Regulatory changes in the area of Data Protection and Electronic Commerce continue

30/4/19

Regulatory changes in the area of Data Protection and Electronic Commerce continue

The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. This translates into an increase in the exchange of personal data between different operators, especially between companies dedicated to the tourism sector. In this regard, rapid technological evolution and globalization have posed new challenges for the EU. To ensure a uniform and high level of data protection, as well as to eliminate obstacles to the circulation of personal data within the EU, the Commission published, among others, Directive 95/46/EC, relating to the protection of personal data and that relating to electronic commerce, 2000/31/EC. These Directives were transposed into national regulations, leading to the development and publication of:

  • Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD).
  • The Regulations for the development of the LOPD approved by Royal Decree 1720/2007, of December 21.
  • Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI).

After 17 years of applying the LOPD, the EU has understood that the effective protection of personal data in the Union required, on the one hand, that the rights of the interested parties and the obligations of those who process and determine the processing of personal data be reinforced and, on the other, that equivalent powers should be recognized in the member states to monitor and ensure compliance with the regulations relating to data protection. The same thing happens with the LSSI as with the old LOPD, since everything related with electronic commerce, it has also undergone significant progress in recent years. In this way, and as a result of everything stated above, the EU published Regulation (EU) 2016/679, of April 27, 2016, on the protection of data of individuals with regard to the processing of personal data and the free movement of these data (GDPR), thus repealing Directive 95/46/EC. Since the entry into force of the RGPD and the subsequent publication and entry into force of the new Organic Law 3/2018 on Data Protection and Guarantees of Digital Rights (LOPDGDD), European bodies have considered it necessary to modification of the LSSI, given the important interrelationship between the two regulations. In this way, we have the 2002 LSSI being applied together with the new LOPDGDD, but as previously established, Europe does foresee a change for the regulation of European electronic commerce with the so-called E-Privacy Regulation, whose changes will make it necessary to modify the current LSSI or, surely, will entail the approval of new regulations. In this regard, it should be noted that the European Data Protection Council (CEPD) has just published Opinion 5/2019 on the Interaction between the E-Privacy Regulation and the GDPR, in particular, on the competence, tasks and powers of data protection authorities (”Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities”). In this sense, the E-Privacy Regulation will repeal the European Directive 2000/31/EC. Meanwhile, the LSSI will continue to apply until the Spanish legislator enacts a new electronic commerce regulation that represents the definitive repeal of Law 34/2000. Regarding the application of the regulations, one of the examples of the existing relationship between the LOPDGDD and the LSSI is the regulation of sending commercial communications to previous customers by electronic means (e.g. an email). The current LOPDGDD and RGPD require unequivocal consent from the interested party to send such commercial communications, while the LSSI attaches importance, not so much to consent, but to the possibility of revoking it through simple and free means or channels for the interested party. Another example is the regulation of the information that must be made available to the interested party via the web, such as the legal notice, the cookie policy or the terms of web use. However, the new E-Privacy Regulation will modify, and is modifying in certain aspects, the regulations, and that is why we recommend that our clients in the sector request such consent in order to prepare a database for future clients. In addition to other issues of great importance at the web level, the regulation relating to cookies will be modified as a result of the approval of the LOPDGDD. In this regard, we must make it clear to operators in the tourism sector that all those who process personal data and all those who carry out an economic activity through a website, that is, practically everyone, must have continuous advice on these matters, not only because of possible sanctions, but because of the importance that the processing of personal data both nationally and at European level.

Rosario Saldarriaga (T&L Attorney)