AEPD (Spain) - E/03783/2020
From GDPRhub
| AEPD (Spain) - E/03783/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 2 GDPR Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data |
| Type: | Investigation |
| Outcome: | No Violation Found |
| Started: | |
| Decided: | |
| Published: | 04.05.2021 |
| Fine: | None |
| Parties: | Dirección General de la Guardia Civil Ministerio del Interior Secretaría de Estado de Seguridad Secretaría de Estado de Seguridad del Ministerio del Interior |
| National Case Number/Name: | E/03783/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA held that the monitoring of news and social networks by the Directorate for National Security and the Spanish police forces did not violate any data protection regulation, since no personal data had been processed.
English Summary
Facts
The Directorate for National Security of the Ministry of Interior issued guidelines for the police forces to monitor news and social networks to spot fake news and misinformation, to prevent some actors from causing social stress, in light of the covid-19 pandemic.
This came to the Spanish DPA (AEPD) knowledge, that launched an investigation to verify that such behaviour complied with the personal data regulations.
Such guidelines were issued to prevent and minimize the effects of misinformation, with extreme vigilance and monitoring of networks and websites where false messages and information aimed at increasing social stress are disseminated, and, where appropriate, calling for the intervention measures provided for in the applicable legislation".
According to the guidelines, within the surveillance and monitoring of networks and web pages, intervention shall only be carried out in accordance with the aforementioned purposes and principles and always under the protection of the applicable legislation. Also, personal data will only be processed when there is sign of a criminal offence, in accordance with the Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.
If such activities were related to national security, then the processed would be carried out with basis on the national legislation regarding state secrets and classified matters.
In their response to the DPA, the Directorate for National Security also stated that they do not collect personal data, but only carry out a daily observation of news or public information from social networks, where the information collected relates to data of a public nature, shared by its authors through social networks and public media, consisting primarily of the content of the communication and the medium of dissemination.
For this, specialized officers from the Spanish Civil Guard ("Guardia Civil") browse the news and create anonymous users to monitor (read) social networks such as Twitter, Facebook, Instagram, Badoo and other websites.
Afterwards, reports with reference to cybercrime, cyberterrorism, hacktivism, cyberattacks, misinformation and news summaries are issued. If there is a sign of a criminal offence, evidence is gathered. Such reports are stored for 5 years.
Holding
The DPA concluded that there was no violation of the GDPR, that is not applicable in accordance with its Article 2, nor with the Directive (EU) 2016/680, as personal data were not processed, as the reports showed, and there was no evidence that there was any illegal additional processing. Therefore, the presumption of innocence principle applied.
Hence, the AEPD archived the case.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/10
940-0419 procedure No.: E / 03783/2020
RESOLUTION OF ACTION FILE
Of the actions carried out by the Spanish Agency for Data Protection and
based on the following
FACTS
FIRST: On April 30, 2020, the Director of the Spanish Agency for
Data Protection agrees to initiate the present investigation actions in
relationship with the Order of the Ministry of the Interior *** ORDER.1, of *** DATE.1, which
establishes in section Fourth point 8, 2nd paragraph that, on the part of the Bodies
acting police officers and the competent centers of the Secretary of State for
Safety, guidelines will be issued to prevent and minimize the effects of
disinformation, extreme surveillance and monitoring of networks and pages
website in which false messages and information are disseminated aimed at increasing
social stress, and urging, where appropriate, the intervention measures envisaged in the
applicable legislation, and to the news appeared in various media
on the preparation of a report dedicated to the identification, study and monitoring,
in relation to the situation created by the COVID-19 of disinformation campaigns,
as well as publications denying hoaxes and fake news likely to generate
social stress and disaffection with government institutions, indicated in the Order of
*** ORDER. 2 (ECHO-ALFA) Service of the General Directorate of the Civil Guard.
SECOND: The Subdirectorate General for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts,
having knowledge of the following points:
On April 30, 2020, the Secretary of State for Security of the
Ministry of the Interior (hereinafter SES) information in relation to the Order
*** ORDER.1 of *** DATE.1 and with the Service Order *** ORDER.2 (ECHO-ALFA) of
the General Directorate of the Civil Guard, specifically requesting information on
what are the specific purposes of the processing of personal data
carried out in the aforementioned actions by both the General Directorate of the Police and
by the Civil Guard, the type of data collected in these treatments and period of
conservation foreseen by said treatments, the number of affected of said
treatments and which authorities have been considered as recipients of the data.
