Report and Legislative Proposals on Institutionalised Abuses in Privacy and Data Protection

Report and Legislative Proposals on Institutionalised Abuses in Privacy and Data Protection

Post last edited: September 2023


Download Pdf here
Web version below ↓

As a result of this report, we have opened two procedures before the European Commission. You can find a summary in the Público newspaper:

And excerpts from the two proceedings here:

Xnet’s proposals on Privacy and Data Protection against Institutionalised Abuses

Transparency for institutions, privacy for the people
Reforms of data policies to correct the asymmetry and lack of protection of people before institutions and companies

Updated version to December 20, 2022




In each section, this report presents:




As an annex for each section:

(Exception: in the case of the first topic, this is in the main body, not in an annex)





The right to the protection of personal data is a fundamental privacy right that guarantees personal control over our data, its use and its destination. Simply put, to talk of data is to talk of control; it is to ask who can know who we are, where we live, what we do during the day; during the night; what tastes, convictions, vices, pleasures or pains we have, etc. It is a right that should be respected by both public and private agencies. Much has been said of abuses relating to personal data committed by Facebook and other private companies, but there has been little comment on non-compliance by public administrations or institutions, the policies that undermine the privacy of the public, the small (or large) daily abuses to which people are subjected.

In this context, Xnet has long denounced a perverse use of “data protection”(1): data protection is often used as an excuse to hide and protect corruption as well as to cover up bad practices, inertia, incompetence or abuse by institutions.

The European Data Protection Regulation (known by the acronym GDPR), which entered into force in May 2018, was the result of more than a decade of organised efforts by civil society to guarantee people’s rights to privacy, updating them to be more suitable in the digital era(2). The GDPR that we all remember thanks to the endless messages about consent we have received since then, is in fact the result of more than a decade of organised efforts by civil society to guarantee people’s rights to privacy and updating them to be more suitable in the digital era. Perhaps the largest efforts have come from within German civil society, as they know what it means for established powers to have all your data: they suffered at the hands of the Stasi, the largest surveillance and personal data collection operation ever known in the pre-digital age.

With the GDPR, we have managed to impose the first brakes —imperfect but firm— on the corporate and state interests in the exploitation of the new gold that is our personal data.

Yet this is just the foundation. We must continue with our efforts. We must use this first, significant victory to strengthen the fight for our privacy and at the same time to ensure that it not serve as an excuse or cover for bad practices, or to impede the right to information and report abuses.

As a tool to help achieve this goal, Xnet presents a new report. Comprising more than 200 pages, it aims to explain which flanks are exposed and what we must do to protect them.

It comprises 5 parts:

Each of these parts is accompanied by legal and legislative proposals to change the current situation. Each of these texts will ask the Governments, Congress or Parliaments, as well as the competent bodies, to enact changes in the legislation or the policies necessary for the data protection law to serve to protect the privacy of the public and not to guarantee the impunity of the powerful.

There are three basic central threads running through all this work:

    • The first is a force that included in the GDPR. It is the principle of minimization. No one should request or take from us more data than is strictly necessary. We need to know that this principle is a firm base on which we can rely. At the moment, even asking what time an office opens or calling a supply company to know their rates requires you to identify yourself, not to mention when you ask for more complex information to uncover abuses or injustices. This has to end.

    • The second common thread is a weakness of the GDPR. It allows us to ask for all types of personal data by alleging “legitimate interests”. Countries like Spain that have not defined what these “legitimate interests” are, nor are they asking for them to emerge and be detailed so that they can be brought into discussion, open the door to all kinds of arbitrariness and abuses. This formula is used when there is no solid or sufficient justified legal grounds. Out of respect for the rights, freedoms and interests of the people, it should not be possible to use such one-size-fits-all excuses, which end up invalidating the spirit of the regulations. The “legitimate interests” that this or that company or institution deems necessary must not prevail over the rights and interests of the people. We want to guarantee the principle of privacy by design and by default.

