The head of Privacy and Data Protection at Garrigues spoke to the Congress Justice Commission about the LOPD draft bill.

With the Personal Data Protection bill (LOPD) “Spain has a chance to be at the front-line in developing data technologies". This was the view put forward by Alejandro Padín, counsel in the Commercial Department and head of Privacy and Data Protection, when he spoke on Tuesday 6 March to the Congress of Deputies Justice Commission, in view of the imminent application of the new GDPR on 25 May.

As a speaker in the debate, part of the process of tabling the LOPD bill in the Lower House, he highlighted the fact that the new law "regulates not only a fundamental right but also the market based on that right." In this regard, he held that it is best to "avoid preconceived notions and to look at the whole picture". The fact is, as he indicated, “we are talking about regulation of an asset - the data - which has real economic value".

Our professional expert went on to explain that “this is a case of regulating a global market, and the impact of the Regulation will result in an opportunity for Europe." And he applied this approach to the case of Spain: "We need to see things from the perspective of placing Spain at the forefront of the market with this new regulation. If we increase restrictions, countries will go outside Europe. Spain could be a point of entry to the data market, offering legal security and placing us at the front line in terms of competition,” all of which,  Garrigues’ expert pointed out, would comply with and ensure the right to data protection.

Legal security

Alejandro Padín also emphasised that the Spanish law "should not be a law implementing the whole fundamental right, but only that which should be regulated according to the terms of the Regulation". Therefore, he considered that the Spanish government should not start regulating issues that are not the province of the European regulation.

Furthermore, legal security depends on this. The fact is, he claimed "if we attempt to regulate a fundamental right at European level and then every country decides to create its own laws, we will have 28 regulations which could well contradict each other in some cases". In this regard he asked, by way of example, which law a company would abide by if it had a presence in several European Union member states, a problem that could be avoided through regulatory restraint. “The more we adhere to the content of the Regulation the fewer problems we will encounter in this regard" he stressed.

Furthermore, he considered that the draft bill "is full of indeterminate legal concepts and what entrepreneurs and businesses want is legal security, not to have to interpret the norm and for it to become a problem".

Alejandro Padin also addressed other issues relating to the new law, such as how all this would affect regulations on cookies, compliance with security measures, the status of the data protection officer, or data processing in the public sector.

A sandbox for data

Finally, he proposed that the lawmakers consider the possibility, provided there is still time to do so, of setting up a test bed or sand box, something that Spain is currently considering for Fintech. The sandbox would make it possible to act in a controlled and restricted environment, testing new technologies, establishing a disciplinary regime that would not be integral to those developments. In his opinion, "this could be a gateway to leading technological developments and as such Spain could become an attractive jurisdiction in this regard".

Finally, Alejandro Padin warned that "fundamental rights should be absolutely protected but without falling into the trap of ingenuously thinking that if we protect them well, nothing will happen. Technology is overtaking us in every area, without us realising it. My approach would be to look at the whole picture. Nothing should ever be done without obtaining authorisation of persons; however, it is necessary to regulate bearing in mind that there is no stopping this phenomenon". And he concluded by pointing out that what he wants is "not for there to be no regulation, but to regulate only what is necessary, thus avoiding needless bureaucratic formalities".

The Agencies' view

In the session organised this Tuesday, 6 March by the Congress Justice Commission, in addition to  Alejandro Padín, other speakers present were  Margarita Uría Etxebarría, Director of the Basque Data Protection Agency, José Muelas Cerezuela, former dean of the  Cartagena Bar Association, and Jesús María Hernández Rivas, doctor in Medicine and Surgery at the University of  Salamanca, Chair of Haematology at the same University, and specialist in Haemotology and Haemotherapy at Salamanca University Hospital.

Margarita Uría spoke on details of the draft regulation and how it would be appropriate to provide an explanation of grounds.  Regarding the European Regulation, she pointed out that it is the first time that a European norm has been completely dedicated to a fundamental right.

She also addressed reconciling rights in access to information in the public sphere, and the role of the authorities in controlling this aspect. In this regard, she recalled that the European regulation emphases the need for controlling authorities to act together. She also mentioned the Basque and Catalan data protection agencies’ relations with the Spanish Data Protection Agency (AEPD), highlighting their excellent relationship and their joint contribution to assessing the finer details of application of the GDPR. "The three agencies have worked together, and there has not been the slightest conflict with the state agency, our relations are excellent and we get on well together". Therefore, in her opinion "it is surprising that there is a section in the regulation that provides for the AEPD to take action should the other agencies cease to operate. It is surprising because no such problem has ever arisen".

 Margarita Uría also mentioned several other aspects addressed in the new regulation, and spoke of issues such as the need to clearly designate the tasks of the data protection officer (DPO).

Jurisdictional information

In turn, José Muelas suggested that we “view the law with common sense”. He analysed the effects of the regulation for lawyers and the effect that it could have with respect to jurisdictional data submitted to the courts, and which are beyond the control of data protection agencies.  In his opinion, "It does not seem reasonable that jurisdictional data should be processed by authorities other than the judiciary."

He also highlighted the fact that some data should never be accessible, namely that which the client shares with his/her lawyer: "They should be safeguarded from executive and judicial authority. It would be helpful to have a provision that would appease lawyers in this regard".

Furthermore, he mentioned that while he considered it appropriate for official professional associations to have a data protection officer, it would not necessarily be a prerequisite for the 83 bar associations", however, a formula should be pursued which would enable institutions to cooperate with each other.

Re-use of medical data

Finally, Jesús María Hernández Rivas, provided a view from a health expert's perspective emphasising the importance of the need to reuse medical data.  This expert explained that "the health service handles and compiles a huge volume of data which can serve and contribute to improving the health of sick patients" He asserted that the use of these data "ensures best clinical practices, and reusing patients’ data will help to improve end results", as is the case with cancer research for example.

In this regard he explained that “if we are really unable to reuse the data available to us, the work of medical research will lose the significance that it has had to date" holding that "from the perspective of health care, data needs to be shared, in a secure framework that will ensure the patient cannot be identified, and the data should always be used to help the patient, so that it is also possible to look back and see how treatments have worked for our patients". And finally he added, “we have plenty of mechanisms in place to ensure that data can be managed in an anonymous manner".