Tag Archives: personal data

Exam scripts and examiner’s corrections are personal data of the exam candidate (AG Kokott Opinion in Nowak)

AG Kokott delivered her Opinion on 20 July in Case C-434/16 Nowak v Data Protection Commissioner, concluding that “a handwritten examination script capable of being ascribed to an examination candidate, including any corrections made by examiners that it may contain, constitutes personal data within the meaning of Article 2(a) of Directive 95/46/EC” (Note: all highlights in this post are mine).
This is a really exciting Opinion because it provides insight into:

  • the definition of personal data,
  • the purpose and the functionality of the rights of the data subject,
  • the idea of abusing data protection related rights for non-data protection purposes,
  • how the same ‘data item’ can be personal data of two distinct data subjects (examiners and examinees),
  • what constitutes a “filing system” of personal data processed otherwise than by automated means.

But also because it technically (even if not literally) invites the Court to change its case-law on the definition of personal data, and specifically the finding that information consisting in a legal assessment of facts related to an individual does not qualify as personal data (see C-141/12 and C-372/12 YS and Others).

The proceedings were initially brought in front of the Irish Courts by Mr Nowak, who, after failing an exam organised by a professional association of accountants (CAI) four times, asked for access to see his exam sheet on the basis of the right to access his own personal data. Mr Nowak submitted a request to access all his personal data held by CAI and received 17 items, none of which was the exam sheet. He then submitted a complaint to the Irish Data Protection Commissioner, who decided not to investigate it, arguing that an exam sheet is not personal data. The decision not to investigate on this ground was challenged in front of a Court. Once the case reached the Irish Supreme Court, it was referred to the Court of Justice of the EU to clarify whether an exam sheet falls under the definition of “personal data” (§9 to §14).

Analysis relevant both for Directive 95/46 and for the GDPR

Yet again, AG Kokott refers to the GDPR in her Conclusions, clarifying that “although the Data Protection Directive will shortly be repealed by the General Data Protection Regulation, which is not yet applicable, the latter will not affect the concept of personal data. Therefore, this request for a preliminary ruling is also of importance for the future application of the EU’s data protection legislation” (m.h.).

The nature of an exam paper is “strictly personal and individual”

First, the AG observes that “the scope of the Data Protection Directive is very wide and the personal data covered by the Directive is varied” (§18).

The Irish DPC argued that an exam script is not personal data because “examination exercises are normally formulated in abstract terms or relate to hypothetical situations”, which means that “answers to them are not liable to contain any information relating to an identified or identifiable individual” (§19).

This view was not followed by the AG, who explained that it is incongruent with the purpose of an exam. “In every case“, she wrote, “the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate”  (§24; m.h.). Therefore, “every examination aims to determine the strictly personal and individual performance of an examination candidate. There is a good reason why the unjustified use in examinations of work that is not one’s own is severely punished as attempted deception” (§24; m.h.).

What about exam papers identified by codes?

In a clear indication that pseudonymized data are personal data, the AG further noted that an exam script is personal data also in those cases where instead of bearing the examination candidate’s name, the script has an identification number or bar code: “Under Article 2(a) of the Data Protection Directive, it is sufficient for the existence of personal information that the data subject may at least be indirectly identified. Thus, at least where the examination candidate asks for the script from the organisation that held the examination, that organisation can identify him by means of the identification number” (§28).

Characteristics of handwriting, personal data themselves 

The AG accepted the argument of Mr Nowak that answers to an exam that are handwritten “contain additional information about the examination candidate, namely about his handwriting” (&29). Therefore, the characteristics of the handwriting are personal data themselves. The AG explains that “a script that is handwritten is thus, in practice, a handwriting sample that could at least potentially be used at a later date as evidence to determine whether another text was also written in the examination candidate’s writing. It may thus provide indications of the identity of the author of the script” (§29). According to the AG, it’s not relevant whether such a handwriting sample is a suitable means of identifying the writer beyond doubt: “Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt” (§30).

Classifying information as ‘personal data’ is a stand alone exercise (does not depend on whether rights can be exercised)

The Irish DPC argued that one of the reasons why exam scripts are not personal data in this case is because the “purpose” of the right to access and the right to rectification of personal data precludes them to be “personal data” (§31). The DPC is concerned that Recital 41 of Directive 95/46 specifies that any person must be able to exercise the right of access to data relating to him which is being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing. “The examination candidate will seek the correction of incorrect examination answers”, the argument goes (§31).

AG Kokott rebuts this argument by acknowledging that the classification of information as personal data “cannot be dependent on whether there are specific provisions about access to this information” or on eventual problems with rectification of data (§34). “If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive, even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best” (§34)

Even if classification information as “personal data” would depend in any way on the purpose of the right to access, the AG makes it clear that this purpose is not strictly linked to rectification, blocking or erasure: “data subjects generally have a legitimate interest in finding out what information about them is processed by the controller” (§39). This finding is backed up by the use of “in particular” in Recital 41 of the Directive (§39).

The purpose of processing and… the passage of time, both relevant for obtaining access, rectification

After clarifying that it’s irrelevant what an individual wants to do with their data, once accessed (see also the summary below on the ‘abuse of rights’), AG Kokott explains that a legitimate interest in correcting an “exam script”-related data is conceivable.

She starts from the premise that “the accuracy and completeness of personal data pursuant to Article 6(1)(d) must be judged by reference to the purpose for which the data was collected and processed” (§35). The AG further identifies the purpose of an exam script as determining  “the knowledge and skills of the examination candidate at the time of the examination, which is revealed precisely by his examination performance and particularly by the errors in the examination” (§35). “The existence of errors in the solution does not therefore mean that the personal data incorporated in the script is inaccurate”, the AG concludes (§35).

Rectification could be achieved if, for instance, “the script of another examination candidate had been ascribed to the data subject, which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost” (§36).

The AG also found that the legitimate interest of the individual to have access to their own data is strengthened by the passage of time, to the extent that their recollection of the contents of their answer is likely to be considerably weaker a few years after the exam. This makes it possible that “a genuine need for information, for whatever reasons, will be reflected in a possible request for access. In addition, there is greater uncertainty with the passing of time — in particular, once any time limits for complaints and checks have expired — about whether the script is still being retained. In such circumstances the examination candidate must at least be able to find out whether his script is still being retained” (§41).

Is Mr Nowak abusing his right of access under data protection law?

AG Kokott recalls CJEU’s case-law on “abuse of rights” and the double test required by the Court to identify whether there had been any abuse of rights in a particular case (C-423/15 Kratzer and the case-law cited there at §38 to §40), which can be summed up to (§44):

i) has the purpose of the EU legislation in question been misused?

ii)  is the essential aim of the transaction to obtain an undue advantage?

The DPC submitted during the procedure that if exam scripts would be considered personal data, “a misuse of the aim of the Data Protection Directive would arise in so far as a right of access under data protection legislation would allow circumvention of the rules governing the examination procedure and objections to examination decisions” (§45).

The AG considers that “any alleged circumvention of the procedure for the examination and objections to the examination results via the right of access laid down by data protection legislation would have to be dealt with using the provisions of the Data Protection Directive” and she specifically refers to the restrictions to the right of access laid down in Article 13 of the Directive with the aim “to protect certain interests specified therein” (§46). She also points out that if restricting access to exam scripts can’t be circumscribed to those exceptions, than “it must be recognised that the legislature has given precedence to the data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance” (§47).

The AG also looks at the exceptions to the right of access under the GDPR and finds that it is more nuanced than the Directive in this regard. “First, under Article 15(4) of the regulation, the right to obtain a copy of personal data is not to adversely affect the rights and freedoms of others. Second, Article 23 of the regulation sets out the grounds for a restriction of data protection guarantees in slightly broader terms than Article 13 of the Directive, since, in particular, protection of other important objectives of general public interest of the Union or of a Member State pursuant to Article 23(1)(e) of the regulation may justify restrictions” (§48).

However, it seems that she doesn’t find the slight broadening of the scope of exemptions in the GDPR as justifying the idea of an abuse of right in this particular case.

The AG also argues that “on the other hand, the mere existence of other national legislation that also deals with access to examination scripts is not sufficient to allow the assumption that the purpose of the Directive is being misused” (§49). She concludes that even if such misuse would be conceivable, the second limb of the “abuse of rights” test would not be satisfied: “it is still not apparent where the undue advantage lies if an examination candidate were to obtain access to his script via his right of access. In particular, no abuse can be identified in the fact that someone obtains information via the right of access which he could not otherwise have obtained” (§50).

Examiner’s correction on the exam script are the examinee’s personal data and his/her own personal data at the same time

The AG looks into whether any corrections made by the examiner on the examination script are also personal data with respect to the examination candidate (a question raised by some of the parties), even though she considers that the answer will not impact the result of the main proceedings (§52, §53).

It is apparent that the facts of this case resemble the facts of YS and Others, where the Court refused extension of the right of access to the draft legal analysis of an asylum application on the grounds that that did not serve the purpose of the Data Protection Directive but would establish a right of access to administrative documents. The Court argued in YS that such an analysis “is not information relating to the applicant for a residence permit, but at most information about the assessment and application by the competent authority of the law to the applicant’s situation” (§59; see YS and Others, §40). The AG considers that only “at first glance” the cases are similar. But she doesn’t convincingly differentiate between the two cases in the arguments that follow.

