I. Privacy and data protection in the EU
Overview of the legal and institutional framework
The European Union (EU) is an economic and political union of 27 member states. Its structure, as well as the ways in which it ensures the protection of fundamental rights, have been profoundly affected by the entry into force on 1 December 2009 of the Lisbon Treaty,1 with significant implications for the safeguarding of the right to privacy and the right to the protection of personal data.
Currently, fundamental rights are protected in the EU legal framework from three complementary perspectives: (a) as general principles of EU law derived from the European Convention on Human Rights (ECHR) and the constitutional traditions common to member states;2 (b) as defined by the Charter of Fundamental Rights of the European Union3 (hereafter, "the Charter");4 and (c) as protected by the European Convention on Human Rights, to which the EU shall accede.5
The Charter, which is now generally binding in the EU, was originally proclaimed in 2000. Its major novelty was the separate recognition of a fundamental right to privacy, in its Article 7,6 on the one hand, and of a fundamental right to the protection of personal data, in its Article 8,7 on the other. This latter right establishes that data concerning individuals must be processed fairly, for specified purposes, and on the basis of their consent or a legitimate basis laid down by law; that everyone has a right to access and rectify the data collected concerning them;8 and that compliance with these rules shall be subject to control by an independent authority.9
In turn, the European Court of Justice (ECJ), which is based in Luxembourg and is the highest court for the interpretation of EU law, began acknowledging the existence of a European right to the protection of personal data.10
The Lisbon Treaty put an end to the division of the EU into three pillars, which for decades had determined the development of EU law, and thus of EU data protection law. Since the entry into force of the Lisbon Treaty, the EU has in Article 16 of the Treaty on the Functioning of the European Union (TFEU) a new legal basis for the regulation of data protection, which is applicable to all processing of personal data, be it in the private or the public sector, including processing in the area of police and judicial cooperation.11 This new legal basis could be used in the context of the revision of what is currently the main EU legal instrument for the protection of personal data, i.e., the Data Protection Directive.
The data protection directive
Directive 1995/46/EC, known as the Data Protection Directive,12 defines the basics of personal data protection that EU member states have to transpose into national law, where the actual regulation and enforcement take place. The provisions of the Directive can be invoked in the national courts against member states' data protection rules in order to set aside the application of rules contrary to those provisions.
The Data Protection Directive applies to any automated processing of personal data and to any other handling of personal data that forms part of a filing system.13 Personal data is defined as any information that relates to an "identified or identifiable natural person".14 Processing operations concerning public security, defence, state security, and activities of the member states in areas of criminal law were left outside the scope of the Directive. Data processing by a natural person in the course of purely private and household activities is exempted as well.15
The Directive provides a list of legitimate grounds allowing for the processing of personal data16 and mandates that the person responsible for determining the purposes and means of the processing of personal data, referred to as the "data controller", ensures compliance with principles relating to data quality.17 The data controller also has information duties towards the person whose data are processed, who is designated the "data subject", applicable whenever personal data are collected directly from that person,18 but also when obtained otherwise.19 Strengthened protection is provided for the use of sensitive personal data relating, for example, to health, sex life, or religious or philosophical beliefs.20 The data controller is additionally mandated to implement appropriate technical and organisational measures against unlawful destruction, accidental loss, or unauthorised alteration, disclosure, or access.21
Data subjects' individual rights, as established by the Directive, are: the right to access, which includes the right to acquire from the data controller confirmation as to whether or not data relating to them are being processed and information on the purposes of the processing, the categories of data concerned, and the recipients to whom the data are disclosed, as well as the right to obtain the rectification, erasure, or blocking of data the processing of which does not comply with the provisions of the Directive;22 a right to judicial remedy;23 and the right to object to certain data processing practices.24 Any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the data controller.25
In line with the fundamental right to data protection as established by Article 8 of the Charter,26 the Data Protection Directive requires member states to ensure that independent supervisory authorities monitor the application of its provisions.27 The ECJ recently clarified the meaning of the requirement of "complete independence" of data protection supervisory authorities, emphasising that it is not compatible with being subject to State oversight.28 Supervisory authorities must be endowed with investigative powers and effective powers of intervention, such as the power to order the blocking, erasure, or destruction of data, or to impose a temporary or permanent ban on processing.29
The Data Protection Directive set up a consultative body called the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, or Article 29 Data Protection Working Party (hereafter, WP29).30 This body is made up of representatives of member states' supervisory authorities, and also includes a representative of the European Data Protection Supervisor (EDPS), a supervisory authority put in place in 2004 (more information below).
