Privacy in the Digital Era

Spain’s Princess and her right (or not) to be forgotten

Posted on 29 March, 2017

La Vanguardia - Laura Vivet

Recently, the Nóos corruption case has livening up the discussion regarding the right to be forgotten, since Spain’s Princess Cristina considered appealing the Mallorca Provincial Court’s decision to prosecute her before the Supreme Court, as she has finally been found not guilty of the tax fraud charges she was accused of. One of the main consequences of this appeal would have been the possibility of exercising the right to be forgotten regarding online publications where she appeared sitting in the dock, in an attempt to clean up her reputation.

The princess and her husband are public figures, and this information is certainly of public interest.

Although it seems that she has changed her mind for personal reasons, from a legal and effective point of view this action would most likely have been unsuccessful and counterproductive, since the princess and her husband are public figures, and this information is certainly of public interest, for its repercussions and due to the fact that it is a current topic.

In its iconic ruling of May 13, 2014, following a case brought by Mario Costeja against the Internet giant Google, The European Court of Justice (ECJ) concluded that, according to Directive 95/46 / EC (articles 12 and 14 a) and the Charter of Fundamental Rights of the European Union (articles 7 and 8), users have the right to request search engines to remove links to web pages that appear in a list of results displayed following a search made on the basis of a person’s name.

This right is especially relevant when it is intended to eliminate links to legitimate publications from this list of results, whose contents cannot be removed from the main site because, for example, they are publications that comply with a law, e.g. the Official State Gazette, or when they rely on the right to information and freedom of expression, as is the case of newspapers.

Thus, even if the content has not been deleted by the source website editor, it will no longer appear in the list of results linked to a person’s name when their name is typed into the search engine.

Nevertheless, the ECJ expressly established certain limits in its interpretation of the right to be forgotten, in accordance with the exceptions already established by the abovementioned Directive. This is not an absolute right; its exercise should be based on the fact that information is inaccurate, inadequate, irrelevant or excessive regarding the way the data is handled, or that it be kept for a longer period than is necessary. It also states that even the lawful handling of accurate data may become, over time, inconsistent with the Directive, when such data are no longer necessary in relation to the purposes for which they were collected or processed, as happened in the Costeja case. In this procedure, the Court considered that the information displayed on two links of an online newspaper that appeared when typing the claimant’s name in the search engine, was if a sensitive nature because it referred to a seizure of money corresponding to a debt to the Social Security system. Considering that the initial publication took place 16 years previously, there were now no specific reasons justifying the overriding interest of the public having access to this information.

The right to be forgotten is not applied to people who play a role in public life in exactly the same way.

Therefore, according to the ECJ, it is necessary to find the right balance in each situationbetween the public interest, i.e. having access to information, and a citizen’s right to protect his/her privacy, and this balance depends on the nature of the information in question, its sensitivity for the affected person’s private life, and the public’s interest in having access to that information, which may vary precisely according to the role played by that person in public life.
Consequently, the right to be forgotten is not applied to people who play a role in public life in exactly the same way. This difference can also be found in Organic Law 1/1982 of May 5th 1982 on the protection of the right to honor, personal and family privacy and image, specially aimed at protecting one’s own image and reputation. This law establishes that the right to one’s own image does not prevent its collection, reproduction or publication by any means when it refers to someone with a public role, high-profile profession or public visibility, and the image is captured during a public act or in a public place, nor when there is considerable historical, scientific or cultural interest.

The seriousness and current nature of the Princess’ case could not be more important for public opinion, as despite being acquitted of the criminal charges she is attributed a lucrative participation for which she had to pay an important sum for civil liability damages, with her husband being sentenced to six years and three months in prison.

Even with the passage of time, there are strong arguments for not recognizing the Princess’ right to be forgotten regarding the Nóos case and its passage through the courts, because these are facts that could even have historical connotations, she is a major public figure and the images of her were captured with her knowledge and in public places.

In this context, a judicial action in defense of the right to be forgotten could have a Streisand effect, i.e. what occurs when an attempt to hide a piece of information has the unintended consequence of publicizing the information more widely, and inadvertently draw further public attention to it.
Article published in La Vanguardia on Tuesday, March 28, 2017.

