Spain
Fourteen Eyes member, site of Europe’s largest documented mercenary spyware operation, home to one of the EU’s highest-volume data protection enforcers, and among the first EU member states to codify digital rights in the workplace
EU Member State: Spain is a member of the European Union and is therefore subject to the General Data Protection Regulation (GDPR), the Law Enforcement Directive, the ePrivacy Directive, and other EU-level data protection instruments. For a detailed treatment of the EU framework, see the EU Framework page. This page covers Spain’s national implementing legislation, domestic enforcement record, intelligence and surveillance laws, and its role in the Fourteen Eyes intelligence alliance.
Overview
Spain presents a notable contrast in European privacy law. On the civilian side, the Agencia Española de Protección de Datos (AEPD) has established itself as one of the highest-volume GDPR enforcers in the EU by number of decisions, with record fine totals in recent years and cases that range from banking malpractice to a football league secretly activating millions of fans’ phone microphones. Spain’s national GDPR implementation, the LOPDGDD, went further than any other EU member state by enshrining an entirely new category of digital rights, including the right to digital disconnection from work, directly in organic law.[1]
On the intelligence side, Spain is a member of the Fourteen Eyes surveillance alliance and maintains bilateral signals intelligence arrangements with the United States through its Centro Nacional de Inteligencia (CNI).[2] In April 2022, the University of Toronto’s Citizen Lab uncovered what it called the largest documented case of mercenary spyware abuse in Europe: at least 65 Catalan independence advocates, including politicians, journalists, lawyers, activists, and their family members, had been infected with Pegasus and Candiru spyware between 2017 and 2020.[3] The scandal, known as Catalangate, prompted the firing of the CNI director, pledges of intelligence oversight reform from Prime Minister Sánchez, and criminal investigations that remain open as of early 2026.
Understanding Spain’s privacy landscape requires grappling with both realities simultaneously: an active data protection authority on one hand, and on the other, an intelligence apparatus that deployed some of the most invasive commercial surveillance tools ever created against domestic political targets. Adding further complexity, Spain’s data retention regime, implemented under Law 25/2007 to transpose the since-invalidated EU Data Retention Directive, continues to operate without comprehensive reform, creating a persistent area of legal uncertainty that affects every telecommunications provider and internet user in the country.
Data Protection Authority: AEPD
The Agencia Española de Protección de Datos (AEPD) was established in 1993 under the Ley Orgánica de Regulación del Tratamiento Automatizado de los Datos de Carácter Personal (LORTAD), Spain’s first comprehensive data protection statute. It is an independent public authority with its own legal personality, reporting directly to the Spanish Parliament through an annual report on its activities. The AEPD has enforcement authority over both private-sector entities and public administrations, and its decisions can be appealed to the Audiencia Nacional (National High Court).[4]
In addition to the national AEPD, Spain has regional data protection authorities in Catalonia (Autoritat Catalana de Protecció de Dades), the Basque Country (Datuak Babesteko Euskal Bulegoa), and Andalusia (Consejo de Transparencia y Protección de Datos de Andalucía). These regional authorities supervise data processing by their respective autonomous community public administrations and entities, while the AEPD retains jurisdiction over the private sector and national-level public bodies.[4]
Enforcement Record
The AEPD is one of the highest-volume GDPR enforcers in the European Union by number of decisions issued, and its fines span a broad range of sectors. In 2024 the total value of fines reached a record EUR 35.5 million, a 19% increase over the previous year’s EUR 29.8 million.[5] The authority issued 10 fines exceeding EUR 1 million in 2024, up from only 3 such fines in 2023. Its enforcement focus has centered on banking, internet platforms, telecommunications, and employment, with common violations including lack of transparency, unlawful marketing, failure to implement adequate security measures, and disproportionate workplace surveillance.
In early 2025, the AEPD continued its enforcement activity with notable actions including a EUR 1.8 million fine on Informa D&B for violating GDPR requirements when processing personal data of business owners, a EUR 1.2 million fine against Orange España for unlawful data processing in connection with issuing SIM card duplicates, and a EUR 1 million fine on Ibermutua for a serious data protection breach.[6]
Leadership Transition
In December 2024, Royal Decree 1323/2024 enabled the dismissal of the AEPD director. A new President and Deputy were appointed in February 2025, and a new strategic plan is underway, with increasing emphasis on the use of AI and biometric systems, workplace monitoring technologies, and school surveillance systems.[5]
Major Fines
| Date | Entity | Amount | Violation |
|---|---|---|---|
| June 2019 | La Liga | EUR 250,000 | Secret microphone and geolocation surveillance via mobile app[10] |
| January 2021 | CaixaBank | EUR 6 million | Unlawful processing and insufficient information (Arts. 6, 13, 14 GDPR)[7] |
| October 2021 | CaixaBank Payments & Consumer | EUR 3 million | Unlawful profiling for commercial purposes without specific consent[8] |
| February 2022 | CaixaBank | EUR 2.1 million | Conditioning service grants on data consent (Art. 7(4) GDPR)[9] |
| 2023 | CaixaBank | EUR 3.5 million | Inadequate security measures: unauthorized access by a former authorized representative persisted despite repeated complaints[5] |
| 2024 | La Liga | EUR 1 million | Biometric fingerprint access in stadium fan zones without legal basis[5] |
| January 2025 | Informa D&B | EUR 1.8 million | Unlawful processing of business owners’ personal data[6] |
| Early 2025 | Orange España | EUR 1.2 million | Unlawful data processing in SIM card duplicate issuance[6] |
| Early 2025 | Ibermutua | EUR 1 million | Serious data protection breach[6] |
Enforcement by Sector
The AEPD’s enforcement activity spans a broad range of industries. In its most significant 2024 cases, the authority focused on personal data breaches, the gas, electricity, and water supply sector, fraudulent contracting (where third parties fraudulently use individuals’ data to sign up for services), and the financial sector. Unlike some EU data protection authorities that concentrate enforcement on a handful of high-profile tech companies, the AEPD pursues violations across sectors, from multinational banks to small businesses, from football leagues to healthcare providers.
Notable Enforcement Actions
CaixaBank – Repeat Offender: Spain’s largest domestic bank has been fined by the AEPD on multiple occasions, illustrating the authority’s willingness to impose escalating penalties on institutions that fail to remediate systemic compliance failures:
- January 2021: EUR 6 million for violations of Articles 6 (lawfulness of processing) and 13/14 (information obligations) of the GDPR, the largest AEPD fine at the time[7]
- October 2021: EUR 3 million (CaixaBank Payments & Consumer) for unlawful profiling for commercial purposes without specific and informed consent[8]
- February 2022: EUR 2.1 million for conditioning service grants on data consent, violating Article 7(4) of the GDPR[9]
- 2023: EUR 3.5 million for breach of security measures after unauthorized access by a former authorized representative persisted despite repeated complaints[5]
La Liga – The Microphone Spy: One of the more unusual enforcement actions in European data protection targeted Spain’s top professional football league. In June 2019, the AEPD fined La Liga EUR 250,000 for a hidden feature embedded in its official mobile application, downloaded by more than 10 million users. The app used a Shazam-like audio fingerprinting system that activated users’ phone microphones and cross-referenced ambient audio with geolocation data to identify bars and restaurants that were broadcasting La Liga matches without paying for official broadcasting rights.[10]
The AEPD found that La Liga violated Article 5(1) of the GDPR, the requirement that personal data be processed lawfully, fairly, and transparently, because the app’s audio recording functionality was not adequately disclosed in its description. The authority also found a violation of Article 7(3), which requires that users be able to withdraw consent at any time.[10] La Liga denied wrongdoing and appealed the fine, but Spain’s Audiencia Nacional (National High Court) upheld the AEPD’s decision, affirming the transparency failures.[11]
La Liga’s troubles did not end there. In 2024, the AEPD fined the league EUR 1 million for deploying fingerprint biometric access systems in stadium fan zones without establishing a proper legal basis for processing biometric data.[5]
Orange España – SIM Swapping: In early 2025, the AEPD imposed a EUR 1.2 million fine on Orange España for unlawful data processing in connection with the issuing of SIM card duplicates. SIM swapping, where an attacker convinces a carrier to transfer a victim’s phone number to a new SIM card, has become a significant vector for identity theft and financial fraud. The AEPD’s enforcement action signaled that telecommunications providers bear responsibility for implementing adequate identity verification before issuing duplicate SIM cards, and that failures to do so constitute a violation of GDPR data processing obligations.[6]
Informa D&B – Business Data Processing: In January 2025, the AEPD imposed fines totalling EUR 1.8 million on Informa D&B, a commercial data intelligence firm, for violating GDPR requirements when processing the personal data of business owners, and ordered the company to delete the records concerned. The decision underscores the AEPD’s position that personal data inside commercial intelligence products is subject to the same standards as any other form of personal data processing.[6]
National Framework: LOPDGDD
Ley Orgánica 3/2018, de Protección de Datos Personales y garantía de los derechos digitales
Spain’s national implementation of the GDPR is the Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), which entered into force on December 7, 2018. Its full title, “Organic Law on the Protection of Personal Data and the Guarantee of Digital Rights,” signals its dual purpose: it does not merely adapt Spanish law to the GDPR, but goes significantly further by enshrining an entirely new category of digital rights that have no direct equivalent in the GDPR itself.[1]
As a Ley Orgánica (Organic Law), the LOPDGDD occupies a special position in the Spanish legal order. Organic Laws require an absolute majority of the Congress of Deputies for passage, a status commonly described as placing them above ordinary legislation and just below the Constitution itself. This elevated status reflects Spain’s recognition that data protection and digital rights carry fundamental constitutional weight.[12]
Title X: Digital Rights
Title X of the LOPDGDD distinguishes Spain’s GDPR implementation from other EU member states. It establishes a comprehensive catalogue of digital rights that address the intersection of technology and daily life, with particular emphasis on the workplace:[1]
- Art. 87 – Right to Privacy in Digital Device Use at Work: Limits employer access to digital devices provided for work purposes. Employers must establish clear policies on acceptable use, and access to employee devices must respect the right to privacy
- Art. 88 – Right to Digital Disconnection: Workers in both the public and private sectors have the right to respect for their rest time, leave, holidays, and personal and family life. Employers are required to prepare an internal policy, negotiated with employee representatives, specifying how the right to digital disconnection will be exercised in practice. This provision was designed to combat the “always-on” culture enabled by smartphones and email, and Spain was among the first countries in the world to codify it[13]
- Art. 89 – Right to Privacy in Video Surveillance and Sound Recording at Work: Employers must inform workers and their representatives of workplace video surveillance. Use of sound recording is permitted only when relevant to ensure the safety of facilities, goods, or people
- Art. 90 – Right to Privacy in Geolocation Systems at Work: Employers must inform workers and their representatives of the existence and characteristics of geolocation devices in their work tools
- Art. 83 – Right to Digital Education: The educational system must guarantee digital literacy, including critical skills for an informed use of digital technologies
- Art. 84 – Protection of Minors Online: The Public Prosecutor’s Office must intervene where the use or dissemination of minors’ images or personal information on the internet may amount to an unlawful intrusion into their fundamental rights
- Art. 96 – Right to Digital Testament: Individuals may designate a person to manage their digital assets after death, including requesting deletion of personal data from online services[14]
The right to digital disconnection has become the most widely discussed provision. In practice, it means that an employer who routinely sends emails or messages to employees outside of working hours, or who penalizes workers for not responding during evenings, weekends, or holidays, may be in violation of organic law. The requirement that employers negotiate a formal disconnection policy with employee representatives creates an enforceable framework rather than a mere aspiration.[13]
Other LOPDGDD Provisions
Beyond Title X, the LOPDGDD addresses GDPR implementation matters including:
- Age of consent for minors: Set at 14 years, below the GDPR default of 16. Children under 14 require parental consent for data processing
- Political campaign data: Special provisions governing the processing of data by political parties for election campaigning, a topic that became controversial when the Spanish Constitutional Court struck down certain provisions in 2019
- Data Protection Officers: Detailed rules on DPO appointment, including mandatory designation criteria that go beyond the GDPR’s minimum requirements
- Credit information systems: Specific treatment of financial solvency files and credit reporting, reflecting Spain’s longstanding regulatory interest in the accuracy of financial data
- Deceased persons’ data: Provisions governing who may exercise data protection rights on behalf of deceased individuals, complementing the digital testament right in Title X[12]
Surveillance and Intelligence
Centro Nacional de Inteligencia (CNI)
The Centro Nacional de Inteligencia (CNI) is Spain’s principal intelligence service, established by Law 11/2002 of May 6, 2002 and governed by Organic Law 2/2002 of the same date, which regulates prior judicial control of its activities. The CNI replaced the former Centro Superior de Información de la Defensa (CESID), which had itself been mired in wiretapping scandals in the 1990s.[15]
Judicial authorization: Under Organic Law 2/2002, any CNI surveillance activity that affects the inviolability of the home or the secrecy of communications requires prior authorization from a designated Supreme Court Magistrate. The Magistrate must respond within 72 hours of a request (24 hours in urgent cases). This judicial oversight mechanism, entrusting authorization to a single Supreme Court judge rather than a panel or a specialized court, was intended to balance operational speed with fundamental rights protection.[16]
The CNI operates under annual classified Directivas de Inteligencia (Intelligence Guidelines) issued by the Council of Ministers, which set its strategic priorities. These guidelines are not publicly disclosed. Parliamentary oversight is exercised through the Congressional committee controlling reserved-expenditure credits (Comisión de control de los créditos destinados a gastos reservados, commonly called the Official Secrets Committee), though its members are bound by strict secrecy obligations that limit public accountability.
The CNI’s predecessor, CESID, was disbanded in 2002 following a series of scandals in the 1990s, including revelations that it had conducted unauthorized wiretapping of politicians, journalists, and business figures during the government of Felipe González. The creation of the CNI with its judicial authorization requirement was intended to address these abuses, making the Catalangate revelations two decades later particularly troubling for those who believed the new framework had established adequate safeguards.[15]
Centro Criptológico Nacional (CCN)
The Centro Criptológico Nacional (CCN) is a department within the CNI, established by Royal Decree 421/2004. It is responsible for cryptanalysis, cybersecurity coordination, protection of classified information systems, and management of the CCN-CERT, Spain’s government-level computer emergency response team. The CCN serves as the national coordination authority for cryptographic security and plays a central role in protecting government networks from cyber threats.[17]
Fourteen Eyes: SIGINT Seniors Europe
Spain is a member of the Fourteen Eyes intelligence alliance, formally known as SIGINT Seniors Europe (SSEUR). Formed in 1982 during the Cold War with an initial focus on Soviet military intelligence, the alliance expanded to 14 members after September 11, 2001, shifting its primary focus to counterterrorism. Spain participates through bilateral signals intelligence arrangements between the CNI/CCN and the United States National Security Agency (NSA).[2]
As a “3rd Party” partner under the UKUSA framework, Spain exchanges intelligence with the Five Eyes nations but is not automatically exempt from being targeted by their intelligence collection. Internal NSA documents disclosed by Edward Snowden state that “the NSA can, and often do, target the signals of most 3rd party foreign partners.”[18] This means Spain’s participation in the alliance does not shield its own communications, including those of government officials, from surveillance by its allies.
The Fourteen Eyes alliance uses the CRUSHED ICE secure network for sharing signals intelligence related to counterterrorism, enabling collaboration through voice communications, file and email exchanges, analysis and reporting, mapping, and collection management. This infrastructure allows member states to share intercepted intelligence in near-real-time, but also raises concerns about the extent to which data collected in one jurisdiction may be shared across the alliance without the knowledge or consent of the individuals affected.[2]
Catalangate: Europe’s Largest Mercenary Spyware Scandal
On April 18, 2022, the University of Toronto’s Citizen Lab published a report titled “CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using Pegasus and Candiru,” revealing what it described as the most extensive case of mercenary spyware abuse documented in the European Union.[3]
Scope and Targets
Citizen Lab identified at least 65 individuals whose devices were infected with Pegasus (developed by Israel’s NSO Group) and Candiru spyware between 2017 and 2020, the period surrounding the 2017 Catalan independence referendum and its aftermath. The targets included:
- Members of the European Parliament and the Catalan Parliament
- Presidents and former presidents of the Generalitat de Catalunya
- Journalists covering the independence movement
- Lawyers representing independence leaders
- Civil society activists and their family members[3]
Pegasus is a “zero-click” spyware tool that can silently infiltrate a target’s smartphone, accessing encrypted messages, emails, photos, microphone, camera, and real-time location data, without the victim clicking a link or taking any action. It is a commercial surveillance tool sold to nation-state clients. Candiru, the second vendor identified by Citizen Lab, is a less well-known Israeli firm that sells exploitation tools targeting computers and mobile devices; it was placed on the U.S. Department of Commerce Entity List in November 2021 alongside NSO Group.
Political Fallout
The scandal deepened in May 2022 when the Spanish government disclosed that the phones of Prime Minister Pedro Sánchez and Defense Minister Margarita Robles had also been compromised by Pegasus, in what appeared to be a separate operation, potentially by a foreign government.[19]
In the immediate aftermath, the government fired CNI director Paz Esteban López, who had acknowledged to a parliamentary oversight committee that the CNI had legally targeted some Catalan figures with judicial authorization. On May 26, 2022, Prime Minister Sánchez announced plans to reform the organic law governing judicial control of the CNI, pledging to “strengthen guarantees” and ensure “maximum respect for individuals’ political and individual rights.” He also announced a new law on classified information to replace Spain’s existing Official Secrets Act, a law dating from 1968, during the Franco dictatorship.[20]
Criminal Investigations
Multiple judicial proceedings have followed:
- November 2024: A joint investigation by Iridia (a Catalan human rights organization) and media partners identified those allegedly responsible. A police report named three NSO Group executives, CEO Shalev Hulio, co-founder Omri Lavie, and executive Yuval Somekh, as targets of criminal complaints[21]
- September 2025: A Barcelona court launched a broader criminal probe into Pegasus developers, former CNI officials, and members of the Civil Guard. The defendants face accusations of revelación de secretos (disclosure of secrets) and illegal access to computer systems[22]
- January 2026: Spain’s Audiencia Nacional (National High Court) shelved its separate inquiry into the Pegasus infection of Prime Minister Sánchez’s own phone, citing Israel’s repeated refusal to cooperate with the investigation. The presiding judge reported that Israel had ignored five formal requests for judicial assistance, effectively making it impossible to trace the origin of the attack[23]
Systemic Oversight Failures
The Catalangate affair raises fundamental questions about the adequacy of Spain’s intelligence oversight framework. The single-magistrate authorization model under Organic Law 2/2002 was designed for traditional wiretapping, not for zero-click spyware that grants total access to a target’s digital life. Whether the judicial authorizations obtained by the CNI for specific Catalan targets were proportionate to the capabilities of the tools actually deployed, and whether the magistrate fully understood the extent of access Pegasus provides, remains a central unresolved question.
The Spanish Ombudsman (Defensor del Pueblo) recommended strengthening the guarantees of the judicial control mechanism, a recommendation that Prime Minister Sánchez cited when announcing reform plans.[20] Critics have argued that meaningful reform would require moving from a single-judge model to a specialized court or multi-member panel, imposing mandatory disclosure of the specific surveillance tools being deployed, and establishing post-hoc audit requirements to verify that data collection remained within the scope of the original authorization.
The broader European dimension is also significant. Catalangate was one of several Pegasus scandals uncovered across the EU in 2022, with similar revelations emerging in France, Poland, Hungary, and Greece. These cases collectively prompted the European Parliament to establish the PEGA Committee (Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware), which conducted hearings throughout 2022 and 2023 and issued recommendations for each affected member state.[27]
Data Retention
Law 25/2007 of October 18, 2007 transposes the EU Data Retention Directive (2006/24/EC) into Spanish law. It requires telecommunications operators and internet service providers to retain traffic and location data for a period of up to 12 months. The retained data includes information necessary to identify the source and destination of communications, the date, time, and duration of communications, the type of communication, the equipment used, and location data for mobile communications.[24]
The legal status of Law 25/2007 exists in a state of persistent ambiguity. When the Court of Justice of the European Union (CJEU) invalidated the EU Data Retention Directive in its landmark Digital Rights Ireland judgment (April 2014), Spain’s national implementing law was not automatically struck down. Unlike some EU member states that moved swiftly to reassess their retention regimes in light of the ruling, Spain has not comprehensively reformed Law 25/2007.[25]
Subsequent CJEU rulings, including Tele2 Sverige/Watson (2016) and La Quadrature du Net (2020), have further narrowed the circumstances under which general and indiscriminate data retention is permissible under EU law, generally limiting it to situations involving genuine and present or foreseeable serious threats to national security. Spain has not enacted targeted reforms to bring Law 25/2007 into alignment with these rulings, creating ongoing legal uncertainty for both telecommunications providers and individuals whose data continues to be retained under the existing regime.[26]
Access to retained data requires judicial authorization under Spanish procedural law, but the underlying retention obligation itself, the blanket requirement that providers store traffic and location data for all users, has not been subjected to the proportionality analysis that CJEU jurisprudence now demands.
For mobile communications, the retained location data is the cell ID at the start of the communication, which gives an approximate physical location. The content of communications is excluded from the retention obligation, but the retained metadata alone can reveal extraordinarily detailed information about an individual’s associations, movements, and habits over a 12-month period.[24]
Age Verification and Child Protection
Spain has emerged as one of the more interventionist Member States on age verification requirements for online platforms, particularly for pornographic content. The Spanish Data Protection Agency (AEPD) published a detailed proposal in December 2023 outlining technical and procedural requirements for age verification systems to protect minors from harmful content online.[29]
AEPD Age Verification Framework (2023)
In its December 2023 proposal, the AEPD laid out a framework for privacy-preserving age verification that balances child protection with data minimization principles:[29]
- Data Minimization: Age verification systems should only verify that a user meets the minimum age requirement, without collecting or storing identity information beyond what is strictly necessary
- Anonymization: The verification process should be designed so that the content provider does not learn the user’s identity, and the verification provider does not learn which sites the user is accessing
- No Persistent Tracking: Verification should not create mechanisms for tracking users across multiple websites or over time
- Technical Standards: Systems should employ cryptographic techniques or tokenized credentials to prove age without revealing personally identifiable information
The AEPD’s proposal explicitly recognizes the privacy risks of poorly designed age verification systems, including the potential for mandatory identity verification to create honeypots of sensitive data or enable de facto universal digital identity requirements for accessing lawful content.
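As an added illustration (not part of the AEPD proposal and not code from any deployed Spanish system), the Python sketch below shows how the four properties above fit together in a blind-signature token flow. The three roles, the `age>=18;nonce=` token layout and the `CLAIM` string are assumptions for this example; the RSA blind signature is the textbook unpadded construction with a demo-sized key, used here to show the architecture rather than as a deployable scheme (a production design would use a standardised padded variant such as RFC 9474 RSA blind signatures and a vetted crypto library).

```python
"""Blind-signature age token: the verification provider (AVP) attests "age>=18" without
learning where the token is used, and the content site checks it without learning who the
user is. Added example with assumed roles and formats; textbook RSA, demo-sized key."""
import hashlib
import secrets
from math import gcd

CLAIM = b"age>=18;nonce="  # assumed token layout: a claim plus a single-use nonce, no identity


def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin test; fine for an illustration, not a substitute for a vetted library."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits: int = 512):
    """AVP key pair (n, e, d). Real deployments use >= 2048-bit keys and a padded scheme."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


def _digest(token: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(token).digest(), "big") % n


# -- user device: build a token that carries no identity and blind its digest --------------
def make_blinded_request(n: int, e: int):
    token = CLAIM + secrets.token_hex(16).encode()
    m = _digest(token, n)
    while True:
        r = secrets.randbelow(n - 2) + 2  # blinding factor, must be invertible mod n
        if gcd(r, n) == 1:
            break
    return token, r, (m * pow(r, e, n)) % n


# -- AVP: signs the blinded value only after its own (out-of-band) age check ----------------
def avp_sign_blinded(d: int, n: int, blinded: int, age_check_passed: bool):
    """The AVP sees only `blinded`: neither the token nor the site it will be shown to."""
    return pow(blinded, d, n) if age_check_passed else None


# -- user device: remove the blinding factor, leaving a plain RSA signature on the digest ---
def unblind(s_blind: int, r: int, n: int) -> int:
    return (s_blind * pow(r, -1, n)) % n


# -- content site: verifies against the AVP public key and stores only spent nonces --------
class AgeGate:
    def __init__(self, n: int, e: int):
        self.n, self.e, self.spent = n, e, set()

    def accept(self, token: bytes, sig: int) -> bool:
        if not token.startswith(CLAIM):
            return False
        if pow(sig, self.e, self.n) != _digest(token, self.n):
            return False  # forged or tampered token
        if token in self.spent:
            return False  # replay: a reusable token would become a cross-visit identifier
        self.spent.add(token)
        return True


def run_flow(age_check_passed: bool = True):
    """End-to-end run. Returns (accepted, replay_accepted, avp_could_link_token)."""
    n, e, d = rsa_keygen()
    token, r, blinded = make_blinded_request(n, e)
    s_blind = avp_sign_blinded(d, n, blinded, age_check_passed)
    if s_blind is None:
        return False, False, False
    sig = unblind(s_blind, r, n)
    gate = AgeGate(n, e)
    first, replay = gate.accept(token, sig), gate.accept(token, sig)
    # The AVP's view (blinded) and the site's view (digest of token) are unrelated values.
    return first, replay, blinded == _digest(token, n)
```

Mapping back to the four properties: the token contains only the claim and a nonce (data minimisation); the AVP signs a blinded digest, so it cannot recognise the token later and never learns the site (anonymisation); the site stores spent nonces rather than user identifiers and rejects replays, so there is no stable identifier to track across visits or sites (no persistent tracking); and the proof is a signature verifiable with the AVP public key alone (tokenised credential). Calling `run_flow()` returns `(True, False, False)`: the fresh token is accepted, its replay is refused, and the value the AVP saw does not match what the site saw.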
Regulatory Oversight and Enforcement
While the AEPD provides data protection oversight, Spain’s National Markets and Competition Commission (CNMC) also plays a role in enforcing age verification requirements under the audiovisual framework. This creates a dual regulatory structure where platforms may face scrutiny from both data protection authorities (concerned with privacy and proportionality) and audiovisual/content regulators (focused on child safety compliance).[30]
Spain’s approach to age verification remains in active development as of February 2026, with ongoing discussions about mandatory implementation timelines and technical standards. The AEPD continues to advocate for privacy-by-design approaches that avoid creating new surveillance infrastructure in the name of child protection.[31]
Commercial Surveillance Procurement: The Catalangate Scandal
The Catalangate scandal described above is also a case study in commercial surveillance procurement. The affair confirmed that Spain’s CNI had purchased and deployed NSO Group’s Pegasus, making Spain both a buyer and a victim of the same commercial spyware technology.[32]
CNI Procurement and Oversight Failure
The Spanish government initially denied involvement in the Catalangate targeting, but subsequent reporting confirmed that the CNI had purchased and deployed Pegasus. The surveillance was reportedly authorized under Spain’s intelligence law framework, though the specific legal justifications remain classified.[32]
The scandal illustrates a fundamental oversight gap. When the CNI conducts surveillance under Organic Law 2/2002, judicial authorization is required, but the proceedings are entirely secret, the authorizations and the reasoning behind them are classified, and there is no independent review to verify that the surveillance meets necessity and proportionality requirements. Pegasus in particular provides total device compromise, so there is no technical way to limit collection to what was judicially authorized.
Political Fallout and Unresolved Accountability
As discussed in the Catalangate section, the CNI director was fired and the Prime Minister pledged intelligence oversight reform. However, as of February 2026, substantive reforms remain pending. The PEGA Committee concluded that Spain had failed to conduct an adequate independent investigation into the use of Pegasus against Catalan targets, recommending that Spain establish an independent, impartial, effective investigation.[27]
The scandal demonstrates how commercial surveillance procurement can undermine democratic accountability. NSO Group sold the same tool to dozens of governments, authoritarian and democratic alike. When Spain deployed Pegasus against Catalan politicians exercising their political rights, it used the same technology that authoritarian regimes deploy against journalists and dissidents. And when Morocco allegedly used Pegasus against Spanish government officials, it revealed the inherent risk of participating in a global surveillance market where today’s vendor becomes tomorrow’s threat vector.
International Data Sharing Agreements
Despite the AEPD’s aggressive GDPR enforcement (EUR 35.5 million in fines in 2024 alone) and the protection GDPR Article 48 offers against unilateral foreign data demands, Spain participates in extensive international data sharing frameworks that give foreign agencies pathways to data about persons in Spain through processes that often operate outside AEPD oversight.
Mutual Legal Assistance Treaty with the United States
Spain has a bilateral MLAT in force with the United States. The MLAT allows Spanish law enforcement to request data on US persons, and US law enforcement to request data on persons in Spain, through diplomatic channels, with average processing times of around 10 months.[33]
As an EU member, Spain is subject to GDPR Article 48, under which a third-country court order or administrative demand for personal data is recognised only if it is based on an international agreement such as an MLAT or the Council of Europe Cybercrime Convention. Unilateral US law enforcement requests to Spanish companies that bypass such a channel therefore have no legal effect under the GDPR, which provides some protection against extraterritorial data demands. The MLAT itself, however, is a lawful channel for US access to data about persons in Spain.
Fourteen Eyes (SIGINT Seniors Europe)
As a Fourteen Eyes member (described in detail in the Surveillance and Intelligence section above), the CNI shares signals intelligence with Five Eyes partners and other alliance members.[34] Information flows hierarchically: Five Eyes members have access to all Fourteen Eyes intelligence, but Spain as a Fourteen Eyes member has more limited access. The Catalangate affair further demonstrated how intelligence sharing alliances provide no protection against surveillance by partners or third parties using commercial tools outside those frameworks.
EU Law Enforcement Data Sharing Frameworks
Schengen Information System (SIS II): Spain participates in the EU’s largest law enforcement database. Spanish police can query SIS II in real time and contribute alerts visible to law enforcement across all Schengen countries.
European Investigation Order (EIO): Spain participates in the EIO framework, allowing Spanish judges and magistrates to make binding requests to other EU member states for evidence, witness hearings, telephone interceptions, and banking information based on mutual recognition.
Prüm Convention: Spain was an original signatory of the Prüm Convention (2005) and participates in automated DNA, fingerprint, and vehicle registration data comparison across EU member states. The Prüm II Regulation (2024) expands this to include facial images and police records.
EU-US Data Sharing Frameworks
EU-US Umbrella Agreement: Entered into force February 1, 2017, governing personal data exchanged between EU and US law enforcement. Grants Spanish citizens judicial redress rights before US courts.
SWIFT/TFTP Agreement: US Treasury can subpoena SWIFT for financial transaction data, affecting Spanish persons’ international wire transfers, with Europol verification.
PNR Agreements: Spain participates in the EU-US PNR agreement, enabling transfer of passenger data from Spanish air carriers to US CBP. Comprehensive personal data on every passenger on Spain-US flights is shared.
Catalangate and the PEGA Committee Findings
The Catalangate affair also has direct implications for international data sharing. The PEGA Committee’s findings documented that Spain, along with other EU member states, deployed commercial spyware in ways that raised serious rule of law concerns.[32] Spain’s dual role as both user and victim of Pegasus demonstrates a fundamental problem with international surveillance markets: data sharing agreements provide no protection when partner nations or third parties use commercial tools operating entirely outside those frameworks.
Multilateral Frameworks
Interpol I-24/7: Spain participates in Interpol’s global network (195 countries, 100,000+ messages daily) for criminal intelligence sharing.
Egmont Group: The Spanish FIU (SEPBLAC) participates in the Egmont Group network of 164+ Financial Intelligence Units, sharing financial intelligence on money laundering and terrorist financing.
Europol: Spain is a major contributor to Europol data sharing, which includes cooperation agreements with the US FBI (intelligence sharing has recently increased by 30%).
The Privacy Backdoor Effect
Despite aggressive AEPD enforcement (EUR 35.5M in fines in 2024), GDPR Article 48 protections, and Spanish judicial oversight, international data sharing agreements create alternative pathways for accessing Spanish person data:
- Fourteen Eyes Sharing: CNI shares SIGINT with Five Eyes partners; NSA/GCHQ can collect on Spanish persons and share with CNI
- EU Framework Sharing: Spanish person data entered into SIS II, Prüm, or EIO channels becomes accessible to 27 EU member states, and through Europol, potentially to US FBI
- MLAT Bypass: US authorities can request data via MLAT (lawful under GDPR Article 48), potentially with lower evidentiary standards than Spanish judicial warrants
- SWIFT/PNR Dragnet: All international financial transactions and air travel subject to US access
- Commercial Surveillance Market: The Catalangate affair demonstrated that surveillance markets undermine both domestic protections and intelligence alliances
For Spanish persons, this means data nominally protected by GDPR, AEPD enforcement, and GDPR Article 48 can be accessed through Fourteen Eyes intelligence sharing, EU law enforcement frameworks (SIS II, EIO, Prüm, Europol), MLAT channels, SWIFT/TFTP financial surveillance, or commercial spyware markets that operate entirely outside legal frameworks. As the Catalangate affair demonstrated, participation in intelligence alliances and data sharing frameworks provides no protection against surveillance by partners or third parties using commercial tools.
Recent Developments
AEPD Leadership and Strategic Direction (2025)
The appointment of new AEPD leadership in February 2025 marks a potential inflection point for Spanish data protection enforcement. The new strategic plan is expected to increase proactive oversight of artificial intelligence and biometric systems, workplace monitoring technologies, and surveillance systems in educational settings. Given the AEPD’s active enforcement record, EUR 35.5 million in fines in 2024 alone, the new leadership inherits both considerable institutional momentum and a mandate for expansion.[5]
Intelligence Oversight Reform
The intelligence reform pledged after the Catalangate affair, including the promised reform of Organic Law 2/2002 and the replacement of the 1968 Official Secrets Act, has proceeded slowly and remains subject to political negotiation. The PEGA Committee’s 2023 conclusion that Spain had failed to conduct an adequate independent investigation, and its recommendation that Spain “set up an independent, impartial, effective and prompt investigation,” has not yet produced substantive legislative change.[27]
Catalangate Proceedings Continue
As of early 2026, the Catalangate legal saga spans multiple jurisdictions and proceedings. The Barcelona court probe opened in September 2025 represents the most comprehensive judicial effort to date, targeting not only the spyware manufacturers but also former intelligence and law enforcement officials who allegedly authorized or facilitated the surveillance.[22] Meanwhile, the shelving of the National High Court’s inquiry into the PM’s phone, blocked by Israel’s non-cooperation, highlights the jurisdictional limitations that complicate accountability for commercial spyware abuse when the developers operate from states unwilling to assist foreign judicial proceedings.[23]
Cybersecurity and Critical Infrastructure
Spain published draft legislation in early 2025 to implement the EU’s NIS2 Directive (Directive 2022/2555) on cybersecurity, which will repeal and replace Royal Decree-Law 12/2018. A parallel draft law on critical infrastructure resilience will transpose Directive 2022/2557 (the CER Directive), updating obligations for operators of critical entities. Together, these laws will significantly expand cybersecurity reporting requirements and incident notification obligations for Spanish organizations across sectors including energy, transport, healthcare, banking, digital infrastructure, and public administration.[28]
The CCN-CERT plays a central role in Spain’s cybersecurity incident response capacity. Its coordination with the private-sector INCIBE-CERT (operated by the Instituto Nacional de Ciberseguridad) and the military joint cyber command reflects an evolving national cybersecurity architecture that increasingly intersects with data protection obligations, particularly around breach notification timelines and incident documentation requirements under both the GDPR and the forthcoming NIS2 implementing legislation.
Digital Rights in Practice
The LOPDGDD’s right to digital disconnection, now over seven years old, has become an increasingly cited reference point in European labor policy debates. Several other EU member states have introduced or are considering similar provisions: France enacted its own droit à la déconnexion as part of the El Khomri labor reforms, and Belgium, Italy, and Portugal have followed with their own versions. The concept was also discussed during negotiations over the proposed EU directive on platform work. Spain’s early codification of this right, and the AEPD’s enforcement of workplace privacy provisions more broadly, provides a reference point for digital labor rights legislation in Europe.[13]
The LOPDGDD’s right to a digital testament (Art. 96) has also gained relevance as questions of digital inheritance become more pressing. The provision allows individuals to designate a person to manage their digital presence after death, including requesting the deletion of personal data from social media platforms and online services, addressing a gap that most other EU member states have not yet filled through legislation.
AESIA: First EU Dedicated AI Supervision Agency
Spain became the first EU member state to establish a dedicated AI supervision agency when it launched the Agencia Española de Supervisión de Inteligencia Artificial (AESIA). In December 2025, AESIA published 16 guidance documents designed to support organizations in complying with the EU AI Act, covering topics from risk classification to transparency obligations. The guidelines were developed through a regulatory sandbox programme involving 12 high-risk AI systems, giving AESIA practical insight into the compliance challenges facing deployers and providers of AI. Spain’s early-mover status positions it as a reference point for other member states that have yet to designate their own national competent authorities under the AI Act.[35][36]
Classified Information Act (July 2025)
On July 22, 2025, Spain’s Council of Ministers approved a draft Classified Information Act, replacing the Franco-era Ley de Secretos Oficiales of 1968, one of the last surviving legislative relics of the dictatorship. The new law introduces four classification levels and, critically, establishes automatic declassification periods: 45 years for Top Secret material and 35 years for Secret material. The reform was first pledged by Prime Minister Sánchez in May 2022 in the wake of the Catalangate scandal, when the opacity of the existing regime drew intense criticism from civil liberties organizations and the European Parliament’s PEGA Committee.[37]
Organic Law for Protection of Minors in Digital Environments
Approved by the Council of Ministers on March 25, 2025 and currently proceeding through Parliament, this Organic Law would raise the digital age of consent from 14 to 16 years, directly amending the LOPDGDD’s existing threshold. The bill also bans social media access for children under 16 without parental consent and imposes obligations on platforms to implement age verification mechanisms. If enacted, Spain would join a growing number of jurisdictions tightening minor protection online, though privacy advocates have raised concerns about the surveillance implications of mandatory age assurance systems.[38][39]
AI Labelling Bill (March 2025)
On March 11, 2025, Spain advanced a bill imposing mandatory labelling requirements for AI-generated content, with fines ranging from €7.5 million to €35 million for non-compliance. The legislation also prohibits biometric classification systems based on race, political opinion, or religion, aligning with the AI Act’s prohibited practices provisions. AESIA is designated as the enforcement body, consolidating Spain’s AI oversight under a single institutional roof.[40]
NSO Group Executives Formally Indicted (March 2025)
On March 3, 2025, a Barcelona court issued what is believed to be the first worldwide criminal indictment of NSO Group executives in connection with the Catalangate affair. Former CEO Shalev Hulio, co-founder Omri Lavie, and executive Yuval Somekh were formally charged by the investigating magistrate. The indictment marks a significant escalation from the November 2024 criminal complaints and the September 2025 Barcelona court probe discussed above, establishing direct personal criminal liability for spyware company leadership over the deployment of their products against political targets.[41][42]
First EU DPA Fine for AI-Generated Deepfakes (November 2025)
On November 6, 2025, the AEPD issued what is believed to be the first fine by any EU data protection authority for AI-generated deepfake content. A minor was sanctioned with a €2,000 fine (reduced to €1,200) for creating AI-generated nude images of another minor. The case establishes that the creation of non-consensual AI-generated intimate imagery constitutes a data protection violation, and signals that existing GDPR frameworks can be applied to deepfake harms without requiring new legislation.[43]
Chat Control: Spain Backs Mandatory Scanning
Spain has been among 15 EU member states supporting the controversial “chat control” proposal, which would require messaging platforms to scan private communications for child sexual abuse material. The EU Council reached a compromise position on November 26, 2025, though the proposal continues to face opposition from privacy advocates, end-to-end encryption proponents, and several member states. Spain’s support for mandatory scanning contrasts with its strong domestic data protection enforcement, reflecting the persistent tension between child safety objectives and communications privacy.[44]
DSA Enforcement Stalled
Despite the EU Digital Services Act’s February 2024 full applicability deadline, Spain’s implementation has stalled. The CNMC (Comisión Nacional de los Mercados y la Competencia) was designated as the Digital Services Coordinator but lacks formal enforcement powers because Parliament has not passed the necessary enabling legislation. More than 20 civil society organizations have petitioned Parliament to act, warning that the absence of a functioning DSA enforcement framework leaves Spanish users without the platform accountability mechanisms the regulation was designed to provide.[45]
AEPD 2025–2030 Strategic Plan
The AEPD published its 2025–2030 Strategic Plan, setting out 6 strategic priorities, 45 objectives, and more than 200 individual measures. The plan reflects the authority’s expanding mandate across AI governance, children’s digital rights, biometric systems, and cross-border enforcement coordination, and signals an intent to maintain Spain’s position as one of the EU’s most active data protection enforcers.[46]
AEPD Generative AI Guidance Series (November 2025 – January 2026)
Between November 2025 and January 2026, the AEPD published a series of five guidance documents on generative AI, covering data protection impact assessments for GenAI systems, lawful bases for training data, transparency obligations, the right to erasure in the context of large language models, and risk management for GenAI deployment. The series represents one of the most comprehensive national DPA guidance efforts on generative AI in the EU to date.[47]
NIS2 Transposition: Infringement Proceedings
On May 7, 2025, the European Commission issued a reasoned opinion to Spain for failure to transpose the NIS2 Directive by the October 2024 deadline. Spain’s draft cybersecurity legislation remains in parliamentary process, and the Comisión Nacional de Ciberseguridad (CNC), the body intended to serve as the national cybersecurity coordination authority, has not yet been formally established. The infringement proceedings add external pressure to a transposition process already complicated by political fragmentation in the Spanish Parliament.[48]
W3C Verifiable Credentials Age Verification Pilot
Spain is one of five EU pilot countries participating in a W3C Verifiable Credentials-based age verification initiative, which aims to develop privacy-preserving digital credentials that can prove a user’s age without revealing their full identity. The pilot aligns with the AEPD’s longstanding advocacy for data-minimizing age assurance systems and the broader EU digital identity framework under the eIDAS 2.0 Regulation.[49]
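The data-minimizing age assurance that the minors bill (above) and this pilot call for, as an added illustration that is not the pilot's, the W3C's or the AEPD's code: the issuer salt-commits each claim SD-JWT-style and signs only the digests, so the holder can reveal an "over 16" predicate while name and birth date stay hidden, and the verifier rejects any disclosure the signature does not cover. The issuer key, claim names and holder record are constructed, and HMAC stands in for the public-key signature a real Verifiable Credential would carry.

```python
import hashlib
import hmac
import json
import secrets
from datetime import date

# Constructed issuer key: stand-in for a real issuer's signing key. A real
# credential carries a public-key signature; HMAC keeps this standard-library only.
ISSUER_KEY = b"example-issuer-key-not-real"
AGE_THRESHOLD = 16  # digital age of consent proposed in the 2025 minors bill


def is_over_threshold(birth_date: date, today: date, threshold: int = AGE_THRESHOLD) -> bool:
    """Issuer-side predicate: True once the holder has had their `threshold`th birthday."""
    age = today.year - birth_date.year - ((today.month, today.day) < (birth_date.month, birth_date.day))
    return age >= threshold


def _digest(salt: str, name: str, value) -> str:
    """SD-JWT-style commitment: SHA-256 over (salt, claim name, claim value)."""
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()


def issue_credential(holder: dict, today: date) -> tuple[dict, list]:
    """Issuer: derive the age predicate, salt-commit every claim and sign only the
    digests. Returns (credential, disclosures); the disclosures stay with the holder."""
    claims = dict(holder)
    claims["age_over_16"] = is_over_threshold(date.fromisoformat(holder["birth_date"]), today)
    disclosures = [(secrets.token_hex(16), n, v) for n, v in claims.items()]
    digests = sorted(_digest(*d) for d in disclosures)
    body = json.dumps({"issuer": "example-issuer", "digests": digests}, sort_keys=True)
    sig = hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "signature": sig}, disclosures


def present(disclosures: list, reveal: set) -> list:
    """Holder: hand over only the disclosures the verifier needs (data minimization)."""
    return [d for d in disclosures if d[1] in reveal]


def verify(credential: dict, revealed: list) -> dict:
    """Verifier: check the issuer signature, then that each revealed claim is
    committed in the signed body. Returns exactly the claims it learned, no more."""
    expected = hmac.new(ISSUER_KEY, credential["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, credential["signature"]):
        raise ValueError("issuer signature invalid")
    digests = set(json.loads(credential["body"])["digests"])
    learned = {}
    for salt, name, value in revealed:
        if _digest(salt, name, value) not in digests:
            raise ValueError(f"disclosure {name!r} not covered by the signature")
        learned[name] = value
    return learned


def age_gate(credential: dict, revealed: list) -> bool:
    """Platform gate: admit only if the issuer-attested age_over_16 claim is True."""
    return verify(credential, revealed).get("age_over_16") is True
```

The verifier ends up holding only `{"age_over_16": True}`; a flipped predicate or a disclosure the issuer never signed fails the digest check.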
Neurorights and Neurodata Protection
The AEPD and the European Data Protection Supervisor (EDPS) published a joint report on the data protection implications of neurodata, data derived from brain-computer interfaces and neuroimaging technologies. Separately, the autonomous community of Cantabria is advancing what would be the first European neurorights law, establishing protections for cognitive liberty, mental privacy, and the integrity of neural data. Spain’s engagement on both the regulatory and legislative fronts positions it alongside Chile as one of the early movers on neurotechnology governance.[50]
Digital Governance Law (DSA/EMFA Implementation)
On February 25, 2025, the Spanish government presented a draft Digital Governance Law intended to implement both the Digital Services Act and the European Media Freedom Act (EMFA) into national law. The bill would establish the institutional framework for DSA enforcement and media freedom protections. However, as of February 2026, the legislation has stalled in Parliament, contributing to the enforcement gap described above and leaving Spain without a complete domestic framework for EU digital platform regulation.[51]