However, she is convincing when explaining why the examiner’s corrections are “personal data”. AG Kokott explains that the purpose of the comments made by examiners on an exam script is “the evaluation of the examination performance and thus they relate indirectly to the examination candidate” (§61). It does not matter that the examiners don’t know the identity of the examination candidate who produced the script, as long as the candidate can be easily identified by the organisation holding the examination (§60 and §61).

The AG further adds that “comments on an examination script are typically inseparable from the script itself … because they would not have any informative value without it” (§62). And it is “precisely because of that close link between the examination script and any corrections made on it”, that “the latter also are personal data of the examination candidate pursuant to Article 2(a) of the Data Protection Directive” (§63).

In an important statement, the AG considers that “the possibility of circumventing the examination complaint procedure is not, by contrast, a reason for excluding the application of data protection legislation” (§64). “The fact that there may, at the same time, be additional legislation governing access to certain information is not capable of superseding data protection legislation. At most it would be admissible for the individuals concerned to be directed to the simultaneously existing rights of information, provided that these could be effectively claimed” (§64).

Finally, the AG points out “for the sake of completeness” that “corrections made by the examiner are, at the same time, his personal data”. AG Kokott sees the potential conflict between the right of the candidate to access their personal data and the right of the examiners to protect their personal data and underlines that the examiner’s rights “are an appropriate basis in principle for justifying restrictions to the right of access pursuant to Article 13(1)(g) of the Data Protection Directive if they outweigh the legitimate interests of the examination candidate” (§65).

The AG considers that “the definitive resolution to this potential conflict of interests is likely to be the destruction of the corrected script once it is no longer possible to carry out a subsequent check of the examination procedure because of the lapse of time” (§65).

An exam script forms part of a filing system

One last consideration made by AG Kokott is whether processing of an exam script would possibly fall outside the scope of Directive 95/46, considering that it does not seem to be processed using automated means (§66, §67).

The AG points out that the Directive also applies to personal data processed otherwise than by automated means as long as they form part of a “filing system”, even if this “filing system” is not electronically saved (§69).

“This concept covers any structured set of personal data which is accessible according to specific criteria. A physical set of examination scripts in paper form ordered alphabetically or according to other criteria meets those requirements” (§69), concludes the AG.

Conclusion. What will the Court say?

The Conclusions of AG Kokott in Nowak contain a thorough analysis, which brings several dimensions to the data protection debate that have been rarely considered by Courts – the self-standing importance of the right of access to one’s own data (beyond any ‘utilitarianism’ of needing it to obtain something else), the relevance of passage of time for the effectiveness of data protection rights, the limits of the critique that data protection rights may be used to achieve other purposes than data protection per se, the complexity of one data item being personal data of two different individuals (and the competing interests of those two individuals).

The Court will probably closely follow the Conclusions of the AG for most of the points she raised.

The only contentious point will be the classification of an examiner’s corrections as personal data of the examined candidate, because following the AG will mean that the Court would reverse its case-law from YS and Others.

If we apply the criteria developed by AG Kokott in this Opinion, it is quite clear that the analysis concerning YS and their request for asylum is personal data: the legal analysis is closely linked to the facts concerning YS and the other asylum applicants and the fact that there may be additional legislation governing access to certain information (administrative procedures in the case of YS) is not capable of superseding data protection legislation. Moreover, if we add to this the argument that access to one’s own personal data is valuable in itself and does not need to satisfy other purpose, reversing this case-law is even more likely.

The only arguable difference between this case and YS and Others is that, unlike what the AG found in §62 (“comments on an examination script are typically inseparable from the script itself… because they would not have any informative value without it”), it is conceivable that a legal analysis in general may have value by itself. However, a legal analysis of particular facts is void of value when applied to different individual facts. In this sense, a legal analysis can also be considered inseparable from the particular facts it assesses. What would be relevant in classifying it as personal data would then remain the identifiability of the person that the particularities refer to…

I was never convinced by the argumentation of the Court (or AG Sharpston for that matter) in YS and Others and I would welcome either reversing this case-law (which would be compatible with what I was expecting the outcome of YS to be) or having a more convincing argumentation as to why such an analysis/assessment of an identified person’s specific situation is not personal data. However, I am not getting my hopes high. As AG Kokott observed, the issue in the main proceedings can be solved without getting into this particular detail. In any case, I will be looking forward to this judgement.

(Summary and analysis by dr. Gabriela Zanfir-Fortuna)

 

CJEU case to follow: purpose limitation, processing sensitive data, non-material damage

A new case received by the General Court of the CJEU was published in the Official Journal of the EU in February, Case T-881/16 HJ v EMA.

A British citizen seeks to engage the non-contractual liability of the European Medicines Agency for breaching data protection law. The applicant claims that “the documents in his personal file, which were made public and accessible to any member of staff of the European Medicines Agency for a period of time, were not processed fairly and lawfully but were processed for purposes other than those for which they were collected without that change in purpose having been expressly authorised by the applicant”.

Further, the applicant claims that “the dissemination of that sensitive data consequently called into question the applicant’s integrity, causing him real and certain non-material harm”.

The applicant asks the Court to “order the defendant to pay the applicant the symbolic sum of EUR 1 by way of compensation for the non-material harm suffered”.

Even if in the published summary there is no mention of the applicable law, it is clear that Regulation 45/2001 is relevant in this case – the data protection regulation applicable to EU institutions and bodies (EMA is an EU body). The rules of Regulation 45/2001 are fairly similar to those of Directive 95/46.

(Thanks dr. Mihaela Mazilu-Babel for bringing this case to my attention)

***

Find what you’re reading useful? Please consider supporting pdpecho.

 

 

What’s new in research: full-access papers on machine learning with personal data, the ethics of Big Data as a public good

Today pdpecho inaugurates a weekly post curating research articles/papers/studies or dissertations in the field of data protection and privacy, that are available under an open access regime and that were recently published.

This week there are three recommended pieces for your weekend read. The first article, published by researchers from Queen Mary University of London and Cambridge University, provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

The second article is the view of a researcher specialised in International Development, from the University of Amsterdam, on the new trend in humanitarian work to consider data as a public good, regardless of whether it is personal or not.

The last paper is a draft authored by a law student at Yale (published on SSRN), which explores an interesting phenomenon: how data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. The paper underlines that the US privacy law system lacks protection for individuals whose data are sold in this scenario and proposes a solution.

1) Machine Learning with Personal Data (by Dimitra Kamarinou, Christopher Millard, Jatinder Singh)

“This paper provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

We look at what profiling means and at the right that data subjects have not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or significantly affect them. We also look at data subjects’ right to be informed about the existence of automated decision-making, including profiling, and their right to receive meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

The purpose of this paper is to explore the application of relevant data protection rights and obligations to machine learning, including implications for the development and deployment of machine learning systems and the ways in which personal data are collected and used. In particular, we consider what compliance with the first data protection principle of lawful, fair, and transparent processing means in the context of using machine learning for profiling purposes. We ask whether automated processing utilising machine learning, including for profiling purposes, might in fact offer benefits and not merely present challenges in relation to fair and lawful processing.”

The paper was published as “Queen Mary School of Law Legal Studies Research Paper No. 247/2016″.

“International development and humanitarian organizations are increasingly calling for digital data to be treated as a public good because of its value in supplementing scarce national statistics and informing interventions, including in emergencies. In response to this claim, a ‘responsible data’ movement has evolved to discuss guidelines and frameworks that will establish ethical principles for data sharing. However, this movement is not gaining traction with those who hold the highest-value data, particularly mobile network operators who are proving reluctant to make data collected in low- and middle-income countries accessible through intermediaries.

This paper evaluates how the argument for ‘data as a public good’ fits with the corporate reality of big data, exploring existing models for data sharing. I draw on the idea of corporate data as an ecosystem involving often conflicting rights, duties and claims, in comparison to the utilitarian claim that data’s humanitarian value makes it imperative to share them. I assess the power dynamics implied by the idea of data as a public good, and how differing incentives lead actors to adopt particular ethical positions with regard to the use of data.”

This article is part of the themed issue ‘The ethical impact of data science’ in “Philosophical transactions of the Royal Society A”.

3) What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers (by Theodore Rostow)

Privacy scholarship to date has failed to consider a new development in the commercial privacy landscape. Data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. This practice creates an avenue for a new type of privacy harm — “insider control” — which privacy scholarship has yet to recognize.

U.S. privacy laws fail to protect consumers from the possibility of insider control. Apart from two noteworthy frameworks that might offer paths forward, none of the viable reforms offered by privacy scholars would meaningfully limit consumers’ vulnerability. This Note proposes changes to existing privacy doctrines in order to reduce consumers’ exposure to this new harm.”

This paper was published as a draft on SSRN. According to SSRN, the final version will be published in the 34th volume of the Yale Journal on Regulation.

***

Find what you’re reading useful? Please consider supporting pdpecho.

CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

CJEU gave its decision today in Case C-212/13 František Ryneš – under the preliminary ruling procedure. The press release is available here and the decision here.

Facts

A person who broke the window of the applicant’s home and was identified by the police with the help of the applicant’s CCTV camera complained that the footage was in breach of data protection law, as he did not give consent for that processing operation. The Data Protection Authority fined the applicant, and the applicant challenged the DPAs decision in front of an administrative court. The administrative court sent a question for a preliminary ruling to the CJEU.

Video image is personal data

First, the Court established that “the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned” (para. 22).

In addition, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.

Household exception must be “narrowly construed”

According to the Court, as far as the provisions of the Data protection directive govern the processing of personal data liable to infringe fundamental freedoms, they “must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68)”, and “the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed” (para. 29).

