Security measures: an undertaking of means, not of result

Author: Lluis Sabaté   /  15 March 2022

Last May, the Supreme Court admitted a cassation appeal to determine whether data protection is an undertaking of means or of result, with special focus on the undertakings laid out in relation to the necessary implementation of security measures to keep data protected against external attacks or fortuitous losses.

The ruling of the National Court had established that it was an obligation of result, whereby the necessary measures must be taken to prevent the data from being lost, misplaced or ending up in the hands of third parties. The Court required an adequate and reasonable explanation of how such personal data could end up in a place where third parties could retrieve them, holding that merely proving that a series of measures had been taken was insufficient.

In the appeal filed before the Administrative Chamber of the Supreme Court, it was argued that this obligation of result contradicts current legislation and case law, which establish an obligation of means: the party bound by data protection rules must design and implement a set of security measures, and if it complies with them it will not be sanctioned, even if a fortuitous event or an unforeseeable occurrence causes a security breach that it could not have avoided even by applying more stringent measures.

The Supreme Court issued its ruling on 15 February 2022, holding that this is an obligation of means, on the grounds that “the obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, which would imply that if personal data are leaked to a third party, there is liability regardless of the measures adopted and the activity carried out by the data controller”.

The difference lies in the liability that arises in each case: under an obligation of result there is liability for a harmful outcome caused by a failure of the security system, whatever the cause and whatever diligence was used, whereas under an obligation of means it is sufficient to establish technically adequate measures, implement them and use them with reasonable diligence.

The Court added that “in the latter, the adequacy of the security measures that the data controller must establish must be assessed in relation to the state of technology at any given time and the level of protection required in relation to the personal data processed, but no result is guaranteed”.

Furthermore, the ruling of the Supreme Court addresses three very important issues that will have to be taken into account when adopting the necessary measures:

Effective design and implementation

Simply designing the necessary technical and organisational measures will not suffice. They must also be implemented and used properly, meaning that the data controller will also be held accountable for any lack of diligence in their use.

Responsibilities of the data processor

The data processor must adopt the technical and organisational measures necessary to guarantee the security of personal data, regardless of whether the system is supplied in its entirety by the data controller. The data processor must also evaluate the measures provided or imposed by the data controller, detect whether the system fails to incorporate the appropriate measures and, if so, refrain from using it or seek or recommend alternatives.

Validation systems

Finally, the ruling notes the need to implement a double opt-in system (confirmation of email addresses, phone numbers, etc.) as a means of verifying that the information collected is correct and valid; otherwise the security measures would in effect be breached under the terms the regulation sets for the obligation of means.
