Regulatory changes in the field of Data Protection and E-Commerce continue

Article

Regulatory changes in the field of Data Protection and E-Commerce continue

The economic and social integration resulting from the functioning of the internal market has led to a substantial increase in cross-border flows of personal data. This translates into an increase in the exchange of personal data between different operators, especially between companies involved in the tourism sector. In order to ensure a uniform and high level of data protection and to remove obstacles to the flow of personal data within the EU, the Commission published, among others, Directive 95/46/EC on the protection of personal data and Directive 2000/31/EC on electronic commerce. These Directives were transposed into national legislation, giving rise to the development and publication of the following:

  • Organic Law 15/1999, of December 13, 1999, on the Protection of Personal Data (LOPD).
  • The Regulation of development of the LOPD approved by Royal Decree 1720/2007, of December 21.
  • Law 34/2002, of July 11, 2002 on Information Society Services and Electronic Commerce (LSSI).

After 17 years of application of the LOPD, the EU has understood that the effective protection of personal data in the Union required, on the one hand, that the rights of data subjects and the obligations of those who process and determine the processing of personal data be strengthened and specified, and on the other hand, that the member states recognize equivalent powers to supervise and guarantee compliance with data protection regulations.The same applies to the LSSI as to the former LOPD, since everything related to electronic commerce has also undergone significant progress in recent years. In this way, and as a consequence of all of the above, the EU published Regulation (EU) 2016/679, of April 27, 2016, on the protection of data of natural persons with regard to the processing of personal data and the free movement of such data (GDPR), thus repealing Directive 95/46/EC.Since the entry into force of the GDPR and the subsequent publication and entry into force of the new Organic Law 3/2018 on Data Protection and Digital Rights Guarantees (LOPDGDD), European bodies have considered it necessary to amend the LSSI, given the important interrelation between both regulations. Thus, we have the LSSI of 2002 being applied together with the new LOPDGDD, but as previously established, Europe does foresee a change for the regulation of European electronic commerce with the so-called E-Privacy Regulation, whose changes will force the modification of the current LSSI or, most likely, will lead to the approval of a new regulation. In this regard, it should be noted that the European Data Protection Board (ECDC) has just published Opinion 5/2019 on the Interplaybetween the E-Privacy Regulation and the GDPR, in particularregarding the competence, tasks and powers of data protection authorities("Opinion 5/2019 on the interplay between the ePrivacy Directive and the GDPR, in particular regarding the competence, tasks and powers of data protection authorities").In this regard, the E-Privacy Regulation will mean the repeal of the European Directive 2000/31/EC. In the meantime, the LSSI will continue to apply until the Spanish legislator promulgates a new e-commerce regulation that definitively repeals Law 34/20002.With regard to the application of the regulation, one of the examples of the relationship between the LOPDGDD and the LSSI is the regulation of the sending of commercial communications to former customers by electronic means (e.g. an e-mail). The current LOPDGDD and RGPD require the unequivocal consent of the interested party to send such commercial communications, while the LSSI gives importance, not so much to the consent, but to the possibility of revoking it by means of simple and free means or channels for the interested party. Another example is the regulation of the information that must be made available to the interested party via the web, such as the legal notice, the cookies policy or the conditions of use of the website. However, the new E-Privacy Regulation will modify, and is modifying in certain aspects, the regulations, and it is for this reason that we recommend our clients in the sector to request this consent in order to prepare a database orienting it to future clients. In addition to other issues of great importance at the web level, the regulation on cookies will be modified as a result of the approval of the LOPDGDD. In this sense, we must make it clear to operators in the tourism sector that all those who process personal data and all those who carry out an economic activity through a web, that is, practically all, must have continuous advice on these matters, not only because of possible sanctions, but because of the importance that the processing of personal data is acquiring both nationally and at the European level.

Rosario Saldarriaga (Lawyer T&L)