EU Data Protection Law: Current State and Future Perspectives

Marta Kolodziejczyk. Almanach. Volume 10, Issue 4. 2015.

On 25 January 2012 the European Commission proposed a comprehensive reform of the EC’s 1995 data protection rules. Although the core principles of Directive 95/46 were still valid, it could no longer meet the challenges of rapid technological development and globalization, and as a result required revision. Two years later (12 March 2014) progress on the EU data protection reform was said to be irreversible, following the European Parliament vote that gave strong backing to the architecture and the fundamental principles of the Commission’s data protection reform proposals, both the General Data Protection Regulation and the Data Protection Directive in the law enforcement context. To become law, the proposed Regulation has to be adopted by the Council of Ministers using the “ordinary legislative procedure” (co-decision).

Privacy and Data Protection; History and Current State of Law

Privacy and data protection as a specific field of law have been elaborated over the last four decades, notably in the context of the Council of Europe and the European Union, stimulated by the growing impact of information and communication technology. The concept of the ‘right to privacy’ emerged in international law after the Second World War. It was expressed in Article 12 of the Universal Declaration of Human Rights (UN General Assembly, Paris 1948), according to which no one shall be subjected to arbitrary interference with his privacy, family, home or correspondence. This declaratory level of protection later acquired binding legal force in Article 8 of the European Convention on Human Rights (Council of Europe, Rome, 1950), according to which everyone has the right to respect for his private and family life, his home and his correspondence, and no interference by a public authority with the exercise of this right is allowed except in accordance with the law and where necessary in a democratic society for certain important and legitimate interests. This definition has been reflected in a series of judgments issued by the European Court of Human Rights in Strasbourg. However, around 1970 the Council of Europe came to the conclusion that Article 8 ECHR had a number of shortcomings, e.g. the uncertain scope of ‘private life’, the emphasis on interference by public authorities, and the lack of a more proactive approach against the possible misuse of personal information by companies or other organizations in the private sector. As a result, the Data Protection Convention, also known as Convention 108 (Strasbourg 1981), was adopted; it has been ratified by 44 member states of the Council of Europe, including all EU Member States.
Parties to this Convention guarantee every individual, whatever his or her nationality or residence, respect for his or her rights and fundamental freedoms, in particular the right to privacy, with regard to the automatic processing of personal data relating to him or her (‘data protection’). In addition, the concept of ‘personal data’ is defined as “any information relating to an identified or identifiable individual (‘data subject’)”. Hence, ‘data protection’ is broader than ‘privacy protection’, because it also concerns other fundamental rights and freedoms, and all kinds of data regardless of their relationship with privacy.

Let us now consider some of the key provisions of the above-mentioned Convention: personal data are to be “obtained and processed fairly and lawfully” and “stored for specified and legitimate purposes and not used in a way incompatible with those purposes”. Personal data should also be “adequate, relevant and not excessive in relation to the purposes for which they are stored” and “accurate and, where necessary, kept up to date”. Other crucial principles expressed in the text of the Convention are “appropriate security measures” and “additional safeguards for the data subject such as the right to have access to his or her own personal data, the right to obtain rectification or erasure of such data, and the right to remedy if such rights are not respected”. To conclude, the Convention’s philosophy is not that the processing of personal data should always be considered a breach of privacy; rather, in the interest of privacy and of other fundamental freedoms, any processing must always observe certain legal conditions. In this context, the core elements of Article 8 ECHR, such as interference with the right to privacy only on an adequate legal basis and where necessary for a legitimate purpose, have been transferred into a broader context. Furthermore, since 1997 the European Court of Human Rights has ruled in a number of cases that the protection of personal data is of “fundamental importance” for the right to respect for private life under Article 8 ECHR.

