Xnet highlights gaps in Spain’s adaptation of the EU General Data Protection Regulation (GDPR). The Spanish member of EDRi has opened two complaints to the European Commission related to the lack of effective adaptation of the data minimisation principle and the lack of conciliation between personal data protection and freedom of expression and information in the Spanish legislation.
The COVID-19 Crisis has forcefully put on the table the scope to which the extraction and use of citizens’ personal data may reach.
These problems had already been detected and explained in a February 2020 report by Xnet, “Privacy, Data Protection and Institutionalised Abuses” and with the campaign #DatosPorLiebre.
Xnet believes that the use of personal data in the general interest is necessary. However, it should never conflict with the respect for the fundamental rights to privacy and intimacy.
The procedures that Xnet is now starting are a consequence of the report, but the EDRi member believes that they will also be useful in the design of policies post-COVID-19. The European Commission has published a position that supports Xnet’s point of view. This could positively influence the new Spanish Secretary-General for Digital Transformation. This is why Xnet considers that this is a good moment to start these two procedures.
As Xnet explained in the report “Privacy, Data Protection and Institutionalised Abuses”, they consider that the “Organic Law on Data Protection and the Guarantee of Digital Rights”, which aims to adapt the GDPR to the Spanish system, contains gaps that are detrimental to fundamental rights.
The report and the procedures explain the collision between the principle of minimisation, which is fundamental in the GDPR, and other laws in force that prevent its enforcement and the control of personal data, their use and destination by individuals.
Specifically, the identification requirements of citizens when they want to carry out any type of procedure, however simple it may be, at a Public Administration or other companies, are abusive and disproportionate. These identification requirements of Spanish legislation are no longer justified in the new framework established by the GDPR. The principle of minimisation establishes that no one should ask or extract more data than necessary. The privacy must be by design and by default.
The second procedure highlights the lack of transposition of Article 85 of the Regulation into national law, thus failing to comply with the obligation that it establishes to reconcile the right to personal data protection with the freedoms of expression and information. This makes it difficult to uncover cases of abuse or corruption, which is very necessary in a situation such as this one.
[In Spanish]: Xnet abre procedimientos ante la Comisión Europea para la mejora de la protección de datos en la legislación española (04.05.2020)
ApTI submits complaint on Romanian GDPR implementation (27.02.2019):
One Year Under the GDPR. An implementation progress report:
(Contribution by Simona Levi, from EDRi member Xnet)