New Spanish data protection law in 2017?
A few days ago, Mar España, the Head of the Spanish Data Protection Authority (AEPD), announced at the VI IAB Congress that a draft bill to reform the current Spanish Data Protection Act ("LOPD"), which transposes the Data Protection Directive, will be submitted in February 2017. A consultation period for the draft law is also on the agenda for early 2017.
Our understanding is that the aim behind this initiative is, among other things, to bring the Spanish data protection regime (including the LOPD and the Royal Decree that supplements it) into line with the General Data Protection Regulation ("GDPR") and to provide an interpretation of some of the broader concepts in the GDPR. It is expected that the new LOPD will also cover some topics subject to derogations under the GDPR, and that the mandatory list of security measures (currently binding on all controllers and processors based in Spain) will be revisited and updated.
This announcement has not come as a complete surprise; earlier this year, the Ministry of Justice asked Public Law Section V of the Codification Commission, chaired by privacy veteran and former head of the AEPD Professor Jose Luis Piñar, to study the impact of the GDPR on the current LOPD.
Why is Spain doing this?
The ultimate aim of the Spanish law makers is to put a new law in place that sits alongside and complements the GDPR.
Our expectation is that the new law will cover most of the GDPR derogations and, where possible, provide a conservative interpretation of the GDPR in line with the current application of the LOPD and existing case law.
The Spanish data protection regime is known to be one of the strictest in the EU. It is not yet clear whether this initiative seeks to keep it that way by preserving some of the stricter requirements of the current regime that would otherwise be lost once the GDPR applies.
From a pan-European standpoint, Spain appears to be following the lead of countries such as France, Germany and the Netherlands, all of which are pushing through legislative initiatives to bring their existing data protection laws up to GDPR standards. Please see here for a separate blog post on the changes in France brought in by the recently approved Digital Republic Act.
What does this mean for controllers and processors operating in Spain?
Controllers and processors operating in Spain will be subject to both the GDPR and the reformed LOPD. In practice this means that, as is the case today, organisations will have to take local data protection law into account when assessing their privacy compliance. If many EU member states follow suit, will the harmonisation of EU data protection law be put at risk?
Whilst the GDPR does allow for local laws to be put in place, the LOPD is a broad piece of legislation that applies 'across the board', so the question is whether the post-GDPR European data protection landscape was meant to have all-encompassing local laws sitting alongside the GDPR.
The AEPD seems optimistic that the reformed LOPD will be in force at the same time as the GDPR, in May 2018. However, political and procedural factors have to be taken into account when considering timing. The reform of an 'organic' law (i.e. a law that regulates areas related to fundamental rights) is subject to a more complex parliamentary procedure than an 'ordinary' law. Furthermore, the Spanish Government has only recently been formed, after months of political uncertainty and a repeat of the general elections.