Law Library Stacks

Back to Online Privacy Law

*This report updates a report from 2012

The most significant development regarding online privacy in Spain since 2012 has been the decision rendered by the European Court of Justice in Google Spain, which basically ruled that Google had an obligation to remove links to pages displayed by third parties.  Regarding data retention, the prior law was amended to require that the transfer of data to qualified authorities may only be done through electronic means and limited to the information that is essential for the detection, investigation, and prosecution of serious crimes.  The Penal Code was also amended to include new cybercrimes and amend some of the provisions already in force related to online privacy, such as computer intrusion and sexting.

The most significant development related to the right of privacy in Spain since 2012 has been the European Court of Justice (ECJ) decision rendered in the Google Spain case on May 13, 2014.[1]  In that case the ECJ determined that search engines are engaged in the processing of data because they navigate the internet in an automatic, continuous, and systematic manner searching for information.[2]  The decision further established that since Google, a US-based company, had a Spanish subsidiary, it was subject to EU law because it operated as an establishment in Spain and carried out its commercial transactions there through advertising space accessible in its search engine.[3]

Based on EU legislation and specifically EU Directive 95/46 on Data Protection,[4] the ECJ ruled that Google had an obligation to remove links to pages displayed by third parties, in this case La Vanguardia newspaper, when they became inadequate, irrelevant, or excessive in relation to the purposes for which they were collected by the mere fact of the passage of time, even if the content published by the third parties was lawful.[5]

The ECJ also recognized the right of individuals to request that search engines remove links to personal data.  It concluded that there was not a preponderant public interest in access to the links offered by the search engine related to auction notices for a debt that was settled sixteen years before that outweighed the plaintiff’s privacy interests.  Therefore, the court granted the plaintiff the right to demand that the search engine erase all search-result links to his name and the 1998 auction legal notices.[6]  However, the decision also established that the right to be forgotten is not without limitations.[7]  Determining the proper balance between the privacy rights of an individual affected and the legitimate interest of a search engine may depend on the type of information involved, such as the sensitivity of the information for the privacy of the individual in question, the public interest in access to the information, and the status of the individual in the public sphere, the ECJ said.[8]

Since the Google v. Spain decision, anyone in Spain who wants to have search results related to personal data removed must make a direct claim to the search engine in question, which must then decide on a case-by-case basis whether there are justified grounds for the request.[9]  Requests are deemed justified if the individual’s right of privacy takes precedence over the public’s interest in accessing such information.[10]  If the petition is denied, the petitioner may seek redress through the courts.[11]  As a consequence of the decision, search engines such as Google, Yahoo, and others now offer users a special form to request the removal of links according to data protection standards.[12]

Regarding data retention, Law 25/2007[13] was amended by Law 9/2014,[14] which now requires that the transfer of data to qualified authorities be done only through electronic means and be limited to the information that is essential for the detection, investigation, and prosecution of serious crimes.[15]

In addition, the Penal Code was amended by Law 1/2015[16] to include new cybercrimes and amend some of the provisions already in force related to online privacy.  Computer intrusion, or accessing or facilitating access to an information system by circumventing security measures and without proper authorization, is now punishable with a term of imprisonment ranging from three months to two years and a fine.[17]  The same punishment applies to the interception of non-public transmissions of computer data, which is a new crime.[18]  Those who manufacture, acquire, import, or provide others, without authorization, the tools or instruments to carry out the crimes of computer intrusion and computer data interception, such as a computer program adapted to perpetrate a crime or a computer password or access key allowing access to a computer system, are subject to imprisonment for six months to two years and a fine.[19]

The abovementioned crimes now carry an enhanced penalty of a fine ranging from €5,400 to €1,800,000 (about US$6,350 to $2,117,000) when they are perpetrated by a criminal organization[20] or when criminal responsibility falls on a company or legal entity.[21]

