Spain’s proposed implementation of the Data Retention Directive

05 March 2007

Alexander Benalal

The Spanish Industry, Justice and Internal Affairs Ministries have issued a preliminary draft of a law on Retention of Data regarding Electronic Communications and Public Communications Networks which is aimed at implementing the EC Directive 2006/24 on the Retention of Data into Spanish Law. The proposed legislation will repeal the existing provisions of the E-Commerce Act as well as any other inconsistent legal provision. This will introduce significant changes to the data retention regime in Spain.

At present the regulatory framework in Spain with regard to data retention obligations for electronic communications is contained in Royal Decree 424/2005. This approved the Regulation on the conditions for the provision of electronic communications services, universal service and the protection of consumers. It also sets forth certain rules regarding the interception of communications, which need to be ordered by a judicial authority. These interception rules oblige the operators to provide certain data to authorised police officers; however this obligation is subject to the availability of the data and does not involve an obligation to retain such data for a defined period.

In addition, the E-Commerce Act (Act 34/2002) sets forth an obligation on operators of electronic communications networks and services, providers of communications network providers and providers of data hosting services to retain the connection and traffic data generated by the communications across such networks, for the purposes of prosecution of crime and protection of national security. Such retention period shall not be more than 12 months.

For the most part, the proposed legislation mirrors the provisions of the Data Retention Directive. There are nevertheless certain differences and remarkable aspects. For instance, the data retention provisions are to be applied in relation to any type of crime under Spanish law, not only to "serious crimes" as provided for in the Directive (article 1). Likewise the retention period provided under the proposed legislation is 1 year for all types of data (article 5) but the government, taking into account the costs of storage of the data and its value in relation to the investigation of crimes, has provided in the proposed legislation that it will be able to vary the retention term for a specific type of data to a maximum of 2 years and a minimum of 6 months (i.e. as per Article 6 of the Directive). Even though the proposed legislation provides that in such case the government will have to seek the opinion of the operators, the extension of the term has been very controversial and certain associations have claimed that the term cannot be decided at the government’s discretion.

In addition to the above the proposed legislation provides that the transmission of the data to the competent authorities shall only take place under a judicial order (article 7) and that the data shall be transmitted to the competent authorities within the period established in the judicial order; if this order does not indicate any period, the transmission shall be made within 24 hours after the working day, following the day in which the operator received the order (article 7.3)

With regard to protection and security of the data, the proposed legislation refers to general personal data protection legislation (i.e. Act 15/1999 on Data Protection and Royal Decree 994/1999 on the Regulation on Security Measures). The draft regulation to be made under the Data Protection Act (which is due to be approved this year and which would abrogate the Regulation on Security Measures), will require traffic and location data to have a high level of security applied to them. Therefore, if the draft regulation is approved with its current wording operators will have to apply additional security measures to these kinds of data.

Finally the proposed legislation also includes an obligation on mobile operators to keep a register of the identity of their customers acquiring prepaid cards.

Even though under Article 15 of the Directive the period for Member States to implement this Directive into their national laws expires on 15 September 2007, the proposed legislation is only a preliminary text which still has to go through the Parliament. The version approved may therefore substantially differ from its current wording.