On May 14, 2020, it has entered the Spanish Agency for the Protection of
Data (hereinafter AEPD) a letter sent by the Data Protection Delegate
of the Ministry of the Interior in which it states that after collecting the appropriate reports
of the General Directorate of the Police and the General Directorate of the Civil Guard,
convey the following considerations:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/10
“Regarding the obtaining of information in open sources of the so-called
Cyberspace (networks and web pages) indicate that the Security Strategy
Current national (hereinafter, ESN), approved by Royal Decree 1008/2017,
of December 1, warns of "the use of cyberspace as a means for
carrying out illegal activities, disinformation actions, propaganda or
terrorist financing and organized crime activities, among others, impacts on
National Security, amplifying complexity and uncertainty, and also
puts citizens' own privacy at risk. "
Among the general objectives pursued by the ESN is to deepen and
adapt the comprehensive crisis management model within the framework of the
National Security in order to provide effective and timely responses to
the threats and challenges of the current panorama so that crisis management
involves several phases in a temporal arc that ranges from early warning
to the response where it is important to promote a preventive approach and
anticipatory, for which permanent monitoring is particularly relevant
security environment and its constant changes, intelligence systems and
information, the development of risk analysis methodologies and instruments
that contribute to protection against misinformation.
Within the framework of crisis management caused by COVID-19 and following the
provided in the ESN, that Department established by Order *** ORDER.1,
of *** DATE.1, the action criteria for the Forces and Corps of
Security in relation to Royal Decree 463/2020, of March 14, by which
the state of alarm is declared for the management of the health crisis situation
caused by COVID-19.
In said Order, it is provided in section First.3, that the planned measures
in the same they will be applied in accordance with the principles of proportionality and
necessity, in order to protect the health and safety of citizens and
contain the progression of the disease.
The section under analysis specifically states that “on the part of the Corps
acting police officers and the competent centers of the Secretary of State for
Safety guidelines will be issued to prevent and minimize the effects of
disinformation, extreme surveillance and monitoring of networks and pages
website in which false messages and information aimed at
increase social stress, and urging intervention measures where appropriate
provided for in the applicable legislation ”.
Within the surveillance and monitoring of networks and web pages,
It will only intervene in accordance with the aforementioned purposes and principles and always
under the applicable legislation.
In the event that in the course of the analysis of the "open" area of said
sources, rational indications of the commission of a criminal offense were observed,
will act under the corresponding judicial authorization for the processing of data from
personal character, which in this case would be protected by the provisions of the
Directive (EU) 2016/680, of the European Parliament and of the Council, of April 27,
2016, regarding the protection of natural persons with regard to the
processing of personal data by the competent authorities for
purposes of prevention, investigation, detection or prosecution of infractions
penalties or the execution of criminal sanctions, and the free movement of said
data and repealing the Council Framework Decision 2008/977 / JHA.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/10
In the event that these activities refer to the investigation of threats
against National Security, would not fall within the scope of application of the
RGPD or the aforementioned Directive, but would be dealt with under the
regulations regarding official secrets and classified matters.
In this sense, specifically in the aforementioned area of the Civil Guard, the
Complementary Order No. 2 of the Service Order *** ORDER.2 (ECHO-
ALFA), cited in the requirement of the AEPD, collects in a generic way what is
provided in the aforementioned Order *** ORDER.1, of *** DATE.1, specifically
provides that it be increased (not implemented since it is a mission
derived from article 11 of Organic Law 2/1986, of March 13,
Security Forces and Bodies) the surveillance of social networks for the
detection of disinformation activities.
By virtue of the foregoing, by the Security Forces and Bodies of the
Status, an active monitoring of cyberspace is carried out, in order to
meet intelligence needs in the field of their functions
related to the fight against terrorism and other serious forms of
organized crime in this area, carry out an early detection of
cyber threats that may affect ICT Information Systems
(Information and Communication Technologies) of organizations
cataloged as critical infrastructures, and those dependent on
main State agencies involved in the management and treatment of the
health crisis motivated by COVID-19, and disinformation activities.
In these activities, a priori, no data processing is carried out
personal, limiting itself to the daily observation of news or
public information from social networks, in which the information collected is
refers to public data, shared by their authors through
consistent social media and public media
fundamentally in the content of the communication and the means of diffusion.
In the case of detecting any criminal offense, the corresponding
proceedings and the proceedings are made available to the judicial authority
competent."