In this sense, the Court emphasized the use of the word “purely” in the legal provision for describing the personal or household activity under this exception (para. 30).

Such processing operation is most likely lawful

In one of the last paragraphs of the decision, the Court clarifies that “the application of Directive 95/46 makes it possible, where appropriate, to take into account — in accordance, in particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that directive — legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself, as in the case in the main proceedings” (para. 34).

This practically means that, even if the household exception does not apply in this case, and the processing operation must comply with the requirements of the Data protection directive, these requirements imply that a CCTV camera recording activity such as the one in the proceedings is lawful.

NB: The Court used a non-typical terminology in this decision – “the right to privacy” (para. 29)

Spain: ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

This is an unofficial translation that has been updated according to the changes operated
in the Act after the Sentence 292/200 of the Spanish Constitutional Court

Please note that the only legally binding text

is that published in the Spanish Official Journal2

I. General provisions

OFFICE OF THE HEAD OF STATE
23750 ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data.
JUAN CARLOS I
KING OF SPAIN

To whom it may concern.

Know ye that Parliament has passed, and I approve, the following Organic Law.

TITLE I

General provisions

Article 1. Subject
This Organic Law is intended to guarantee and protect the public liberties and fundamental
rights of natural persons, and in particular their personal and family privacy, with regard to the
processing of personal data.

Article 2. Scope
1. This Organic Law shall apply to personal data recorded on a physical support which makes
them capable of processing, and to any type of subsequent use of such data by the public and
private sectors.

This Organic Law shall govern any processing of personal data:
a) When the processing is carried out on Spanish territory as part of the activities of an
establishment belonging to the person responsible for the processing.
b) When the person responsible for the processing is not established on Spanish territory but is
subject to Spanish law pursuant to the norms of public international law.
c) When the person responsible for the processing is not established on the territory of the
European Union and is using for the processing means situated on Spanish territory, unless such
means are used solely for transit purposes.
2. The system of protection of personal data laid down by this Organic Law shall not apply to:
a) Files maintained by natural persons in the exercise of purely personal or household activities.
b) Files subject to the legislation on the protection of classified materials.
c) Files established for the investigation of terrorism and serious forms of organised crime.
However, in such cases, the person responsible for the file shall previously inform the Data
Protection Agency of its existence, its general characteristics and its purpose.
3. The following processing of personal data shall be governed by the specific provisions, and
by any special provisions, of this Organic Law:3
a) Files regulated by the legislation on the electoral system.
b) Those used solely for statistical purposes and protected by central or regional government
legislation on public statistical activities.
c) Those intended for the storage of the data contained in the personal assessment reports
covered by the legislation on the personnel regulations of the armed forces.
d) Those contained in the Civil Register and the Central Criminal Register.
e) Thos deriving from images and sound recorded by videocameras for the security forces in
accordance with the relevant legislation.

Article 3. Definitions
The following definitions shall apply for the purposes of this Organic Law:
a) Personal data: any information concerning identified or identifiable natural persons.
b) File: any structured set of personal data, whatever the form or method of its creation, storage
organisation and access.
c) Processing of data: operations and technical processes, whether or not by automatic means,
which allow the collection, recording, storage, adaptation, modification, blocking and
cancellation, as well as assignments of data resulting from communications, consultations,
interconnections and transfers.
d) Controller: natural or legal person, whether public or private, or administrative body which
determines the purpose, content and use of the processing.
e) Data subject: the natural person who owns the data undergoing the processing referred to in
(c) above.
f) Dissociation procedure: any processing of personal data carried out in such a way that the
information obtained cannot be associated with an identified or identifiable person.
g) Processor: the natural or legal person, public authority, service or any other body which
alone or jointly with others processes personal data on behalf of the controller.
h) Consent of the data subject: any free, unequivocal, specific and informed indication of his
wishes by which the data subject consents to the processing of personal data relating to him.
i) Assignment or communication of data: any disclosure of data to a person other than the data
subject.
j) Sources accessible to the public: those files which can be consulted by anyone, which are not
subject to restrictive legislation, or which are subject only to payment of a consultation fee. Only
the following shall be considered to be sources accessible to the public: the publicity register,
telephone directories subject to the conditions laid down in the relevant regulations, and the lists
of persons belonging to professional associations containing only data on the name, title,
profession, activity, academic degree, address and an indication of his membership of the
association. Newspapers, official gazettes and the media shall also be considered sources with
public access.4

TITLE II

Principles of data protection

Article 4. Quality of the data
1. Personal data may be collected for processing, and undergo such processing, only if they are
adequate, relevant and not excessive in relation to the scope and the specified, explicit and
legitimate purposes for which they were obtained.
2. Personal data subjected to processing may not be used for purposes incompatible with those
for which they were collected. Further processing of the data for historical, statistical or
scientific purposes shall not be considered incompatible.
3. Personal data shall be accurate and updated in such a way as to give a true picture of the
current situation of the data subject.
4. If the personal data recorded prove to be inaccurate, either in whole or in part, or
incomplete, shall be erased and officially replaced by the corresponding rectified or
supplemented data, without prejudice to the rights granted to data subjects in Article 16.
5. Personal data shall be erased when they have ceased to be necessary or relevant for the
purpose for which they were obtained or recorded.
They shall not be kept in a form which permits identification of the data subject for longer than
necessary for the purposes for which they were obtained or recorded.
On a regular basis, the procedure shall be determined by which, exceptionally, it is decided to
keep the entire set of particular data, in accordance with the specific legislation, because of their
historical, statistical or scientific value.
6. Personal data shall be stored in a way which permits the right of access to be exercised,
unless lawfully erased.
The collection of data by fraudulent, unfair or illicit means is prohibited.

Article 5. Right of information in the collection of data
1. Data subjects from who personal data are requested must previously be informed explicitly,
precisely and unequivocally of the following:
a) The existence of a file or personal data processing operation, the purpose of collecting the
data, and the recipients of the information.
b) The obligatory or voluntary nature of the reply to the questions put to them.
c) The consequences of obtaining the data or of refusing to provide them.
d) The possibility of exercising rights of access, rectification, erasure and objection.
e) The identity and address of the controller or of his representative, if any.
Where the controller is not established on the territory of the European Union, and he is using
for the processing means situated on Spanish territory, he must, unless these means are being
used for transit purposes, designate a representative in Spain, without prejudice to any action
which may be taken against the controller himself.
2. Where questionnaires or other forms are used for collection, they must contain the warnings
set out in the previous paragraph in a clearly legible form.5
3. The information set out in subparagraphs (b), (c) and (d) of paragraph 1 shall not be required
if its content can be clearly deduced from the nature of the personal data requested or the
circumstances in which they are obtained.
4. Where the personal data have not been obtained from the data subject, he must be informed
explicitly, precisely and unequivocally by the controller or his representative within three months
from the recording of the data – unless he has been informed previously – of the content of the
processing, the origin of the data, and the information set out in (a), (d) and (e) of paragraph 1
of this Article.
5. The provisions of the preceding paragraph shall not apply where explicitly provided for by
law, when the processing is for historical, statistical or scientific purposes, or when it is not
possible to inform the data subject, or where this would involve a disproportionate effort in the
view of the Data Protection Agency or the corresponding regional body, in view of the number
of data subjects, the age of the data and the possible compensatory measures.
The provisions of the preceding paragraph shall also not apply where the data come from
sources accessible to the public and are intended for advertising activity or market research, in
which case each communication sent to the data subject shall inform him of the origin of the
data, the identity of the controller and the rights of the data subject.

Article 6. Consent of the data subject
1. Processing of personal data shall require the unambiguous consent of the data subject, unless
laid down otherwise by law.
2. Consent shall not be required where the personal data are collected for the exercise of the
functions proper to public administrations within the scope of their responsibilities; where they
relate to the parties to a contract or preliminary contract for a business, employment or
administrative relationship, and are necessary for its maintenance or fulfilment; where the
purpose of processing the data is to protect a vital interest of the data subject under the terms of
Article 7(6) of this Law, or where the data are contained in sources accessible to the public and
their processing is necessary to satisfy the legitimate interest pursued by the controller or that of
the third party to whom the data are communicated, unless the fundamental rights and freedoms
of the data subject are jeopardised.
3. The consent to which the Article refers may be revoked when there are justified grounds for
doing so and the revocation does not have retroactive effect.
4. In the cases where the consent of the data subject is not required for processing personal
data, and unless provided otherwise by law, the data subject may object to such processing
when there are compelling and legitimate grounds relating to a particular personal situation. In
such an event, the controller shall exclude the data relating to the data subject from the
processing.

