share: “this is a court matter”. We consider this approach to be a dangerous one as it implies that the rights to freedom of expression and information are guaranteed only to those who can afford to litigate. We would rather establish a legal framework where it is possible to exercise these rights with greater legal certainty.
In Spain, there has not yet been a case that massively demonstrates this asymmetry and negative impact on fundamental rights, but we can provide some symptomatic examples.
First example: Xnet, in its anti-corruption activities, is aware of the frequency with which, in corruption cases, the corrupt claim the right to the protection of their data in order to invalidate evidence(1,2,3). One well-known case is that of the Spanish People’s Party (Partido Popular), that justified the destruction of hard disks possibly related to the Bárcenas case claiming data protection(4). To this effect, see also the chapter on the “Right to record abuses” of this report.
Another example. As Xnet warned, Tthe consequences of this omission have already been highlighted in the academic field when, after a petition via the Data Protection Act, the University of Alicante decided to remove from the search results of search engines such as Google the name of Antonio Luis Baena Tocón, an officer in Franco’s army who served as legal secretary in one of the military councils that led to sentenced the poet Miguel Hernández to death, and whose name appeared in several texts signed by university professor Juan Antonio Ríos Carratalá. In the end, the University rectified and decided not to eliminate the search results after deeming the officer’s name and activity to be information of public interest, published for historical research purposes(5).
However, the clearest example of the consequences of not embodying the spirit of Article 85 of the European General Data Protection Regulation has been seen in Romania, where the Romanian Data Protection Authority investigated RISE Project journalists for a report on a corruption scandal. They were accused of violating the data protection of the people (politicians, etc.) they mentioned in their investigation by publishing it. They were asked, among other things, the sources of the information they had published. Initially they were threatened with a fine of €600 for each day of delay in providing the information, plus a penalty of €20 million(6).
“Both the European Court of Justice and the European Court of Human Rights have pointed out in numerous judgements the importance of protecting debate on matters of public interest and that the protection of journalistic sources is one of the pillars of the freedom of information of the press. The UN Special Rapporteur on the protection of the right to freedom of opinion and expression has also underlined the need to protect journalistic sources.”(7,8)
With European and international regulation in mind, the Association for Technology and Internet (ApTI), in collaboration with Privacy International and with the support of Xnet among other European digital rights organisations(9), filed a complaint to the European Commission(10) considering that the European Regulation could not serve as a tool to limit the freedoms of expression and information and that in the case of Romania, the three exceptions provided for by the Law were too limited, with journalistic activities going beyond the provisions. They also questioned the investigative powers of the Data Protection Authority when freedom of information is at stake.
Following the case of Romania, the President of Bulgaria exercised his right of veto over the Bulgarian Data Protection Law because he considered that the provisions of the law relating to the conditions for its non-application when data protection collided with freedoms of expression and information would entail oversight of the work done by journalists, academics and artists, damaging their freedoms of expression and information as well as their independence(11). Even so, the Law was passed without any modification on this point with the vote in favour of more than half of all members of Parliament and entered into force last March 2019.
As a result of the analysis carried out, in order to ensure and protect the right of individuals to inform and receive general-interest information in line with international human rights standards, XNet recommends:
• Protecting the public interest and freedom of expression and information
Amend the recently passed Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights, in order that it effectively guarantees, and not merely announces, the freedoms of expression and information for the general population.
In order to protect the presumption of innocence, we refer to our recommendations for the right to record(12) and apply the same parameters: the personal data of persons appearing in information made public for the general interest must be withheld unless they are public and notorious or have already been disclosed by the justice system or the media. The necessary measures must also be taken so as not to disseminate parts of the information that relate to private events that have no public utility. On the other hand, the social function of certain professionals in a democratic system must be respected and specific criteria established for them (journalists, academics, researchers, artists, etc.), preserving their prerogatives and function for the general interest and protecting their sources of information as a priority.
• Passing Xnet’s Law on Comprehensive Protection of Whistleblowers (first enforcement of the European Directive).
With the passage of the Law on Trade Secrets, progress was made, including an exception to its application to ensure that it is not a crime to reveal a trade secret in order to protect the public interest, thus guaranteeing freedom of expression and information(13).
Following down this path, Xnet created the Law on Full Protection of Whistleblowers(14) and integrated the first enforcement of the European Directive in which it also participated. This law has already begun the process for being passed at three levels, at the state level(15), in Catalonia(16) and in the Basque Country(17), although none has yet been passed. This law guarantees protection against any kind of retaliation against those who expose systemic abuses that affect the general interest.
BEST PRACTICE RECOMMENDATIONS FOR INSTITUTIONS
PRIOR TO THE AMENDMENTS TO THE LAW TO CREATE A MORE FAVOURABLE FRAMEWORK FOR THE RESPECT OF FUNDAMENTAL FREEDOMS
– Establish clear interpretative criteria and inform the public about it so that they can know the limits between freedom of expression and information and the right to the protection of personal data and thus facilitate the exercise of these freedoms in cases where it is in the public interest while protecting the fundamental right to the protection of personal data and the right to defence where appropriate.
– Implement secure and anonymous channels for whistleblowing, both internal and external, such as those that Xnet, powered by Globaleaks, has implemented in institutions for the first time in Spain(18), to allow the disclosure of information of public interest on irregularities committed both in the public and business spheres. Normalise the use of these channels without criminalising their users(19).
English translation of the letter from the Romanian Data Protection Authority sent to RISE Project:
Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression. https://www.un.org/en/ga/search/view_doc.asp?symbol=A/70/361
Recommendations of the Xnet report on the Right to Record:
• Correcting the balance of consent and ensure legal certainty for the public.
Promote regulations and laws, for example, to amend the recently approved Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights, so that the consent of civil servants or corporate workers is not required to capture their image and voice when the purpose of such recordings is to oversee the proper functioning of public institutions, to report abuses of power, malpractice and abuses of defenceless users, or irregularities committed by those who serve the public. This processing of personal data may be legitimised by other legal groundings for processing provided for both by the Law on Data Protection (Article 8) and the General European Data Protection Regulation (Article 6.1, letters c, e and f): compliance with legal obligations applicable to the public, the performance of tasks carried out in the public interest and the satisfaction of legitimate interests.
Standardise the use of cameras and recording systems in the spaces where services open to the public are provided, both by institutions and corporations and by the public and consumers, as a preventive measure against the commission of aggressions and irregularities.
• Protecting the public interest and freedom of expression and information with respect to the dissemination of recordings. Finding the balance between these rights and the presumption of innocence. Repeal Article 36.23 of Law 4/2015 on Citizen Security.
Promote regulations that guarantee the possibility of disseminating recordings of public servants and elected officials, as well as workers of corporations that work with the public or users of services, in order to allow them to report situations of malpractice, irregularities, abuses or aggressions, while respecting other fundamental rights. This means preserving the personal data of the person recorded and hiding or disguising their voice and image in the dissemination. In both cases, in order to preserve the presumption of innocence, in the event of dissemination, necessary measures must be taken to ensure that the person recorded cannot be recognised and that any parts of the recording that relate to private events that are not used to clarify the details of the potential abuse cannot be disseminated.