Bird & Bird wins landmark preliminary ruling on Spanish data protection regulations

28 November 2011

Bird & Bird has obtained a CJEU judgment for its client ASNEF (National Association of Financial Institutions, Spain) which may lead to a complete overhaul of data protection legislation in Spain and the way in which the European Commission’s legislation is typically harmonised across member states.

Our client sought to challenge Spanish data protection legislation, as an overly restrictive enactment of the European Commission’s proposals for data protection. They believed the legislation to be affecting the development of business in Spain as international companies were deterred from the costs and risks of operating within such a strict framework. 

The judgment handed down at the end of last week ruled that the Spanish data protection secondary regulations were indeed non-compliant with the EU Data Protection Directive.  The Spanish Supreme Court will now have to decide whether or not to repeal the two non-compliant articles.

Javier Fernández-Samaniego, head of our Madrid Data Protection team, has welcomed the judgment and said, “Hopefully, this judgment will have an impact on the European Commission’s proposals for the reform of data protection legislation as it highlights the difficulties that the lack of harmonisation among Member States creates for multinational companies. This issue is affecting the development of European industry, as a number of international investors are refusing to do business in a number of European countries due to their strict approach to data protection, and because different countries treat identical issues in completely different ways. This is something which the new legislation must address.”

Antonio Creus, Partner in our Madrid office added: “This judgment proves, once again, the great importance of EU law as a retaining wall against the excesses committed by Member States during national implementation. Until now, the Spanish data protection regime has been characterised by its restrictive nature in comparison with other EU national laws, with sanctions imposed by the Spanish Data Protection Agency amounting to 90% of the total value of penalties imposed by data protection authorities across all Member States. Needless to say, this has posed a great problem for the free movement of personal data in Spain, which shall hopefully be to some extent alleviated now that the Spanish legislation has been found contrary to EU law.”

- Ends -

Notes to Editors:

The judgment was on a preliminary reference submitted by the Spanish Supreme Court regarding the non-compliance of Royal Decree 1720/2007, the Spanish Data Protection secondary regulations (“Secondary Regulations”), with Directive 95/46/EC (the “Data Protection Directive”).

The case follows the Spanish Supreme Court’s judgment of July 2010, in which the Supreme Court partially repealed the Secondary Regulations and submitted a preliminary question to the CJEU on the interpretation of art. 7 of the Data Protection Directive, which ASNEF argued had been implemented incorrectly. The Spanish Data Protection Act and its implementing Secondary Regulation do not enact art.7(f) of the Data Protection Directive, which allows data to be processed for the pursuit of the legitimate interests of the controller, as an independent justification for data processing and instead Spanish data controllers must seek the consent of the data subject. Furthermore, Spanish legislation has added two additional conditions to processing in pursuit of the controller’s legitimate interests: (i) that the processing must authorised by national or EU legislation and (ii) that the data are available in public databases.

On 24th November 2011, the CJEU issued its judgment on the preliminary reference cases (C-468/10 and C-469/10) in favour of ASNEF’s arguments,  and held that the Data Protection Directive precludes “national rules which, in the absence of the data subject’s consent, and in order to allow such processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed, require not only that the fundamental rights and freedoms of the data subject be respected, but also that the data should appear in public sources, thereby excluding, in a categorical and generalised way, any processing of data not appearing in such sources.” Art. 7 of the Data Protection Directive was also held to have direct effect.

The full judgment can be found at