The Spanish Data Protection Agency (AEPD) recently issued new privacy guidelines designed to identify and avoid privacy risks. The AEPD’s guidance on data protection impact assessments (PIAs) encourages privacy by design – i.e., building privacy protections into products or services and maintaining throughout their life. Since PIAs are commonly used in the U.S. and other English-speaking countries, the AEPD hopes to introduce a new approach to data protection in Spain. Currently, Spanish law does not require PIAs or privacy by design, but the AEPD rulings will take into account an entity’s attempt at due diligence done in accordance with its directives.
The guide strongly recommends PIAs where companies employ “particularly invasive technologies,” such as geolocation, data mining, biometrics, genetic techniques, video surveillance, etc. The guide also suggests measures companies can take to avoid or mitigate risks. For example, biometric identification information can be accessed through a central database by unauthorized third parties. A decentralized system, such as the use of smart cards, might reduce this risk. Measures to be adopted can be diverse (organizational, technological, contractual, etc.), so each company must decide which measure or combination of measures is best suited to its culture and structure.
Although there are no currently binding regulations on PIAs in Spain, the AEPD is considering adopting binding regulations after the E.U.’s general data protection regulation is approved. In January 2012, the European Commission, the E.U.’s executive branch, proposed a uniform E.U.-wide regulation (16 PRA, 1/26/12) to replace the 1995 E.U. Data Protection Directive. In March 2014, the European Parliament adopted its position on the reform (49 PRA, 3/13/14), and the E.U. Council, which represents the governments of E.U. member states, is in the process of considering the proposal (198 PRA, 10/14/14). Regardless of the regulatory developments in Europe, the AEPD has concluded that the PIA methodology has reached a “sufficient level of development” to be incorporated in Spain. The “Personal Data Protection Impact Assessment Guide” is available here in Spanish.
For more coverage on this topic, see this BNA article.