The Data Protection Directive provides a mechanism by which transfers of personal data outside the territory of the EU have to meet a level of protection "adequate" to the one prescribed by the Directive's provisions.31 A finding by the European Commission of an adequate level of protection in a country outside the EU effectively clears the transfer of personal data to that third country. The European Commission's decisions on the adequacy of the protection of personal data in third countries presently cover Argentina, the Canadian Personal Information Protection and Electronic Documents Act, Andorra, the Bailiwick of Guernsey, the Bailiwick of Jersey, the Isle of Man, the Faeroe Islands, and Switzerland.32 Commercial transfers of EU data to the US can take place under the so-called Safe Harbour Agreement.33
The ECJ establishes the interpretation of EU law that member states' courts must take into account when applying national law in order to stay in line with EU law. The ECJ has ruled on the Data Protection Directive in a number of instances. In a 2003 judgment, it made it clear that the Directive's wide scope applies also to processing of personal data within the public sector, and confirmed that the Directive can be invoked by interested parties in national courts.34 In another 2003 ruling, the ECJ established that the Directive applies to websites, and that the uploading of personal information to the Internet does not trigger the provision for transfers of personal data to third countries even though the web page is universally accessible.35
Review of the data protection directive
EU institutions are currently considering the possibility of reviewing the Data Protection Directive. In 2009, the European Commission launched a Consultation on the legal framework for the fundamental right to the protection of personal data, opening the way to such a revision. In late 2010 the Commission released a Communication outlining its plans for changes.36
The WP29 publicly expressed its support for the revision of the Directive, notwithstanding the fact that it considers existing data protection principles to be still relevant. In an ad hoc document,37 it advanced substantive suggestions, such as: to clarify some key notions of data protection law (notably, "consent" and "transparency");38 to introduce some additional principles (such as "privacy by design"39 and "accountability"40); to modernise some arrangements (e.g. by limiting bureaucratic burdens, but also by improving the protection of data subjects41); to establish a comprehensive legal framework, applying also to police and judicial cooperation in criminal matters; and to improve the conditions for data transfers to third countries, promoting international standards and new rules on applicable law, as well as regulating by law the use of Binding Corporate Rules (BCRs).
Privacy and electronic communications
The EU has taken specific measures to ensure the protection of privacy and personal data in the field of telecommunications. In 1997 the Telecommunications Privacy Directive (Directive 1997/66/EC) was adopted, replaced in 2002 by the e-Privacy Directive (Directive 2002/58/EC),42 then amended in 200643 and in 2009.44
The e-Privacy Directive applies to publicly available electronic communications services in public telecommunications networks in the EU. It regulates the processing of so-called "traffic" and "location data" ("traffic data" being the data necessary for the provision of communications, and "location data" being the data giving the geographic position of terminal equipment), as well as unsolicited communications ("spam"), cookies, and spyware, among other things.
The 2009 review of the e-Privacy Directive45 modified the previous text in various ways. First, it laid down a legal definition of data breaches.46 Providers of communications services falling under the scope of the Directive are obliged to notify breaches to the competent national authorities, as well as to subscribers or customers likely to be adversely affected by the breach (e.g. through identity theft, reputational loss, etc.), unless they can demonstrate that they have implemented appropriate security measures to protect the data. Such notification shall be accompanied by a list of the measures suggested to counter the breach, and an inventory of all breaches that have occurred should be kept.47 To this end, supervisory authorities were granted extended competences. They gained the necessary investigative powers and resources to monitor service providers, stop infringements, and enforce the Directive's provisions. In addition, they acquired the means to pursue effective cross-border cooperation.48
Second, the revision strengthened the measures on spyware and cookies, as well as on spam. Spyware and cookies can be installed in the terminal equipment of subscribers, to gain access to information already stored there, only with the explicit consent of the subscriber or user, given after having been provided with clear information in accordance with Directive 1995/46/EC and after having been offered the right to refuse such access, unless such access is needed for the strict purpose of transmitting a communication or of providing an explicitly requested service.49 As for spam, infringements of the provisions on unsolicited communications can now be remedied via legal proceedings, by both individuals and legal persons.50
Personal data protection and access to EU documents
In 2001, a Regulation was adopted to make the content of the Data Protection Directive applicable to data processing undertaken by the institutions of the European Communities (EC), namely Regulation (EC) No. 45/2001.51 This Regulation not only established the EDPS, but is also relevant, inter alia, with regard to access to documents held by EU institutions.
