The new Spanish “Law of Information Society Services and Electronic Commerce” (LSSI)

The new Spanish “Law of Information Society Services and Electronic Commerce” (LSSI)

On October 12, 2002, The Spanish “Law of Information Society Services and Electronic Commerce” (Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico (“LSSI”) (PDF) entered into force after its enactment by the Spanish Parliament on June 27, 2002. The LSSI is the implementation into Spanish law of the European Union Directive on electronic commerce (Dir. 2000/31/EC) and some of the provisions of the European Directive on Privacy and Electronic Communications (Dir. 2002/58/EC).

Contents of the LSSI

The new Spanish law applies to every Web site located in Spain that engages in commerce, stating that those Web sites now have to register with the government. If a Web site is not engaged in commerce but derives some income (even with a loss) from the operation of the Web site, its webmaster still has to publish his name, address and national identification number. Violators may be fined up to EUR 600,000 for non-compliance. The statute also compels Internet service and access providers to retain customer and traffic data for up to one year, which government agents will then be able to access with a judge’s order. Free speech activists successfully altered previous language of the LSSI draft that would have only required action by the government’s administrative authorities-instead of a judge-to shut down a Web site.

How is the LSSI a threat to fundamental rights?

The new law has drawn much criticism among human rights activists and small Web site owners around the world over its impact on the right to privacy and data protection, online free speech, the presumption of innocence, the right to confidentiality of communications, and the right to anonymous speech, as these rights are protected by international human rights conventions.

The data retention provision is of particular concern since it compels Internet service providers and telephone companies to retain all their customers’ traffic and location data for up to a year. The industry is concerned about these new requirements because of their excessive cost and privacy implications.

New registration and identification requirements may in some cases stifle the right to anonymous speech and could be used as a tool of indirect censorship, especially in the case of small and independent web site owners with views and interests running against the government.

NGOs’ Campaigns against the LSSI

Kriptopolis’ campaigns

Kriptopolis, a member of the Global Internet Liberty Campaign (GILC), has claimed that the law has serious implications for free speech on the Internet. It asserts that the LSSI “constitutes the biggest attack against free speech on the Internet since the enactment of the American Communications Decency Act of 1996.” After shutting down its heavily-visited Web site on October 1, 2002, several Web site owners spontaneously decided to follow their lead and shut down their own Web sites, either on a open-ended basis to protest against the law, or for good, out of fear of how the law could be applied to them in the future to silence dissenting views and political opponents. More than 350 Web sites have shut down in a matter of days (updated list).

Last July, Kriptopolis led a campaign to have the LSSI reviewed by the Spanish Constitutional Council before it entered into force, claiming that the LSSI violated the Constitution’s principles of presumption of innocence, freedom of speech and confidentiality of communications (Spanish Constitution, articles 18, 20, and 24) (Press coverage). The Constitutional Court can decide on a motion for review of constitutionality only if 50 Members of Parliament, 50 senators, the president, the “Defensor del Pueblo” (The People’s Defender), or the executive or legislative bodies of Spain’s Autonomous Communities seize the Court. More than 4,400 people urged the Constitutional Court’s intervention after Kriptopolis encouraged its readers to write to their representatives. On October 2, 2002, the Defensor del Pueblo’s resolution denied the request (more details). The LSSI became effective ten days later.

Stop1984‘s campaign (launched on November 4, 2002) (More information)

Periodista digital‘s campaign (launched in November 4, 2002)

La nueva Ley de Internet del Gobierno Aznar supone una amenaza letal para la libertad de prensa en España. Contiene artículos que son ìleyes en blancoî que permiten una total arbitrariedad en su aplicación y parece diseñada para proteger los intereses de los grandes grupos de comunicación e impedir el nacimiento, desarrollo y supervivencia de cualquier forma de periodismo que no se ajuste al ìpensamiento únicoî (…).

“The new Internet law of Aznar’s government [the LSSI] presents a lethal threat for the freedom of the press in Spain. It contains legal provisions that give carte blanche to the government, allowing total arbitrariness and seemingly designed to protect big communications companies’ interests and prevent the birth, development and survival of forms of journalism that do not conform to mainstream thought” (…). (more details)



International Conventions on Fundamental Rights protecting the freedom of speech, the right to privacy and data protection, the confidentiality of communications, the presumption of innocence and the right to anonymous speech:

  • Articles 6, 8, 9 and 10 of the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (1950). Explanations/summary also available.
  • Articles 7, 8, 10, 11 and 48 of the Charter of Fundamental Rights of the European Union. PDF documents available: [English] [français]
  • Articles 11, 12, 18 and 19 of the Universal Declaration of Human Rights (1948): [English] [español]

LSSI’s most controversial provisions

  • 1. Data retention requirements of 1 year

    Network operators and telecommunications network access providers offering information society services must retain customers’ traffic data for a period of one year. Data is to be “stored automatically,” to remain “confidential”, and to be used only in cases where “it may become necessary to put it at the disposal of judicial or police authorities within the framework of a criminal investigation resulting from the commission of a crime involving information society services. Such data could include “the data necessary to locate the user’s terminal equipment utilized to transmit information” (Article 12).

    For the government to compel ISPs and telecommunications companies to retain all their customers’ e-mails traffic information, telephone calls, mobile phone location data, Internet browsing, etc. (not including the contents of communications) for up to one year in a preventive and systematic manner, violates the presumption that everyone is innocent until proven guilty, may stifle freedom of speech, and constitutes a serious intrusion to the right to privacy and data protection protected by international human rights conventions. (More details.)