In response to the specific questions raised in the request for
information the following answers are given:
In relation to the specific purposes of the processing of personal data
carried out in the aforementioned actions by both the General Directorate of the Police
as by the Civil Guard it is stated that:
“No specific personal treatment has been carried out by virtue of the
provided in paragraph 2 of section 4.8 of the Order *** ORDER.1, of
*** DATE. 1. In the event that the supervision of open sources in the
Cyberspace, if any criminal offense is detected, the
corresponding treatment in accordance with what the laws determine
criminal proceedings and applicable data protection. In the event that
any threat against National Security is detected, it is acted in accordance
with what determines the regulations on official secrets and classified matters;
as well as the rest that is applicable to the course. "
In relation to the type of data collected in these treatments and period of
conservation provided for by said treatments, state that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/10
"No personal data has been collected in relation to the aforementioned
Cyberspace monitoring activity. In the event that in said
activities would have detected a criminal offense or a threat against the
National Security the treatment of identifiers and / or personal data is
would be carried out in accordance with the criminal procedural regulations, the
applicable data protection, regulations on classified matters and
any other that may be applicable. "
In relation to the number of people affected by these treatments, it is stated that
“No people have been identified in relation to the aforementioned activity of
Cyberspace supervision. In the event that in said activities there were
detected an illicit criminal offense or a threat against National Security the
Obtaining or processing identifiers that allow to "identify" the
interested parties would be carried out in accordance with the criminal procedure regulations, the
applicable data protection regulations, regulations on matters
classified and any other that may be applicable. "
In relation to which authorities have been considered as recipients of the data,
notes that
"No personal data derived from the activity object has been transferred
of the requirement. In the event that such activities had
detected an illegal criminal offense or a threat against National Security the
data collected in accordance with the appropriate regulations (in a treatment
specific and different) will be sent to the competent Judicial Authority or to the
competent bodies of the Ministry of the Interior to receive information
classified. "
THIRD: On June 17, 2020, the GENERAL MANAGEMENT is required
DE LA GUARDIA CIVIL (hereinafter DGGC) copy of the Service Order
*** ORDER 2 (ECHO-ALFA), of complementary orders 1 and 2, of the
instructions given to the Cybersecurity Coordination Unit, Information
about the period of validity of these orders and instructions, the purposes
specific information on the processing of personal data carried out by the Civil Guard in the
framework of the Service Order *** ORDER. 2 (ECHO-ALFA) and complementary as
related to publications likely to generate disaffection with institutions of the
government, the recipients of this data and the legal basis that protects the treatments.
On July 2, 2020, a letter sent by the
Lieutenant Colonel Delegate for Data Protection of the Civil Guard who states
the next:
“On May 4, 2020, we were requested by the Secretary of State
Ministry of the Interior, information regarding this matter for the purpose
to answer that AEPD. For which we prepare a report on the matter that is
attached to this letter, understanding that this response contains the information that
it is requested again. "
The report provided includes the considerations transferred on May 14,
2020 to the AEPD by the Data Protection Delegate of the Ministry of the Interior.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/10
FOURTH: On October 6, 2020, an inspection visit was made at the
headquarters of the General Directorate of the Civil Guard (DGGC), highlighting
the following facts, collected in the Inspection Report:
1. Regarding the obtaining of information in open sources of the so-called
Cyberspace (social networks and web pages) the representatives of the DGGC
indicate that the current National Security Strategy (hereinafter, ESN),
approved by Royal Decree 1008/2017, of December 1, warns of "the
use of cyberspace as a means to carry out activities
illicit actions, disinformation, propaganda or terrorist financing and
Organized crime activities, among others, impact Security
National, amplifying complexity and uncertainty, and also puts in
risk the own privacy of citizens. "
2. Within the framework of crisis management caused by COVID-19 and following the
established in the ESN, the Ministry of the Interior established by Order
*** ORDER.1, of *** DATE.1, the action criteria for the Forces and
Security Bodies in relation to Royal Decree 463/2020, of 14
March, declaring the state of alarm for the management of the situation
of health crisis caused by COVID-19.
