EU Data Protection Directive
- European Court Strikes Down "Safe Harbor," Focus Shifts to Adequacy of US Privacy Laws: In a stunning decision, the European Court of Justice today ruled that the transatlantic "Safe Harbor" data pact is invalid. Consumer organizations and civil liberties groups in Europe and the United States applauded the outcome. Safe Harbor had been widely criticized for failing to provide adequate data protection for users of Internet-based services. The European Parliament earlier recommended against renewal of Safe Harbor. Max Schrems, the Austrian law student who brought the case, praised the judgement and said the "solution will very likely require severe changes in US law" not "just an update to the current 'safe harbor' system." @maxschrems @EUCourtPress (Oct. 6, 2015)
- Decision by EU Legal Advisor Signals End of "Safe Harbor": An opinion by the top advisor for Court of Justice of the European Union indicates that the "Safe Harbor" arrangement, which permits the transfer of personal data to the US without legal protection, will come to an end. Under Safe Harbor, US companies self-certify compliance with EU data protection law. But the Advocate General has found the arrangement fails to protect privacy and should be declared invalid. Max Schrems, who initiated the case in Ireland, stated "This finding, if confirmed by the court, would be a major step in limiting the legal options for US authorities to conduct mass surveillance on data held by EU companies." The European Digital Rights Initiative also supported the decision. EPIC has recommended that the US update the Privacy Act to protect EU citizens and ratify the international convention for privacy protection. (Sep. 23, 2015) More top news »
The European Union is based on the respect for fundamental rights. The European Convention on Human Rights and Article 8 of the Charter of Fundamental Rights of the European Union expressly recognizes the fundamental right to the protection of personal data. For several years, law enforcement agencies in various countries have urged the adoption of "data retention" requirements, which would compel communications service providers to routinely capture and archive information detailing the telephone calls, e-mail messages and other communications of their users. While many providers currently retain certain traffic data for billing and other business-related purposes for short periods of time, there are no government-imposed retention requirements in the major industrialized countries.
The "Directive 95/46 of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (Data Protection Directive 95/46/EC) was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.The Directive contains 33 articles in 8 chapters. The Directive went into effect in October, 1998. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).
In 2009, the European Commission launched a review of the current legal framework on data protection, starting with a high-level conference in May 2009, followed by a public consultation running until the end of 2009. Targeted stakeholders consultations were organized throughout 2010. Appearing before the European Parliament on October 26, 2010, EPIC President Marc Rotenberg urged the adoption of a comprehensive framework to protect the flow of personal data between the United States and the European Union. Citing the growing concern about the misuse of sensitive data and the absence of effective legal remedies, Mr. Rotenberg said it was time for the US and the EU to develop an effective legal framework that would safeguard the rights of citizens and the users of Internet-based services. EPIC strongly supports full implementation of the EU Data Protection Directive as well as other efforts to fully safeguard the fundamental rights of citizens, consumers, and users of Internet-based services. This principles should apply to data collection that occurs by both private and public entities.
In 2010, the European Commission circulated a document to the European Parliament, The Council of Europe, The Economic and Social Committee and The Committee of the Regions containing a draft strategy for improvements in data protection, including a set of proposals to change the EU Data Protection Directive. The key components of the new strategy appear to include:
- The establishment of EU-wide registration forms for databases
- New rules on privacy notices, including the promulgation of EU "standard form privacy information notices" and special rules with respect to minors
- New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data
- New rules on data minimization
- The creation of a "right to be forgotten" by giving a right to demand deletion of data no longer needed for the purpose for which it was collected
- The creation of a right of "data portability," allowing individuals to take his/her photos, medical records or a list of friends from an application or service and transfer them into another one
- New rules on what constitutes "sensitive data"
- New remedies for violations of privacy, including expanded criminal sanctions and empowering data protection authorities with the right to go to court
- The establishment of security breach notification rules
- Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller
- The possible introduction of an "accountability" principle to ensure compliance with data protection laws
- New rules that make the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the employment of privacy by design principles
- The encouragement of self-regulatory schemes and privacy seals
- Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations
- Clarification of the Commission's adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in a third countries
- A re-definition of standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments.
- Clarifying and strengthening the status and the powers of the national Data Protection Authorities in the new legal framework, including the concept of "complete independence"
- Exploration of ways to improve the cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues having a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and providing it with additional powers in order to give a European response to breaches of data protection rules at EU level, or to create a European Data Protection Authority.
- Enhancing international privacy enforcement in a cooperative fashion.
On November 4, 2010 the European Commission released a communication outlining its preliminary proposals to revise the EU Data Protection Directive (95/46/EC). The EU Commission announced a strategy to "protect individuals data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU." This policy review will be used by the European Commission with the results of a public consultation to revise the EU's 1995 Data Protection Directive. Public submissions and comments can be made on the European Commission's public consultation web site until January 15, 2011. The EU Commission will then propose legislation in 2011.