Privacy, drones and IoT

Posted on 16 August, 2016

This year I had the opportunity to give a presentation at the World Bank in Washington DC during one of their “brown bag sessions”, focused on Privacy, Drones and Internet of Things (IoT).

The World Bank is an organization that works worldwide with a wide range of projects, including some initiatives connected with new technologies, and every time, they should evaluate different risks involved, including privacy risks.

The purpose of the presentation was to understand the concept of ‘privacy’ and its different meanings worldwide, how to define the privacy framework and assess the risks arising from the use of new technologies such as drones or IoT, and introduce the Privacy Impact Assessment as an effective tool that we can use in any jurisdiction.

I am going to share some thoughts of these broad and complex chapters that I had to sum up within one hour! [+]

Internacional Privacy

Posted on 15 June, 2016

This year starts the First session of the Specialization Course on International Privacy and New Technologies from the Autonomous University of Barcelona, that I have organized together with my former teacher in International Law, Lídia Santos.

Currently I live in Washington DC where I am learning how privacy regulations apply in the US, as it was not possible to study this in Spain. This is the reason why I started organizing this course, which is the one I wished to have studied in my city.

Privacy and data protection has become an international matter long ago due to the use of new technologies and the globalization of companies and services.


Organizations increasingly need professionals with an international profile as they seek to expand their marketing campaigns and sell their products and services to a broader public, collaborate with providers from other countries or unify human resources management from their different subsidiaries.

Therefore, in this course we will study not only privacy regulations in Spain but also in Europe, the US, Canada, Latin America and Asia from professionals of different nationalities in the field of the Law, Computer Science and Telecommunications , in order to understand how privacy is understood through different cultures and countries .

In addition, we will count on the experience from the Data Protection Authorities and multinational companies such as Google, Microsoft and Hewlett Packard Enterprise whom will explain in a practical way how have they solved some of the main privacy challenges such as: regulation ofcloud services, right to be forgotten , the provision of services globally, Binding Corporate Rules (BCR y BSPR) and APEC Cross Border Privacy Rules.

This course is intended not only for law students, computer science and telecommunication students but also to professionals in the field of privacy and technology, so I invite you all to register.

Registration period is open and there are limited seats! You can find more information here and in the website.

Right to be forgotten, the Photoshop for Data?

Posted on 17 July, 2014


Recently the media have been echoing the landmark judgement of the European Union Court of Justice (ECJ) about the famous “right to be forgotten” starring Mario Costeja González, a Spanish forensic expert who decided to defy the laws of internet and challenge the giant Google, and defend his right to privacy.

It reminds us of the Ministry of Truth of the classic 1984 by George Orwell, whose function was to re-write history and falsify it.

The origin of this case started in 1998, before the approval of the current LOPD ( in Spanish acronym) – the Organic Law 15/1999 on personal data protection. Back then, the newspaper La Vanguardia ( newspaper of wide circulation in Catalonia ) published in its printed version an announcement of an auction of a property belonging to Costeja and his wife. An auction which was taking place as a direct result of social security attachment. Strangely enough this was also the year in which the company Google, our second principal star, was founded. 10 years later La Vanguardia digitized all its hermeroteca from 1881 to present day, facilitating free consultation by date or key words. [+]

