The new Spanish Data Protection Act adapting the General Data Protection Regulation into the national legislation brought two things: first, an unpleasant surprise in the form of a new art. 58 bis in the Spanish Electoral System Act; and second, a memorable citizen judicial victory.
Spanish society in general, and a group of lawyers in particular, rose up against what obviously was an unfair rule.
As a result, various initiatives were undertaken, resulting in the Spanish Constitutional Court declaring the provision null and void.
This is the story.
The ugly: the controversial article
The Third Final Provision of the Spanish Data Protection Act in force since 7 December 2018, introduced a new art. 58 bis on the Spanish Electoral System Act (LOREG).
Art. 58 bis LOREG states:
«Article fifty-eight bis. Use of technological means and personal data in electoral activities.
- The collection of personal data relating to the political opinions of individuals carried out by political parties in the performance of their electoral activities shall be deemed to be in the public interest only where adequate safeguards are provided.
- Political parties, coalitions and electoral groupings may use personal data obtained from websites and other publicly accessible sources in the performance of political activities during the electoral period.
- The sending of electoral propaganda by electronic means or messaging systems and the contracting of electoral propaganda in social networks or equivalent media shall not be considered a commercial activity or communication.
- These above-mentioned dissemination activities will prominently identify their electoral nature.
- The addressee shall be provided with a simple and free means of exercising the right of objection”.
That is, political parties have given themselves legal authority to collect personal data regarding the political ideology of citizens (i.e. a special category of data which require, by legal imperative, a higher level of protection) from social networks and the Internet to personalize electoral propaganda.
Art. 58 bis of the Spanish Electoral System Act was introduced by an amendment of a parliamentary group in the last phase of legislative process of the Data Protection Act. Unlike the drafting of the Proposal, the amending process counted with no guarantees such as a public consultation and information or any review by a relevant consultative body such as the State Council or the Spanish Data Protection Authority.
In simple terms, this article was tailored-made by and for the political parties.
The good: we, the people against it
This provision quickly generated unanimous criticism among data specialists and a strong feeling in the citizens. On the other hand, only the experts who had participated in the drafting of Art. 58 bis of the Spanish Electoral System Act defended it.
By not specifying suitable and specific safeguard measures, the legislator had resigned from its responsibility and left citizens’ right to data protection in political parties’ hands. Ironically, the wording of an earlier draft of the challenged provision did contain specific measures, which were suppressed form the final version.
Consequently, the controversy reached national level, although the media focused not on the ideological data processing, but on the new possibility to send electoral spam to citizens, without the limitations established for electronic marketing.
As a result, various initiatives spontaneously arose. Also, several groups of lawyers organized themselves through twitter to develop legal actions against the new law:
1. Friday List
The think-tank Secuoya Group created the Foundation for the Defense of Privacy and Digital Rights to channel one of the initiatives: “Friday List”, an electoral advertising exclusion system made it available for free to both Spanish citizens and political parties.
Firday List («Lista Viernes» in Spanish) is a system designed to prevent citizens from receiving unwanted electoral propaganda, in the style of the Robinson List, a similar well-known service in Spain with years of existence to prevent indiscriminate commercial advertising by companies.
In the upcoming weeks, the Foundation will release the software code so that any organization can promote the same project for free in their country.
2. Online form
A group of Spanish lawyers drafted and published online a model document to enable citizens to exercise their right to object the processing of their ideological data. Access the document here.
3. Constitutional challenge
Another group of jurists (including the promoters of the Foundation for the Defense of Privacy and Digital Rights) organized themselves through twitter and created a draft appeal of unconstitutionality against Spanish Electoral System Act´s Art. 58 bis paragraph 1. Access the draft here.
This draft appeal was submitted to the Spanish Ombudsman on 22 February 2019. Just a few days later, on 4 March 2019, the Ombudsman filed its appeal of unconstitutionality against art. 58 bis before the Constitutional Court, which admitted it.
On 30 June 2019 -that is, in an absolute record time -, the Constitutional Court published its judgment unanimously declaring the unconstitutionality of Art. 58 bis paragraph 1 of the Spanish Electoral System Act, which is therefore declared null and void. Access the judgement here.
At this point in the story, you will be wondering what the legal arguments assumed by both the Ombudsman’s appeal and the Constitutional Court decision were. Let’s comment on the most relevant ones.
The Bad: art. 58 bis 1 LOREG versus GDPR and Spanish Constitution
1. Recital 56 GDPR
Spanish Electoral System Act´s Art. 58 bis was allegedly based on Recital 56 GDPR, as expressed in earlier drafts of the provision.
Recital 56 GDPR established that personal data consisting on people’s political opinions might be processed whenever the conditions expressed thereof were met, namely: (i) “the operation of the democratic system in a Member State requires that political parties compile” such personal data; and (ii) “provided that appropriate safeguards are established”.
However, the wording of the Spanish provision did not aim to identify why the democratic system would require such pervasive processing of personal data, nor it provided for any safeguard, therefore, not meeting the requirements of recital 56 GDPR.
Thus, the content of Spanish Electoral System Act´s Art. 58 bis infringed the GDPR.
2. Article 9 GDPR
As if this was not enough, Recital 56 was not the correct legal ground of art. 58 bis paragraph 1. Remember, this provision enabled the processing of ideological data -that is, special category of data- on the basis of the public interest. The only provision under the GDPR allowing for processing of special categories of personal data on the public interest is art. 9.2.g) GDPR, which indeed features stronger requirements.
According to art. 9.2.g) GDPR, a «substantial public interest» is needed. This requires the processing to be proportionate to the aim pursued, to respect the essence of the right to data protection and to provide for “suitable and specific measures» to safeguard the interests and fundamental rights of the data subject. None of these conditions were met in the wording of art 58 bis LOREG, for the following reasons.
First, the contested national provision did not identify what substantial public interest existed that would serve as the lawful ground for the processing of data referred to people´s political opinions.
Second, nor art. 58 bis LOREG or any other provision in the law established any adequate and specific measure to protect data subjects. Furthermore, in light of the Spanish constitutional law, these safeguard measures, could have only been established by law. And there was no other applicable law establishing such imperative and indispensable safeguard measures.
Consequently, the shortcomings of the challenged provision left the only feasible interpretation that the public interest in fact invoked was not the “substantial” public interest set out in art. 9.2.g) GDPR but the general public interest provided for in art. 6.1.e) GDPR, which was clearly insufficient to justify the processing of special categories of data.
Long story short, the article did not live up to the burden of either recital 56 nor art. 9 GDPR.
3. The Spanish Constitution
All these inadequacies of the provision mean that art. 58 bis paragraph 1 LOREG violated the Spanish Constitution of 1978, as it did not respect the essential content of the right to protection of personal data.
Again, ironically enough, the rationale for the creation of art. 58 bis was «to adapt the Regulation to national specificities and to establish safeguards to prevent cases such as the one linking ‘Cambridge Analytica’ to the unlawful use of data of 50 million Facebook users for electoral marketing«.
However, a Cambridge Analytica-like situation would have found legal basis in Spain, according to the new article.
As the Constitutional Court judgment indeed stated.
This is the story of how Spanish civil society acted in the system of checks and balances and won. And they lived happily ever after.