Although data protection was put on the agenda of the Council of Europe and, as a result, enshrined in a binding Convention, this intergovernmental organization was less successful in ensuring greater consistency across the EU. Some Member States were late in implementing the Convention, and those that did so arrived at different outcomes, in some cases even imposing restrictions on data flows with other Member States. Concerned that this lack of consistency could hamper the development of the internal market, which involves the free circulation of people and services and in which the processing of personal data was to play an increasingly important role, the European Commission submitted a proposal for a Directive to harmonize the national laws on data protection in the private sector and most of the public sector. After four years of negotiations, Directive 95/46/EC was adopted. It specified the basic principles of data protection already included in Convention 108 of the Council of Europe. In the first place, it required all Member States to protect the fundamental rights and freedoms of natural persons, and in particular the right to privacy with respect to the processing of personal data, in accordance with the Directive. In this context, data could be processed only if the data subject had unambiguously given his consent, if processing was necessary for the performance of a contract to which the data subject was party, for compliance with a legal obligation, for the performance of a government task, in order to protect the vital interests of the data subject, or to protect the legitimate interests pursued by the controller, except where such interests are overridden by the interests of the data subject. Furthermore, the Directive committed the controller always to inform the data subject about the purposes of the processing and other relevant matters, in order to guarantee fair processing in respect of the data subject.
A data controller that fails to fulfil this condition may become liable for committing an offence. Monitoring compliance with national legislation on data protection is the responsibility of the supervisory authorities. Secondly, the Directive applies to the processing of personal data carried out “in the context of the activities of an establishment” of the controller on the territory of an EU Member State. Furthermore, where the controller is not established in the EU, the applicable law is that of the Member State in which the equipment used for the processing is located. Thirdly, according to the Directive, personal data may only be transferred to third countries that ensure an adequate level of protection.

To conclude, Directive 95/46/EC required the Member States to neither restrict nor prohibit the free flow of personal data between them for reasons connected with such protection. This provision aimed at achieving an equivalent high level of protection in all Member States and thereby assuring a balanced development of the internal market. This goal has not been entirely fulfilled, because the Directive allowed Member States fairly broad discretion in its transposition. Furthermore, the need for reform of the current EU data protection legislation can also be explained by the rising impact of IT technologies on our lives. Specifically, at the time when the Directive was adopted the Internet barely existed, whereas today data processing takes place on websites, in search engines and on social networks. In this context, the European Commission in its official comment focused on the following challenges for the protection of personal data in the future: the astounding capabilities of modern technologies; the increased globalization of data flows; and access to personal data by law enforcement authorities that is greater than ever. Another crucial reason for the review of Directive 95/46/EC has to do with the new institutional framework of the EU. The Lisbon Treaty (December 2009) emphasizes fundamental rights; Article 16 provides for comprehensive data protection in all policy areas, regardless of whether it relates to the internal market, law enforcement, or almost any other part of the public sector. Not to mention the separate right to the protection of personal data laid down in Article 8 of the Charter of Fundamental Rights, which became legally binding on the EU institutions and national governments with the entry into force of the Treaty of Lisbon.

The Choice of New Legislative Instruments

In the context of the reform of the EU data protection framework there has been a great deal of discussion as to whether the new instrument should take the form of a directive or a regulation. Article 16(2) TFEU mandates the European legislators to adopt ‘the rules relating to the protection of individuals with regard to processing of personal data’, without, however, specifying the type of legislative act to be chosen. As a consequence, in line with Article 289(1) TFEU on the ordinary legislative procedure, the rules can be laid down in a regulation, a directive, or a decision. Let us note that a regulation has general application and is at the same time directly applicable (it does not require implementation by EU member states), whereas a directive sets forth the results to be achieved but leaves the means for achieving them largely to implementation into national law by the member states. That is why one of the major complaints about Data Protection Directive 95/46 has been the lack of harmonization caused by the distinctive features of this particular type of legal act. It is worth mentioning that by now the Commission has launched several legal actions for improper implementation of the Directive; in March 2009, the Court of Justice in Luxembourg ruled (in a case against Germany) that the requirement of ‘complete independence’ for a supervisory authority means that it should be free from any external influence. This has also recently been confirmed and elaborated in a case against Austria. By contrast, a regulation leads to a greater degree of harmonization, since it immediately becomes part of the national legal system, without the need for the adoption of separate national legislation; in other words, a regulation has legal effect independent of national law and overrides contrary national laws.
That is why, according to the European Commission, the choice of a regulation will reduce legal fragmentation among member states resulting from their different national data protection laws. This will lead, for example, to net savings for companies of about EUR 2.3 billion a year in terms of administrative burden alone.