Article 7. Data with special protection
1. In accordance with the provisions of Article 16(2) of the Constitution, nobody may be
obliged to state his ideology, religion or beliefs.
If, in relation to such data, the consent referred to in the following paragraph is sought, the data
subject shall be warned of his right to refuse such consent.
2. Personal data which reveal the ideology, trade union membership, religion and beliefs may be
processed only with the explicit and written consent of the data subject. Exceptions shall be files
maintained by political parties, trade unions, churches, religious confessions or communities, and 6
associations, foundations and other non-profit-seeking bodies with a political, philosophical,
religious or trade-union aim, as regards the data relating to their associates or members, without
prejudice to the fact that assignment of such data shall always require the prior consent of the
data subject.
3. Personal data which refer to racial origin, health or sex life may be collected, processed and
assigned only when, for reasons of general interest, this is so provided for by law or the data
subject has given his explicit consent.
4. Files created for the sole purpose of storing personal data which reveal the ideology, trade
union membership, religion, beliefs, racial or ethnic origin or sex life remain prohibited.
5, Personal data on criminal or administrative offences may be included in files of the competent
public administrations only under the circumstances laid down in the respective regulations.
6. Notwithstanding the provisions of the preceding paragraphs, the personal data referred to in
paragraphs 2 and 3 of this Article may be processed when such processing is necessary for
purpose of preventive medicine or diagnosis, the provision of medical care or treatment, or the
management of health-care services, provided such data processing is effected by a health
professional subject to professional secrecy or by another person also subject to an equivalent
obligation of secrecy.
The data referred to in the preceding subparagraph may also be processed when this is
necessary to safeguard the vital interests of the data subject or another person in the event that
the data subject is physically or legally incapable of giving his consent.

Article 8. Data on health
Without prejudice to the provisions of Article 11 on assignment, public and private health-care
institutions and centres and the corresponding professionals may process personal data relating
to the health of persons consulting them or admitted to them for treatment, in accordance with
the provisions of the central or regional government legislation on health care.

Article 9. Data security
1. The controller or, where applicable, the processor shall adopt the technical and
organisational measures necessary to ensure the security of the personal data and prevent their
alteration, loss, unauthorised processing or access, having regard to the state of the art, the
nature of the data stored and the risks to which they are exposed by virtue of human action or
the physical or natural environment.
2. No personal data shall be recorded in files which do not meet the conditions laid down by
rules regarding their integrity and security, as well as the rules governing the processing centres,
premises, equipment, systems and programs.
3. Rules shall be laid down governing the requirements and conditions to be met by the files and
the persons involved in the data processing referred to in Article 7 of this Law.

Article 10. Duty of secrecy
The controller and any persons involved in any stage of processing personal data shall be
subject to professional secrecy as regards such data and to the duty to keep them. These
obligations shall continue even after the end of the relations with the owner of the file or, where
applicable, the person responsible for it.7

Article 11. Communication of data
1. Personal data subjected to processing may be communicated to third persons only for
purposes directly related to the legitimate functions of the transferor and transferee with the
prior consent of the data subject.
2. The consent required under the previous paragraph shall not be required:
a) when the transfer is authorised by a law.
b) when the data have been collected from publicly accessible sources.
c) when the processing corresponds to the free and legitimate acceptance of a legal relationship
whose course, performance and monitoring necessarily involve the connection between such
processing and files of third parties. In that case, communication shall be legitimate to the extent
of the purpose justifying it.
d) when the communication to be effected is destined for the Ombudsman, the Office of Public
Prosecutor, judges, courts or the Court of Auditors in the exercise of the functions assigned to
them. Not shall consent be required when the communication is destined to regional government
authorities with functions analogous to the Ombudsman or the Court of Auditors.
e) when the transfer is between public administrations and concerns the retrospective
processing of the data for historical, statistical or scientific purposes.
f) when the transfer of personal data on health is necessary for resolving an emergency which
requires access to a file or for conducting epidemiological studies within the meaning of central
or regional government health legislation.
3. Consent for the communication of personal data to a third party shall be null and void when
the information given to the data subject does not enable him to know the purpose for which the
data whose communications is authorised will be used or the type of activity of the person to
whom it is intended to communicate them.
4. Consent for the communication of personal data may also be revoked.
5. The person to who personal data are communicated is obliged, by the mere fact of the
communication, to abide by the provisions of this Law.
6. If the communication is preceded by a depersonalisation procedure, the provisions of the
preceding paragraphs shall not apply.

Article 12. Access to data on behalf of third parties
1. Access to data by a third party shall not be considered communication of data when such
access is necessary for the provision of a service to the data controller.
2. Processing on behalf of third parties shall be regulated in a contract which must be in writing
or in any other form which allows its performance and content to be assessed, it being expressly
laid down that the processor shall process the data only in accordance with the instructions of
the controller, shall not apply or use them for a purpose other than that set out in the said
contract, and shall not communicate them to other persons even for their preservation.
The contract shall also set out the security measures referred to in Article 9 of this Law, which
the processor is obliged to implement.
3. Once the contractual service has been provided, the personal data must be destroyed or
returned to the controller, together with any support or documents contain personal data
processed.
4. If the processor uses the data for another purpose, communicates them or uses them in a
way not in accordance with the terms of the contract, he shall also be considered as the
controller and shall be personally responsible for the infringements committed by him.8

TITLE III

Rights of persons
Article 13. Challenging assessments
1. Citizens have the right not to be subject to a decision with legal consequences for them, or
which significantly affects them, and which is based processing of data intended to assess
certain aspects of their personality.
2. The data subject may challenge administrative acts or private decisions which involve an
assessment of his behaviour, the only basis for which is the processing of personal data which
provides a definition of his characteristics or personality.
3. In that case, the data subject shall have the right to obtain information from the controller on
the assessment criteria and program used in the processing on the basis of which the decision
containing the act was adopted.
4. An assessment of the behaviour of citizens based on data processing shall have conclusive
force only at the request of the data subject.

Article 14. Right to consult the General Data Protection Register
Anyone may consult the General Data Protection Register to learn about the existence of
personal data, their purpose and the identity of the controller. The General Register shall be
open to public consultation free of charge.

Article 15. Right of access
1. The data subject shall have the right to request and obtain free of charge information on his
personal data subjected to processing, on the origin of such data and on their communication or
intended communication.
2. The information may be obtained by simply displaying the data for consultation or by
indicating the data subjected to processing in writing, or in a copy, fax or photocopy, whether
certified a true copy or not, in legible and intelligible form, and without using keys or codes
which require the use of specific devices.
3. The right of access referred to in this Article may be exercised only at intervals of not less
than twelve months, unless the data subject can prove a legitimate interest in doing so, in which
case it may be exercised before then.

Article 16. Right of rectification or cancellation
The controller shall be obliged to implement the right of rectification or cancellation of the data
subject within a period of ten days.
2. Rectification or cancellation shall apply to data whose processing is not in accordance with
the provisions of this Law and, in particular, when such data are incorrect or incomplete.
3. Cancellation shall lead to the data being blocked and maintained solely at the disposal of the
public administrations, judges and courts, for the purpose of determining any liability arising
from the processing, and for the duration of such liability. On expiry of such liability, they shall
be deleted.9
4. If the data rectified or cancelled have previously been communicated, the controller shall
notify the person to whom they have been communicated of the rectification or cancellation. If
the processing is being maintained by that person, he shall also cancel the data.
5. Personal data shall be kept for the periods set out in the relevant provisions or, where
applicable, in the contractual relations between the person or body responsible for the
processing (“the controller”) and the data subject.

Article 17. Objection, access, rectification or cancellation procedure
1. The procedures for exercising the right of objection, access, rectification and cancellation
shall be established by regulation.
2. No consideration shall be demanded for the exercise of the rights of objection, access,
rectification or cancellation.

Article 18. Supervision of rights
1. Acts contrary to the provisions of this Law may be the subject of complaints by data subjects
to the Data Protection Agency in the form laid down by regulation.
2. A data subject who is denied, either wholly or partially, the exercise of the rights of
objection, access, rectification or cancellation, may bring this to the attention of the Data
Protection Agency or, where applicable, to the competent body in each Autonomous
Community, which must decide on the admissibility or inadmissibility of the denial.
3. The maximum period within which a decision on the ownership of data must be reached shall
be six months.
4. An appeal may be lodged against the decisions of the Data Protection Agency.

Article 19. Right to damages
1. Data subjects who, as a result of failure to comply with the provisions of this Law on the part
of the controller or processor, suffer damage to their possessions or rights, shall have the right
to damages.
2. Where the files are in public ownership, liability shall be established in accordance with the
legislation regulating the liability of public administrations.
3. In the case of files in private ownership, the case shall be heard by the civil courts.

TITLE IV

Sectoral provisions

CHAPTER I

Files in public ownership

Article 20. Creation, modification or deletion
1. Files of the public administrations may only be created, modified or deleted by means of a
general provision published in the Boletín Oficial del Estado or in the corresponding official
gazette.10
2. The provisions for the creation or modification of files must indicate:
a) The purpose of the file and its planned use.
b) The persons or bodies on which it is planned to obtain personal data or which they are
obliged to submit data.
c) The procedure for collecting the personal data.
d) The basic structure of the file and a description of the personal data included in it.
e) The intended transfers of personal data and, where applicable, the intended transfers of data
to third countries.
f) The officials in the administrations responsible for the file.
g) The services or units with which the rights of access, rectification, cancellation and objection
may be exercised.
h) The security measures, indicating the basic, medium or high level required.
3. The provisions on the deletion of files shall lay down the fate of the files or, where applicable,
the timetables to be adopted for their destruction.

Article 21. Communication of data between public administrations
1. Personal data collected or drawn up by public administrations in the performance of their
tasks shall not be communicated to other public administrations for the exercise of different
powers or powers relating to other matters unless the communication is for the purpose of
subsequent processing for historical, statistical or scientific purposes.
2. Personal data which a public administration obtains or draws up on behalf of another
administration may be communicated.
3. Notwithstanding the provisions of Article 11.2.b), communication of data obtained from
sources accessible to the public shall apply to files in private ownership only with the consent of
data subject or when a law stipulates otherwise.
4. In the cases provided for in paragraphs 1 and 2 of this Article, the consent of the data
subject referred to in Article 11 of this Law shall not be required.

