This blog post was provided by Belén Gámez in our Madrid office
We previously reported that back in November, the Court of Justice of the European Union ("CJEU") declared that Spain’s refusal to permit the "legitimate interest" justification for the processing of personal data — instead, requiring data subjects’ consent as the way of carrying out the majority of the data processing in Spain — violated section 7.f of the European Data Protection Directive 95/46/EC. In a ruling made public on February 13, the Spanish Supreme Court incorporated the CJEU’s ruling into Spanish law.
As expected, following the CJEU decision, the Spanish Supreme Court annulled article 10.2(b) of the Royal Decree 1720/2007 developing the Spanish Data Protection Law ("DPL"). Article 10.2(b) imposed additional requirements above those required by Article 7.f of the Data Protection Directive when a data controller wished to process personal data in pursuit of its "legitimate interests."
Although the Spanish Supreme Court annulled article 10.2(b), it did not address article 6 of the DPL, which establishes the same requirements as article 10.2(b). This is because the Spanish Supreme Court is not entitled to declare the nullity of a law (article 10.2(b) was incorporated into a Royal Decree). Hence, the Spanish Parliament must now modify article 6 of the DPL in accordance with the CJEU’s and the Supreme Court’s decisions.
It is clear that this modification will have significant consequences for the ways in which companies process personal data in Spain since, until today, the Spanish data protection framework was organized around obtaining data subject consent. The Spanish Data Protection Agency has not yet made public its opinion regarding this important development.