But even a regulation cannot result in complete harmonization of all legal provisions affecting data protection, nor totally eliminate the need to amend national laws. This confirms that the type of legal instrument used is not determinative with regard to harmonization; for example, it is also possible for a directive to leave little margin for member state implementation.

Territorial Scope

Let us now concentrate on the most significant provisions of the proposals for the two legislative instruments that form the core of the data protection reform package: in the first place, the Regulation, setting out the general EU framework for data protection; secondly, the Directive for the police and criminal justice sector, which is due to replace Framework Decision 2008/977/JHA, which covers the protection of personal data processed by police and judicial authorities in criminal matters. Article 3 of the proposed Regulation contains the rules governing its territorial scope. In spite of innovation in this respect, there is a lot of continuity, as evidenced by the concept, already reflected in Directive 95/46, of “the processing of personal data in the context of the activities of an establishment” in the EU as the basic test for determining when EU data protection law applies (Article 3(1)). However, at the same time, under Article 3(2) of the Regulation, data controllers not established in the EU may become subject to EU law when their processing activities are related to “the offering of goods or services” to data subjects residing in the EU, or to the monitoring of the behaviour of EU residents. The goal of these changes is to make more non-EU-based companies offering services over the internet liable under EU law for data protection breaches. On the other hand, the proposed Directive, aiming at achieving greater harmonization of EU member states’ rules on data protection in the area of police and criminal justice, applies to domestic processing operations. This is necessary as neither Article 8 of the EU Charter of Fundamental Rights nor Article 16 TFEU makes a distinction between domestic and cross-border processing operations, but both refer to processing activities that fall within the scope of EU law and the free movement of personal data.
In addition, both the proposal for the Regulation and the proposal for the Directive are addressed to member states only, and therefore do not apply to the processing of personal data by the Union institutions, bodies, offices and agencies, which will continue to be governed by Regulation (EC) No 45/2001.

In the context of the above-described proposals for two legislative instruments, a regulation and a directive, that form the core of the data protection reform package, it is worth mentioning the opinion of the European Data Protection Supervisor (EDPS) on the Commission’s proposal. In the first place, the EDPS welcomed the proposal for the Data Protection Regulation as “a huge step forward” towards more effective and consistent protection of personal data across the EU. However, the architecture of the package in itself, a Directive and a Regulation, signals that there might be a problem with its comprehensiveness. The main weakness of the package is that the level of protection in the proposed Directive is substantially lower than in the proposed Regulation.

Reinforcement of the Rights of Data Subjects

In a recent survey, more than two-thirds of Europeans (72 per cent) expressed concern about the uncontrolled use of their personal data by companies on the Internet. That is why the aim of the new legislative acts proposed by the Commission is to strengthen individuals’ rights by improving their ability to control their data. In this context, the requirement of consent as one possible ground for the lawful processing of personal data has been clarified. It is worth mentioning that ‘consent’ is currently defined in Articles 2(h) and 7(a) of Directive 95/46/EC as ‘any freely given specific and informed indication’ of a data subject’s wish to agree to the processing of his personal data. In addition, this agreement must be ‘unambiguously’ given in order to make the processing of personal data legitimate. However, national laws have transposed this concept quite differently. Consequently, national supervisory authorities tend to apply varying interpretations of consent. Furthermore, the meaning of ‘unambiguously’ given consent is interpreted in different ways: in some member states consent has to be given ‘expressly’, and in some cases even in writing, while other member states also accept some forms of implied consent. As a consequence, consent that is valid in one member state may not be legally valid in others, creating uncertainty among controllers operating in several member states as to whether a data processing operation is lawful or not. Hence, in the proposed Regulation the definition of ‘the data subject’s consent’ in Article 4(8) is remedied by adding the criterion ‘explicit’, which avoids the confusing parallelism with ‘unambiguous’. Moreover, where consent is the legal ground for data processing, Article 7 states that the controller must be able to demonstrate that consent has been given.
At the same time, the Regulation reaffirms that the data subject may withdraw his or her consent at any time, bearing in mind that this will only take full legal effect for future processing. Furthermore, consent is excluded in Article 7(4) as a ground for processing in specific cases of significant imbalance between data controller and data subject, for example in the framework of an employment relationship. Similarly, Article 8 sets out further conditions for the lawfulness of consent for the processing of personal data of children below the age of 13 years in relation to services offered to them online.