    • Finally, as we have already mentioned, data protection cannot be an excuse to limit the right to information and the fight against corruption and abuses: from the hard disk drives of the People’s Party that might have held proof of corruption and which were destroyed under the guise of data protection(3) , to the vote that was lost on the publication of the torturer Billy el Niño’s service sheet because of MPs citing data protection(4), we find this “motivation” used over and over again. For journalists and anti-corruption activists, these excuses are the walls we encounter daily.

With the now well-known motto “Transparency for institutions; privacy for the people”, we hope to show just how much is required from the latter, and how little is required of the former, as well as exploring what must be done to reverse this situation.


    Part 1 – Abuse of identification by institutions vs. minimization of data by design and by default

In many countries, such as in Spain, there is an abusive tendency to ask for more information than is necessary when someone makes a simple enquiry of any given institution, something that is sometimes reinforced by other administrative laws and sometimes even by the Law of Transparency, when they establish the verification of the identity of the interested parties as mandatory. This is because, by default, any relationship between the public and administration is considered an “administrative procedure”, and that includes asking for information that by law should be public. This shows that “administrative procedure” in Spain is held to be a synonym of power, subordination and hierarchy. We find the reason behind this not in logic, and especially not in the agile logic of the digital era; nor is it compatible with the concept of a modern democracy: it is civil society that must be able to monitor its institutions and not vice versa.

As such, Xnet denounces that our administrative laws can conflict with the basic principle of a higher law: the minimization principle of the European Data Protection Regulation which states that only appropriate, relevant and non-excessive data should be collected in accordance with the purposes for which they are collected, and that any data that is collected and the reason for it must be explained.

We must protect the weak and oversee the strong, as there is a clear asymmetry between the established powers, which can monitor us, and the general public, who ends up having to fight and expose themselves in order to access information that should be theirs in a modern democracy (aside from the fact that it is the public that foots the bill). 

Part of the struggle for real democracy is to end this asymmetry. That is, to achieve free access to information without threats (without which, we cannot oversee or fight corruption and abuses), and to balance this freedom with the right to privacy, highlighting any false ambiguities.


    Part 2 – The right to record abuses to report them and data protection policies

And here we have the other side of the coin. While on the one hand the public is asked to provide an abundance of data, we find, perversely, that the established powers have a hard time handing over theirs. It is another classic: to allege data protection to punish the use of information (i.e. disclosure) such as recordings of officials committing excesses (the police, for example). From 2016 to 2018, 113 sanctions were imposed in Spain by applying the “Gig Law”, totalling 70,522 euros against those affected. This regulatory framework has had a powerful deterrent effect in the reporting of systemic abuses. But, contrary to common belief, the most monolithic obstacle to recording and above all to disseminate the commission of institutional or systemic abuses is not only the well-known and oft-denounced Law on Citizen Security, aka the Gag Law, but the jurisprudence from the Law on Data Protection.

However, the devil is in the details: at XNet, we praise every step taken towards streamlining reports and complaints by victims who have had their private content disseminated without their consent. Xnet supports the #PuedesPararlo [You can Stop it] campaign run by the Spanish Data Protection Agency, which strengthens the interpretation of its European counterpart by not applying the exception of domestic use in these cases when there is viralisation (i.e., the information circulates in a way that transcends the domestic scope).

That being said, there is one important detail: it is necessary to differentiate these cases from those in which the recordings of the people have been captured in their performance of a public service, in a public place or at public events. In no case can such situations be equated to violation of privacy. It should be emphasised that it is very pernicious for any democracy to use such a case (the violation of rights in the dissemination of intimate information) to curtail the freedom of information in the public interest to disseminate abuses.


    Part 3 – The lack of protection for the freedom of information in the organic law on data protection

For all of these reasons, it is essential that legislators properly transpose Article 85 of the GDPR, which requires the harmonisation of privacy with the freedom of information and expression.

When in 2018 the Spanish legal system was adapted to the RGPD with the Organic Law on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD), Xnet tried without success to carry it out.

The LOPDGDD has some novel and laudable embryonic characteristics with respect to digital rights, but also numerous weaknesses, as we shall see. Regarding the transposition of article 85, the refusal that Xnet received from the legislator was that “this is resolved by the courts”.

