
Data protection: adopting security measures as an obligation of means, not of results. Particularly the use of double opt-in methods to guarantee the identity of data subjects

Legal post | March 2022

José Luis Piñar

The 3rd Chamber of the Supreme Court’s ruling of February 15, 2022 (appeal no. 7359/2020) has shed some light on data protection security measures.

In short, the Spanish Data Protection Agency (AEPD, as per its Spanish acronym) imposed a fine of €40,001 on an official and exclusive distributor of a well-known telecommunications company for a serious infringement of Article 9.1 of Law 15/1999 on Data Protection (no longer in force, but applicable at the time), the provision governing security measures. The AEPD considered it proven that customers who purchased products in person at the distributor's shop could finance the purchase by filling in a form that required an e-mail address, because the copy of the financing contract and the general terms were sent to that address. For some reason, one of the company's employees entered a made-up e-mail address in several contracts, believing it to be non-existent. The address, however, belonged to a real person, who received 14 contracts from financing applicants in their inbox. Those contracts contained personal data such as names, addresses, telephone numbers, marital status, dependants, income, employment status, charges, bank account numbers, amounts financed, monthly instalments and the signature of the contracting party.

The AEPD argued that the sanctioned company was obliged to adopt effective technical and organisational measures to prevent unauthorised third-party access to personal data and had therefore failed to comply with that obligation, treating it, for the case at hand, as an obligation of results. The AEPD's decision was appealed before the National High Court, which held that the obligation to adopt security measures is 'an obligation of results that consists in enforcing the necessary measures to prevent data from being lost, misplaced or ending up in the hands of third parties, which is why any entity (or data processor) responsible for a file must guarantee that said measures are effectively implemented in practice'.

The sanctioned company appealed to the Supreme Court. The order admitting the appeal identified the issue of interest to the court as whether infringements of the Data Protection Law caused by failures of security measures committed by a company's employees should be assessed by their result and therefore attributed to the company the employee belonged to, regardless of the means and preventive measures the company had implemented.

The Supreme Court issued a judgment of great importance, which takes into account current legislation such as the GDPR and the Law on Data Protection of 2018, and made the following points:

Firstly, regarding the obligation to adopt the necessary measures to ensure personal data security, the court ruled that it cannot be considered an obligation of result, which would imply that 'if there is a leak of personal data to a third party, this would give rise to liability regardless of the measures adopted and the course of action taken by the data controller'. On the contrary, the court held that it is an obligation of means, in which 'the commitment is to adopt the technical and organisational methods, as well as conducting this process diligently with a view to achieving the expected result, through means that can reasonably be considered suitable and sufficient for such purpose'. For the latter, 'the suitability of the security measures ... must be put into perspective with the available technology at any given time and the level of protection required in relation to the personal data processed, but there are no guaranteed results'. Consequently, the position of the Public Prosecutor's Office, which argued that a company's 'best efforts' are simply not enough because whenever a security breach occurs there is always a harmful result for those affected, cannot be upheld.

Second, simply designing the technical and organisational means is not enough: their adequate implementation and proper use must also be ensured, so a lack of diligence in this regard will, depending on the circumstances, also give rise to liability. That diligence extends to the conduct of staff, since companies are liable for the actions of their employees or workers. On the facts examined in this ruling, the company is therefore liable for the employee's negligence in entering false e-mail addresses in the form.

Third, on the security measures introduced by the company, the court concluded that ‘the program used to collect customer data did not have any security features to check whether the entered e-mail address was real or fictitious and whether it actually belonged to the person whose data was being processed and who gave their consent. The available technology at the time these events took place would have easily accommodated measures to check the veracity of the e-mail address... Measures that were not taken in the case at hand’. The Court pointed out that ‘there is an e-mail verification system known as ‘double opt-in’ consisting of an acceptance process of certain rules or conditions of use, which aims to verify that users are who they say they are and rule out the possibility that they could be robots creating automatic subscriptions, Spam mails, or third parties generating fraudulent subscriptions using e-mail addresses that are not theirs. This is a double-check process that ensures that users have accepted the data processing policy and/or privacy conditions before receiving any type of communication’. By failing to implement this security measure, the company was in breach of data protection legislation. The fact that the infringement was due to an employee’s negligence is irrelevant. 
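The double opt-in check the Court refers to, shown as an added example that is not part of the original post nor of the sanctioned company's system: the address typed into the form receives only a signed confirmation link, and the contract documents are released only once the owner of that address has clicked it. The server key, the token lifetime, the confirmation URL and the in-memory outbox standing in for a mail transport are all assumptions of the demo.

```python
"""Double opt-in for an e-mail address before anything sensitive is sent to it.

Flow: the customer types an address -> we mail ONLY a signed confirmation link
-> the address owner clicks it -> we mark the address verified -> only then may
contract documents be sent.  A mistyped or made-up address never receives
anything but the confirmation request.

Added illustration; server key, TTL, URL and mail transport are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import secrets
import time

TOKEN_TTL_SECONDS = 24 * 3600  # assumption: confirmation links are valid for one day


class DoubleOptIn:
    def __init__(self, server_key: bytes, ttl: int = TOKEN_TTL_SECONDS, now=time.time):
        self._key = server_key   # server-side HMAC secret (load from a secret store in production)
        self._ttl = ttl
        self._now = now          # injectable clock so expiry can be exercised in tests
        self._pending = {}       # nonce -> (email, purpose); removed on first successful use
        self._verified = set()   # (email, purpose) pairs whose owner clicked the link
        self.outbox = []         # constructed stand-in for a mail transport: (to, subject, body)

    @staticmethod
    def _normalise(email: str) -> str:
        email = email.strip().lower()
        if "@" not in email or "|" in email:
            raise ValueError("not a usable e-mail address")
        return email

    def request_confirmation(self, email: str, purpose: str) -> str:
        """Issue a signed, single-use, expiring token and mail the link.
        Returns the token only so the demo can exercise it; in production it is only e-mailed."""
        email = self._normalise(email)
        if "|" in purpose:
            raise ValueError("purpose must not contain the field separator")
        nonce = secrets.token_urlsafe(16)
        exp = int(self._now()) + self._ttl
        payload = f"{nonce}|{email}|{purpose}|{exp}".encode()
        mac = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        token = base64.urlsafe_b64encode(payload).decode().rstrip("=") + "." + mac
        self._pending[nonce] = (email, purpose)
        # The confirmation mail carries nothing but the link: no contract, no other person's data.
        link = f"https://example.invalid/confirm?token={token}"  # hypothetical endpoint
        self.outbox.append((email, f"Please confirm your address ({purpose})", link))
        return token

    def confirm(self, token: str):
        """Called when the link is clicked. Returns (True, email) or (False, reason)."""
        try:
            body, mac = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        except (ValueError, binascii.Error):
            return False, "malformed"
        expected = hmac.new(self._key, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, mac):
            return False, "bad signature"            # verified before the payload is trusted
        nonce, email, purpose, exp = payload.decode().split("|")
        if int(exp) < self._now():
            return False, "expired"
        if self._pending.pop(nonce, None) is None:
            return False, "unknown or already used"  # replay of a used or unknown link
        self._verified.add((email, purpose))
        return True, email

    def send_contract(self, email: str, purpose: str, document: str) -> bool:
        """Refuse to send the document unless this exact (address, purpose) pair was confirmed."""
        try:
            email = self._normalise(email)
        except ValueError:
            return False
        if (email, purpose) not in self._verified:
            return False
        self.outbox.append((email, f"Your {purpose}", f"Attached: {document}"))
        return True


if __name__ == "__main__":
    d = DoubleOptIn(secrets.token_bytes(32))
    t = d.request_confirmation("customer@example.com", "financing-contract")
    print(d.send_contract("customer@example.com", "financing-contract", "contract.pdf"))  # False: not yet confirmed
    print(d.confirm(t))                                                                   # (True, 'customer@example.com')
    print(d.send_contract("customer@example.com", "financing-contract", "contract.pdf"))  # True
    print(d.confirm(t))                                                                   # (False, 'unknown or already used')
```

The point worth noticing is what the owner of a mistyped or invented address receives: a confirmation request and nothing else. The token is an HMAC over the address, the purpose and the expiry, so it cannot be forged or re-pointed at another address; it is single-use, so a forwarded or replayed link does not re-verify; and it is bound to the purpose, so an address confirmed for one mailing does not unlock contract delivery for another. Whether such a control would have satisfied the Court is a legal question; technically, it is the check whose absence the judgment describes.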

This article does not represent legal advice by its author(s).

Authors

José Luis Piñar
Consultant
Madrid