Privacy Fair Play Rules

Posted on 16 April, 2014


Not long ago at the Bilbao Web Summit, Tim Berners-Lee inventor of the World Wide Web came up with a proposal stating that a constitution should be passed in order to protect Internet users. I think the most significant element of this statement is that it comes from someone best placed to know the origin and characteristics of this technology and the fact that his conclusion is a global regulation seems quite logical to me, considering that the resources and services that we find on Internet have no frontiers.
Establishing uniform rules for everyone would not only help protect Internet users, but also would enhance communication within it. Although, I absolutely share this theory, maybe right now it is still too early to know the real scope of this new system in order to establish with clarity what the basic international principles that should direct the cyberspace are, without undermining the technology evolution or creating important gaps or inconsistencies. We do not have to lose sight that laws, constitutions and international conventions, especially those that have regulated certain areas for decades (Human Rights, Security, etc.) are rules that have been shaped through time, customs and experience. The wording came after the understanding thorough knowledge of cause, risks and consequences, knowing full well what was intended to be protected or avoided.
Although the ultimate goal would be to pass an international constitution or principles, it is still too ambitious considering not only the limited experience that we have in this matter that is unusually changeable, but for the differing laws across the countries, strongly marked by a particular historical and cultural evolution. Nevertheless, we should keep in mind that, before constitutions or international conventions are adopted there are always a set of rules governing the practical functioning of society, such as, commercial relationships, transportation, the use of common spaces such as airspace, the sea, etc. These are operating rules to live by in society and sharing common spaces with a certain security.

In my view, in relation to the Internet or new technologies, we should do the same: establishing some fair play rules from a more practical point of view and with an international aspiration to enhance communication and services offered through the network, clearly defining what our rights and obligations are without undermining the progress and evolution of technology.

But how could communication be improved?

  • Synthesizing and standardizing the required legal information at any website, App or service,
  • Establishing an Incoterms system to facilitate content removal.
  • Establishing consequences for misleading legal notices, as already happens in certain countries.

And how should rights and obligations be established?

    • Imposing a strong transparency principle. This would permit us to offer convenient information under a uniformed blueprint, empowering consumers to compare with one another the terms offered by providers and choose the best deal effectively.


Establishing uniform rules for everyone would not only help protect Internet users, but also would enhance communication within it.

We cannot ignore that Internet has been a revolution that has deeply changed communications and society, while blurring borders and distance. So that, sooner or later we will have to think big if we want to build more effective regulations and often, less is more. Therefore, starting with this question, why don’t we try to agree with some useful international ‘fair play rules‘ to improve our experience and safety in the Internet and use of technologies, while letting the global principles emerge naturally with the evolution and experience?

Cookies ‘Made in Spain’

Posted on 15 July, 2013

“The Maria biscuit is the most popular in Spain.” (Wikipedia)

The Spanish Data Protection Authority recently issued guidelines on the regulation of Spanish cookies, following an amendment to Article 22 of Act 34/2002 on Information Society Services and Electronic Commerce, with a view to implementing the EU e-privacy Directive in Spain.

The guidelines provide useful information to understand the new requirements of the Regulation and useful tips to put it into practice. They also stress the importance of the terms included in the contractual and pre-contractual relationship between parties.

The Spanish authority stresses the importance of the contractual relationship between editors, advertisers and third parties involved in this process.

A distinction is made between different types of cookies (first/third party cookies, tracking cookies, advertising, analytics, session, security cookies, etc.) and it is established that certain types are excluded from the legal requirements. These exceptions are based on Opinion 4/2012 (WP194) and are usually related to cookies that are strictly necessary for a service or are explicitly requested by a user, e.g. session or access cookies, security cookies, authentication/identification cookies, multimedia player session cookies, load balancing session cookies, UI customization cookies, and social plug-in content sharing cookies.

The guidelines also explain the different types of parties involved in the management of this system and the information processed (user, editor, advertiser, advertising agencies…), stating that the main obligations are to provide clear information and consent. They also highlight the following main points:

  • Information provided must be clear and easy to understand. It also must disclose information about: definition of the cookie, types of cookies used, parties involved (first/third party cookies), purposes, the specific action that would constitute consent to the use of cookies, and how to opt-out and delete cookies.
  • Preference for layered privacy notices: provide basic information in a short initial note with further, more detailed, information available should an individual require it.
  • Locating the information where users can find it easily.
  • Implied consent is possible: in general terms, for consent to be valid users should be clearly informed and must carry out a positive action. However, consent could also be valid if clear information is given and the user clicks on any other link on the web page uses the scroll bar.
  • Cookies that come under the exemption are excluded from the requirement of prior informed consent.
  • The possibility of withdrawing previously given consent must be available at any time.
The legislation does not expressly define who is responsible for complying with these requirements. In this regard, the guidelines state that the different parties involved in the delivery and management of information in cookies should cooperate, and that they could both be responsible for complying with these obligations.