Reporters know full well that there are many times where those affected by their investigations resort to legal action to wear down the media, even if the case ends up being rejected. When faced with a lawsuit, the media are forced to mobilise resources to defend themselves, and that compromises much-needed journalistic investigations. Even worse is the situation of whistleblowers, ordinary people who reveal abuses. See ->

The approach of “the courts will handle this” is a dangerous, elitist one, as it implies that the defense of freedom of expression and information is guaranteed only to those who can afford to sue. We would rather establish clear criteria so that everyone can exercise their rights safely and without fear of being punished.

Data protection is too often used as a pretext to invalidate evidence. Apart from the aforementioned examples, the democratic grievance of not including the defense of freedom of information in the field of data protection as a part of the transposition is laid manifest in Romania where journalists who investigated government corruption have been sanctioned to the tune of 20 million euros because of the data protection law (for releasing the data of the alleged corrupt politicians). It is for all these reasons that the Association for Technology and the Internet (ApTI), with the support of Privacy International and Xnet among other European digital rights defense organisations lodged a complaint with the European Commission a year ago. At that time, European Commission spokesperson Margaitis Schinas said: “It is extremely important that the Romanian authorities implement this obligation [art.85] in national law to (…) protect journalistic sources (…) when necessary to respect the freedom of information and expression of the media. (…) Data protection cannot be used as a back door to force journalists (…).

It is a pity that the complaint, a year on, is still awaiting response.


    Part 4 – Abuses during electoral campaigns: How did it become normal for Municipal Census Data to end up in the hands of political parties?

Campaigns to halt the sending of election propaganda to voters’ homes are already widespread, and yet the practice continues.

Xnet takes a stand.

The right to data protection is a fundamental right that guarantees individuals control over their data, the way it’s used and where it’s sent. This right must be respected by public and private bodies alike. There are exceptions provided for in the regulations, but these should only apply where it is strictly necessary to protect some higher good.

So how is it that it has become commonplace for municipal census data to end up in the hands of political parties? Name and surname, province and municipality of residence, district, section and polling station, address, date of birth and nationality in the case of foreign voters. Unbelievable.

The recently passed Organic Law on Data Protection included only the option to oppose having your data sent to the parties (an option that is not even respected). These are mere crumbs of what our legitimate rights should be.

If our goal is to truly respect the principle of privacy by design and by default, it should be the other way around: if we want our data to be supplied to political parties so as to receive electoral publicity, we should have to request it.

People are not even informed of this fact when they register on the Official Municipal Registry of inhabitants that is used for elections. This violates another of the essential principles of the European Data Protection Regulation, the principle of transparency, which implies that when people provide their data, they must be made fully aware to what end their data will be used and to whom it will be communicated, this in addition to the obligation to offer people the chance to oppose any such use.

Xnet offers solutions that could be applied immediately. It is a shame, then, that the ones who must decide whether to act to remedy this abuse of our rights are the same political parties who directly benefit from it.


    Part 5 – Abuses in the labour field: sale of data of freelancers

In our daily lives, in both the physical and digital worlds, we use and allow others to use our personal data even in many times where we cannot choose whether we want to provide it. These cases must be motivated by the common good, otherwise they would undermine the fundamental right to our privacy.

The self-employed, even before starting their activity, are obliged to make declarations, registrations and records of data in various institutions in order to work. The main and coincident in any case is the Tax Agency; with the new obligations for the prevention of money laundering, for those who provide certain services to companies, also the Mercantile Registry.

We believe that the possibility of disseminating and selling the data of the self-employed should be limited, especially when these data have not been manifestly made public by them, nor are they, in most cases, necessary to communicate with them.

In compliance with the data minimization principle, as this information is not necessary, it should not be publicly available.

There is a double standard in the application of data protection: while the ownership of companies in tax havens is hidden, the personal data of the self-employed with less purchasing power is sold.
Transparency must be an instrument for the balance of powers and is not incompatible with the preservation of personal privacy. It is absolutely possible to include the appropriate safeguards for those who do not have sufficient income (3.5 times the IPREM) to afford a professional domicile, while allowing the ownership of professional activities to be known.

