2019-11-05

Royal Decree-Law 14/2019 on Urgent Measures for Public Security in Digital Administration, Public Contracting, and Telecommunications

The Spanish State issued Royal Decree-Law 14/2019 to adopt urgent public security measures regarding digital administration, public contracting, and telecommunications. The decree mandates that sensitive personal data and electronic identification systems be located within the EU or Spain, restricts the use of distributed ledger technologies for identification, and imposes strict data protection obligations on public contractors. It also significantly expands the government's powers to intervene in telecommunications networks and impose sanctions to protect public order and national security.


Spain

Comision Nacional del Mercado de Valores


OFFICIAL STATE BULLETIN No. 266 Tuesday, November 5, 2019 Sec. I. Page 121755 I. GENERAL PROVISIONS HEAD OF STATE 15790 Royal Decree-Law 14/2019, of October 31, adopting urgent measures for reasons of public security in matters of digital administration, public sector contracting, and telecommunications. I Current society requires adaptations in the digital sphere that demand translation into the normative plane. The development and use of new technologies and communication networks by Public Administrations is accelerating. This requires establishing without delay a legal framework that guarantees the general interest and, in particular, public security, ensuring the adequate provision of public services and, at the same time, that digital administration is used for legitimate purposes that do not compromise the rights and freedoms of citizens. The strategic nature for public security of the matters regulated in this royal decree-law is supported by Law 36/2015, of September 28, on National Security, which describes the risks associated with new technologies as one of the main challenges of current society. The National Security Strategy 2017, approved by Royal Decree 1008/2017, of December 1, identifies cyber threats and espionage as threats that compromise or undermine national security and, in coherence with this, singles out cybersecurity as one of its priority areas of action. Technological development implies greater exposure to new threats, especially those associated with cyberspace, such as data and information theft, hacking of mobile devices and industrial systems, or cyberattacks against critical infrastructures. Current hyperconnectivity exacerbates some of the vulnerabilities of public security and requires better protection of networks and systems, as well as the privacy and digital rights of the citizen. 
Among the main challenges that new technologies pose from the point of view of public security are disinformation activities, interference in citizens' political participation processes, and espionage. These activities benefit from the possibilities offered by computer sophistication to access huge volumes of information and sensitive data. At this point, the digital transformation process of the Administration, already very advanced, plays a decisive role. E-government sharpens the dependence on information technologies and extends the possible attack surface, increasing the risk of using cyberspace for the commission of illegal activities that impact public security and the privacy of citizens. The recent and serious events that have occurred in part of Spanish territory have highlighted the need to modify the current legislative framework to address the situation. Such events demand an immediate response to prevent the reproduction of events of this nature by establishing a preventive framework for this purpose, whose ultimate objective is to protect constitutionally recognized rights and freedoms and guarantee public security for all citizens. This royal decree-law aims to regulate this normative framework, which includes urgent measures regarding the national identity document; electronic identification before Public Administrations; data held by Public Administrations; public contracting; and the telecommunications sector. cve: BOE-A-2019-15790 Verifiable at http://www.boe.es

