AEPD (Spain) - E/03783/2020: Difference between revisions
No edit summary |
No edit summary |
||
Line 50: | Line 50: | ||
}} | }} | ||
The Spanish DPA held that the monitoring of news and social networks by the Directorate for National Security and the Spanish police forces did not violate any data protection regulation. | The Spanish DPA held that the monitoring of news and social networks by the Directorate for National Security and the Spanish police forces did not violate any data protection regulation, since no personal data had been processed. | ||
==English Summary== | ==English Summary== |
Latest revision as of 09:37, 12 May 2021
AEPD (Spain) - E/03783/2020 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 2 GDPR Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data |
Type: | Investigation |
Outcome: | No Violation Found |
Started: | |
Decided: | |
Published: | 04.05.2021 |
Fine: | None |
Parties: | Dirección General de la Guardia Civil Ministerio del Interior Secretaría de Estado de Seguridad Secretaría de Estado de Seguridad del Ministerio del Interior |
National Case Number/Name: | E/03783/2020 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA held that the monitoring of news and social networks by the Directorate for National Security and the Spanish police forces did not violate any data protection regulation, since no personal data had been processed.
English Summary
Facts
The Directorate for National Security of the Ministry of Interior issued guidelines for the police forces to monitor news and social networks to spot fake news and misinformation, to prevent some actors from causing social stress, in light of the covid-19 pandemic.
This came to the Spanish DPA (AEPD) knowledge, that launched an investigation to verify that such behaviour complied with the personal data regulations.
Such guidelines were issued to prevent and minimize the effects of misinformation, with extreme vigilance and monitoring of networks and websites where false messages and information aimed at increasing social stress are disseminated, and, where appropriate, calling for the intervention measures provided for in the applicable legislation".
According to the guidelines, within the surveillance and monitoring of networks and web pages, intervention shall only be carried out in accordance with the aforementioned purposes and principles and always under the protection of the applicable legislation. Also, personal data will only be processed when there is sign of a criminal offence, in accordance with the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
If such activities were related to national security, then the processed would be carried out with basis on the national legislation regarding state secrets and classified matters.
In their response to the DPA, the Directorate for National Security also stated that they do not collect personal data, but only carry out a daily observation of news or public information from social networks, where the information collected relates to data of a public nature, shared by its authors through social networks and public media, consisting primarily of the content of the communication and the medium of dissemination.
For this, specialized officers from the Spanish Civil Guard ("Guardia Civil") browse the news and create anonymous users to monitor (read) social networks such as Twitter, Facebook, Instagram, Badoo and other websites.
Afterwards, reports with reference to cybercrime, cyberterrorism, hacktivism, cyberattacks, misinformation and news summaries are issued. If there is a sign of a criminal offence, evidence is gathered. Such reports are stored for 5 years.
Holding
The DPA concluded that there was no violation of the GDPR, that is not applicable in accordance with its Article 2, nor with the Directive (EU) 2016/680, as personal data were not processed, as the reports showed, and there was no evidence that there was any illegal additional processing. Therefore, the presumption of innocence principle applied.
