Disclosure of confidential data
The Spanish Episcopal Conference (CEE) published on its website confidential information about 45 victims of pederasty in the Catholic Church. This document, which contained details of the cases, was available for 18 days between December and January 2023. Although it was later withdrawn, it was still available online for up to four months later.
The data disclosed
The leaked document contained detailed information about the victims, including their names, surnames, ages, a description of the abuses they suffered and the dates they occurred. This data was part of an internal audit commissioned by the church to investigate cases of child abuse.
The possible consequences
The disclosure of private data of victims can have several consequences for the Episcopal Conference. The Spanish Data Protection Agency (AEPD) can open an investigation and impose sanctions. In addition, victims can take legal action against the church. According to the law, when there is a security breach, it is the responsibility of whoever makes the mistake to notify the AEPD within 72 hours and inform those affected. So far, it has not been clarified whether there is an open investigation into the actions of the bishops.
The possible sanctions
The law provides financial penalties for data security violations. In this case, the Spanish Episcopal Conference could receive a fine ranging between 300,000 and 20 million euros. However, the maximum penalty has not yet been imposed. As a precedent, the airline Air Europa received two fines of 600,000 euros for a security breach that exposed the banking and personal data of its users. The first fine was 100,000 euros and the second 500,000 euros for not having informed the AEPD within the period established by law.
The justifications of the Episcopal Conference
The Episcopal Conference tries to absolve itself of responsibility and accuses the Cremades & Calvo-Sotelo law firm, in charge of the audit, of being responsible for the unauthorized disclosure of the data. He further argues that the law firm is the owner of the personal data file and is therefore liable to third parties, including the victims and the AEPD. He also emphasizes that he cannot contact the victims who appear in the document, as this information is confidential.