In the context of reinforcing the rights of data subjects, it is worth emphasizing that the proposed Regulation enhances administrative and judicial remedies when data protection rights are violated. In particular, Article 76(1) enables certain associations, for example consumer protection associations whose statutory aim includes the protection of personal data, to bring actions to court on behalf of one data subject or a group of data subjects whose rights may have been violated. Similarly, Article 73(3) of the proposed Regulation provides that these data protection NGOs, in cases of personal data breaches, may address a supervisory authority in any member state in their own right, without an obligation to obtain the data subject’s authorization to act on his behalf.

As far as the national authorities’ responsibilities for data protection are concerned, the proposed Regulation strengthens their potential for initiating legal actions by: a) clarifying the conditions for the establishment and for ensuring the complete independence of supervisory authorities in member states (Articles 46-50); b) providing fully harmonized provisions on the competences, duties and powers of the supervisory authorities (Articles 51 to 54); c) as a result, creating the legal basis and conditions for efficient cooperation between supervisory authorities established in EU Member States (Articles 55 to 56); d) introducing the ‘one-stop-shop’ rule, which gives companies operating in more than one member state a single supervisory authority responsible for monitoring their personal-data processing activities in the EU, rather than forcing a company to deal with multiple bodies in different countries.

Right to Be Forgotten

Although the right to request the controller to delete unlawfully processed personal data is already guaranteed in Directive 95/46/EC, it is difficult, according to the European Commission, for an individual to enforce this right in the online environment. Therefore, under Article 17(1)(a) to (d), data subjects have the right, under certain conditions, to ask search engines to remove links to personal information about them. This provision is in line with the recent judgment of the EU Court of Justice, according to which individuals have such a right where the information is inaccurate, inadequate, irrelevant or excessive for the purposes of the data processing (§93 of the ruling). In this vein, where an individual gave consent as a child, without being aware of the risks of the envisaged processing, the new law allows that individual to have any such data that was made public on the Internet at that time removed. At the same time, the Court explicitly clarified that the right to be forgotten is not absolute but will always need to be balanced against other fundamental rights, such as the freedom of expression and of the media (§85 of the ruling). Hence, a case-by-case assessment is needed, considering the type of information in question, its sensitivity for the individual’s private life and the interest of the public in having access to that information. The role the person requesting the deletion plays in public life might also be relevant. Moreover, the traditional right to erasure (‘right to be forgotten’) expressed in the Regulation is further strengthened in that a controller who has made the personal data public is obliged to inform third parties processing the data that the data subject has requested the controller to erase any links to, or copies or replications of, that personal data.
However, while welcoming this provision, the EDPS recognizes that it may in some cases be a huge effort to inform all third parties who may be processing such data, as there will not always be a clear understanding of where the data may have been disseminated.

To conclude, “the right to be forgotten and to erasure” is likely to be one of the most controversial provisions of the proposed Regulation. That is why it is worth mentioning that, according to the judgment of the Court of Justice of the European Union, ‘the right to be forgotten’ cannot amount to a total deletion of history.