II This royal decree-law consists of an explanatory part and an operative part structured as follows: Chapter I (Articles 1 and 2), Chapter II (Articles 3 and 4), Chapter III (Article 5), Chapter IV (Article 6), Chapter V (Article 7), an additional provision, three transitional provisions, and three final provisions. Chapter I contemplates two measures regarding the national identity document, aimed at configuring the National Identity Document, on an exclusive and exclusionary basis, as the only document with sufficient value on its own to accredit, for all purposes, the identity and personal data of its holder. For this purpose, Article 1 of this royal decree-law modifies Article 8.1 of Organic Law 4/2015, of March 30, on the protection of citizen security. In coherence with this, Article 2 of the royal decree-law modifies the regulation of the electronic National Identity Document set out in Article 15.1 of Law 59/2003, of December 19, on electronic signature. Chapter II of this royal decree-law, which contains Articles 3 and 4, establishes several measures regarding electronic identification before Public Administrations, the location of certain databases, and data ceded to other Public Administrations. The purpose of these measures is to guarantee public security, both in relations between different Public Administrations when they process personal data, and between citizens and Public Administrations when the latter proceed to collect, process, and store personal data in the exercise of a public function. Article 3 of this royal decree-law modifies Articles 9 and 10 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, while introducing a new sixth additional provision to the same. The modification of letter a) of paragraph 2 of Articles 9 and 10 responds to the need to adapt their contents to Regulation (EU) No. 
910/2014 of the European Parliament and of the Council, of July 23, 2014, on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, known as the eIDAS Regulation, which establishes a common legal framework for electronic identification and signatures in the European Union. The modification of letter c) of paragraph 2 of Articles 9 and 10 aims to guarantee public security regarding the use of electronic identification and signature systems by interested parties when carried out with a concerted key or through any other system that has a prior registration as a user that allows guaranteeing their identity and that Public Administrations consider valid. Thus, in the words of the Constitutional Court itself expressed in Judgment 55/2018, of May 24, the possibility is maintained that "each administration designs its own electronic identification systems or admits those issued by other public or private entities and, with this, that these are more or less complex according to their preferences and the relevance or characteristics of the corresponding procedure or service." However, to guarantee public security, an exclusive competence of the State as provided in Article 1.1 of Organic Law 2/1986, of March 13, on Forces and Security Corps, the modification subjects systems other than the electronic certificate and seal to a regime of prior authorization by the General State Administration. The sole object of such authorization will be to verify whether the system technologically validated by the Administration or Public Body in question can or cannot produce effects or risks to public security, so that, if so and only in this case, the State Administration will deny such authorization based on these public security considerations. 
In the same line, the new paragraph 3, which is added to both Article 9 and Article 10 of Law 39/2015, of October 1, establishes the obligation that, regarding the systems provided for in letter c) of paragraph 2 of Articles 9 and 10, the technical resources necessary for the collection, storage, processing, and management of such systems must be located in the territory of the European Union, and in Spanish territory in the case of special categories of data referred to in Article 9 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC. Except for the exceptions introduced in the law, these data may not be transferred to a third country or international organization and, in any case, must be available for access by competent judicial and administrative authorities. Finally, Article 3 of this royal decree-law incorporates a sixth additional provision to Law 39/2015, of October 1, which provides that in the relations of interested parties with Public Administrations, identification systems based on distributed ledger technologies and signature systems based on the aforementioned will not be admissible in any case and, therefore, cannot be authorized, as long as they are not subject to specific regulation by the State within the framework of European Union Law. Furthermore, the new sixth additional provision establishes that any identification system based on distributed ledger technology that state legislation provides for must contemplate that the General State Administration will act as an intermediate authority that will exercise the corresponding functions to guarantee public security. The restrictions imposed on identification and signature systems based on distributed ledger technologies in no case constitute a general prohibition. 
The use of these systems as identification and signature systems for interested parties when they interact with the Administration is simply restricted, in a specific and merely provisional manner, until there is more data or an ad hoc regulatory framework of a state or European nature that addresses the weaknesses implied by their use for data and public security. The lack of an ad hoc regulatory framework on these new technologies justifies that, on an urgent basis and in exercise of its competence to issue basic legislation, the State intervenes in the matter on a provisional basis until progress is made within the European Union in the treatment of this type of technology. Article 4 of this royal decree-law modifies Law 40/2015, of October 1, on the Legal Regime of the Public Sector, introducing a new Article 46 bis and giving a new wording to Article 155. On the one hand, Article 46 bis requires that, for reasons of public security, information and communication systems for the collection, storage, processing, and management of the electoral census, municipal registers of inhabitants, and other population registers, tax data related to own or ceded taxes, and data of users of the national health system, as well as the corresponding processing of personal data, must be located and provided within the territory of the European Union. It also establishes that they may only be ceded to third countries when these comply with sufficient guarantees that allow them to have been the subject of an adequacy decision by the European Commission, or when this is required by the fulfillment of international obligations assumed by the Kingdom of Spain. On the other hand, the purpose of the modification of Article 155 is to allow greater control of data ceded between Public Administrations, for the purpose of guaranteeing their adequate use. 
Exceptionally, the General State Administration may, on a precautionary basis, suspend the transmission of data for reasons of national security for the time strictly indispensable for its preservation. The lawfulness of the processing of personal data for purposes other than the initial purposes is determined by the circumstance that they are compatible purposes. In the case of incompatible purposes, Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, prohibits their processing. Nevertheless, the Regulation itself declares certain purposes that it considers compatible: further processing of personal data for archiving purposes in the public interest, scientific and historical research purposes, or statistical purposes. In this sense, in the event that the data controller (the assignee), after analyzing compatibility according to the criteria of Article 6.4 of the aforementioned Regulation, considers it compatible, the provision introduces the additional obligation to consult the assigning administration. The General State Administration may object, stating its reasons, and suspend for reasons of national security. Chapter III of this royal decree-law regulates several measures regarding public contracting, all aimed at strengthening compliance with data protection legislation and the protection of public security in this area. Public sector contractors sometimes handle, for the execution of the respective contracts, a huge volume of personal data, whose improper use can, in turn, pose risks to public security. Therefore, it is necessary to ensure by regulation that they are subject to certain specific obligations that guarantee both compliance with data protection legislation and the protection of public security. 
The royal decree-law modifies Law 9/2017, of November 8, on Public Sector Contracts, which transposes into the Spanish legal order Directives 2014/23/EU and 2014/24/EU of the European Parliament and of the Council, of February 26, 2014, with the aim of introducing measures that guarantee in all phases of contracting (contract file, tender, and contract execution) respect by contractors and subcontractors for European Union legislation on data protection. These modifications are coherent with what is provided in Article 6 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, which, regarding data processing necessary for the fulfillment of a legal obligation or a mission carried out in the public interest or in the exercise of public powers, allows Member States to maintain or introduce specific provisions to set the specific requirements of the processing and other measures that guarantee lawful and fair treatment. Thus, first, this royal decree-law modifies Article 35 of Law 9/2017, of November 8, to include, as minimum content of contracts, the express reference to submission to national and European Union legislation on data protection. Secondly, and regarding the regime of invalidity of contracts, a sub-paragraph is added to Article 39.2 of Law 9/2017, of November 8, to include, as a cause of absolute nullity, the celebration of contracts by contracting authorities that omit to mention in the tender documents the obligations of the future contractor regarding data protection referred to in the new Article 122.2 of Law 9/2017, in the wording given to said provision by this royal decree-law. The application in this case of the maximum legal consequence contemplated by our legal order, that is, absolute nullity, has been considered appropriate once the opportunity of its incorporation into public sector contracting legislation has been weighed (following Opinion No. 
116/2015 of the Council of State), given the importance that in certain cases it may present for national security interests to know the location of the servers where the data ceded by the Administration in the execution of a public contract will be hosted, from where the associated services will be provided, and to ensure the submission of the execution of that contract to national and European Union legislation on data protection. Thirdly, and in the context of the regulation of requirements to contract with the public sector, Article 116.1 of Law 9/2017, of November 8, is modified to include, as a circumstance that will prevent entrepreneurs from contracting with the entities included in Article 3 of said Law, having led to the firm resolution of any contract celebrated with one of such entities due to culpable breach of the obligations that the tender documents qualified as essential according to what is provided in Art. 211.1.f) of the Law itself.

