Digital Censorship in Spain: Closing Websites by Decree

The Royal Decree-Law 14/2019 of 31 October could limit online freedoms in Spain and is another regulation approved in reaction to a very specific situation, without a comprehensive analysis of all the areas it will affect.

Just like in the ongoing debate on encryption and the fight against crime, the Spanish government is justifying new powers to control cyberspace by emphasizing new threats such as data and information theft, hacking, and cyber-attacks against critical infrastructure.

Vague threats being used to justify more regulation

The vague statement citing "recent and serious events that have occurred in part of the Spanish territory" is being used to justify the state assuming a wide range of powers, which affect both public and private spheres. The problem is that these are intended to be permanent, they seriously affect citizens' rights, and are not even limited to the territory for which this amendment was made as an urgent measure.

There are two main areas that the state administration has assumed the control of: the optical fibre network that the regional administration of Catalonia has extended throughout Catalonia, and IdentiCAT, a self-sovereign digital identity (SSIs) system for citizens.

In the first area, it is surprising that the existing authorization included in the General Telecommunications Law was deemed insufficient and in need of urgent modification. The use of vague terms in the new legislation such as "public order", "public security" or "national security" creates an unacceptable framework of legal insecurity. We are talking about powers which, as the text itself points out, not only cover an electronic communications network or service, but also extend to the elements that necessarily accompany the installation of a network or the provision of an electronic communications service, such as the infrastructure that can host public electronic communication networks, their associated resources or any element or level of the network or service.

Ministry gives itself powers to bypass normal procedure

The new law also outlines a series of situations in which the Ministry of Economy and Business can adopt preventive measures without a hearing, again, citing vague threats to public order and public security. These measures could affect multiple citizens' rights and would be assumed directly by the state administration without any subsequent judicial control, which proves the introduction of this authorisation is, once again, highly debatable if it is approved as a decree-law.

With regard to the new models of digital identity based on blockchain, the Law specifically establishes that identification systems based on these distributed registration technologies and signature systems based on them will not be admissible under any circumstances and, therefore, cannot be authorized, so long as they are not subject to specific regulation by the state within the EU legal framework. Additionally, they reserve a supervising position for the state administration as an intermediate authority when such a regulation already exists.

The problem is that, in fact, multiple regulations are already applicable to these identification systems, starting with the European system of recognition of electronic identities (or eIDAS), or, for example, regulations such as those aimed at protecting personal data.

Authorities' justifications for law are shaky at best

As was the case in the Ruling 55/2018 of the Constitutional Court, the legitimacy of this interference in the sphere of the self-organisation powers of an autonomous administration is arguable, especially when it includes an important additional obligation, such as being an intermediate authority for these systems in the future.

Although the decree-law was drafted with the Catalan project in mind, other territories are also considering developing similar solutions, and we aren´t speaking about a technology designed to carry out illegal actions. The reports of the EU Blockchain Observatory mention these technologies of self-sovereign identity as mechanisms that allow users to control not only their identifier, but also all the information that is associated to it.

A prohibition that will affect the development of a neutral and useful technology, justified by an alleged lack of regulation is unacceptable, especially if it has been approved by an urgent decree-law.

While authorities justify the law by saying that is impossible to reacting in time due to the dissolution of the Chambers, or the need to respond, there are a series of proposed modifications regarding norms that have already been in force for years in some cases, or which are unnecessary in other cases, as well as new authorizations that could end up violating fundamental rights.

We cannot analyse this law only from the perspective of an autonomous community and a specific situation in time. The statements made regarding its objective are not the most important thing here, as its scope of application is not limited to this situation, and in the end, it constitutes a major interference in citizens' rights.

*This text was originally published in Rights International Spain's blog.