Spain Applies GDPR Amid Parliamentary Gridlock

Artículo de Brett Allan King en Bloomberg BNA. Publicado el 28 de junio de 2018.

Spain’s parliamentary gridlock is slowing down approval of a revised data protection law.

The European Union’s General Data Protection Regulation has been the law of the land since May 25, though limited aspects of data protection are still up to the criteria of individual member states. But Spain’s fractured political landscape places it among member states falling behind on planned adjustments to national privacy-related laws — in its case, the Organic Data Protection Law (LOPD 15/1999).

“The reality is that, in those aspects that don’t contradict the European regulation, our national regulations remain in force,” Daniel López, a partner at ECIJA in Madrid, told Bloomberg Law.

One legislative proposal would revise the role of the Spanish Data Protection Agency (AEPD). Still others would cover sanctions and enforcement measures, the jurisdiction of regional authorities, and “controversial aspects such as the credit information of deceased persons,” López said.

As legislators struggled to agree on a revised national regime, the AEPD released a guidance June 19 aimed at ensuring that companies comply with the GDPR.

Likewise, the AEPD’s free online tool, Facilita_RGPD, aims to help companies determine their data processing risk profile and identify the minimum documentation needed to make them GDPR-compliant.

Given the strictness of the existing Spanish data protection law, companies already in compliance with the LOPD should face no serious structural challenges in complying with the GDPR, Iñaki Uriarte, legal director and secretary general of the Spanish Digital Economy Association (Adigital), told Bloomberg Law.

At the same time, the European regulations may have served as a wake-up call for companies that have been more lax about data protection compliance, Uriarte said.

Legislative Drought

Spain’s fractured political landscape has led to a legislative drought affecting a wide array of policy areas— such as the approval of 2018 budget—which are arguably more urgent than a new LOPD.

While the country’s multiparty system has traditionally been dominated by either the Spanish Socialist Workers’ Party or the conservative Popular party, this de facto bipartisanship was toppled in 2016 elections with the rise of the leftist Podemos party and the liberal Citizens party.

Failure to form a government led to new elections, more parliamentary gridlock and a minority Popular party government, which was ousted June 1 in a no-confidence vote. One casualty of gridlock was a new LOPD bill proposed in late 2017, but with a limited chance of passing.

AEPD guidance is still in force and updated in accordance with the European regulations, Lopez said, although failure to approve a new LOPD by May 25 might have wrought some “uncertainties” regarding mandatory audits or the adoption of security measures.

New Data Protection Law

Although it is unknown what a final LOPD will look like, the fall of the Popular party government could give new life to amendments by opposition parties that previously had little chance of approval.

Socialist Prime Minister Pedro Sánchez has publicly stated that he plans to be in office through the end of the legislature in 2020, though the approval of laws will require consensus among a splintered playing field where support from Podemos and nationalist parties could prove essential.

“We should wait for the final text, since any similarity with the bill will be mere coincidence,” López said.

Parliamentary instability aside, the AEPD works on a different schedule in that directors are named to fouryear terms that overlap with different governments—and with the understanding that the office is to be executed independently and objectively without political interference. The current director, Mar España, was appointed in 2015 and ostensibly will be replaced in 2019.

The “very complex” introduction of cross-border procedures involving different languages and more than one national data protection authority stand as unprecedented challenges posed by the GDPR, Uriarte said.

“I have no doubt that the Spanish Data Protection Agency is among the most prepared, but whether it’s 100 percent prepared, I imagine not,” he said.

Enlace permanente a este artículo: