Legal basis considered invalid due to identity theft

The Spanish Supervisory Authority (AEPD) has recently imposed a 60,000 € fine in a controversial case with a cosmetic company (PS/00159/2019). Note that this resolution can be subject to appeal before the Spanish National Court (Audiencia Nacional).

The case originates from a claim by a consumer alleging that the multinational brand unlawfully processed her information without appropriately verifying her identity, which resulted in her data being wrongly added to a debt register.


Understanding International Data Transfer Mechanisms

One of the key objectives of the GDPR is ensuring an equivalent level of protection of persons and the free flow of personal data throughout the European territories. To that end, it provides different mechanisms, including the establishment of an independent public authority in each member state responsible for monitoring the application of the Regulation and the effectiveness of the data protection rights of individuals across the Union.


Spain’s Princess and her right (or not) to be forgotten

The Nóos corruption case has been livening up the discussion regarding the right to be forgotten since Spain’s Princess Cristina considered appealing the Mallorca Provincial Court’s decision to prosecute her before the Supreme Court, as she has finally been found not guilty of the tax fraud charges she was accused of. One of the main consequences of this appeal would have been the possibility of exercising the right to be forgotten regarding online publications where she appeared sitting in the dock, in an attempt to clean up her reputation.


Privacy, drones and IoT

This year I had the opportunity to give a presentation at the World Bank in Washington DC during one of their “brown bag sessions”, focused on Privacy, Drones and Internet of Things (IoT).

The World Bank is an organization that works worldwide on a wide range of projects, including some initiatives connected with new technologies, and each time they should evaluate the different risks involved, including privacy risks. The purpose of the presentation was to understand the concept of ‘privacy’ and its different meanings worldwide, how to define the privacy framework and assess the risks arising from the use of new technologies such as drones or IoT, and to introduce the Privacy Impact Assessment as an effective tool that we can use in any jurisdiction.

I am going to share some thoughts on these broad and complex chapters that I had to sum up within one hour.


Right to be forgotten, the Photoshop for Data?

Recently the media have been echoing the landmark judgement of the European Union Court of Justice (ECJ) about the famous “right to be forgotten” starring Mario Costeja González, a Spanish forensic expert who decided to defy the laws of the internet, challenge the giant Google, and defend his right to privacy.

It reminds us of the Ministry of Truth of the classic 1984 by George Orwell, whose function was to re-write history and falsify it.

The origin of this case dates back to 1998, before the approval of the current LOPD (its Spanish acronym), the Organic Law 15/1999 on personal data protection. Back then, the newspaper La Vanguardia (a newspaper of wide circulation in Catalonia) published in its printed version an announcement of an auction of a property belonging to Costeja and his wife. The auction was taking place as a direct result of a social security attachment. Strangely enough, this was also the year in which the company Google, our second principal star, was founded. Ten years later La Vanguardia digitized its entire hemeroteca from 1881 to the present day, facilitating free consultation by date or keywords.


Privacy Fair Play Rules

Not long ago at the Bilbao Web Summit, Tim Berners-Lee, inventor of the World Wide Web, came up with a proposal stating that a constitution should be passed in order to protect Internet users. I think the most significant element of this statement is that it comes from someone best placed to know the origin and characteristics of this technology, and the fact that his conclusion is a global regulation seems quite logical to me, considering that the resources and services that we find on the Internet have no frontiers.
Establishing uniform rules for everyone would not only help protect Internet users, but would also enhance communication within it.


Cookies ‘Made in Spain’

The Spanish Data Protection Authority recently issued guidelines on the regulation of Spanish cookies, following an amendment to Article 22 of Act 34/2002 on Information Society Services and Electronic Commerce, with a view to implementing the EU e-privacy Directive in Spain.

The guidelines provide useful information to understand the new requirements of the Regulation and useful tips to put it into practice. They also stress the importance of the terms included in the contractual and pre-contractual relationship between parties.


BYOD: Pros & Cons

In today’s world, nearly every aspect of life is affected by computer technology, and we can increasingly see this social change in companies and businesses.

For example, the culture of BYOD (“Bring Your Own Device”) is already a reality in many types of companies and sectors.

It is often said that the benefits are multiple. Companies save money and employees are more committed and available. Besides, there are advantages for the workforce, as it helps reconcile work and family life.