The EU Commission's strategy sets out proposals on how to modernize the EU framework for data protection rules through a series of the following key goals:
- Strengthening the Rights of Individuals so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.
- Enhancing the Free Flow of Information in the Single Market Dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.
- Extending Privacy Safeguards to Police and Criminal Justice Records Systems so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.
- Ensuring High Levels of Protection for Data Transferred Outside of the European Union by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.
- More Effective Enforcement of Privacy Rules by strengthening and further harmonizing the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.
A draft version of the EU General Data Protection Regulation was released on the Internet in December 2011. The draft builds on Charter of Fundamental Rights of the European Union, which establishes a right of Information Privacy. Topics covered in the draft regulations include:
- Rights of Data Subjects - Transparency, Access to Data, Rectification, Erasure, Right to Object to Profiling
- Obligations of Companies - Data Security, Data Protection Assessment
- Increased Powers for Data Protection Agencies and New Efforts for Coordination and Collaboration
- New Remedies and Sanctions
Once the new measures are finalized they will need to be adopted by the European Council and the European Parliament.
The Data Protection Directive 95/46/EC defines the basics elements of data protection that member states must transpose into national law. Each state manages the regulation of data protection and its enforcement within its jurisdiction, and data protection commissioners from the EU states participate in a working group at the community level, pursuant to Article 29 of the Directive.
Personal data is defined in the Data Protection Directive 95/46/EC as any information that relates to an "identified or identifiable natural person." The Directive mandates that the data controller ensure compliance with the principles relating to data quality and provides a list of legitimate reasons for data processing. The data controller has information duties toward the data subject whenever personal data is collected directly from the person concerned or obtained otherwise. The data controller is also mandated to implement appropriate technical and organizational measures against unlawful destruction, accidental loss or unauthorized alteration, disclosure or access.
Data subjects' individual rights, as established by the Directive, are: the right to know who the data controller is, the recipient of the data and the purpose of the processing; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances. For example, individuals have the right to opt-out free of charge from receiving direct marketing material. The EU Data Protection Directive contains strengthened protections concerning the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs.
Enforcement of the regulatory framework on the processing of personal data can either be through administrative proceedings of the supervisory authority or judicial remedies. Member states' supervisory authorities are endowed with investigative powers and effective powers of intervention, such as powers to order blocking, erasure and destruction of data or to impose a temporary or definite ban on processing. Any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the liable controller. The Data Protection Directive provides a mechanism by which transfers of personal data outside the territory of the EU have to meet a level of processing "adequate" to the one prescribed by the directive's provisions.
- Cecilia Malmström Member of the European Commission responsible for Home Affairs Taking on the Data Retention Directive European Commission conference in Brussels. (Dec. 3, 2010)
- The "moment of truth" for the Data Retention Directive: EDPS demands clear evidence of necessity. Peter Hustinx, the European Data Protection Supervisor strongly argued in favor of seizing the opportunity of the ongoing evaluation process to clearly demonstrate the necessity and justification for the Data Retention Directive. (Dec. 3, 2010)
- European Commission ready to start talks with US on personal data agreement to fight terrorism or crime. EU Justice Ministers approved the start of talks between the European Union and the United States on a personal data protection agreement when cooperating to fight terrorism or crime. The aim is to ensure a high level of protection of personal information like passenger data or financial information that is transferred as part of transatlantic cooperation in criminal matters. Once in place, the agreement would enhance citizens' right to access, rectify or delete data when it is processed with the aim to prevent, investigate, detect or prosecute criminal offenses, including terrorism.(Dec. 3, 2010)
- Viviane Reding Vice-President of the European Commission, responsible for Justice, Fundamental Rights and Citizenship Privacy matters - Why the EU needs new personal data protection rules The European Data Protection and Privacy Conference Brussels. (Nov. 30, 2010)
- Council of Europe adopts recommendation on profiling and data protection. The Committee of Ministers for the Council of Europe has adopted a new recommendation on profiling and data protection, the first text to lay down internationally-agreed minimum privacy standards to be implemented through national legislation and self-regulation. (Nov. 25, 2010) Read more »
- Web firms face EU data privacy crackdown. (Nov. 4, 2010)
- EU May Propose Criminal Sanctions, Fines for Data Privacy Cases.European Union regulators may propose expanded criminal penalties to enforce data protection rules that limit what companies and governments can do with personal information. (Oct. 20, 2010)
- Brussels to tighten data protection rules. (Published Oct. 27, 2010/ Updated Sept. 8, 2010)
- German Federal Constitutional Court overturns law on data retention. (Sept. 3, 2010)
