Spain
Fourteen Eyes member hosting Europe’s largest documented mercenary spyware operation, first criminal prosecution of Pegasus developers, and the Strait of Gibraltar cable chokepoint
Overview
EU Member State: Spain is subject to the GDPR, the Law Enforcement Directive, and the ePrivacy Directive. For the EU framework, see the EU Framework page. This page covers national laws, intelligence and surveillance, and Spain’s role in international data sharing.
In April 2022, Citizen Lab uncovered Catalangate — the largest documented case of mercenary spyware abuse in Europe: at least 65 individuals targeted with Pegasus and Candiru 2017–2020, including MEPs, Catalan Parliament members, presidents of the Generalitat, journalists, lawyers, and activists. In September 2025, a Barcelona court launched the first worldwide criminal prosecution of Pegasus developers. Spain is a Fourteen Eyes member, and NSA documents revealed collection of 60.5 million Spanish phone call records in a single month.[1][2]
Spain’s LOPDGDD went further than any other EU member state by enshrining digital rights (including the right to digital disconnection from work) directly into organic law. The AEPD is one of the highest-volume GDPR enforcers in the EU. Data retention under Law 25/2007 (12 months) continues unreformed despite CJEU invalidation of the underlying EU directive. Spain supports mandatory Chat Control scanning.[3]
Privacy Framework
The AEPD (Agencia Española de Protección de Datos) is one of the EU’s highest-volume enforcers by number of decisions, with major fines including E.ON Energia EUR 8.15M (telemarketing), Aena EUR 10M (airport facial recognition), CaixaBank EUR 6.2M, and La Liga EUR 250K (secretly activating fans’ phone microphones). Spain was the first EU member state to establish a dedicated AI supervision agency (AESIA), which published 16 AI Act guidance documents by December 2025.[4]
The LOPDGDD (Ley Orgánica 3/2018) supplements the GDPR with age of consent at 14, and Title X “Digital Rights” including the right to digital disconnection, right to privacy in the use of digital devices at work, right to a digital testament, and right to digital education. Spain retains criminal sanctions for data protection violations alongside administrative fines.[3]
Surveillance and Intelligence
Centro Nacional de Inteligencia (CNI)
The Centro Nacional de Inteligencia is Spain’s principal intelligence service (Law 11/2002, Organic Law 2/2002). Surveillance affecting communications secrecy requires prior authorisation from a single designated Supreme Court Magistrate (72-hour response, 24 hours in urgent cases). Parliamentary oversight is exercised via the Congressional Committee on Official Secrets, whose members are bound by strict secrecy. The CNI replaced CESID, which was disbanded in 2002 after the unauthorised wiretapping scandals of the 1990s. The CCN (Centro Criptológico Nacional), a CNI department, handles cryptanalysis, cybersecurity, and the CCN-CERT.[5][6]
Fourteen Eyes: SIGINT Seniors Europe
Spain participates through bilateral SIGINT arrangements between CNI/CCN and the NSA. As a third-party partner, Spain is not exempt from NSA collection. The alliance uses the CRUSHED ICE secure network for near-real-time counterterrorism intelligence sharing. NSA documents confirmed collection of 60.5 million Spanish phone records in December 2012 alone, triggering a major diplomatic crisis when published by El Mundo in October 2013. Spain is simultaneously a SIGINT alliance member and a target of NSA mass collection.[2][7]
Catalangate: Europe’s Largest Mercenary Spyware Scandal
Citizen Lab identified at least 65 individuals targeted with Pegasus (NSO Group) and Candiru spyware 2017–2020, including MEPs, Catalan Parliament members, presidents of the Generalitat, journalists, lawyers, activists, and family members. PM Sánchez and Defence Minister Robles were also compromised by Pegasus, apparently by a foreign government.[1][8]
Consequences: CNI Director Paz Esteban López was fired. PM Sánchez pledged intelligence oversight reform and replacement of the 1968 Official Secrets Act (Franco-era legislation). A joint investigation identified three NSO Group executives (November 2024). A Barcelona court launched a criminal prosecution of Pegasus developers (September 2025), the first worldwide. NSO Group CEO Shalev Hulio, co-founder Omri Lavie, and executive Yuval Somekh were formally indicted (March 2025). The Audiencia Nacional shelved its inquiry into the PM’s phone infection after Israel ignored five judicial assistance requests (January 2026).[9][10][11]
Systemic oversight failures: The single-magistrate authorisation model (Organic Law 2/2002) was designed for traditional wiretapping, not zero-click spyware granting total device access. PEGA Committee concluded Spain failed to conduct an adequate independent investigation. Court proceedings are entirely secret with no independent proportionality review. Once deployed, Pegasus accesses everything — making it technically impossible to limit collection to what was judicially authorised.[12]
Data Retention
Law 25/2007 requires telecom providers to retain traffic and location data for 12 months. Spain has not comprehensively reformed the law despite the CJEU invalidating the underlying EU directive (Digital Rights Ireland, 2014) and subsequent rulings restricting blanket retention (Tele2/Watson, La Quadrature du Net, SpaceNet). Access requires judicial authorisation, but the blanket retention obligation itself has not been subjected to the proportionality analysis CJEU jurisprudence now demands.[13]
Internet Infrastructure and NSA Mass Collection
ESPANIX (Madrid, established 1997) is Spain’s largest IXP. DE-CIX Barcelona extends the Frankfurt DE-CIX franchise into Iberia. Spanish traffic transiting through Frankfurt DE-CIX is exposed to BND bulk cable interception.[14]
The Strait of Gibraltar is a strategic chokepoint through which many cables connecting Europe to Africa and the Americas are routed. Landing stations at Conil de la Frontera, Estepona, Valencia, and the Canary Islands serve: TAG (transatlantic), Columbus III (transatlantic), 2Africa (33 countries), and cables routed through the Gibraltar corridor including EllaLink (Europe-Brazil). The CNI has SIGINT authority extending to communications infrastructure, and Fourteen Eyes membership means collected intelligence is systematically shared.[14]
NSA upstream programs collected 60.5 million Spanish phone call records in December 2012 alone through transatlantic cable tapping, regardless of whether Spain was itself the target — because cables carry mixed traffic that cannot be cleanly separated at the collection point.[7]
Age Verification: Identity Infrastructure as Surveillance
An Organic Law (approved by Council of Ministers March 2025, proceeding through Parliament) would raise the digital age of consent from 14 to 16 and ban social media for under-16s without parental consent, requiring platforms to implement age verification. The AEPD published a privacy-preserving age verification framework (December 2023) advocating data minimisation and anonymisation — the verification provider should not know which sites users access, and platforms should not learn users’ identities. Spain is one of five EU pilot countries for W3C Verifiable Credentials age verification.[15]
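A toy model of the two properties the AEPD framework requires, added here as an illustration and not taken from the AEPD’s or the W3C’s own designs: it uses Chaum-style RSA blind signatures (an assumption; the Verifiable Credentials pilot may rely on different mechanisms) so that the verification provider signs an over-16 claim it never sees, and the platform verifies a claim that carries no identity. The key is toy-sized and the party names and nonces are constructed.

```python
import hashlib
import math
import secrets

# Toy RSA key for the verification provider. Two Mersenne primes keep the
# arithmetic honest, but the ~92-bit modulus is NOT secure: demonstration only.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # provider's private signing exponent


def h(msg: bytes) -> int:
    """Hash-to-integer shared by user and platform (reduced mod N for the toy size)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


# --- user's device ----------------------------------------------------------
def blind(claim: bytes):
    """Blind the claim: the provider receives a random-looking value, not the claim."""
    while True:
        r = secrets.randbelow(N - 2) + 2
        if math.gcd(r, N) == 1:
            return (h(claim) * pow(r, E, N)) % N, r


def unblind(blinded_sig: int, r: int) -> int:
    """Strip the blinding factor; the result is an ordinary RSA signature on h(claim)."""
    return (blinded_sig * pow(r, -1, N)) % N


# --- verification provider (checks identity, never learns the claim or site) --
def provider_sign(blinded: int, age_proven: bool):
    """Sign only after the user proved age with a real document; None otherwise."""
    return pow(blinded, D, N) if age_proven else None


# --- platform (sees the claim and signature, never the identity) -------------
def platform_accepts(claim: bytes, sig: int) -> bool:
    return claim.startswith(b"age>=16|") and pow(sig, E, N) == h(claim)


def run_flow(platform_nonce: bytes, age_proven: bool = True) -> bool:
    """Full exchange: platform nonce -> user builds claim -> blind-sign -> present."""
    claim = b"age>=16|" + platform_nonce    # carries no name or document number
    blinded, r = blind(claim)
    blinded_sig = provider_sign(blinded, age_proven)
    if blinded_sig is None:
        return False
    return platform_accepts(claim, unblind(blinded_sig, r))
```

Because the nonce is bound into the signed claim, a token issued for one platform session fails verification anywhere else, while the provider holds no record linking the user to any site.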
However, any mandatory age verification creates identity infrastructure that, once deployed, becomes surveillance-capable. The AEPD itself recognises the risk of “mandatory identity verification creating honeypots of sensitive data or enabling de facto universal digital identity requirements for accessing lawful content.” The Aena airport facial recognition fine (EUR 10M, November 2025) for deploying biometric boarding without a valid DPIA demonstrates the tension between biometric convenience and proportionality requirements.[16]
International Data Sharing Agreements
Mutual Legal Assistance: Layered Framework
EU Member States (26 countries): EU MLA Convention 2000, Schengen Convention, EIO. Spain was an original Prüm Convention signatory (2005); Prüm II (2024) adds facial images and police records.
Council of Europe (50 signatory states): European Convention on MLA 1959 + Additional Protocols.
Bilateral MLAT with the United States: Spain is among 19 nations with an MLAT in force with the US. GDPR Article 48 precludes unilateral foreign requests without a treaty basis, but the MLAT itself creates a lawful channel for US access to Spanish person data.[17]
Fourteen Eyes Intelligence Sharing
CNI shares SIGINT with Five Eyes partners through bilateral arrangements. The Catalangate affair demonstrated that intelligence alliances provide no protection against surveillance by partners or third parties using commercial tools outside those frameworks.[2]
EU and Multilateral Frameworks
- SIS II: Real-time query and alerts across Schengen.
- EU-US Umbrella Agreement: Spanish citizens get judicial redress before US courts.
- SWIFT/TFTP: International wire transfers subject to US Treasury subpoena.
- PNR: Passenger data for Spain-US flights.
- Europol: Major contributor; FBI cooperation channel.
- Interpol I-24/7.
- Egmont Group: SEPBLAC shares financial intelligence across 164+ FIUs.
The Privacy Backdoor Effect
Despite AEPD enforcement and GDPR Article 48, alternative access pathways exist:
- Fourteen Eyes: CNI shares SIGINT with Five Eyes partners; NSA collected 60.5M Spanish phone records in a single month
- EU Framework: Spanish data in SIS II, Prüm, or EIO channels accessible to 27 EU states and through Europol to US FBI
- MLAT: US requests through bilateral treaty, with potentially different evidentiary standards
- SWIFT/PNR: Financial transactions and air travel subject to US access
- Commercial spyware: Catalangate demonstrated that surveillance markets undermine both domestic protections and intelligence alliances
Recent Developments
NSO Group Executives Indicted (March 2025): Barcelona court issued the first worldwide criminal indictment of NSO Group executives (CEO Hulio, co-founder Lavie, executive Somekh) over Catalangate.[11]
Catalangate: Audiencia Nacional Shelves PM Investigation (January 2026): Spain’s National High Court shelved inquiry into PM Sánchez’s Pegasus infection after Israel ignored five judicial assistance requests.[10]
Classified Information Act (July 2025): Council of Ministers approved draft replacing the Franco-era 1968 Official Secrets Act. Four classification levels with automatic declassification periods (45 years Top Secret, 35 years Secret). Pledged by PM Sánchez after Catalangate.[18]
Aena Airport Facial Recognition Fine (November 2025): AEPD imposed EUR 10 million on Spain’s 46-airport operator for biometric boarding without a valid DPIA. Facial recognition suspended at eight airports including Madrid-Barajas and Barcelona-El Prat.[16]
Intelligence Oversight Reform Stalled: PEGA Committee’s recommendation for an independent investigation has not produced substantive legislative change. Reform of Organic Law 2/2002 and replacement of the 1968 secrets law remain subject to political negotiation.[12]
Chat Control: Spain Supports Mandatory Scanning: Spain is among 15 EU member states supporting the CSA Regulation, contrasting with its strong domestic data protection enforcement.[19]