Hence, the AEPD archived the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10 940-0419 procedure No.: E / 03783/2020 RESOLUTION OF ACTION FILE Of the actions carried out by the Spanish Agency for Data Protection and based on the following FACTS FIRST: On April 30, 2020, the Director of the Spanish Agency for Data Protection agrees to initiate the present investigation actions in relationship with the Order of the Ministry of the Interior *** ORDER.1, of *** DATE.1, which establishes in section Fourth point 8, 2nd paragraph that, on the part of the Bodies acting police officers and the competent centers of the Secretary of State for Safety, guidelines will be issued to prevent and minimize the effects of disinformation, extreme surveillance and monitoring of networks and pages website in which false messages and information are disseminated aimed at increasing social stress, and urging, where appropriate, the intervention measures envisaged in the applicable legislation, and to the news appeared in various media on the preparation of a report dedicated to the identification, study and monitoring, in relation to the situation created by the COVID-19 of disinformation campaigns, as well as publications denying hoaxes and fake news likely to generate social stress and disaffection with government institutions, indicated in the Order of *** ORDER. 2 (ECHO-ALFA) Service of the General Directorate of the Civil Guard. SECOND: The Subdirectorate General for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts, having knowledge of the following points: On April 30, 2020, the Secretary of State for Security of the Ministry of the Interior (hereinafter SES) information in relation to the Order *** ORDER.1 of *** DATE.1 and with the Service Order *** ORDER.2 (ECHO-ALFA) of the General Directorate of the Civil Guard, specifically requesting information on what are the specific purposes of the processing of personal data carried out in the aforementioned actions by both the General Directorate of the Police and by the Civil Guard, the type of data collected in these treatments and period of conservation foreseen by said treatments, the number of affected of said treatments and which authorities have been considered as recipients of the data. On May 14, 2020, it has entered the Spanish Agency for the Protection of Data (hereinafter AEPD) a letter sent by the Data Protection Delegate of the Ministry of the Interior in which it states that after collecting the appropriate reports of the General Directorate of the Police and the General Directorate of the Civil Guard, convey the following considerations: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 2/10 “Regarding the obtaining of information in open sources of the so-called Cyberspace (networks and web pages) indicate that the Security Strategy Current national (hereinafter, ESN), approved by Royal Decree 1008/2017, of December 1, warns of "the use of cyberspace as a means for carrying out illegal activities, disinformation actions, propaganda or terrorist financing and organized crime activities, among others, impacts on National Security, amplifying complexity and uncertainty, and also puts citizens' own privacy at risk. " Among the general objectives pursued by the ESN is to deepen and adapt the comprehensive crisis management model within the framework of the National Security in order to provide effective and timely responses to the threats and challenges of the current panorama so that crisis management involves several phases in a temporal arc that ranges from early warning to the response where it is important to promote a preventive approach and anticipatory, for which permanent monitoring is particularly relevant security environment and its constant changes, intelligence systems and information, the development of risk analysis methodologies and instruments that contribute to protection against misinformation. Within the framework of crisis management caused by COVID-19 and following the provided in the ESN, that Department established by Order *** ORDER.1, of *** DATE.1, the action criteria for the Forces and Corps of Security in relation to Royal Decree 463/2020, of March 14, by which the state of alarm is declared for the management of the health crisis situation caused by COVID-19. In said Order, it is provided in section First.3, that the planned measures in the same they will be applied in accordance with the principles of proportionality and necessity, in order to protect the health and safety of citizens and contain the progression of the disease. The section under analysis specifically states that “on the part of the Corps acting police officers and the competent centers of the Secretary of State for Safety guidelines will be issued to prevent and minimize the effects of disinformation, extreme surveillance and monitoring of networks and pages website in which false messages and information aimed at increase social stress, and urging intervention measures where appropriate provided for in the applicable legislation ”. Within the surveillance and monitoring of networks and web pages, It will only intervene in accordance with the aforementioned purposes and principles and always under the applicable legislation. In the event that in the course of the analysis of the "open" area of said sources, rational indications of the commission of a criminal offense were observed, will act under the corresponding judicial authorization for the processing of data from personal character, which in this case would be protected by the provisions of the Directive (EU) 2016/680, of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data by the competent authorities for purposes of prevention, investigation, detection or prosecution of infractions penalties or the execution of criminal sanctions, and the free movement of said data and repealing the Council Framework Decision 2008/977 / JHA. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 3/10 In the event that these activities refer to the investigation of threats against National Security, would not fall within the scope of application of the RGPD or the aforementioned Directive, but would be dealt with under the regulations regarding official secrets and classified matters. In this sense, specifically in the aforementioned area of the Civil Guard, the Complementary Order No. 2 of the Service Order *** ORDER.2 (ECHO- ALFA), cited in the requirement of the AEPD, collects in a generic way what is provided in the aforementioned Order *** ORDER.1, of *** DATE.1, specifically provides that it be increased (not implemented since it is a mission derived from article 11 of Organic Law 2/1986, of March 13, Security Forces and Bodies) the surveillance of social networks for the detection of disinformation activities. By virtue of the foregoing, by the Security Forces and Bodies of the Status, an active monitoring of cyberspace is carried out, in order to meet intelligence needs in the field of their functions related to the fight against terrorism and other serious forms of organized crime in this area, carry out an early detection of cyber threats that may affect ICT Information Systems (Information and Communication Technologies) of organizations cataloged as critical infrastructures, and those dependent on main State agencies involved in the management and treatment of the health crisis motivated by COVID-19, and disinformation activities. In these activities, a priori, no data processing is carried out personal, limiting itself to the daily observation of news or public information from social networks, in which the information collected is refers to public data, shared by their authors through consistent social media and public media fundamentally in the content of the communication and the means of diffusion. In the case of detecting any criminal offense, the corresponding proceedings and the proceedings are made available to the judicial authority competent." In response to the specific questions raised in the request for information the following answers are given: In relation to the specific purposes of the processing of personal data carried out in the aforementioned actions by both the General Directorate of the Police as by the Civil Guard it is stated that: “No specific personal treatment has been carried out by virtue of the provided in paragraph 2 of section 4.8 of the Order *** ORDER.1, of *** DATE. 1. In the event that the supervision of open sources in the Cyberspace, if any criminal offense is detected, the corresponding treatment in accordance with what the laws determine criminal proceedings and applicable data protection. In the event that any threat against National Security is detected, it is acted in accordance with what determines the regulations on official secrets and classified matters; as well as the rest that is applicable to the course. " In relation to the type of data collected in these treatments and period of conservation provided for by said treatments, state that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 4/10 "No personal data has been collected in relation to the aforementioned Cyberspace monitoring activity. In the event that in said activities would have detected a criminal offense or a threat against the National Security the treatment of identifiers and / or personal data is would be carried out in accordance with the criminal procedural regulations, the applicable data protection, regulations on classified matters and any other that may be applicable. " In relation to the number of people affected by these treatments, it is stated that “No people have been identified in relation to the aforementioned activity of Cyberspace supervision. In the event that in said activities there were detected an illicit criminal offense or a threat against National Security the Obtaining or processing identifiers that allow to "identify" the interested parties would be carried out in accordance with the criminal procedure regulations, the applicable data protection regulations, regulations on matters classified and any other that may be applicable. " In relation to which authorities have been considered as recipients of the data, notes that "No personal data derived from the activity object has been transferred of the requirement. In the event that such activities had detected an illegal criminal offense or a threat against National Security the data collected in accordance with the appropriate regulations (in a treatment specific and different) will be sent to the competent Judicial Authority or to the competent bodies of the Ministry of the Interior to receive information classified. " THIRD: On June 17, 2020, the GENERAL MANAGEMENT is required DE LA GUARDIA CIVIL (hereinafter DGGC) copy of the Service Order *** ORDER 2 (ECHO-ALFA), of complementary orders 1 and 2, of the instructions given to the Cybersecurity Coordination Unit, Information about the period of validity of these orders and instructions, the purposes specific information on the processing of personal data carried out by the Civil Guard in the framework of the Service Order *** ORDER. 2 (ECHO-ALFA) and complementary as related to publications likely to generate disaffection with institutions of the government, the recipients of this data and the legal basis that protects the treatments. On July 2, 2020, a letter sent by the Lieutenant Colonel Delegate for Data Protection of the Civil Guard who states the next: “On May 4, 2020, we were requested by the Secretary of State Ministry of the Interior, information regarding this matter for the purpose to answer that AEPD. For which we prepare a report on the matter that is attached to this letter, understanding that this response contains the information that it is requested again. " The report provided includes the considerations transferred on May 14, 2020 to the AEPD by the Data Protection Delegate of the Ministry of the Interior. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 5/10 FOURTH: On October 6, 2020, an inspection visit was made at the headquarters of the General Directorate of the Civil Guard (DGGC), highlighting the following facts, collected in the Inspection Report: 1. Regarding the obtaining of information in open sources of the so-called Cyberspace (social networks and web pages) the representatives of the DGGC indicate that the current National Security Strategy (hereinafter, ESN), approved by Royal Decree 1008/2017, of December 1, warns of "the use of cyberspace as a means to carry out activities illicit actions, disinformation, propaganda or terrorist financing and Organized crime activities, among others, impact Security National, amplifying complexity and uncertainty, and also puts in risk the own privacy of citizens. " 2. Within the framework of crisis management caused by COVID-19 and following the established in the ESN, the Ministry of the Interior established by Order *** ORDER.1, of *** DATE.1, the action criteria for the Forces and Security Bodies in relation to Royal Decree 463/2020, of 14 March, declaring the state of alarm for the management of the situation of health crisis caused by COVID-19. 3. In the area of the Civil Guard, Complementary Order No. 2 of the Order of Service *** ORDER.2 (ECHO-ALFA), collects in a generic way the provisions of the aforementioned Order *** ORDER.1, of *** DATE.1, specifically provides that be increased (not implemented since it is a derived legal mission of Article 11 of Organic Law 2/1986, of March 13, on Forces and Security Bodies) the surveillance of social networks for the detection of misinformation activities. Specifically, point 2.2 (tasks) establishes in its section g): “Increase the surveillance of social networks to the detection of disinformation activities, both internal and external, as well as for the prevention and investigation of activities related to cybercrime. " Both the *** ORDER.1 and the Order of Service *** ORDER.2 (ECHO-ALFA) and its complements were in force during the time the decreed alarm state was in force by the Government through Royal Decree 463/2020 4. Printed copies of the Order were collected by the data inspection Service *** ORDER. 2 (ECHO-ALFA) and Complementary Order number 2 of this. 4.2. On the part of the CG, they state that the surveillance of the RRSS is carried out by creating anonymous users created for this purpose and making a visualization of the publications made by the users of these networks, in the jobs of the agents in charge of carrying out This function. This surveillance is carried out among other social networks, on Twitter, Facebook, Instagram, Badoo and also web pages. 5. The product of these actions is the preparation of a daily report by part of the Coordination Unit that is sent to the Deputy Directorate Operational. The total number of reports made is 53, one was made daily between March 20 and May 11, 2020. 6. These reports are structured in 4 sections that collect the findings in the matters of cybercrime, cyberterrorism and hacktivism, cyberattacks, disinformation and news summary. In each of these sections, collects the publication made in the corresponding social network, in some In some cases it includes a link to the publication and in others a screenshot of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 6/10 publication with the identification information with which the user is presents on the net. The reports contain only information published in networks, not increasing the information from other sources or files. They state that when an alleged crime is detected, evidence is captured in the same way that they are collected in any other police investigation, according to the chain of custody of evidence. In these cases the The investigation is prosecuted, the police forces making a report without expand the information (including only what is openly published in networks). Later the judge can make an order to extend information, in particular, to find out who is the promoter or the one who incites the investigated behaviors. Those findings that could be constituting a crime are prosecuted becoming part of the treatments collected in the activity called INTPOL in the Registry of Treatment Activities. In relation to the reports that have not been the subject of legal proceedings, are kept in the administrative files of the target Units and conserved during the period of five years established for the passive correspondence. The inspectors obtained copies of 3 reports dated March 19, 20 and 28 2020, in which it is verified that the structure and content correspond with the previously described. FOUNDATIONS OF LAW I In accordance with the investigative and corrective powers that article 58 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and according to the provisions of article 47 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), is competent to resolve these investigative actions by the Director of the Spanish Agency for Data Protection. II Article 2 of the RGPD when determining its scope of application provides that "1. This Regulation applies to the total or partial treatment automated personal data, as well as non-automated data processing personal content or intended to be included in a file. 2. This Regulation does not apply to the processing of personal data: a) in the exercise of an activity not included in the scope of application of the Law of the Union; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 7/10 b) by Member States when carrying out activities included in the scope of application of chapter 2 of title V of the TEU; c) carried out by a natural person in the exercise of activities exclusively personal or domestic; d) by the competent authorities for prevention purposes, investigation, detection or prosecution of criminal offenses, or the execution of criminal sanctions, including protection against threats to public safety and its prevention. " Article 1 of Directive (EU) 2016/680 of the European Parliament and of the Council of April 27, 2016 regarding the protection of natural persons in the regarding the processing of personal data by the authorities competent for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, and the free movement of said data and repealing Council Framework Decision 2008/977 / JHA, establishes in its article 1 under the title Object and objectives that “1. This Directive establishes the rules relating to the protection of natural persons in what Regarding the processing of personal data by the authorities competent, for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection and prevention against threats to public security. (…) " Article 2 of the same provides regarding its scope of application that “1. This Directive applies to the processing of personal data by companies competent authorities for the purposes established in article 1, paragraph 1. " However, the aforementioned Directive at the time of the occurrence of the events that are the object of the investigation, the provisions of the fourth transitory provision of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights, according to which: "Treatments subject to Directive (EU) 2016/680 of the Parliament Council and Council, of April 27, 2016, on the protection of individuals with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, and the free circulation of such data and repealing the Framework Decision 2008/977 / JAI of the Council, will continue to be governed by Organic Law 15/1999, of 13 December, and in particular Article 22, and its development provisions, as long as the rule that transposes the provisions of the aforementioned into Spanish law does not come into force directive." In this regard, it should be noted that articles 1 and 2 of the Organic Law 15/1999 extend their protection to the rights of citizens with regard to to the processing of your personal data, these being defined in the article 3.a) of said Law as “any information concerning natural persons identified or identifiable. “Article 5.1.f of the Regulations for the development of said C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 8/10 Law, approved by Royal Decree 1720/2007, of December 21, specifies said definition indicating that they constitute personal data "Any numerical, alphabetical, graphic, photographic, acoustic or any other information concerning identified or identifiable natural persons. " From the actions mentioned in the factual antecedents, it appears that within the framework of the National Security Strategy and the competencies attributed by article 11 of the Law of State Security Forces and Bodies, as well as Royal Decree 463/2002 of March 14, which declares the state alarm for the management of the health crisis situation caused by COVID- 19, a visualization of open publications made by the social media users. This activity is carried out among other social networks, in Twitter, Facebook, Instagram, Badoo and also web pages, circumscribed to cybercrime, cyberterrorism, hacktivism, cyberattacks and disinformation. The product of these actions is the preparation of a daily report by part of the Coordination Unit that is referred to the Deputy Operational Directorate, having carried out a total of 53 reports, one daily, between March 20 and on May 11, 2020. The delegate of Data Protection of the Ministry of the Interior, states that In these activities, a priori, no data processing is carried out personal, limiting itself to the daily observation of news or information public social networks, in which the information collected refers to data from public nature, shared by their authors through social networks and media communication audiences, consisting mainly of the content of the communication and the means of dissemination. As stated in the on-site inspection carried out, “these reports are structured in 4 sections that collect the findings in the subjects of cybercrime, cyberterrorism and hacktivism, cyberattacks, disinformation and news summary. In each of these sections the publication is included made in the corresponding social network, in some cases it includes a link to the publication and in others a capture of the publication with the information of the Identification with which the user is presented on the network. The reports contain only information published on networks in the aforementioned subjects, not increasing the information from other sources or files. " The AEPD inspectors collected copies of 3 reports dated 19, 20 and March 28, 2020, in which it is verified that the structure and content are corresponds to the above, without the documents provided contain personal data. Therefore, the processing of data from personal character. It must be taken into account that, to Administrative Law Sanctioner, due to his specialty, are applicable to him, with some qualification but without exceptions, the inspiring principles of the criminal order, being clear the full virtuality of the principle of presumption of innocence. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 9/10 In this sense, the Constitutional Court, in Sentence 76/1990 considers that the right to the presumption of innocence implies “that the sanction is based on acts or means of proof of charge or incriminating the reproached conduct; what The burden of proof rests with the accuser, without anyone being obliged to prove his own innocence; and that any shortcomings in the test result practiced, freely valued by the sanctioning body, should be translated into a acquittal ”. This principle is expressly stated for sanctioning administrative procedures in article 53.2.b) of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations, which recognizes the interested party the right “To the presumption of non-existence of administrative responsibility until proven otherwise " In short, the application of the principle of presumption of innocence prevents impute an administrative infraction when no evidence has been obtained or evidence from which the existence of an infringement is derived. Therefore, in accordance with what was stated, by the director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: PROCEED TO THE FILING of these actions. SECOND: NOTIFY this resolution to the Secretary of State for Security of the Ministry of the Interior. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure according to prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure Common Administrative of Public Administrations, and in accordance with the established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following notification of this act, as provided in article 46.1 of the referred Law. Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es 10/10 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es