The Spanish authority stresses the importance of the contractual relationship between editors, advertisers and third parties involved in this process, recommending the inclusion of certain clauses establishing how valid consent is to be obtained, by whom, and also the means to withdraw it. This seems a good clue to figure out who should be responsible for complying with the Regulation. It could certainly be an issue if the contractual terms are not clear.

Moreover, there is a debate about whether lack of express consent from users in the delivery of cookies could be sanctioned, because the law is not clear. The legislation expressly establishes a severe sanction for the lack of information or means to withdraw consent, but it does not expressly establish this sanction for a lack of opt-in consent.

Perhaps this is why the effectiveness of this new regulation in Spain is so controversial.

Finally, I would like to mention an interesting and witty initiative from the Interactive Advertising Bureau about this issue, to help understand the requirements of this new regulation. You can see it here.

BYOD: Pros & Cons

Posted on 25 February, 2013


In today’s world, nearly every aspect of life is affected by computer technology and increasingly we can notably appreciate this social change through companies and business.

For example, the culture of BYOD (“Bring Your Own Device”) is already a fact we can find in multiple types of companies and sectors.

It is often said that benefits are multiple. Companies save money and employees are more committed and available. Besides, there are advantages for the workforce as it helps reconciling family life.

In Europe, current Case Law allows companies’ access to all their devices when employees have been clearly informed

However, there are privacy issues that we may not forget. Firstly, there are risks of data leakage when companies allow their workforce to use their own devices to complete work duties. Personal devices are usually shared with family and friends; they may also include other apps o items less secure that could lead to lose control over data, as information may be replicated in multiple places.

From my point of view, it may be possible to embrace the BYODs benefits without undermine privacy and confidentiality business information, but not in all situations.
A case-by-case assessment shall be needed. While it is true that BYOD benefits are multiple, it may not be appropriate for the processing of certain information or work duties.

After an evaluation of the potential offshoring tasks and an accurate classification of information, a personalized privacy policy can be shaped and might permit using BYOD in certain scenarios such as contact means or internal communications, whenever confidential information is not exposed. However, it would still be necessary to introduce specific means to control the use of removable storage devices / media, in order to prevent a potential information leakage.

Beyond this, the control over the information could be critic, as in fact, it could only be effective when the company has a real control over all devices.
In Europe, current Case Law allows companies’ access to all their devices when employees have been clearly informed about the security and privacy policy established. However there is a possibility that this principle may not apply to BYOD as the consequences might be different, since we are talking about personal devices.

The question is; even if we already have the workforce consent would it be enough to justify the company’s access to a private device? In my opinion the answer would be negative, due to the employees protection tendency that is also being reinforced with the new EU Regulation.

To sum up, it seems to me that we have to be cautious not to be blinded by the amazing colours of technology while Regulations and Case Law are still not clear.

The “right to be forgotten”

Posted on 5 December, 2012


The proposed UE Data Protection Regulation includes in their art. 17 the “Right to be forgotten and to erasure”. Its purpose is to provide the data subject with the right to obtain from the controller, the erasure of personal data relating to them and the abstention from further disseminations of such data. The regulation states that any subject may require the deletion of their information, through their right of object or withdrawing the consent initially given.

The article 29 Working Party and ENISA in its report of 20th November have already noticed several weaknesses in that Regulation suggesting that, as configured, it can not be effective in practice.
Indeed, when reading the article and trying to figure out in which situations we could exercise this right, many doubts arise, such as the fact that the scope of this right is not clear, against whom we could exercise it or how it could really be effective.
But the main question is whether the effective removal of data items once they have been published is really possible? [+]

What shall we do with cookies?

Posted on 21 July, 2012


Recently, at European level there has been a discussion concerning the adoption of an opt-in system in order to install some kinds of cookies on users’ computers. Cookies are small files that are automatically installed on your computer every time you connect to a website. When talking about cookies, the opt-in system consists of requiring users’ express consent before installing this type of files on their computer. Article 29 Working Party has adopted a strict interpretation of the notion of consent in these cases.

