Spain. Privacy, Data Protection and Cybersecurity
Cybersecurity and data protection are becoming essential values for society and, consequently, both areas have undergone significant legal development in recent years. In particular, a new law on cybersecurity and a new national data protection law were passed in the second half of 2018. Both laws are based on and mirror the corresponding EU Security of Network and Information Systems Directive (the NIS Directive, which has recently been replaced and updated by the passing of the NIS 2 Directive in December 2022, yet to be transposed in Spain) and the General Data Protection Regulation (GDPR). Nevertheless, data protection and privacy rules are more consolidated in the EU and Spain than cybersecurity regulations, which are currently being developed and pending of approval (such as the Cyber Resilience Act or the Cyber Solidarity Act).
Data protection and privacy are distinct rights under Spanish law, but both are deemed fundamental rights derived from the respect for the dignity of human beings. They are primarily based on the free choice of individuals to decide whether to share with others (public authorities included) information that relates to them (personal data) or that belongs to their private and family life, home and communications (privacy). Both fundamental rights are recognised in the Lisbon Treaty (the Charter of Fundamental Rights of the European Union) and the Spanish Constitution of 1978. Data protection rules address, inter alia, security principles and concrete measures that are helpful to address some cybersecurity issues; in particular, because specific cybersecurity legislation (which not only covers personal data and private information but rather any information) is not sufficiently developed yet.