We have proposed legal modifications and recommendations to respect privacy, without undermining the transparency that should guide all business actions so as not to hide possible cases of corruption or malpractice.


At Xnet we defend that democracy is, among other things, citizen vigilance over its institutions. For this reason, the weak must be protected and the strong must be controlled, since there is a clear asymmetry between the established powers and the citizenry.

We believe that part of the fight for a real democracy is to put an end to this asymmetry.
Using the new General Data Protection Regulation, also conquered by organized civil society, we are going to start various actions to continue on the path towards greater and better democracy.

Let’s do it.




    • When you are asked to provide your personal data, be it in a physical form, online or even on the telephone, make sure that the data you are asked to provide are the minimum necessary to carry out the service being provided or the task to be performed (art. 5.1.c) of the General Data Protection Regulation).

    • If this is not the case, you have the right to refuse and they cannot refuse to provide the service simply because you do not want to hand over more information than necessary. If you are asked for data that does not seem appropriate or relevant in accordance with this principle, and you therefore believe that they are requesting more data than necessary, inform them that the minimization principle of the European Data Protection Regulation says that they cannot ask you for such data.

• REMEMBER, in the case of public entities in Spain, Law 39/2015 of the Administrative Procedure (LPAC) requires proof of identity of those wishing to carry out any procedure with them, by checking their ID card or equivalent document, and via the Cl@ve PIN, Permanent Cl@ve or electronic DNI in the case of online procedures. Therefore, in the case of these entities, and until the law is modified, you should consider it “normal” to be asked for your name, surname and ID number for any procedures. But nothing else. If they request more data, you have the right to refuse and they cannot refuse to provide the service simply because you do not want to hand over more information than necessary.


In the event that an entity denies access to public information claiming data protection, we should bear in mind that this is not always a valid reason as to why it should not be provided.
If the requested information contains personal data, however, the institution may provide the information if the personal data is dissociated or anonymized, i.e., it is impossible to identify the people who appear in the requested information.


If you find yourself in one of these circumstances, tell them that you will communicate their malpractice to the AEPD (Spanish Data Protection Agency) (if it is a public sector organization, you can also contact the regional authority in Catalonia, the Basque Country and Andalusia). You can file a claim with the following links and you can also state that you are following the guidelines of Xnet; this will make the process more effective, and allows us to group together queries to create general precedents and they will get a clearer understanding of what you are referring to:

If you can, forward any replies you receive to







Considerando (43) del RGPD: “Para garantizar que el consentimiento se haya dado libremente, este no debe constituir un fundamento jurídico válido para el tratamiento de datos de carácter personal en un caso concreto en el que exista un desequilibro claro entre el interesado y el responsable del tratamiento, en particular cuando dicho responsable sea una autoridad pública y sea por lo tanto improbable que el consentimiento se haya dado libremente en todas las circunstancias de dicha situación particular. Se presume que el consentimiento no se ha dado libremente cuando no permita autorizar por separado las distintas operaciones de tratamiento de datos personales pese a ser adecuado en el caso concreto, o cuando el cumplimiento de un contrato, incluida la prestación de un servicio, sea dependiente del consentimiento, aún cuando este no sea necesario para dicho cumplimiento.”


Xnet project coordinated by Simona Levi with Míriam Carles and with the collaboration of Postgraduate researchers led by Simona Levi and Cristina Ribas on Technopolitics and Rights in the Digital Age, Rubén Bujalance, César Manso-Sayao, along with other participants who have requested their names not be published.

*Title proposed during the Postgraduate Course in Technopolitics and Rights in the Digital Age by Víctor Pérez Berruezo.

Updated version on December 20, 2022.

Published under CC license by-sa 4.0

Research carried out in part with the support of the Transparency Agency of the Barcelona Metropolitan Area (AMB) and Barcelona City Council (in both cases, through grants).
Part of the research will be incorporated and will continue as part of the Gavius project of the UIA.

The contents are the opinion of Xnet alone. The Transparency Agency of the Barcelona Metropolitan Area and other institutions are not responsible for any use that may be made of the information provided.