Current European Union legislative instruments on Data Protection.
1. European Union Charter of Fundamental Rights
Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but distinct fundamental rights. Since the Treaty of Lisbon, the Charter has the same legal value as the Treaties (Article 6(1) TEU) and is legally binding on the institutions and bodies of the European Union, and on the Member States when they implement EU law.
2. Council of Europe
a. Convention 108 of 1981
Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the first legally binding international instrument adopted in the field of data protection. Its purpose is ‘to secure … for every individual … respect for his rights and fundamental freedoms and in particular his right to privacy, with regard to automatic processing of personal data’.
b. European Convention on Human Rights (ECHR)
Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right to respect for private and family life: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’
3. Current EU legislative instruments on data protection
As a consequence of the old pillar structure, data protection at EU level was until recently regulated by a patchwork of legislative instruments. The former first-pillar instruments include Directive 95/46/EC on data protection (replaced by the General Data Protection Regulation with effect from 25 May 2018); Directive 2002/58/EC on e-privacy (amended in 2009; a proposal for a replacement regulation is currently under consideration); Directive 2006/24/EC on data retention (declared invalid by the Court of Justice of the European Union on 8 April 2014 because of its serious interference with the rights to private life and data protection); and Regulation (EC) No 45/2001 on the processing of personal data by Community institutions and bodies (a replacement proposal is currently under consideration). The former third-pillar instruments include Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (replaced by the Data Protection Law Enforcement Directive with effect from 6 May 2018).
a. General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), applies from 25 May 2018.
The rules aim to protect individuals in the EU (not only EU citizens) from privacy violations and data breaches in an increasingly data-driven world, while giving businesses a clearer and more consistent framework.
The rules strengthen individuals' rights: where processing is based on consent, that consent must be given by a clear affirmative act, and data subjects must receive clear and understandable information about how their data are processed; the right to be forgotten, i.e. the right to have one's personal data erased; the right to data portability, i.e. to have one's data transferred to another service provider (for example when switching from one social network to another); and the right to be informed when a data breach is likely to put them at high risk. The rules apply to all companies processing the personal data of individuals in the EU, including companies established outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU. Supervisory authorities can impose corrective measures, such as warnings and orders, and administrative fines of up to EUR 20 million or 4 % of a company's worldwide annual turnover, whichever is higher, on firms that break the rules.
b. The Data Protection Law Enforcement Directive
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, applies from 6 May 2018, the date by which Member States had to transpose it into national law.
The directive protects individuals' fundamental right to data protection whenever personal data are used by law-enforcement authorities. It ensures that the personal data of victims, witnesses and suspects are duly protected, while facilitating cross-border cooperation in the fight against crime and terrorism.
4. European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB)
The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies meet their obligations with regard to data protection. The primary duties of the EDPS are supervision, consultation and cooperation.
The European Data Protection Board (EDPB), which replaced the Article 29 Working Party when the GDPR became applicable, is an EU body with legal personality and an independent secretariat. It brings together the heads of the EU's national supervisory authorities and the EDPS; the Commission takes part in its meetings without voting rights. The EDPB has extensive powers: it adopts binding decisions to resolve disputes between national supervisory authorities under the GDPR's consistency mechanism, and it issues guidelines, recommendations and opinions on key concepts of the GDPR and the Data Protection Law Enforcement Directive.