Spanish Parliament Ratifies Urgent Data Protection Measures

Artículo de Brett Allan King en Bloomberg BNA. Publicado el 18 de septiembre de 2018.

Spanish lawmakers have ratified an urgent decree under the EU’s General Data Protection Regulation that will generally respect existing data-handling contracts.

The Spanish Parliament Sept. 6 voted overwhelmingly to ratify the decree, which establishes provisional regulations needed to ensure Spain is complying with the GDPR.

The move gives companies greater legal certainty until lawmakers can pass a new data protection law. It is urgent because the government and lawmakers see it as necessary to apply the GDPR to Spain.

Daniel López, a partner at the law firm of ECIJA in Madrid, said the transitional regime gives companies breathing room and “legal security to keep working.”

According to López, contracts for data handling by service providers that comply with the spirit of the GDPR and were in force when the new decree-law was enacted will remain valid. In any case, it gives companies time to formalize new contracts, he said.

“I think this is one of the most important questions because once the regulation became applicable, there was a lot of debate over this and it was driving companies crazy,” López told Bloomberg Law.

A crucial aspect of Royal Decree-law 5/2018 is the adoption of penalties already established in the GDPR. The new rules identify data handlers to whom sanctions can apply and establish statutes of limitations for infractions and fines already foreseen in the GDPR.

The new decree establishes a “transitional regime” that respects pre-existing contracts and procedures, unless the new rules prove more favorable to affected parties.

The GDPR allows for administrative fines of up to 20 million euros ($23.3 million) or four percent of a group’s worldwide annual turnover, whichever is higher.

While this can “‘make companies disappear or become completely unviable,” the Spanish Data Protection Agency will have the ability to adjust sanctions on a case by case basis, according to Iñaki Uriarte, legal director and secretary general of the Spanish Digital Economy Association (Adigital).

“It’s not so much a question of regulations but of interpretation of the regulations,” Uriarte told Bloomberg Law.

Urgent Action

The GDPR has been directly applicable in European Union members states since May 25, with no transposition into national law necessary. Nonetheless, limited aspects of data protection are up to the criteria of individual members states.

In the absence of a full-fledged overhaul of Spain’s Organic Data Protection Act, the Spanish government July 27 approved royal decree-law 5/2018, on grounds that some measures were urgent for adaptation to the GDPR.

“The current executive understands that with certain questions that are not reserved to organic laws, ‘it is essential that regulations with the rank of law be adopted’ to adapt Spanish law to European law,” the Parliament said in a Sept. 6 statement.

Spain’s “organic laws” deal with the development of basic rights and public liberties. To deal with other urgent matters, the executive may approve decree-laws provided they are debated by Parliament within 30 days.

New Data Protection Law Elusive

Royal decree-law 5/2018 went into effect Aug. 4. Parliament ratified it Sept. 6 with 339 votes in favor and two abstentions. It will remain in effect until a new Spanish Organic Data Protection Act takes effect.

“The intention is that is be approved before the end of the year,” Uriarte told Bloomberg Law. Despite sufficient time in the parliamentary calendar for approval by later November or early December, he said, there is no guarantee a new law will be enacted.

Spain’s attempt at a new data protection law has been the victim of unprecedented parliamentary gridlock, with a primarily bipartisan landscape giving way to four main parties and smaller nationalist groups with wildly divergent agendas.

The previous conservative government’s proposed law of November 2017 is languishing in Parliament’s Judiciary Committee.

“As of today, there is not a sufficient majority to approve an organic law of this nature,” López said. “There’s no way we’re going to have a new organic law before next year.”

Permanent link to this article: http://dlcarballo.com/2018/09/18/spanish-parliament-ratifies-urgent-data-protection-measures/