The “right to be forgotten”

The proposed EU Data Protection Regulation includes in its Art. 17 the “Right to be forgotten and to erasure”. Its purpose is to provide data subjects with the right to obtain from the controller the erasure of personal data relating to them and the abstention from further dissemination of such data. The regulation states that any subject may require the deletion of their information, by exercising their right of objection or by withdrawing the consent initially given.

The Article 29 Working Party and ENISA, in its report of 20th November, have already noted several weaknesses in that Regulation, suggesting that, as configured, it cannot be effective in practice.
Indeed, when reading the article and trying to figure out in which situations we could exercise this right, many doubts arise, such as the fact that the scope of this right is not clear, against whom we could exercise it or how it could really be effective.

But the main question is whether the effective removal of data items once they have been published is really possible.


What shall we do with cookies?

Recently, at European level there has been a discussion concerning the adoption of an opt-in system in order to install some kinds of cookies on users’ computers. Cookies are small files that are automatically installed on your computer every time you connect to a website. When talking about cookies, the opt-in system consists of requiring users’ express consent before installing this type of file on their computer. The Article 29 Working Party has adopted a strict interpretation of the notion of consent in these cases.

However, it seems to me that it could be desirable to slightly change the approach, in order to improve the coherence between technology and legislation.

We cannot expect users to read a whole page on cookies or privacy policies. This approach is excessive and may not be effective.


Cloned identity

Recently, a patent has been published that will have a strong impact on the world of privacy and the business of the accumulation of users’ information and user tracking practices.

Apple Inc. has acquired the use and enjoyment of a new patented technology developed by Stephen Carter, Novell, called “Techniques to pollute electronic profiling”. It is a technology that allows cloning of the real identity of a person in the network, creating a false identity to operate quietly on the web without danger of being spied on by criminals or tracked and analysed by marketing companies. The patent is very interesting and evokes the “Big Brother” of Orwell’s novel 1984; it defends the increase in users’ concern about privacy and the control of their data.

The technology means that a number of preferences, interests and actions that are completely different from the reality can be assigned to this cloned identity. For example, if a woman in Italy purchases a bicycle on-line through eBay, the clone of that person can be a Norwegian man who purchases a book through Amazon. Therefore, the trace information involved in the operation would be contaminated and therefore useless for marketing companies.

It even allows one to generate a user name, e-mail address and fake bank details to prevent identity theft. This new technology may also allow safer navigation without having to be a privacy or computer expert. It is a smart and effective solution against the current abuse of traceability techniques, analysis of user profiles and identity theft that allows users to fight for the control of their data on equal terms.

This development is quite recent and we still do not know what the reaction will be of the rest of the industry that lives off the accumulation and analysis of information, or of governments, or whether Apple will finally implement this technology. Nevertheless, it is an issue that deserves careful consideration.

Behavioural advertising

The European online advertising industry has drafted a code of self-regulation that is ahead of the new EU Data Protection Regulation, under which online advertisers need to obtain users’ opt-in consent before installing tracking cookies.

Using cookies, organizations can track the online habits and activities of Internet users through their websites, in order to send advertising based on the user’s preferences and tastes (behavioural advertising). The self-regulatory code stipulates that online ads would include an icon called “AdChoices” allowing users to change their privacy preferences in order to not be tracked for advertising purposes. Yahoo, Microsoft, Google and AOL are among the companies that have agreed to use this icon in their European online ads.
However, despite being an interesting initiative, it seems that this system does not meet the Commission’s requirements on prior consent (opt-in) before installing tracking cookies.

Privacy vs Copyright

Pedro Cruz Villalón has expressed a contrary opinion in a report released on Thursday 14th, arguing that the granting of intellectual property rights should prevail over the privacy and secrecy of communications, in accordance with the Charter of Fundamental Rights.

He considers it unlawful to force an ISP from Belgium to establish a system for screening and blocking electronic communications in order to protect intellectual property rights.

Nevertheless, he acknowledges that the privacy and secrecy of communications rights are not unlimited, stating that a limitation of such rights and freedoms of Internet users “could only be admitted if it is based on national, accessible, clear and foreseeable legislation”. Belgian legislation allows judges to intervene when there are violations of intellectual property rights, but it does not specifically establish a system for screening and blocking, so Villalón concludes that these steps are illegal.

Although the judgement has still not been issued and the opinion is not binding, the Advocate General’s recommendations are usually followed by the Court of Justice.