Article 22. Files of the security forces
1. The files created by the security forces and containing personal data which, because they
were collected for administrative purposes, must be recorded permanently, shall be subject to
the general rules of this Law.
2. Collection and processing, for police purposes, of personal data by the security forces
without the consent of the data subjects shall be limited to those cases and categories of data
necessary for the prevention of a genuine threat to public safety or for the suppression of crime;
such data shall be stored in special files established for the purpose, which must be classified
according to their degree of reliability.
3. The data referred to in paragraphs 2 and 3 of Article 7 may be collected and processed only
in cases in which it is absolutely essential for the purposes of a specific investigation, without
prejudice to checks on the legality of the administrative action or the obligation to consider any
applications made by the data subjects falling within the remit of the bodies responsible for the
administration of justice.
4. Personal data stored for police purposes shall be cancelled when they are not necessary for
the investigations for the purposes of which they were stored.11
To this end, special consideration shall be given to the age of the data subject and the nature of
the data stored, the need to maintain the data until the conclusion of a specific investigation or
procedure, a final judgment, and in particular an acquittal, a pardon, rehabilitation and the expiry
of liability

Article 23. Exceptions to the rights of access, rectification and cancellation
1. The controllers of files containing the data referred to in paragraphs 2, 3 and 4 of the
preceding Article may deny access, rectification or cancellation in the light of the risks which
might arise for the defence of the state or public safety, the protection of the rights and liberties
of third parties, or for the needs of investigations under way.
2. Controllers of files in the public finance sector may also deny exercise of the rights referred to
in the previous paragraph when this impede administrative actions aimed at ensuring fulfilment of
tax obligations, and particularly when the data subject is under investigation.
3. A data subject who is denied, either wholly or partially, exercise of the rights referred to in
the preceding paragraphs may bring this to the notice of the Director of the Data Protection
Agency, or of the competent body in each Autonomous Community in the case of files
maintained by its own police forces, or the tax authorities of the Autonomous Communities,
which must establish the admissibility or inadmissibility of the denial.

Article 24. Other exceptions to the rights of data subjects
The provisions of paragraphs 1 and 2 of Article 5 shall not apply to the collection of data when
informing the data subject would affect national defence, public safety or the prosecution of
criminal offences.

CHAPTER II

Files in private ownership

Article 25. Creation
Files in private ownership containing personal data may be created when it is necessary for the
success of the legitimate activity and purpose of the person, undertaking or body owning them
and the guarantees laid down by this Law for the protection of persons are respected.12

Article 26. Notification and entry in the register
1. Any person or body creating files of personal data shall first notify the Data Protection
Agency,
2. Detailed rules shall be established for the information to be contained in the notification,
amongst which must be the name of the controller, the purpose of the file, its location, the type
of personal data contained, the security measures, with an indication of whether they are of
basic, medium or high level, any transfers intended and, where applicable, ant intended transfers
of data to third countries.
3. The Data Protection Agency must be informed of any changes in the purpose of the
computer file, the controller and the address of its location.
4. The General Data Protection Register shall enter the file if the notification meets the
requirements.
If this is not the case, it may ask for the missing data to be provided or take remedial action.
5. If one month has passed since submitting the application for entry without the Data Protection
Agency responding, the computer file shall, for all accounts and purposes, be considered
entered in the Register.

Article 27. Communication of transfers of data
1. When making the first transfer of data, the controller must communicate this to the data
subjects, also indicating the purpose of the file, the nature of the data transferred and the name
and address of the transferee.
2. The obligation set out in the preceding paragraph shall not apply in the case provided for in
paragraphs 2.c), d) and e) and 6 of Article 11, nor when the transfer is forbidden by law.

Article 28. Data included in sources accessible to the public
1. Personal data contained in the publicity register or in the lists of persons belonging to
professional associations referred to in Article 3.j) of this Law must be limited to those that are
strictly necessary to fulfil the purpose for which each list is intended. The inclusion of additional
data by the bodies responsible for maintaining these sources shall require the consent of the
data subject, which may be revoked at any time.
2. Data subjects shall have the right to require the body responsible for maintaining the lists of
professional associations to indicate, free of charge, that their data may not be used for the
purposes of publicity or market research.
Data subjects shall have the right to have all the personal data contained in the publicity register
excluded, free of charge, by the bodies entrusted with maintaining those sources.
A reply to the application for exclusion of the unnecessary information or for inclusion of the
objection to the use of the data for the purposes of publicity or distance selling must be given
within ten days in the case of information provided via telematic consultation or communication,
and in the following edition of the list regardless of the medium on which it is published.
3. Publicly accessible sources published in the form of a book or on any other physical support
shall cease to be an accessible source when the new edition is published.
If an electronic version of the list is obtained by telematic means, it shall cease to be a publicly
accessible source within one year from the moment it was obtained.
4. Data contained in guides to telecommunications services available to the public shall be
governed by the relevant legislation.13

Article 29. Provision of information services on creditworthiness and credit
1. Providers of information services on creditworthiness and credit may process only personal
data obtained from registers and sources accessible to the public and set up for that purpose or
based on information provided by the data subject or with his consent.
2. Processing is also allowed of personal data relating to the fulfilment or non-fulfilment of
financial obligations provided by the creditor or by someone acting on his behalf. In such cases
the data subjects shall be informed, within a period of thirty days from the recording, of those
who have recorded personal data in files, with a reference to the data included, and they shall
be informed of their right to request information on all of them under the conditions laid down by
this Law.
3. In the cases referred to in the two paragraphs above, and at the request of the data subject,
the data controller shall communicate to him the data, together with any assessments and
appreciations made about him during the previous six months and the name and address of the
person or body to whom the data have been disclosed.
4. Only those personal data may be recorded and transferred which are necessary for assessing
the economic capacity of the data subjects and which, in the case adverse data, do not go back
for more than six years, always provided that they give a true picture of the current situation of
the data subjects.

Article 30. Processing for the purpose of publicity and market research
1. Those involved in compiling addresses, disseminating documents, publicity, distance selling,
market research or other similar activities shall use names and addresses or other personal data
when they feature in sources accessible to the public or when they have been provided by the
data subjects themselves or with their consent.
2. When the data come from sources accessible to the public, in accordance with the provisions
of the second paragraph of Article 5.5 of this Law, each communication sent to the data subject
shall indicate the origin of the data and the identity of the controller, as well as the rights
available to the data subject.
3. In exercising the right of access, data subjects shall have the right to know the origin of their
personal data and the rest of the information referred to in Article 15.
4. Data subjects shall have the right to object, upon request and free of charge, to the
processing of the data concerning them, in which case they shall be deleted from the processing
and, at their mere request, the information about them contained in the processing shall be
cancelled.

Article 31. Publicity register
1. Those intending to be involved, either permanently or occasionally, in compiling addresses,
disseminating documents, publicity, distance selling, market research or other similar activities,
may request from the National Statistical Institute or the equivalent bodies in the Autonomous
Communities a copy of the publicity register comprising data on the surnames, forenames and
domiciles contained in the electoral roll.
2. Each publicity register list shall be valid for one year. Thereafter, the list shall lose its validity
as a publicly accessible source.14
3. The procedures by which data subjects may request not to be included in the publicity
register shall be governed by regulation. Amongst these procedures, which shall be free of
charge for the data subjects, shall be the census document. Every quarter, an updated list of the
publicity register shall be published, leaving out the names and addresses of those who have
asked to be excluded.
4. A consideration may be required for providing the above list on a digital medium.

Article 32. Standard codes of conduct
1. By means of sectoral agreements, administrative agreements or company decisions, publicly
and privately-owned controllers and the organisations to which they belong may draw up
standard codes of conduct laying down the organisation conditions. The operating rules, the
applicable procedures, the safety standards for the environment, programs and equipment, the
obligations of those involved in the processing and use of personal information, as well as the
guarantees, within their remit, for exercising the rights of the individual in full compliance with the
principles and provisions of this Law and its implementing rules.
2. These codes may or may not contain detailed operational rules for each particular system and
technical standards for their application.
If these codes are not incorporated directly into the code, the instructions or orders for drawing
them up must comply with the principles laid down in the code.
3. The codes must be in the form of codes of conduct or of good professional practice, and
must be deposited or entered in the General Data Protection Register and, where appropriate,
in the registers set up for this purpose by the Autonomous Communities, in accordance with
Article 41. The General Data Protection Register may refuse entry when it considers that the
code does not comply with the legal and regulatory provisions on the subject. In such a case,
the Director of the Data Protection Agency must require the applicants to make the necessary
changes.

TITLE V

International movement of data

Article 33. General rule
1. There may be no temporary or permanent transfers of personal data which have been
processed or which were collected for the purpose of such processing to countries which do
not provide a level of protection comparable to that provided by this Law, except where, in
addition to complying with this Law, prior authorisation is obtained from the Director of the
Data Protection Agency, who may grant it only if adequate guarantees are obtained.
2. The adequacy of the level of protection afforded by the country of destination shall be
assessed by the Data Protection Agency in the light of all the circumstances surrounding the
data transfer or category of data transfer. Particular consideration shall be given to the nature of
the data, the purpose and duration of the proposed processing operation or operations, the
country of origin and country of final destination, the rules of law, both general and sectoral, in
force in the third country in question, the content of the reports by the Commission of the
European Union, and the professional rules and security measures in force in those countries.

