New rules have recently come into force in Spain covering the retention of data by the providers of electronic communication services and public communication networks. These rules impose obligations on service providers to retain certain information generated or processed by them for twelve months and provide for access to this data by the authorities for the investigation, detection and prosecution of serious crimes.
The Spanish Law 25/2007, dated 18 October, on the retention of data related to electronic communications and public communications networks, has recently been approved and published in the Spanish Official Gazette. The law came into force on 9 November 2007 and implements Directive 2006/24/EC of 15 March 2006 on the retention of data. Although the Law is now in force, service providers obliged by this Law have been given 6 months to adapt their equipment and systems in order to comply with these new requirements.
The new Law applies to traffic and location data on both legal entities and natural persons and to the related data necessary to identify the subscriber or registered users. Under Article 3 of the Law, the data to be retained is classified in the following categories:
data necessary to trace and identify the source of a communication;
data necessary to identify the destination of a communication;
data necessary to identify the date, time and duration of a communication;
data necessary to identify the type of communication;
data necessary to identify users’ communication equipment or what purports to be their equipment; and
data necessary to identify the location of mobile communication equipment.
The Law provides for a standard retention period of 12 months from the date of the communication, but the government, taking into account the costs of storage of the data and its value in relation to the investigation of serious crimes, will be able to vary the retention term for specific types of data to a maximum of 2 years and a minimum of 6 months. In such cases the government shall seek the opinion of operators.
In relation to access to the data by the authorities, Articles 6 and 7 of the new Law state that data should only be transferred by the operators to a competent authority and under a judicial order. Operators must transmit relevant data to the competent authorities within any period specified in the judicial order or, if no such period is specified, within 72 hours from 8:00 a.m. of the working day following the day in which the operator received the order.
With regard to protection and security of the data, the Law refers to general personal data protection legislation, (i.e. the Data Protection Act 15/1999, on Data Protection, and Royal Decree 994/1999 on the Regulation on Security Measures). In this respect, it is important to note that the current draft Regulation of Development of the Data Protection Act requires higher levels of security for traffic and location data. If adopted as currently worded, service providers will need to put additional security measures in place for these types of data. The draft regulation is expected to be approved in 2008 and would repeal and replace the Regulation on Security Measures.
Finally, the retention law also includes an obligation on mobile operators to keep a register of the identity of their customers acquiring prepaid cards. This register must contain, the name, surname/s, nationality and identification document number for natural persons; and the trade name and identification tax number for companies.