However, it seems to me that it could be desirable to slightly change the approach, in order to improve the coherence between technology and legislation.

We cannot expect users to read a whole page on cookies or privacy policies. This approach is excessive and may not be effective.

It is a well known fact that information overload causes the opposite effect. The online environment is characterized by its dynamism and its internationality; therefore, this could be the moment to self-reinvent ourselves.

We cannot expect users to read a whole page on cookies or privacy policies.

We cannot lose sight of the fact that a user browses the Internet looking for information he/she barely stops to read a few lines from each page, until he/she finds what he/she looking for. People are used to browsing with their smartphones, laptops or tablets on journeys or while waiting for a train. Increasingly, the general trend is to be online everywhere, at every moment and with any device. [+]

Cloned identity

Posted on 25 June, 2012


Recently, a patent has been published that will impact strongly in the world of privacy and the business of the accumulation of users’ information and user tracking practices.

Apple Inc. has acquired the use and enjoyment of a new patented technology developed by Stephen Carter, Novell, called “Techniques to pollute electronic profiling. It is a technology that allows cloning of the real identity of a person in the network, creating a false identity to operate quietly on the web without danger of being spied on by criminals or tracked and analysed by marketing companies. The patent is very interesting and evokes the “Big Brother” of the Orwell’s novel 1984; it defends the increase in users’ concern about privacy and the control of their data.

The technology means that a number of preferences, interests and actions that are completely different from the reality can be assigned to this cloned identity. For example, if a woman in Italy purchases a bicycle on-line through eBay, the clone of that person can be a Norwegian man who purchases a book through Amazon. Therefore, the trace information involved in the operation would be contaminated and therefore useless for marketing companies.

It even allows one to generate a user name, e-mail address and fake bank details to prevent identity theft. This new technology may also allow safer navigation without having to be a privacy or computer expert.

It is a smart and effective solution against the current abuse of traceability techniques, analysis of user profiles and identity theft that allows users to fighting for the control of their data on equal terms.

This development is quite recent and still we do not know what will be the reaction of the rest of the industry that lives off the accumulation and analysis of information, or governments, or if Apple finally will implement this technology. Nevertheless, it is an issue that deserves careful consideration.

Behavioural advertising

Posted on 15 April, 2011


The European online advertising industry has drafted a code of self-regulation that is ahead of the new EU Data Protection Regulation, where the online advertisers need to require users’ opt-in consent before installing tracking cookies.

Using cookies, organizations can track online habits and activities of Internet users through their websites, in order to send advertising based on the user’s preferences and tastes (behavioral advertising). The self-regulatory code stipulates that online ads would include an icon called “AdChoices” allowing users to change their privacy preferences in order to not be tracked for advertising purposes. Yahoo, Microsoft, Google and AOL are among the companies that have agreed to use this icon in their European ads online.
However, despite being an interesting initiative, it seems that this system does not meet the Commission’s requirements on previous consent (opt-in) before installing tracking cookies.

Privacy vs Copyright

Posted on 15 April, 2011


Pedro Cruz Villalón has expressed a contrary opinion in a report released on Thursday 14th, arguing that the granting of intellectual property rights should prevail over the privacy and secrecy of communications, in accordance with the Charter of Fundamental Rights.

He considers it unlawful to force an ISP from Belgium to establish a system for screening and blocking electronic communications in order to protect intellectual property rights.

Nevertheless, he acknowledges that the privacy and secrecy of communications rights are not unlimited, stating that a limitation of such rights and freedoms of Internet users “could only be admitted if it is based on national, accessible, clear and foreseeable legislation”.

Belgian legislation allows judges to intervene when there are violations of intellectual property rights, but it does not specifically establish a system for screening and blocking, so Villalón concludes that these steps are illegal.

Although the judgement still has not been issued and its opinion is not binding, the Advocate General’s recommendations are usually followed by the Court of Justice.