Access to documents held by EU institutions is governed by Regulation (EC) No. 1049/2001.52 The relation between access to documents and the protection of personal data has been clarified by the ECJ in a case in which the European Commission, on the one hand, was opposed by a private company (The Bavarian Lager Co.) supported by the EDPS, on the other.53 In its judgment on the case, the ECJ confirmed the applicability of EU data protection provisions in this field, and underlined that the application of such data protection provisions cannot be reduced to a mere examination of whether an interference in the sense of Article 8 of the ECHR has taken place.54
- 1. Treaty of Lisbon amending the Treaty on European Union and the Treaty establishing the European Community, signed at Lisbon, OJ C 306, 17 December 2007, at 1-271. EU treaties and relevant adopted or under adoption legislation as well as other official documents are also available online at http://europa.eu/documentation/legislation/index_en.htm.
- 2. Art. 6(3) of the Consolidated Version of the Treaty on European Union (TEU). Consolidated versions of the Treaty on European Union and the Treaty on the Functioning of the European Union, OJ C 83, 30 March 2010, at 1-388.
- 3. Charter of Fundamental Rights of the European Union, OJ C 83, 30 March 2010, at 389-403.
- 4. Art. 6(1) TEU.
- 5. Art. 6(2) TEU.
- 6. Art. 7 of the Charter, "Respect for private and family life," reads: "Everyone has the right to respect for his or her private and family life, home and communications".
- 7. Art. 8 of the Charter, "Protection of personal data," reads: "1. Everyone has the right to the protection of personal data concerning him or her. 2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified. 3. Compliance with these rules shall be subject to control by an independent authority."
- 8. Art. 8(2) of the Charter.
- 9. Art. 8(3) of the Charter.
- 10. ECJ, Case C-73/07, Tietosuojavaltuutettu v. Satakunnan Markkinapörssi Oy, Satamedia Oy, Judgment of 16 December 2008; Case C-275/06, Productores de Música de España (Promusicae) v. Telefónica de España SAU, Judgment of 29 January 2008, § 63.
- 11. Art. 16 TFEU reads: "1. Everyone has the right to the protection of personal data concerning them. 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the member states when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities. The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union." Art. 16 TFEU also applies to processing in the area of Common Foreign and Security Policy (CFSP), as far as EU institutions process personal data (Art. 39 TEU provides for a specific legal basis for data processing by the member states in the second pillar; it reads: "In accordance with Article 16 of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the member states when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities").
- 12. Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, 23 November 1995, at 31-50.
- 13. Id., Art. 3(1).
- 14. Id., Art. 2(a).
- 15. Id., Art. 3(2).
- 16. Id., Art 7.
- 17. Id., Art. 6(1).
- 18. Id., Art. 10.
- 19. Id., Art. 11.
- 20. Id., Art. 8.
- 21. Id., Art. 17.
- 22. Id., Art. 12. The ECJ clarified the meaning of this Article in: Case C-553/07, College van burgemeester en wethouders van Rotterdam v. M.E.E. Rijkeboer, Judgment of 7 May 2009.
- 23. Directive 1995/46/EC, supra at Art. 22.
- 24. Id., Art. 14.
- 25. Unless the data controller proves that he is not responsible for the event giving rise to the damage; Id., Art. 23.
- 26. Art. 8(3) of the Charter, supra.
- 27. Directive 1995/46/EC, supra at Art. 28.
- 28. ECJ, Case C-518/07, European Commission v. Federal Republic of Germany, Judgment of 9 March 2010.