3. In the area of the Civil Guard, Complementary Order No. 2 of the Order of
Service *** ORDER.2 (ECHO-ALFA), collects in a generic way the provisions of
the aforementioned Order *** ORDER.1, of *** DATE.1, specifically provides that
be increased (not implemented since it is a derived legal mission
of Article 11 of Organic Law 2/1986, of March 13, on Forces and
Security Bodies) the surveillance of social networks for the detection of
misinformation activities. Specifically, point 2.2 (tasks)
establishes in its section g): “Increase the surveillance of social networks to
the detection of disinformation activities, both internal and
external, as well as for the prevention and investigation of activities
related to cybercrime. " Both the *** ORDER.1 and the Order of
Service *** ORDER.2 (ECHO-ALFA) and its complements were
in force during the time the decreed alarm state was in force
by the Government through Royal Decree 463/2020
4. Printed copies of the Order were collected by the data inspection
Service *** ORDER. 2 (ECHO-ALFA) and Complementary Order number
2 of this. 4.2. On the part of the CG, they state that the surveillance of the RRSS is
carried out by creating anonymous users created for this purpose and
making a visualization of the publications made by the users of
these networks, in the jobs of the agents in charge of carrying out
This function. This surveillance is carried out among other social networks, on Twitter,
Facebook, Instagram, Badoo and also web pages.
5. The product of these actions is the preparation of a daily report by
part of the Coordination Unit that is sent to the Deputy Directorate
Operational. The total number of reports made is 53, one was made
daily between March 20 and May 11, 2020.
6. These reports are structured in 4 sections that collect the findings in the
matters of cybercrime, cyberterrorism and hacktivism, cyberattacks,
disinformation and news summary. In each of these sections,
collects the publication made in the corresponding social network, in some
In some cases it includes a link to the publication and in others a screenshot of the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/10
publication with the identification information with which the user is
presents on the net. The reports contain only information published in
networks, not increasing the information from other sources or files.
They state that when an alleged crime is detected, evidence is captured
in the same way that they are collected in any other police investigation,
according to the chain of custody of evidence. In these cases the
The investigation is prosecuted, the police forces making a report without
expand the information (including only what is openly published in
networks). Later the judge can make an order to extend
information, in particular, to find out who is the promoter or the one who incites the
investigated behaviors. Those findings that could be
constituting a crime are prosecuted becoming part of the
treatments collected in the activity called INTPOL in the Registry of
Treatment Activities.
In relation to the reports that have not been the subject of legal proceedings,
are kept in the administrative files of the target Units
and conserved during the period of five years established for the
passive correspondence.
The inspectors obtained copies of 3 reports dated March 19, 20 and 28
2020, in which it is verified that the structure and content correspond
with the previously described.
FOUNDATIONS OF LAW
I
In accordance with the investigative and corrective powers that article 58 of the
Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter
RGPD) grants each control authority, and according to the provisions of article 47 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter LOPDGDD), is competent to
resolve these investigative actions by the Director of the Spanish Agency for
Data Protection.
II
Article 2 of the RGPD when determining its scope of application provides that
"1. This Regulation applies to the total or partial treatment
automated personal data, as well as non-automated data processing
personal content or intended to be included in a file.
2. This Regulation does not apply to the processing of personal data:
a) in the exercise of an activity not included in the scope of application
of the Law of the Union;
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/10
b) by Member States when carrying out activities
included in the scope of application of chapter 2 of title V of the TEU;
c) carried out by a natural person in the exercise of activities
exclusively personal or domestic;
d) by the competent authorities for prevention purposes,
investigation, detection or prosecution of criminal offenses, or the execution of
criminal sanctions, including protection against threats to public safety
and its prevention. "
Article 1 of Directive (EU) 2016/680 of the European Parliament and of the
Council of April 27, 2016 regarding the protection of natural persons in the
regarding the processing of personal data by the authorities
competent for the purposes of prevention, investigation, detection or prosecution of
criminal offenses or the execution of criminal sanctions, and the free movement of
said data and repealing Council Framework Decision 2008/977 / JHA,
establishes in its article 1 under the title Object and objectives that “1. This Directive
establishes the rules relating to the protection of natural persons in what
Regarding the processing of personal data by the authorities
competent, for the purposes of prevention, investigation, detection or prosecution of
criminal offenses or the execution of criminal sanctions, including protection and
prevention against threats to public security. (…) "
Article 2 of the same provides regarding its scope of application that “1.