  • 2. Identification and registration requirements may in some cases stifle web site publishers’ right to free and anonymous speech

    Providers of “information society services” (defined as the services normally provided at a cost, but not necessarily paid for by their addressees if they constitute an economic activity for their providers) have to notify their name or domain name in a commercial registry and publish contact information on their Web site. The law applies to all providers of information society services established in Spain or to the ones that offer their services through a permanent establishment located in Spain (Articles 2, 3, 4, 5, 9 and 10).

    Providers of information that do not have other commercial endeavors than, e.g., putting banner ads on their web sites, could still fall within the scope of the LSSI, and be compelled, as a result, to register. To compel those providers to identify themselves to the government could stifle speech and encourage self-censorship, especially if those information providers have dissenting ideas and views that run against the government’s interests. The Spanish law should therefore not be applied in a way that allows the government to use its registration requirement as a tool of indirect censorship.

Outline of the main provisions of the LSSI.

Comments on the LSSI:

Civil Society

  • Kriptopolis (Digital rights and Internet security web site)
    The LSSI “is a huge blow to freedom of expression in Spain.” It constitutes the biggest attack against free speech on the Internet since the enactment of the American Communications Decency Act of 1996” (The U.S. Supreme Court struck the CDA in 1997 for violating the Constitution’s First Amendment’s guarantee of freedom of speech. The law regulates the Internet much more broadly than what the limited scope of the European directive allows: it regulates speech within the framework of an e-commerce law and treats information as merchandise. The effect of the regulation is to restrict more speech than necessary instead of only focusing on commercial activities, while the preventive and extensive data retention regime is in violation of the principles of confidentiality of communications and presumption of innocence. Kriptopolis fears that Web site owners will try to censor themselves from now on in order to avoid attracting government attention and heavy fines. “Some of us among independent Web site publishers are definitely closing Weblogs, forums and mailing lists, in order to avoid being held responsible for other people’s opinions. . . [t]he true purpose of this statute is to control Web contents and force editors to self-censure.” (more comments)
  • Carlos Sánchez Almeida and Javier Maestre (Kriptopolis’ lawyers), La LSSI del 8 de febrero.
  • Spanish Internet Users Association (Asociación de Usuarios de Internet), La LSSI no se puede cumplir, según AUI, El País, October 17, 2002.
  • Miguel Pérez Subías (President of the “Asociación de Usuarios de Internet”(Internet Users Association)), LSSI-CE: ¿La ley de Internet o Internet y la ley?
  • Víctor Domingo (President of the “Asociación de Internautas” (Internauts Association), Proyecto de Ley de Comercio Electrónico; la ley del debate.
  • Prof. Manuel Castells, La experiencia española de regulación de Internet.
  • Computer Engineers Association, Una Ley, Siete Riesgos, February 2, 2002.
  • Various organizations, digital rights activists, and online publications and communities have organized a resistance to the LSSI:

    Maky Press

    Plataforma internauta

    Arturo Quirantes’s home page

    Liberta en Red

    Libertad Digital

    – Hackmeeting

    Barcelona Independent Media Center

Spanish Government

  • “La nueva Ley va a proporcionar una mayor seguridad jurídica y confianza a usuarios y prestadores de servicios, con el fin de promover la utilización de Internet y de otros servicios interactivos.
    El texto tiene como objetivo impulsar el desarrollo del comercio electrónico y el pleno aprovechamiento por parte de los ciudadanos y empresas de las ventajas de la Sociedad de la Información (…).”

“The new Law is going to provide greater legal certainty and trust for users and service providers, with the purpose of promoting the use of the Internet and other interactive services. The text’s objective is to foster the development of electronic commerce and rally citizens and companies’ support for the advantages of the Information Society (…).”

Spanish Ministry of Science and Technology, Explanations of the LSSI, October 2002.

“The government contends that the purpose of the new law is (…) to make the Internet a safer space to do business by subjecting online companies to the same tax and commerce laws as conventional corporations. It [also] feels that the protests are unnecessary and hasty as details on how the law will be applied are still being worked out.”

New e-commerce law has prompted protest,, October 29, 2002.

Spanish Data Protection Authority

  • Juan Manuel Fernández López (Director de la Agencia de Protección de Datos), Notas sobre la LSSI.


  • “Las empresas del sector consideran que las condiciones en las que, según la citada enmienda, debe realizarse la retención no evitan el grave peligro que estas actuaciones suponen para el secreto y la inviolabilidad de las communicaciones electrónicas, el derecho de intimidad de los usuarios, la protección de los datos personales, el principio de no supervision de los contenidos, etc., sin olvidar, que este tipo de disposiciones pueden ir en contra de la Convención Europea de Derechos Humanos. (…) [L]a obligación de retener todos los datos de tráfico durante un período de doce meses resulta excesiva y desproporcionada.”

    “The ISP industry considers that the conditions under which the retention of data must be made raise a risk for the secrecy and inviolability of electronic communications, the users’ right to privacy, the right to data protection, the principle of no control on contents, etc., not to mention that this kind of data retention could violate the European Convention of Human Rights. (…) [T]he obligation to retain all traffic data during a period of 12 months is excessive and disproportionate.”

  • Asociación Española de Proveedores de Servicios de Internet (Spanish ISP Association or AEPSI), AEPSI se pronuncia ante la enmienda a la LSSI sobre retención de datos, June 12, 2002 (PDF).

  • Javier Valiente (Secretario General de la AEPSI), “¿Policías de Internet?: Los Proveedores de Servicios de Internet y la LSSI.

More opinions on the LSSI.