The collection of personal data in violation of someone’s privacy now carries an enhanced penalty of imprisonment of three to five years when it is carried out by those in charge of or responsible for electronic files, archives, or registries,[22] and through the unauthorized use of personal information of the victim.[23]  If the personal information is disseminated, transferred, or revealed to third persons, the perpetrator will be subject to the upper half of the sanction.[24]  If the personal information involved in the crime reveals the ideology, religion, beliefs, health, racial origin, or sexuality of the victim, or if the victim is a minor or disabled person, the perpetrator will be subject to the upper half of the sanction.[25]  The same increased sanction will apply if the crime is perpetrated for profit.[26]

“Sexting” is now a crime punishable with imprisonment for three months to one year and a fine.[27]  It is defined as the unauthorized transfer or exposure to third persons of images or audiovisual recordings of the victim, even when they were taken with his or her consent in a residence or a private setting.[28]  Sexting will be considered an aggravated crime if it is carried out by a spouse or a person that is or was in an affectionate relationship in the past with the victim even if they did not live together, if the victim is a minor or disabled, or if the crime was carried out for profit.[29]  In such cases, the perpetrator will be subject to the upper half of the sanction.[30]

The Agencia Espanola de Protección de Datos (AEPD) (Spanish Agency for Data Protection) has recently imposed economic sanctions of €1.2 million (about US$1.4 million) on Facebook for violations of the Ley Organica de Protección de Datos de Carácter Personal.[31]  According to the decision, the data protection agency of Spain concluded that Facebook collects the personal data of Facebook users without the informed, specific, and unequivocal consent of those users, as required by Spanish law, for economic gain.[32]  The agency further concluded that Facebook shares the users’ personal information with advertisers and marketers without informing users.  During the investigation, the AEPD found that the social networking company collects sensitive data referring to users’ ideology, sex, religious beliefs, personal preferences, and navigation habits without clearly informing them about how that information will be used and for what purpose.[33]

The AEPD has published on its website an updated guide on the data protection rights of citizens, which compiles all the rights and procedures for their enforcement, in furtherance of the policies established in the AEPD Strategic Plan 2015–2019 on Data Protection.[34]

Back to Top

Prepared by Graciela Rodriguez-Ferrand
Senior Foreign Law Specialist
December 2017

[1] Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González, ECLI:EU:C:2014:317, TXT&ancre, archived at

[2] Juan Pablo Aparicio Vaquero & Alfredo Batuecas Caletrio, En Torno a la Privacidad y la Protección de Datos en la Sociedad de la Información 81 (Granada, 2015).

[3] Id.

[4] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (1995 Data Protection Directive), 1995 O.J. (L 281) 31, 31995L0046, archived at

[5] Aparicio Vaquero & Batuecas Caletrio, supra note 2, at 82.

[6] Id. at 83.

[7] Id.

[8] Id. at 85–86.

[9] Id. at 90.

[10] Id.

[11] Id.

[12] Id.

[13] Ley 25/2007 de Conservación de Datos Relativos a las Comunicaciones Electrónicas y a las Redes Públicas de Comunicaciones, Boletín Oficial del Estado [B.O.E.], Oct. 19, 2007, id=BOE-A-2007-18243&b=9&tn=1&p=20140510, archived at

[14] Ley 9/2014 de Telecomunicaciones, B.O.E., May 10, 2014,, archived at

[15] Id. art. 22.2.

[16] Ley Orgánica 1/2015 por la que se Modifica la Ley Orgánica 10/1995, de 23 de Noviembre, del Código Penal, B.O.E., Mar. 31, 2015,, archived at

[17] Id. art. 197 bis, para. 1.

[18] Id. art. 197 bis, para 2.

[19] Id. art. 197 Ter.

[20] Id. art. 197 Quarter.

[21] Id. arts. 50.4 & 197 Quinquies.

[22] Id. art. 197. 4.a.

[23] Id. art. 197.4.b.

[24] Id. art. 197.4.b, para. 2.

[25] Id. art. 197.5.

[26] Id. art. 197.6.

[27] Id. art. 197.7, para. 1.

[28] Id.

[29] Id. art. 197.7, para. 2.

[30] Id.

[32] Press Release, AEPD, La AEPD Sanciona a Facebook por Vulnerar la Normativa de Protección de Datos (Sept. 11, 2017), 2017_09_11-iden-idphp.php, archived at

[33] Id.

Back to Top

Last Updated: 04/05/2018