International Consulting on Data Protection
Organic Act 15/1999, dated December 13, on Protection of Personal Data (Spanish acronym LOPD), is the legal reference framework in Spain on privacy matters. The law plays a prime role in implementing the data protection culture in Spain and in other countries where it is being taken as an example. The act has been developed by its regulations, approved by Royal Decree 1720/2007. The LOPD has recently been amended by Act 2/2011, dated March 4, which introduced major reforms to the sanctions regime. The reform affects Articles 43 to 46 and 49 of the LOPD, and its scope is extremely wide-reaching. Not only does it substantially amend the classification of infringements, it also establishes new criteria to determine the amount of the penalties. It also includes a new figure, that of admonition, which will undoubtedly avoid numerous penalties being issued but will give rise to an issue of practical application. The reform allows a substantial softening of the penalty regime provided for until now in the LOPD. That was a long-standing aim of the private sector, which considered the regime to be a highly disturbing element for controllers and processors. The amendment of Title VII of the LOPD is articulated around the following major themes:
  • Substantial amendment of the classification of infringements. At present, it is not possible to carry out a detailed analysis of the reforms implemented. However, some of the novelties can be pointed out. There is a considerable reduction in the type and number of very serious infringements (in Spain the LOPD foresees the existence of very serious, serious and minor infringements). Various offenses change classification: for example, data disclosure without the consent of the data subject is now considered a serious offense (instead of a very serious one), except if it refers to sensitive data (that is, personal data which reveal ideology, trade union membership, religion and beliefs, or that refer to racial origin, health or sex life). Breach of the duty of secrecy foreseen in Article 10 of the LOPD has become a serious, instead of a minor, infringement; on the other hand, data disclosure to a processor without fulfilling the formal provisions foreseen in Article 12 of the LOPD is considered a minor infringement.
  • A new regime has been established for the scales and for setting the amount of the penalty. Without any doubt whatsoever, the amendment of Article 45 of the LOPD is of extraordinary importance and has major practical significance. The new text of Article 45 sets, on one hand, the criteria (in an unrated manner, considering the terms of section j) of Article 45.4) that must be taken into account to determine the amount of the penalties (a specific reference to the turnover or activity of the offender is included). On the other hand, it obliges the Spanish Data Protection Agency (AEPD) to establish the amount of the penalty by applying the scale for the class of infringements that immediately precedes, in severity, the class to which the infringement in the case concerned belongs, in the cases recorded in Article 45.5 (these indeed being rated). One must bear in mind that this is not a power assigned to the director of the AEPD, but rather an obligation. The article is clear: "the penalising body shall establish…" Thus, the agency must necessarily apply the scale for the class of infringements that immediately precedes it in severity whenever one of the cases foreseen in Article 45 arises. Thus, for example, an offence that would attract a fine of €600,000 may be penalised with the sum of €40,000.
  • The newly introduced figure of admonition also has an enormous scope. Article 45.6 states that, exceptionally, the AEPD may, on hearing the parties concerned and according to the nature of the facts and the significant concurrence of the criteria established in the preceding section, decide not to open penalisation proceedings and instead issue an admonition to the subject responsible so that, within the term determined by the agency, that subject may demonstrate adoption of the relevant corrective measures.
This is undoubtedly also a highly important amendment of the sanctions regime, one that aims to take inspiration from the laws of other countries. Thus, irregularities in personal data processing may be prosecuted without resorting to penalties as the means to do so. It is a discretionary power of the director of the AEPD, which may only be exercised whenever the following cases arise: a) the facts constitute a minor or serious offence pursuant to the terms of the LOPD; b) the offender has not previously been penalised or received an admonition. The AEPD thus takes on a great discretionary margin. Consider that, for instance, in the case of a serious offence, the possible actions range from admonition to issuing a fine of 300,000 euros. The law also states that if the admonition is not heeded within the term the AEPD has determined, it shall then be appropriate to open the relevant penalisation proceedings for that offence. That breach, in itself, shall constitute a serious offence.
  • To summarize, there is a slight amendment in the amounts of the penalties. The minimum limit of the minor fines rises to €900 (€601 before the reform), but the maximum has been lowered to €40,000 (€60,101 before the reform). Serious penalties, in turn, now extend from €40,001 to €300,000 (from €60,101 to €300,000 before the reform). Very serious fines remain unchanged, from €300,000 to €600,000.
As stated previously, the reform came into force on March 6, 2011. It is an appropriate reform. Of course, it will bring relief to the data controllers and processors. However, the reform is only partial. It has not included some of the matters now proposed for debate by the European Community in its document "Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions. A
," in order to review the legal framework of data protection and, in particular, Directive 95/46/EC. For example, there is still no obligation to notify security breaches. Thus, we must consider that it shall soon be necessary to undertake a new reform of the LOPD on the basis of what is resolved within the European Union.  