- European Commission Postpones Revision of the General Data Protection Directive. The French Data Protection Authority announced that the European Commission has adopted a new time frame for the revision of the Data Protection Directive 95/46/EC. The European Commission has decided to postpone the release of a proposal and will issue a statement in November 2010. (Aug. 3, 2010)
- European Privacy Officials Publish Opinion on Online Advertising. The European Union's data protection authorities have released an opinion declaring that online advertisers must obtain "informed" consent before tracking consumers' web browsing to target ads at consumers. The Opinion states that "although online behavioral advertising may bring advantages to online business and users alike, its implications for personal data protection and privacy are significant." The opinion of the Article 29 Working Party clarifies how the Article 5(3) of the ePrivacy Directive and Directive 95/46/EC apply to online behavioral advertising, stressing that companies engaging in online behavioral advertising using cookies are bound by the new EU rules on electronic privacy that require "informed" consent from consumers. For more information, see EPIC - International Privacy Standards. (Jun. 25, 2010)
- Google convictions reveal two flaws in EU law, not just Italian law. (Mar. 3, 2010)
- Article 29 Working Party Issues Contribution to Consultation on the EU Data Protection Framework. On December 1, 2009, the Article 29 Working Party adopted a Contribution to the Consultation of the European Commission on the legal framework for the fundamental right to the protection of personal data. The European Commission will evaluate all the contribution received under the Consultation and consider whether changes to the EU legal framework should be proposed. (Jan. 5, 2010)
- Data protection authorities call for strict general privacy agreement with United States. Article 29 Working Party, call upon the European institutions to ensure a strict and far reaching general privacy agreement with the United States. It also welcomes the initiative for a general agreement with the United States, since this could ensure a high level of protection of personal data of individuals when exchanged in police and criminal justice cooperation matters. (Nov. 19, 2010)
- Data protection in transatlantic relations: searching for a framework agreement. Future EU-US data protection agreement in the framework of police and judicial cooperation in criminal matters was discussed on October, 2010 by MEPs, representatives of the Council and the Commission, the US ambassador to the EU and several experts in the field from both sides of the Atlantic. The hearing, organized by the EP's Civil Liberties Committee, was divided in three sessions and focused on issues such as strengthening the transatlantic dialogs on data protection, shared values, constitutional constraints and possible common solutions or the impact of a new EU-US framework agreement. (Oct. 27, 2010)
- At European Parliament EPIC Urges Support for Comprehensive Data Protection Framework. Appearing before the European Parliament in Brussels, EPIC President Marc Rotenberg urged the adoption of a comprehensive framework to protect the flow of personal data between the United States and the European Union. Citing the growing concern about the misuse of sensitive data and the absence of effective legal remedies, Mr. Rotenberg said it was time for the US and the EU to develop an effective legal framework that would safeguard the rights of citizens and the users of Internet-based services. EPIC has previously supported the Madrid Privacy Declaration and the Council of Europe Privacy Convention as good models for international privacy frameworks. (Oct. 25, 2010)
- EU approves Israel's Adequacy Status. The European Union yesterday approved the adequacy status of Israel's Protection of Privacy Act in a declaration by the EU Article 31 Data Protection Committee. There is now an additional legal basis for transferring personal data from the European Union to Israel. (Oct. 21, 2010)
- European Parliament Agrees to Data Transfer Deal with US. In the ongoing dispute between Europe and the US over the transfer of private financial information of Europeans to US law enforcement agencies, the European Parliament has agreed to a revised proposal that would replace bulk data transfers with specific information requests. The Parliament has also required that European officials exercise greater control over the data transfer process. An earlier US proposal was rejected by the Parliament as a violation of fundamental rights. For more information, see EPIC - International Privacy Law and EPIC - Lisbon Treaty. (Jul. 8, 2010)
- European Commission seeks high privacy standards in EU-US data protection agreement. (May 26, 2010)
- No EU-US Agreement on Transfer of EU Financial Data to US or Deployment of Airport Body Scanners. A meeting between top United States counter-terrorism officials and European counterparts ended in Madrid today with no agreement to restart a program that gave the US access to European financial data. The Terrorist Finance Tracking Program operated in secret from 2001 to 2006. European legislators objected to the program as a violation of EU privacy law. There also appeared to be no EU support for the further deployment of body scanners in European airports. EPIC has raised several objections to the body scanner program, including a letter with Ralph Nader to the administration, Congressional Testimony, and open government litigation, which revealed that the devices store and record images. For more information, see EPIC International Privacy Standards, EPIC Lisbon Treaty, EPIC Body Scanners. (Apr. 9, 2010)
- El Parlamento Europeo rechaza el acuerdo con EE.UU. sobre datos bancarios. (Feb. 11, 2010)
Share this page:
EPIC relies on support from individual donors to pursue our work.
Subscribe to the EPIC Alert
The EPIC Alert is a biweekly newsletter highlighting emerging privacy issues.
Machines of Loving Grace by John Markoff