Right to Access and Right to Data Portability

In line with the current state of EU data protection law, any person must be able to exercise his right of access to personal data relating to him, so that he can verify the accuracy of the data and the lawfulness of the processing. However, given the vast amount of personal data being processed in the online environment, easier access to one’s own personal data must be further ensured. That is why Article 15 of the proposed Regulation adds new elements, such as the controller’s obligation to inform data subjects about the applicable storage period and about the rights to rectification, to erasure and to lodge a complaint with the competent supervisory authority. Moreover, the Regulation introduces a new right: the data subject’s ‘right to data portability’. Hence, Article 18 provides the right to obtain from the controller a copy of the personal data ‘in a structured and commonly used electronic format’, allowing for any further use by the data subject, in particular allowing the data subject to transfer this personal data from one automated processing system of the controller into another, without being prevented from doing so by the controller.

Enhancing the Responsibility of Controllers and Processors

As far as the controller’s responsibilities are concerned (Article 22 of the Regulation), the new legislative acts (regulation and directive) of the data protection reform focus on the controller’s obligation to be able to ‘demonstrate’ compliance with the Regulation through the adoption of internal policies for ensuring such compliance. The effectiveness of such mechanisms must be verifiable either by internal or external data protection specialists or by the data protection certification mechanism envisaged under Article 39. In addition, in order to give data subjects greater control over their personal data, the Regulation sets out further obligations for the controller by requiring him to apply the principles of ‘data protection by design’ and ‘data protection by default’ (Article 23).

In the first place, data protection by design means that controllers of data, whether companies or public bodies, take a positive approach to protecting privacy, by embedding it both into technology (for example hardware like computer chips, or services like social networking platforms) and into their organizational policies (through, for example, the completion of privacy impact assessments). Secondly, privacy by default means that when a user receives a product or service, the privacy settings should be as strict as possible, without the user having to change them. In this way, everyone can consciously choose the privacy setting with which he feels most comfortable, rather than leaving the service provider to guess what he might prefer. In addition, service providers should support their users in this by providing user-friendly methods to change privacy settings. Not to mention the need for transparency in data processing practices.

Ensuring Protection of Personal Data by Police and Criminal Justice Authorities

The scope of the draft Directive is similar to that of the draft Regulation, but there are important differences. In the first place, police and justice are the areas where the use of personal information inevitably has an enormous impact on the lives of private individuals. That is why it is difficult to understand why the Commission, instead of proposing a comprehensive legislative framework, has decided to split data protection into two separate legislative acts, a regulation and a directive, which are unequal in terms of data protection guarantees. Moreover, the choice of a self-standing instrument is regrettable and constitutes a missed opportunity to clarify and ensure the consistent application of the rules applicable to situations in which the activities of the private sector and of the law enforcement sector interact with each other and the borderlines are becoming increasingly blurred. Examples of such situations are the transfer of PNR data and data on financial transfers to law enforcement authorities. Furthermore, the Directive fails to include important elements regarding the retention of personal data, transparency towards individuals, keeping personal data up to date, and ensuring that it is adequate, relevant and not excessive. Similarly, the European Data Protection Supervisor regrets in particular that “the Commission does not propose stricter rules for the transfer of personal data outside the EU; data protection authorities are not given mandatory powers to effectively control the processing of personal data in this area; the possibilities for the police to access data processed in the private sector are not regulated.” To conclude, the proposed Directive might cause fragmentation in the EU data protection system, rather than introducing consistency.

Final Remarks

The above-described reform constitutes a huge step forward for data protection in Europe, considered by some a “Copernican revolution.” The proposed rules will strengthen the rights of individuals and make controllers more accountable for how they handle personal data. Furthermore, the role and powers of national supervisory authorities (alone and together) are effectively reinforced. The fact that the proposed Regulation would be directly applicable in the Member States and would eliminate many complexities and inconsistencies stemming from the different implementing laws of the Member States constitutes another advantage. On the other hand, the Directive for data protection in the law enforcement area provides for an inadequate level of protection, by far inferior to the proposed Regulation. Furthermore, the proposed instruments taken together do not fully address factual situations which fall under both policy areas, such as the use of PNR or telecommunications data for law enforcement purposes. An advantage of the proposed Directive is that it covers domestic processing, and thus has a wider scope than the current Framework Decision.