The disclosure of cases of pedophilia in the Catholic Church
Recently, a serious incident related to the disclosure of cases of pedophilia in the Spanish Catholic Church has come to light. The Spanish Episcopal Conference (CEE) has published on its website the identity of 45 victims of pedophilia, as well as the details of their cases, in a document that was originally confidential. This information was available on the page for a period of 18 days, between December and January 2023. Although it was later removed from the page, it was discovered that it was still possible to find it on the internet even four months later.
The data revealed
Among the data that was revealed were the name, surname and age of the victims, as well as a description of the abuse they had suffered and the date on which it occurred. This data was part of an internal audit commissioned by the church to determine the number of cases of pedophilia that had been committed.
The consequences and possible sanctions
The disclosure of this private data by the Spanish Episcopal Conference (CEE) could have serious consequences. On the one hand, the Spanish Data Protection Agency (AEPD) could open an investigation and impose a sanction on the EEC. Additionally, victims could also take legal action against the church. According to the law, when a security breach occurs, it is the responsibility of the person responsible for the error to notify the AEPD within a maximum period of 72 hours. In this case, the EEC did not fulfill this obligation.
The possible fines
The law establishes that fines for security breaches can range between 300,000 and 20 million euros. Although the maximum figure has never been imposed until now, there are precedents for significant fines for similar non-compliance. For example, in 2021, the airline Air Europa was fined 600,000 euros for a security breach that exposed the banking and personal data of thousands of users. The first fine was 100,000 euros, but the figure was raised to 500,000 euros because the company did not inform the data protection agency within the established period of 72 hours. In the case of the EEC, more than 4 months have passed and they still have not reported the incident.
The justifications of the Episcopal Conference
The CEE tries to exempt itself from possible sanctions and blames the law firm Quemaduras & Calvo-Sotelo, in charge of the audit, for sending the information to the church without warning of its existence or having the authorization of those affected for its publication. Furthermore, the CEE argues that it is legally up to the law firm to take the necessary measures to protect the data, since they are responsible for the personal data file. They also note that they cannot contact the victims mentioned in the document, since their contact information is confidential and unknown to them.
