The new Royal Decree Law 14/2019 of October 31, 2019, adopting urgent measures for reasons of public security in matters concerning digital government, public procurement and telecommunications, introduces important new provisions on data protection, blockchain technology and cybersecurity, among others.
Summarized below is a selection of the most prominent measures in the royal decree law, which was approved at the government’s council of ministers’ meeting on Thursday, October 31, published in the Official State Gazette on November 5, and has been in force since November 6, 2019.
1. Location of personal data and digital identification systems: Where citizens interact with the government electronically, the systems used to collect, store, process and manage personal data must be kept in the EU. If they also involve the special categories of data described in article 9 of the General Data Protection Regulation (GDPR), they must be located in Spain. An exception is allowed where there has been an adequacy decision by the European Commission for international data transfers.
This point may clash with the GDPR, which provides other mechanisms for international transfers, although this restriction appears to be linked to national security.
2. Blockchain technology: The use of blockchain-based identification systems is forbidden in citizen-government exchanges until technology of this type has been legislated. It has, however, been specified that in any central government legislation to be adopted on this subject the central government administration must act as an intermediate authority to safeguard public security. It is interesting to see how the first reference to blockchain and DLTs (Distributed Ledger Technologies) to appear in primary legislation is actually made to restrict their use (for the time being) for these aims.
3. Data protection: Data disclosure is allowed between all public authorities, and the intended recipients are forbidden from using those data for purposes other than those specified for the disclosure. Determining whether data are used for those other purposes is left to the decision of the central government administration, where it is the disclosing authority.
Nothing is mentioned about the information on the disclosures that the GDPR requires to be provided to the data subject, so that obligation must be met.
4. Public procurement: Obligations concerning the contents of contracts are specified, such as an express agreement for data protection to be governed by European and Spanish law. Where the contract implies a data disclosure by a public authority to the contractor, the purpose of that disclosure must be specified. Rules are set out on the contents of contract documents in public procurement procedures, which expressly mention intellectual property and data protection among the elements to be included.
The rules on “data disclosure” must be interpreted, in most cases, as the “processing of data by the contractor on behalf of the contracting authority” (the contractor being known as a data processor). For these purposes, a number of items that must appear in the data processor’s agreement have been added to those specified in article 28 of the GDPR.
5. Telecommunications: The General Telecommunications Law amendment enabling the government to take control of electronic communications services is a minor amendment. That law already allowed the government to take on management of electronic communications services and operation of networks for reasons of national security, and also allowed the government to take control of those services and networks following a report from the Spanish Markets and Competition Commission. The amendment only removes the need for this report in order to take control (no report was required for taking on management) where justifiable by reasons of national security.
Also, any public authorities installing or operating electronic communications networks under self-provision mechanisms are required to inform the ministry of economy and finance of any project of this type.
The government's power to close down infringing activities before opening a penalty procedure and without a prior hearing had already been authorized in the General Telecommunications Law, although now the new law has added a new scenario concerning the existence of an immediate and serious threat to public policy, public security or national security. All the other scenarios have been kept or their wording has been changed slightly.
6. Administration of cybersecurity: Royal Decree 12/2018, transposing the NIS Directive (on security of network and information systems), has been amended to fill a gap left by the original legislation: the assignment of technical coordination for cyber incidents affecting public authorities to the National Cryptology Center (CCN, attached to the Central Intelligence Center -CNI-).