This Directive applies to the processing of personal data by companies
competent authorities for the purposes established in article 1, paragraph 1. "
However, the aforementioned
Directive at the time of the occurrence of the events that are the object of the
investigation, the provisions of the fourth transitory provision of
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights, according to which:
"Treatments subject to Directive (EU) 2016/680 of the Parliament
Council and Council, of April 27, 2016, on the protection of individuals
with regard to the processing of personal data by the
competent authorities for the purposes of prevention, investigation, detection or
prosecution of criminal offenses or execution of criminal sanctions, and the
free circulation of such data and repealing the Framework Decision
2008/977 / JAI of the Council, will continue to be governed by Organic Law 15/1999, of 13
December, and in particular Article 22, and its development provisions, as long as
the rule that transposes the provisions of the aforementioned into Spanish law does not come into force
directive."
In this regard, it should be noted that articles 1 and 2 of the Organic Law
15/1999 extend their protection to the rights of citizens with regard to
to the processing of your personal data, these being defined in the article
3.a) of said Law as “any information concerning natural persons
identified or identifiable. “Article 5.1.f of the Regulations for the development of said
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/10
Law, approved by Royal Decree 1720/2007, of December 21, specifies said
definition indicating that they constitute personal data "Any
numerical, alphabetical, graphic, photographic, acoustic or any other information
concerning identified or identifiable natural persons. "
From the actions mentioned in the factual antecedents, it appears
that within the framework of the National Security Strategy and the competencies
attributed by article 11 of the Law of State Security Forces and Bodies,
as well as Royal Decree 463/2002 of March 14, which declares the state
alarm for the management of the health crisis situation caused by COVID-
19, a visualization of open publications made by the
social media users. This activity is carried out among other social networks, in
Twitter, Facebook, Instagram, Badoo and also web pages, circumscribed to
cybercrime, cyberterrorism, hacktivism, cyberattacks and
disinformation.
The product of these actions is the preparation of a daily report by
part of the Coordination Unit that is referred to the Deputy Operational Directorate,
having carried out a total of 53 reports, one daily, between March 20 and
on May 11, 2020.
The delegate of Data Protection of the Ministry of the Interior, states that
In these activities, a priori, no data processing is carried out
personal, limiting itself to the daily observation of news or information
public social networks, in which the information collected refers to data from
public nature, shared by their authors through social networks and media
communication audiences, consisting mainly of the content of the
communication and the means of dissemination.
As stated in the on-site inspection carried out, “these reports are
structured in 4 sections that collect the findings in the subjects of
cybercrime, cyberterrorism and hacktivism, cyberattacks, disinformation and
news summary. In each of these sections the publication is included
made in the corresponding social network, in some cases it includes a link to the
publication and in others a capture of the publication with the information of the
Identification with which the user is presented on the network. The reports contain
only information published on networks in the aforementioned subjects, not
increasing the information from other sources or files. "
The AEPD inspectors collected copies of 3 reports dated 19, 20 and
March 28, 2020, in which it is verified that the structure and content are
corresponds to the above, without the documents provided
contain personal data.
Therefore, the processing of data from
personal character. It must be taken into account that, to Administrative Law
Sanctioner, due to his specialty, are applicable to him, with some qualification but without
exceptions, the inspiring principles of the criminal order, being clear the full
virtuality of the principle of presumption of innocence.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/10
In this sense, the Constitutional Court, in Sentence 76/1990 considers that
the right to the presumption of innocence implies “that the sanction is based on
acts or means of proof of charge or incriminating the reproached conduct; what
The burden of proof rests with the accuser, without anyone being obliged to prove
his own innocence; and that any shortcomings in the test result
practiced, freely valued by the sanctioning body, should be translated into a
acquittal ”. This principle is expressly stated for
sanctioning administrative procedures in article 53.2.b) of the Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, which recognizes the interested party the right “To the presumption of
non-existence of administrative responsibility until proven otherwise "
In short, the application of the principle of presumption of innocence prevents
impute an administrative infraction when no evidence has been obtained or
evidence from which the existence of an infringement is derived.
Therefore, in accordance with what was stated, by the director of the Agency
Spanish Data Protection,
HE REMEMBERS:
FIRST: PROCEED TO THE FILING of these actions.
SECOND: NOTIFY this resolution to the Secretary of State for
Security of the Ministry of the Interior.
In accordance with the provisions of article 50 of the LOPDGDD, the
This Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure according to
prescribed by art. 114.1.c) of Law 39/2015, of October 1, on the Procedure
Common Administrative of Public Administrations, and in accordance with the
established in arts. 112 and 123 of the aforementioned Law 39/2015, of October 1, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Data Protection Agency within one month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/10
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
