Spanish Privacy Office Plans Active Multinationals Enforcement

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Brett Allan King

• Spain’s privacy office will continue investigations of Facebook and other multinationals

• New EU privacy regime poses compliance oversight challenges for the office

Spain’s privacy office will proceed in 2017 with investigations involving Facebook Inc., VTech Holdings Ltd., and Niantic, Inc.'s PokemonGo, the director of the office said.

The Spanish Data Protection Agency (AEPD) is investigating several multinationals over privacy policy or data breach issues, AEPD Director Mar Espana Marti told Parliament in a June 29 address coinciding with the release of the agency’s annual enforcement report for 2016.

Preparations for the May 25, 2018, effective date of the European Union’s new privacy regime, the General Data Protection Regulation (GDPR), will also be a primary focus for the office, Espana said.

The AEPD is participating in investigations in coordination with France, Belgium, and Germany over Facebook’s use of consumer data, Espana said. The office will also address a complaint over Facebook’s messaging service and the apparent inability of users to opt out of messaging that shows when they were last online.

The privacy office is working with other national privacy regulators to investigate the Hong Kong-based toy maker VTech concerning an alleged breach of the data of millions of customers and thousands of photos of parents and children.

The AEPD is investigating whether the privacy policies for the augmented reality game PokemonGo and related system services comply with Spanish regulations, Espana said. The investigation should be resolved soon, she said.

A Facebook spokesperson told Bloomberg BNA June 30 that the company is in confidential talks with the privacy office and can’t share any specifics at this time. VTech Holding Ltd. and Niantic didn’t immediately respond to Bloomberg BNA requests for comment.


EU Privacy Regime Challenges

Spain is working to amend its privacy laws to comport with the EU GDPR. Application of the GDPR in Spain will frame the AEPD’s agenda for years, Espana told Parliament.

However, legislative gridlock in Parliament may slow the adoption of changes, Efren Santos, a partner at ICEF Consultores in Madrid, told Bloomberg BNA.

The “unprecedented complexity” and “cross-border nature” of the GDPR may pose a “serious challenge” for her office, which for years has been seeking more resources, Marti said. Complaints filed with her office could rise significantly under the GDPR, she said.

The AEPD June 28 separately announced it would analyze personal data protection in the financial services sector to determine how companies are preparing for the GDPR. One-third of complaints received by her office involve that sector, Espana said.

Actions in the EU have already influenced the office’s work in data transfer authorization requests, the AEPD report said.

After the EU’s top court invalidated the U.S.-EU Safe Harbor data transfer program that allowed thousands of U.S. companies and tens of thousands of EU companies to more easily transfer data to the U.S., the AEPD saw a 475 percent rise in the number of data transfer requests, from 128 in 2015 to 737 in 2016, the office said in a statement.

By Brett Allan King

To contact the reporter on this story: Brett Allen King in Madrid at

To contact the editor responsible for this story: Donald Aplin at

Request Bloomberg Law: Privacy & Data Security