Article 34. Derogations15
The provisions of the preceding paragraph shall not apply where:
a) The international transfer of personal data is the result of applying treaties or agreements to
which Spain is a party.
b) The transfer serves the purposes of offering or requesting international judicial aid.
c) The transfer is necessary for medical prevention or diagnosis, the provision of health aid or
medical treatment, or the management of health services.
d) Where the transfer of data is related to money transfers in accordance with the relevant
legislation.
e) The data subject has given his unambiguous consent to the proposed transfer.
f) The transfer is necessary for the performance of a contract between the data subject and the
controller or the adoption of precontractual measures taken at the data subject’s request.
g) The transfer is necessary for the conclusion or performance of a contract concluded, or to be
concluded, in the interest of the data subject, between the controller and a third party.
h) The transfer is necessary or legally required to safeguard a public interest. A transfer
requested by a tax or customs authority for the performance of its task shall be considered as
meeting this condition.
i) The transfer is necessary for the recognition, exercise or defence of a right in legal
proceedings.
j) The transfer takes place at the request of a person with a legitimate interest, from a public
register, and the request complies with the purpose of the register.
k) The transfer takes place to a Member State of the European Union or to a country which the
Commission of the European Communities, in the exercise of its powers, has declared to ensure
an adequate level of protection.

TITLE VI

Data Protection Agency

Article 35. Nature and legal status
1. The Data Protection Agency is a body under public law, with its own legal personality and
unlimited public and private legal capacity, which acts fully independently of the public
administrations in the performance of its tasks. It shall be governed by the provisions of this
Law and in a Statute of its own to be approved by the Government.
2. In the exercise of its public functions, and until such time as this Law and its implementing
provisions are adopted, the Data Protection Agency shall act in conformity with Law 301992 of
26 November on the Legal Status of Public Administrations and the Common Administrative
Procedure. Its acquisitions of assets and contracts shall be governed by private law.
3. The posts in the bodies and services belonging to the Data Protection Agency shall be filled
by officials of the public administrations and by staff recruited to this end, in accordance with the
functions assigned to each post. The staff is obliged to keep secret any personal data of which
they acquire knowledge in the performance of their task.
4. For the performance of its tasks, the Data Protection Agency shall have the following assets
and resources:
a) The annual appropriations from the General Government Budget.16
b) The goods and assets making up its resources, and any interest from them.
c) Any other resources legally assigned to it.
5. Each year the Data Protection Agency shall draw up and approve the corresponding
preliminary draft budget and send it to the Government for incorporation, with due regard to its
independence, into the General Government Budget.

Article 36. The Director
1. The Director of the Data Protection Agency manages and represents the Agency. He shall be
appointed from amongst the members of the Consultative Council, by Royal Decree, for a
period of four years.
2. He shall exercise his functions fully independently and objectively and shall not be subject to
any instructions thereby.
The Director shall in all cases take note of any proposals the Consultative Council may make to
him in the exercise of its functions.
3. The Director of the Data Protection Agency may be removed from office before the end of
the period set out in paragraph 1 only at his own request or on the instructions of the
Government, after an investigation in which the other members of the Consultative Council must
be consulted, for serious infringement of his obligations, inability to exercise his functions,
incompatibility or conviction for a criminal offence.
4. The Director of the Data Protection Agency shall be considered as occupying a senior post
and shall be governed by the special services régime if he was previously exercising a pubic
function. If a member of the judicial or tax career bracket is appointed to the post, he shall also
be governed by the special services administrative régime.

Article 37. Functions
The functions of the Data Protection Agency are as follows:
a) To ensure compliance with the legislation on data protection and ensure its application, in
particular as regards the rights of information, access, rectification, objection and cancellation of
data.
b) To issue the authorisations provided for in the Law or in its regulatory provisions.
c) To issue, where applicable, and without prejudice to the remits of other bodies, the
instructions needed to bring processing operations into line with the principles of this Law.
d) To consider the applications and complaints from the data subjects.
e) To provide information to persons on their rights as regards the processing of personal data.
f) To require controllers and processors, after having heard them, to take the measures
necessary to bring the processing operations into line with this Law and, where applicable, to
order the cessation of the processing operation when the cancellation of the files, when the
operation does not comply with the provisions of the Law.
g) To impose the penalties set out in Title VII of this Law.
h) To provide regular information on the draft general provisions set out in this Law.
i) To obtain from the data controllers any assistance and information it deems necessary for the
exercise of its functions.
j) To make known the existence of files of personal data, to which end it shall regularly publish a
list of such files with any additional information the Director of the Agency deems necessary.17
k) To draw up an annual report and submit it to the Ministry of Justice.
l) To monitor and adopt authorisations for international movements of data, and to exercise the
functions involved in international cooperation on the protection of personal data.
m) To ensure compliance with the provisions laid down by the Law on Public Statistics with
regard to the collection of statistical data and statistical secrecy, to issue precise instructions, to
give opinions on the security conditions of the files set up for purely statistical purposes, and to
exercise the powers referred to in Article 46.
n) Any other functions assigned to it by law or regulation.

Article 38. Consultative Council
The Director of the Data Protection Agency shall be assisted by a Consultative Council made
up of the following members:
One member of the Congress of Deputies, proposed by the Congress.
One member of the Senate, proposed by the Senate.
One member of the central administration, proposed by the Government.
One member of the local administration, proposed by the Spanish Federation of Municipalities
and Provinces.
One member of the Royal Academy of History, proposed by the Academy.
One expert in the field, proposed by the Supreme Council of Universities.
A representative of users and consumers, to be selected according to a method to be laid down
by regulation.
One representative of each Autonomous Community which has set up a data protection agency
on its territory, to be proposed in accordance with the procedure laid down by the Autonomous
Community concerned.
One representative of the private file sector, to be proposed according to the procedure laid
down by regulation.
The Consultative Council shall operate in accordance with the regulations laid down for that
purpose.

Article 39. The General Data Protection Register
1. The General Data Protection Register is a body incorporated into the Data Protection
Agency.
2. The following shall be entered in the General Data Protection Register:
a) Files owned by the public administrations.
b) Files in private ownership.
c) The authorisations referred to in this Law.
d) The codes of conduct referred to in Article 32 of this Law.
e) Data relating to files which are necessary for the exercise of the rights of information, access,
rectification, cancellation and objection.
3. The procedures for entering the files in public and private ownership in the General Data
Protection Register, the content of the entry, its modification, cancellation, complaints and 18
appeals against the corresponding decisions, and other related matters, shall be laid down by
regulation.

Article 40. Powers of inspection
1. The supervisory authorities may inspect the files referred to in this Law and obtain any
information they require for the performance of their tasks.
To this end, they may require the disclosure or transmission of documents and data and examine
them at their place of storage, inspect the hardware and software used to process the data, and
obtain access to the premises on which they are located.
2. In the performance of their tasks, the officials carrying out the inspection referred to in the
preceding paragraph shall be deemed to be a public authority.
They shall be obliged to keep secret any information acquired in the exercise of the
aforementioned functions, even after they have ceased to exercise them.

Article 41. Corresponding bodies of the Autonomous Communities
1. The functions of the Data Protection Agency set out in Article 37, with the exception of those
referred to in paragraphs j), k) and l), and in paragraphs f) and g) as regards international
transfers of data, as well as in Articles 46 and 49 relating to its specific powers, shall, when they
concern files of personal data created and administered by the Autonomous Communities and
by local government within its territory, be exercised by the corresponding bodies in each
Community, which shall be deemed to be supervisory authorities guaranteed full independence
and objectivity in the performance of their task.
2. The Autonomous Communities may create and maintain their own registers of files for the
exercise of the powers assigned to them.
3. The Director of the Data Protection Agency may regularly meet the corresponding bodies in
the Autonomous Communities for the purposes of institutional cooperation and coordination of
the criteria or operating procedures. The Director of the Data Protection Agency and the
corresponding bodies in the Autonomous Communities may ask each other for the information
needed for the exercise of their functions.

Article 42. Files of the Autonomous Communities for which the Agency has sole
responsibility
1. When the Director of the Data Protection Agency establishes that the maintenance or use of
a particular file of the Autonomous Communities contravenes any provision of this Law for
which it has sole responsibility, he may require the corresponding administration to adopt the
corrective measures specified by him within the period laid down by him.
2. If the public administration in question does not comply with the requirement, the Director of
the Data Protection Agency may challenge the decision taken by that administration.

