27 May 2018

EU Data Protection Handbook

A new edition of the Handbook on European data protection law from the Council of Europe, European Union Agency for Fundamental Rights (FRA) and European Data Protection Supervisor (EDPS) is now online.

It is particularly valuable for coverage of the modernisation of Convention 108, the applicability of the new data protection framework of the European Union (GDPR and Police and Justice Directive), and recent judgments of the European Court of Human Rights and Court of Justice of the European Union.

In discussing the GDPR the Handbook comments:
European Union data protection law is composed of primary and secondary EU law. The treaties, namely the Treaty on European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU), have been ratified by all EU Member States; they form ‘primary EU law’. The regulations, directives and decisions of the EU have been adopted by the EU institutions that have been given such authority under the treaties; they constitute ‘secondary EU law’.
Data protection in primary EU law
The original treaties of the European Communities did not contain any reference to human rights or their protection, given that the European Economic Community was initially envisaged as a regional organisation focused on economic integration and the establishment of a common market. A fundamental principle underpinning the creation and development of the European Communities – and one which is equally valid today – is the principle of conferral. According to this principle, the EU acts only within the limits of the competences conferred upon it by the Member States, as reflected in the EU treaties. In contrast to the Council of Europe, the EU treaties include no explicit competence on fundamental rights matters. As cases came before the CJEU alleging human rights violations in areas within the scope of EU law, however, the CJEU provided an important interpretation of the treaties. To grant protection to individuals, it brought fundamental rights into the so-called general principles of European law. According to the CJEU, these general principles reflect the content of human rights protection found in national constitutions and human rights treaties, in particular the ECHR. The CJEU stated that it would ensure compliance of EU law with these principles. In recognising that its policies could have an impact on human rights and in an effort to make citizens feel ‘closer’ to the EU, the EU in 2000 proclaimed the Charter of Fundamental Rights of the European Union (Charter). It incorporates the whole range of civil, political, economic and social rights of European citizens, by synthesising the constitutional traditions and international obligations common to the Member States. The rights described in the Charter are divided into six sections: dignity, freedoms, equality, solidarity, citizens’ rights and justice.
Originally only a political document, the Charter became legally binding as EU primary law (see Article 6(1) of the TEU) when the Lisbon Treaty came into force on 1 December 2009. The provisions of the Charter are addressed to EU institutions and bodies, obliging them to respect the rights listed therein while fulfilling their duties. The Charter’s provisions also bind Member States when they implement EU law.
The Charter not only guarantees the respect for private and family life (Article 7), but also establishes the right to the protection of personal data (Article 8). The Charter explicitly raises the level of this protection to that of a fundamental right in EU law. EU institutions and bodies must guarantee and respect this right, as do Member States when implementing Union law (Article 51 of the Charter). Formulated several years after the Data Protection Directive, Article 8 of the Charter must be understood as embodying pre-existing EU data protection law. The Charter, therefore, not only explicitly mentions a right to data protection in Article 8(1), but also refers to key data protection principles in Article 8(2). Finally, Article 8(3) of the Charter requires an independent authority to control the implementation of these principles. The adoption of the Lisbon Treaty is a landmark in the development of data protection law, not only for elevating the Charter to the status of a binding legal document at the level of primary law, but also for providing for the right to personal data protection. This right is specifically provided for in Article 16 of the TFEU, under the part of the treaty dedicated to the general principles of the EU. Article 16 also creates a new legal basis, granting the EU the competence to legislate on data protection matters. This is an important development because EU data protection rules – notably the Data Protection Directive – were initially based on the internal market legal basis, and on the need to approximate national laws so that the free movement of data within the EU was not inhibited. Article 16 of the TFEU now provides an independent legal basis for a modern, comprehensive approach to data protection, which covers all matters of EU competence, including police and judicial cooperation in criminal matters.
Article 16 of the TFEU also affirms that compliance with data protection rules adopted pursuant to it must be subject to the control of independent supervisory authorities. Article 16 served as a legal basis for the adoption of the comprehensive reform of data protection rules in 2016, i.e. the General Data Protection Regulation and the Data Protection Directive for Police and Criminal Justice Authorities (see below).
The General Data Protection Regulation
From 1995 until May 2018, the principal EU legal instrument on data protection was Directive 95/46/EC of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (Data Protection Directive). It was adopted in 1995, at a time when several Member States had already adopted national data protection laws, and emerged from the need to harmonise these laws to ensure a high level of protection and the free flow of personal data among the different Member States. Free movement of goods, capital, services and people within the internal market required the free flow of data, which could not be realised unless the Member States could rely on a uniform high level of data protection.
The Data Protection Directive reflected the data protection principles already contained in national laws and in Convention 108, while often expanding them. It drew on the possibility, provided for in Article 11 of Convention 108, of adding on instruments of protection. In particular, the introduction in the directive of independent supervision as an instrument for improving compliance with data protection rules proved to be an important contribution to the effective functioning of European data protection law. Consequently, this feature was incorporated into CoE law in 2001 by the Additional Protocol to Convention 108. This illustrates the close interaction and positive influence of the two instruments upon one another over the years.
The Data Protection Directive established a detailed and comprehensive data protection system in the EU. However, in accordance with the EU legal system, directives do not apply directly and must be transposed into the national laws of the Member States. Inevitably, Member States have a margin of discretion in transposing the directive’s provisions. Even though the directive was meant to provide complete harmonisation (and a full level of protection), in practice it was transposed differently in the Member States. This resulted in the establishment of diverse data protection rules across the EU, with definitions and rules interpreted differently in national laws. The levels of enforcement and the severity of sanctions also varied across the Member States. Finally, there were significant changes in information technology since the drafting of the directive in the mid-1990s. Taken together, these reasons prompted the reform of EU data protection legislation.
The reform led to the adoption of the General Data Protection Regulation in April 2016, after years of intense discussion. The debates on the need to modernise EU data protection rules began in 2009, when the Commission launched a public consultation about the future legal framework for the fundamental right to personal data protection. The proposal for the regulation was published by the Commission in January 2012, starting a long legislative process of negotiations between the European Parliament and the Council of the EU. After adoption, the General Data Protection Regulation provided for a two-year transitional period. It became fully applicable on 25 May 2018, when the Data Protection Directive was repealed.
The adoption of the General Data Protection Regulation in 2016 modernised EU data protection legislation, making it fit for protecting fundamental rights in the context of the digital age’s economic and social challenges. The GDPR preserves and develops the core principles and rights of the data subject provided for in the Data Protection Directive. In addition, it introduced new obligations requiring organisations to implement data protection by design and by default; to appoint a Data Protection Officer in certain circumstances; to comply with a new right to data portability; and to comply with the principle of accountability. Under EU law, regulations are directly applicable; there is no need for national implementation. The General Data Protection Regulation thus provides for a single set of data protection rules across the EU. This creates consistent data protection rules throughout the EU, establishing an environment of legal certainty from which economic operators and individuals as “data subjects” may benefit.
However, even though the General Data Protection Regulation is directly applicable, Member States are expected to update their existing national data protection laws to fully align with the regulation, while also reflecting a margin of discretion for specific provisions in recital 10. The main rules and principles established in the regulation, and the strong rights it affords to individuals, form a large part of the handbook and are presented in the following chapters. The regulation has comprehensive rules on territorial scope. It applies to businesses established in the EU, and also applies to controllers and processors not established in the EU that offer goods or services to data subjects in the EU or monitor their behaviour. As several overseas technology businesses have a key share in the European market and millions of EU customers, subjecting these organisations to EU data protection rules is important to ensure the protection of individuals, as well as to ensure a level playing field.