- 29. Directive 1995/46/EC, supra at Art. 28(3).
- 30. Id., Art. 29.
- 31. Id., Art. 25. This is however not the only possibility for transfers to third countries to take place (see, in particular, Art. 26 of Directive 1995/46/EC).
- 32. Updated decisions on adequacy findings are published at http://ec.europa.eu/justice/policies/privacy/thridcountries/index_en.htm.
- 33. Commission Decision 2000/520/EC of 26 July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the safe harbour privacy principles and related frequently asked questions issued by the US Department of Commerce (notified under document number C(2000) 2441), OJ L 215, 25 August 2000, at 7-47.
- 34. ECJ, Joined Cases C-465/00, C-138/01 and C-139/01, Rechnungshof, Judgment of 20 May 2003.
- 35. ECJ, Case C-101/01, Bodil Lindqvist, Judgment of 6 November 2003.
- 36. European Commission, A comprehensive approach on personal data protection in the European Union, Brussels, 4 November 2010, COM(2010) 609 final.
- 37. The Article 29 Data Protection Working Party and the Working Party on Police and Justice, "The Future of Privacy: Joint contribution to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data," 1 December 2009, Brussels.
- 38. In addition, the complex interplay between the roles of "data controllers" and "data processors" in a globalised world had been tackled in a previous Opinion: The Article 29 Data Protection Working Party, Opinion 1/2010 on the concepts of "controller" and "processor", WP 169, 16 February 2010, Brussels.
- 39. Encouraging the integration of data protection and privacy requirements since the early design and creation of the technology, especially in risky areas. See also EDPS, Opinion on Promoting Trust in the Information Society by Fostering Data Protection and Privacy, 19 March 2010, Brussels.
- 40. Defined as the data controllers' ability to demonstrate that they have taken all the necessary data protection measures. See, on this subject, The Article 29 Data Protection Working Party, Opinion 3/2010 on the principle of accountability, WP 173, 13 July 2010, Brussels.
- 41. For instance, via the introduction of class actions, or by providing easier and more affordable complaint procedures.
- 42. Directive 1997/66/EC of the European Parliament and of the Council of 15 December 1997 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector, OJ L 24, 30 January 1998, at 1-8. The Directive required member states to ensure an equivalent level of protection of fundamental rights and freedoms, and in particular the right to privacy, with respect to the processing of personal data in the telecommunications sector, and introduced provisions on security (Art. 4); the confidentiality of communications (Art. 5); traffic and billing data (Art. 6); itemised billing (Art. 7); the presentation and restriction of calling and connected line identification (Art. 8); automatic call forwarding (Art. 10); directories of subscribers (Art. 11); unsolicited calls (Art. 12); and technical features and standardisation (Art. 13).
- 43. Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), OJ L 201, 31 July 2002, at 37-47.
- 44. Cf. Section "The data retention directive," infra.
- 45. Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 amending Directive 2002/22/EC on universal service and users' rights relating to electronic communications networks and services, Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector and Regulation (EC) No. 2006/2004 on cooperation between national authorities responsible for the enforcement of consumer protection laws, OJ L 337, 18 December 2009, at 11-36 (to be transposed into national laws by 25 May 2011).
- 46. Art. 2(2)(c) of Directive 2009/136/EC: "'personal data breach' means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed in connection with the provision of a publicly available electronic communications service in the Community."
- 47. Id., Art. 2(4).
- 48. Id., Art. 2(10).
- 49. Id., Art. 2(5) (resulting in the amended Art. 5(3) of Directive 2002/58/EC). See, on the issue: The Article 29 Data Protection Working Party, Opinion 2/2010 on online behavioural advertising, WP 171, 22 June 2010, Brussels.
- 50. Id., Art. 2(7).
- 51. Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8, 12 January 2001, at 1-22.
- 52. Regulation (EC) No 1049/2001 of the European Parliament and of the Council of 30 May 2001 regarding public access to European Parliament, Council and Commission documents, OJ L 145, 31 May 2001, at 43-48.
- 53. ECJ, Case C-28/08 P, European Commission v. The Bavarian Lager Co. Ltd, Judgment of 29 June 2010.
- 54. Id., § 58-59.