TITLE VII

Infringements and penalties

Article 43. Controllers19
1. Controllers and processors shall be subject to the penalties set out in this Law.
2. In the case of files for which the public administrations are responsible, the provisions of
Article 46(2) shall apply to the procedure and penalties.
Article 44. Types of infringement
1. Infringements shall be classified as minor, serious and very serious.
2. The following shall be minor infringements:
a) Failure to respond, for formal reasons, to a request by a data subject for the rectification or
cancellation of personal data subject to processing, when that request is justified in law.
b) Failure to provide the information requested by the Data Protection Agency in the exercise of
the functions assigned to it by law, with regard to non-substantive aspects of data protection.
c) Failure to request the entry of the file of personal data in the General Data Protection
Register, where this does not amount to a serious infringement.
d) Collection of personal data on data subjects without providing them with the information set
out in Article 5 of this Law.
e) Failure to respect the duty of secrecy set out in Article 10 of this Law, where this does
amount to a serious infringement.
3. The following shall be serious infringements:
a) Creating files in public ownership, or initiating the collection of personal data for such files,
without the authorisation published in the Boletín Oficial del Estado or the corresponding
official gazette.
b) Creating files in private ownership, or initiating the collection of data for such files, for
purposes other than the legitimate purposes of the undertaking or body.
c) Collecting personal data without obtaining the explicit consent of the data subjects, where this
has to be obtained.
d) Processing personal data or subsequently using them in infringement of the principles and
guarantees laid down in this Law, and failure to respect the protection laid down by the
implementing provisions, where this does not amount to a very serious infringement.
e) Preventing or hindering the exercise of the rights of access and objection, and refusing to
provide the information asked for.
f) Maintaining incorrect personal data or failure to rectify or cancel such data when legally
obliged if the citizens’ rights protected by this Law are affected
g) Breach of the duty of secrecy for personal data incorporated into files containing data on the
commission of administrative or criminal offences, public finance, financial services, provision of
creditworthiness and credit services, as well as other files containing a set of personal data
sufficient to obtain an assessment of the personality of the individual.
h) Maintaining files, premises, programs or hardware containing personal data without the
security required by regulations.
i) Failure to send the Data Protection Agency the notifications laid down in this Law or in its
implementing provisions, and not providing it, on time, with any documents and information due
to it or which it may require to that end.
j) Impeding inspections.
k) Failure to enter a file of personal data in the General Data Protection Register when this has
been required by the Director of the Data Protection Agency.20
l) Failure to comply with the duty of information laid down in Articles 5, 28 and 29 of this Law,
when the data have been obtained from a person other than the data subject.
4. The following shall be very serious infringements:
a) The misleading or fraudulent collection of data.
b) Communication or transfer of personal data other than in cases where these are allowed.
c) Obtaining and processing the personal data referred to in paragraph 2 of Article 7 without
the explicit consent of the data subject; obtaining and processing the data referred to in
paragraph 3 of Article 7 when not covered by a law or when the data subject has not given his
explicit consent, or breaching the prohibition contained in paragraph 4 of Article 7.
d) Failure to cease the illegitimate use of personal data processing operations when required to
do so by the Director of the Data Protection Agency or by the persons owning the rights of
access.
e) The temporary or final transfer of personal data which have been subjected to processing, or
which have been collected for such processing, to countries which do not provide a comparable
level of protection, without the authorisation of the Director of the Data Protection Agency.
f) Processing personal data illegally or in breach of the principles and guarantees applying to
them, when this prevents or infringes the exercise of fundamental rights.
g) Breach of the duty to maintain the secrecy of the personal data referred to in paragraphs 2
and 3 of Article 7, as well as of data obtained for police purposes without the consent of the
data subjects.
h) Systematically impeding or failing to comply with the exercise of the rights of access,
rectification, cancellation or objection.
i) Systematic failure to comply with the duty to notify the inclusion of personal data in a file.

Article 45. Penalties
1. Minor infringements shall be punished by a fine of Ptas 100 000 to 10 000 000.
2. Serious infringements shall be punished by a fine of Ptas 10 000 000 to 50 000 000.
3. Very serious infringements shall be punished by a fine of Ptas 50 000 000 to 100 000 000.
4. The amount of the penalties shall be graded taking account the nature of the personal rights
involved, the volume of the processing operations carried out, the profits gained, the degree of
intentionality, repetition, the damage caused to the data subjects and to third parties, and any
other considerations of relevance in determining the degree of illegality and culpability of the
specific infringement.
5. If, in the light of the circumstances, there is a qualified diminution of the culpability of the
offender or of the illegality of the action, the body applying the penalties shall determine the
amount of the penalty by applying the scale for the category of penalties immediately below that
for the actual case in question.
6. In no case shall a penalty be imposed which is higher than that laid down in the Law for the
category covering the infringement to be punished.
7. The Government shall regularly update the amount of the penalties in accordance with
changes in the price indices.

Article 46. Infringements by public administrations21
1. When the infringements referred to in Article 44 are committed in files for which the public
administrations are responsible, the Director of the Data Protection Agency shall issue a
decision setting out the measures to be adopted to terminate or correct the effects of the
infringement. This decision shall be notified to the data controller, the body to which he is
responsible, and to the data subjects, if any.
2. The Director of the Agency may also propose that disciplinary proceedings be initiated. The
procedure and penalties to be applied shall be those laid down in the legislation on disciplinary
proceedings in public administrations.
3. Decisions on the measures and proceedings referred to in the preceding paragraphs shall be
communicated to the Agency.
4. The Director of the Agency shall communicate to the Ombudsman the proceedings and
decisions taken within the terms of the preceding paragraphs.

Article 47. Time limits
1. The time limits for pursuing infringements shall be three years for very serious infringements,
two years for serious infringements and one year for minor infringements.
2. The time limits shall start to run on the day on which the infringement was committed,
3. The time limits shall be interrupted when the person concerned is informed of the initiation of
the infringement procedure, and the time limit shall recommence if the procedure is held up for
more than six months for reasons for which the alleged offender cannot be held responsible.
4. Penalties imposed for very serious infringements shall expire after three years, those imposed
for serious infringements after two years, and those imposed for minor infringements after one
year.
5. The time limits for penalties shall start to run from the day after the decision imposing the
penalty comes into force.
6. The time limits shall be interrupted when the person concerned is informed of the initiation of
the execution procedure, and shall recommence if the procedure is held up for more than six
months for reasons for which the offender cannot be held responsible.

Article 48. Penalty procedure
1. The procedure for determining infringements and imposing the penalties referred to in this
Title shall be laid down by regulation.
2. The decisions of the Data Protection Agency or the corresponding body in the Autonomous
Community shall exhaust the administrative procedure.
Article 49. Power to immobilise files
In cases of very serious infringement, involving the use or illicit transfer of personal data in which
the exercise of the rights of citizens and the free development of the personality guaranteed by
the Constitution and the laws are seriously impeded or otherwise affected, the Director of the
Data Protection Agency may, in addition to imposing a penalty, require the controllers of files
personal data in both public and private ownership to terminate the use or illicit transfer of the
data. If there is no response to this requirement, the Data Protection Agency may, on the basis
of a reasoned decision, immobilise such files for the sole purpose of restoring the rights of the
data subjects.22
First additional provision. Existing files
Files and computer processing operations, whether or not entered in the General Data
Protection Register, must comply with this Organic Law within three years of its entry into
force. Within this period, files in private ownership must be communicated to the Data
Protection Agency, and the public administrations responsible for files in public ownership must
approve the relevant provision regulating the files or adapt the existing provision.
In the case of files and data processing operations which are not computerised, compliance with
this Organic Law and the obligation in the preceding paragraph must be achieved within twelve
years from 24 October 1995, without prejudice to the exercise of the rights of access,
rectification and cancellation by the data subjects.

Second additional provision. Population files and registers of public administrations
1. Central Government and the administrations of the Autonomous Communities may request
from the National Statistical Institute, without the consent of the data subject, an updated copy
of the file comprising data on the surname, forenames, domicile, sex and date of birth contained
in the municipal censuses of inhabitants and the electoral roll for the territories in which they
exercise their powers, for the creation of population files or registers.
2. The purpose of the population files or registers shall be communication between the various
bodies in each public administration and data subjects resident in the respective territories, in
relation to the legal and administrative relations deriving from the respective remits of the public
administrations.

Third additional provision. Processing of files from the repealed Laws on Vagrants and
Malefactors and on Riskiness and Social Rehabilitation
The files specifically established under the repealed Laws on Vagrants and Malefactors and on
Riskiness and Social Rehabilitation, and containing data of whatever sort which might affect the
security, reputation, privacy or image of individuals, may not be consulted without the explicit
consent of the data subjects or unless fifty years have passed since their date of collection.
In the latter case, the Central Government shall, unless there is proof of the death of the data
subjects, make the documentation available to requesters after deleting from it the data referred
to in the preceding paragraph using the technical procedures appropriate to each case.

Fourth additional provision. Amendment to Article 112.4 of the General Law on Taxation
“4. The processed personal data which must be transferred to the tax authorities in
accordance with the provisions of Article 111, of the preceding paragraphs of this
Article, or of other rules of equal standing, shall not require the consent of the data
subject. The provisions of paragraph 1 of Article 21 of the Organic Law on Personal
Data relating to public administrations shall also not apply to such matters.”

Fifth additional provision. Remit of the Ombudsman and similar regional government
bodies
The provisions of this Organic Law are without prejudice to the remit of the Ombudsman and
the similar bodies in the Autonomous Communities.23

Sixth additional provision. Amendment to Article 24.3 on the Law on the Regulation and

Supervision of Private Insurances

Article 24.3, second paragraph, of Law 30/1995 of 8 November, on the Regulation and
Supervision of Private Insurances, is amended as follows:
“Insurance bodies may create joint files containing personal data for the settlement of
accident claims and for actuarial statistical collaboration aimed at establishing rates of
premiums and the selection of risks, and for drawing up studies on insurance techniques.

The transfer of data to such files shall not require the prior consent of the data subject,
but the possible transfer of his personal data for the purposes indicated must be
communicated to the data subject, together with an explicit indication of the data
controller, so that the rights of access, rectification and cancellation laid down by law
may be exercised.

Joint files may also be created without the consent of the data subject for the purpose of
preventing insurance fraud. However, it will be necessary in such cases to make known
to the data subject, when the data are first introduced, who is responsible for the file
and the ways in which the rights of access, rectification and cancellation may be
exercised.
In all cases, data relating to health may be subjected to processing only with the explicit
consent of the data subject.”