Fourthly, a new wording is given to Article 116.1 of Law 9/2017, of November 8, introducing a second paragraph regarding the contract file of contracts whose execution requires the cession of data by public sector entities to the contractor. By virtue of this modification, the obligation of the contracting body to specify in the file what the purpose of the data to be ceded will be is included. Fifthly, a new wording is given to Article 122.2 of Law 9/2017, of November 8, regarding the special administrative clauses. Specifically, a third paragraph is added to this paragraph to include the obligation of the tender documents to expressly mention the obligation of the future contractor to respect the current legislation on data protection. Likewise, a fourth paragraph is added regarding contracts that require the contractor to process personal data on behalf of the data controller, indicating that in these cases it will be mandatory to state in the tender documents both the purpose of the data cession and the obligation of the winning company to keep the contractor informed of the location of the corresponding servers. A fifth paragraph is also added to establish that the matters mentioned in the fourth paragraph must be stated in the tender documents as essential obligations for the purposes of the contract resolution regime. Sixthly, this royal decree-law gives a new wording to Article 202.1 of Law 9/2017, of November 8, regulating the special conditions of execution of contracts of a social, ethical, environmental, or other nature. Specifically, a third paragraph is introduced regarding the tender documents corresponding to contracts whose execution implies the cession of data by public sector entities to the contractor. 
Through this addition, the requirement is imposed that the tender documents include, as a special condition of execution, the obligation of the contractor to submit to national and European Union legislation on data protection. Likewise, the tender documents must warn the contractor that this obligation has the character of an essential contractual obligation for the purposes of the contract resolution regime. Seventhly, Article 5 of the royal decree-law gives a new wording to Article 215.4 of Law 9/2017, regarding subcontracting, to include, among the obligations of the main contractor, the assumption of total responsibility for the execution of the contract before the Administration also with regard to the obligation of submission to national and European Union legislation on data protection. Chapter IV of this royal decree-law regulates several measures to reinforce security in telecommunications. Thus, Article 6 of this norm undertakes five modifications of Law 9/2014, of May 9, General on Telecommunications, with the objective of enhancing the powers available to the Government, through the Ministry of Economy and Enterprise, to address situations that may affect the maintenance of public order, public security, or national security. Thus, specifically, Articles 4.6 and 6.3 of Law 9/2014, of May 9, are modified to reinforce the powers of the Ministry of Economy and Enterprise to carry out greater control and to improve its possibilities of action when the commission of a presumed infringing act through the use of electronic communications networks and services may constitute a serious and immediate threat to public order, public security, or national security or when in certain exceptional circumstances that may also compromise public order, public security, and national security, the assumption of direct management or intervention of electronic communications networks and services is necessary. 
These greater possibilities of action recognized are not limited in their application to a strict concept of a network or an electronic communications service, but extend their efficacy to the elements that necessarily accompany the installation or deployment of a network or the provision of an electronic communications service, such as infrastructures capable of hosting public electronic communications networks, their associated resources, or any element or level of the network or service that is necessary to preserve or restore public order, public security, and national security. In necessary correlation with this reinforcement of public functions in these exceptional situations, the sanctioning power of the Ministry of Economy and Enterprise is also enhanced with the objective of making effective and real the actions that it may adopt in the use of these new powers of action aimed at preserving or restoring public order, public security, and national security. For this purpose, this royal decree-law gives a new wording to Articles 76.15, 77.28, and 81.1 of Law 9/2014, of May 9. In particular, the circumstances in which the Ministry of Economy and Enterprise may adopt precautionary measures in cases of imperative urgency without prior hearing of the presumed infringer are expanded, which may