First transitional provision. Processing operations under international agreements
The Data Protection Agency shall be the body responsible for the protection of natural persons
as regards the processing of personal data, with respect to the processing operations set up
under any international agreement to which Spain is a signatory and which assigns this power to
a national supervisory authority, unless a different authority is set up for this task in
implementation of the agreement.

Second transitional provision. Use of the publicity register
The procedures for drawing up the publicity register, for objecting to being entered in it, for
making it available to requesters, and for monitoring the lists disseminated, shall be governed by
regulation. The regulation shall lay down the time limits for implementation of the publicity
register.

Third transitional provision. Continuation in force of existing rules
Until such time as the arrangements set out in first final provision of this Law come into force,
the existing regulatory rules shall continue in force with their own ranking, and in particular Royal
Decrees 428/1993 of 26 March, 1332/1994 of 20 June, and 994/1999 of 11 June, unless they
are in conflict with this Law.
Single repealing provision. Repeal of rules24

Organic Law 5/1992 of 29 October regulating the computer processing of personal data is
hereby repealed.

First final provision. Authorisation for regulatory development
The Government shall approve or amend the regulatory provisions necessary for the application
and further development of this Law.

Second final provision. Precepts with the character of ordinary law
Titles IV, VI – except for the last indent of paragraph 4 of Article 36 – and VII of this Law, the
fourth additional provision, the first transitional provision, and the first final provision, shall have
the character of ordinary law.

Third final provision. Entry into force
This Law shall enter into force one month after its publication in the Boletín Oficial del Estado.

Therefore

I order all Spaniards, individuals and authorities, to uphold this Organic Law and to ensure that
it is upheld.

Madrid, 13 December 1999.

JUAN CARLOS R.

The Prime Minister

JOSÉ MARÍA AZNAR LÓPEZ

 

See also: Mchigan: Internet Privacy Protection Act

Financial Supervisory Authority issues circular for Hungarian financial institutions on the use of cloud computing technologies

Márton Domokos writes for “The Privacy Advisor” that On 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.

Regulatory considerations

The HFSA expressly reminds the management, IT internal audit, compliance and legal departments of financial institutions that if the company is willing to use cloud computing services, they shall pay particular attention to the following.

Obtaining cloud services is considered as “outsourcing” under the Hungarian sector-specific regulations which results in the application of certain additional rules; e.g., notification to the HFSA, specific data processing obligations.
It is important to continuously monitor the changes in the regulations of the EU affecting cloud computing services, practices and best practice recommendations.
It is also essential to keep an eye on the Hungarian and EU data privacy provisions and practices—in particular to practices and resolutions concerning cross-border data transfers or data transfers to third countries.
The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.
Data classification

According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud and reminds that the physical storage or place of procession of data in the public cloud in particular, e.g., outside of the European Economic Area or the Safe Harbor, substantially influence the possibility of compliance with the EU data protection regulations.

Read the whole text HERE.

DP history: Which was the first country to adopt a Data protection law?

Why did governments and legislatures thought that the personal information collected by different entities should be protected? When did they discover the society needs such regulations?

I will try to answer these questions in my new category “DP history”. I keep reposting news about countries which pass for the first time data protection legislation. But how about the ones that first discovered this need in their societies? So, I figured I should provide valuable information in this regard also.

I will start by answering the question “Which was the first country to adopt a Data Protection law?”.

The answer is Germany. Well, Germany was a “door opener” not only in nation-wide data protection regulation, but also in data protection law in general, as its land of Hesse adopted the first ever law with regard to the protection of personal data in 1970.

However, I will write today a few facts about the Federal law on the protection of personal data adopted by the German Parliament: Bundesdatenschutzgesetz.

It was as early as 1969 that the German Parliament requested the Government “to introduce without delay a statute regulating the computerized processing of personal information.”

The first draft of the Bill appeared in 1973, but it was not until November 10, 1976 that the Bundestag approved the Act on the Protection against the Misuse of Personal Data in Data Processing. The President of the Republic signed the definitive version on January 1, 1977.

However, in the intervening period a number of lander (German states) had passed laws on the protection of personal data as far as public bodies were concerned.

The Federal Act covers processing of personal data at Federal Level, at Land level to the extent that no Land regulation exists, and also data in the private sector.

So, it took about 8 years to transform the recognized need of protection personal data into law. But you will see tomorrow that in one European country it took 15 years! Why do you think such legislation was so problematic to be passed?

Source: A.C.M. Nugter, Transborder Flow of Personal Data within the EC, Springer, Olanda, 1990. You can find the book here:

Transborder Flow of Personal Data Within the EC (Computer/law series)

Is Privacy in the Cloud only an illusion?

Is Privacy in the Cloud only an illusion? Technewsworld.com thinks so. They published a large article today arguing that “Laws around the world allow governments free access to data in the cloud. What may come as a surprise is that Mutual Legal Assistance Treaties facilitate cooperation across international boundaries. Under these MLATs, the U.S. and EU member states allow law enforcement authorities to request data on servers of cloud providers located in any countries that are part of the MLATs.”

If you ask me, the article brings nothing new under the sun, as it is built on the conclusions of Hogan & Lovell’s White Paper published in May this year (you can also find it on this blog).

Regarding the main topic, my comment would be that your personal data in the Cloud is as secure as your personal data deposited in any other way, from a governmental access point of view. The laws that allow governments to have access to personal data on account of fighting terrorism are not especially made for the Cloud, but for all sorts of information, personal data, mere anonymized data or whatever data you could think of, stored anywhere and by whoever.

However, what complicates a bit privacy things with the Cloud is that the effort made by governments to have access to data stored there is perhaps smaller than it would be to travel to a certain address and grab a certain device which contains data.

It is also possible I am terribly wrong by not taking into account information I do not know. If you have thoughts about this, or more information, please leave a comment 🙂

The multibillion industry of selling our personal information

Articles concerning the buying and selling of personal data come to my attention almost on a daily basis lately. For me this is a good thing as one of the hypothesis of my thesis is now the patrimonial value of personal data and its legal consequences – such as recognizing certain proprietary rights in personal data. However, for privacy and for the a bureaucratic-free society this is a completely bad thing.

I decided to create a new category in this blog which will collect all the information I gather from the media regarding the commercialization of aggregated personal information.

Today I read an article in The New York Times about Acxiom. I’ve never heard of that company before. Apparently, it is one of the biggest “data brokers” in the world. “Its servers process more than 50 trillion data “transactions” a year. Company executives have said its database contains information about 500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.”

What is also interesting is that “For Acxiom, based in Little Rock, the setup is lucrative. It posted profit of $77.26 million in its latest fiscal year, on sales of $1.13 billion”. Hence, in one instance of the trade world, aggregated personal information values 1.13 billion dollar a year. So, is it just to talk about personal information as valuable goods? I believe it is, as it would be a non-sense declaring personal information values nothing, when one company in this world sells personal information for 1.3 billion dollar a year. However, the personal information sold is not merely personal information, but aggregated personal information. The legal regime of such transactions should, therefore, take into account also this reality.

What is even more interesting is the following statement from the same article: “Such large-scale data mining and analytics — based on information available in public records, consumer surveys and the like — are perfectly legal”. This affirmation involves two possible conclusions. First, if indeed they are legal, then the law has to be changed. Second, if they are not legal, then the existing law should be interpreted as such and applied against such companies. As far as I know, there is a right to privacy protected under American constitutional and tort law, even if it is not still very well developed in the sense of also covering information already made available to the public in certain circumstances or for certain purposes. But in a flexible common law system, this should not be a barrier of applying the right o privacy in such a manner.

Instead, the EU regulates more in depth the issue of processing even data previously made available to the public. So at least this is what I thought. I found out that Acxiom has several branches in EU, for instance in Germany, UK and Poland, just to name three. As far as I knew, EU data protection law forbids personal data processing without the consent of data subjects, unless the processing is provided by law or the processor, lato sensu, has a legitimate interest of processing it. I highly doubt that producing private profit for a big data company is a legitimate interest in the meaning of the 95/46 Directive. Hence, my assumption is that at least the European branches of this company have the consent of every single person whose data they sell for a particular transaction in a particular purpose. Because if they don’t have the data subjects’ consent and they are still legally functioning on the territory of the EU, than even the specialized European law of data protection is not good enough to prevent the invasion of privacy in this scenario.

 

Tim Berners-Lee: demand your data from Google and Facebook

Tim Berners-Lee, the father of the world wide web, has urged internet users to demand their personal data from online giants such as Google and Facebook to usher in a new era of highly personalised computer services “with tremendous potential to help humanity”, according to guardian.co.uk.

Berners-Lee, the British born MIT professor who invented the web three decades ago, says that while there has been an explosion of public data made available in recent years, individuals have not yet understood the value to them of the personal data held about them by different web companies.

In an interview with the Guardian, Berners-Lee said: “My computer has a great understanding of my state of fitness, of the things I’m eating, of the places I’m at. My phone understands from being in my pocket how much exercise I’ve been getting and how many stairs I’ve been walking up and so on.”

Exploiting such data could provide hugely useful services to individuals, he said, but only if their computers had access to personal data held about them by web companies. “One of the issues of social networking silos is that they have the data and I don’t … There are no programmes that I can run on my computer which allow me to use all the data in each of the social networking systems that I use plus all the data in my calendar plus in my running map site, plus the data in my little fitness gadget and so on to really provide an excellent support to me.”

Read the whole story HERE.