The Lisbon Treaty and Privacy

The Lisbon Treaty and Privacy


The European Union unites under one roof the three pillars of European cooperation, with the European Community serving as the “First Pillar,” the Common Foreign and Security Policy as the “Second Pillar,” and the Cooperation in Justice and Home Affairs as the “Third Pillar.”

On October 29, 2004, all member states and three of the candidate member states signed the Treaty Establishing a Constitution for Europe. In June 2007, following ratification problems encountered in certain Member States, European leaders agreed to finalize and adopt, not a constitution, but a “reform treaty” for the European Union. The treaty was signed in Lisbon on December 13, 2007, and ratified by the 27 European Union members. The Lisbon Treaty entered into force on December 2, 2009.


The Lisbon Treaty significantly affects the data protection framework. Specific changes and possible effects on the legal grounds for legislation are described below:

1. Personal Data Protection is a fundamental human right

Under the Lisbon Treaty, the protection of personal data is recognized as a fundamental right.

Article 16 of the Treaty on the Functioning of the European Union states that:

(1) “Everyone has the right to the protection of personal data concerning them.(2) The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.”

Peter Hustinx, European Data Protection Supervisor, explained that under the Treaty: “[data protection] is comparable to other rights given under the EU treaties, like for instance the right of the EU citizens to move and reside freely within the territory of all the member states. “As a consequence,” he emphasized, “everyone will have a right to data protection, even in the absence of specific rules specifying the right.” He did concede that, “the exercise of this right by individuals is not unlimited. It can be subject to conditions and limitations under European law.” But, he argued, “due to its nature as a subjective and a fundamental right, these conditions can not render impossible the exercise of the core elements of the right to data protection, mentioned in the Charter.”

2. Charter of Fundamental Rights

Since 2000, the European Union is committed to protecting personal data pursuant to Article 8 of the Charter of Fundamental Rights of the European Union. Under the Charter every citizen has the right of personal data protection. Personal data should be processed fairly for specified purposes, and with the individual’s consent, or some other legitimate basis laid down by law supervised by an independent body.

The Lisbon Treaty makes the Charter of Fundamental Rights a legally enforceable document not only on the EU, its institutions, and the member states as regards the implementation of the European law.

3. The Elimination of the Pillar Structure

The First Pillar

The Data Protection Directive (95/46/EC) defines the basics elements of data protection that member states must transpose into national law. Each state manages the regulation of data protection and its enforcement within its jurisdiction, and data protection commissioners from the EU states participate in a working group at the community level, pursuant to Article 29 of the Directive.

As a European Community measure aiming at harmonization of member states’ laws and the integration of the internal market, the Data Protection Directive is limited to activities in the “First Pillar” of the EU.

Personal data is defined as any information that relates to an “identified or identifiable natural person.” The directive mandates that the data controller ensure compliance with the principles relating to data quality and provides a list of legitimate reasons for data processing. The data controller has information duties toward the data subject whenever personal data is collected directly from the person concerned or obtained otherwise. The data controller is also mandated to implement appropriate technical and organizational measures against unlawful destruction, accidental loss or unauthorized alteration, disclosure or access.

Data subjects’ individual rights, as established by the directive, are: the right to know who the data controller is, the recipient of the data and the purpose of the processing; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances. For example, individuals have the right to opt-out free of charge from receiving direct marketing material. The directive contains strengthened protections concerning the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs.

Enforcement of the regulatory framework on the processing of personal data can either be through administrative proceedings of the supervisory authority or judicial remedies. Member states’ supervisory authorities are endowed with investigative powers and effective powers of intervention, such as powers to order blocking, erasure and destruction of data or to impose a temporary or definite ban on processing. Any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the liable controller.

The Data Protection Directive provides a mechanism by which transfers of personal data outside the territory of the EU have to meet a level of processing “adequate” to the one prescribed by the directive’s provisions.

The Second Pillar

The Council of the European Union is the hub of decision-making on the Common Foreign and Security Policy and adopts, at the instigation of the European Council, all legislative acts.

The European Council, which becomes one of the seven EU institutions, will share with the Council the responsibility for defining and implementing the common foreign and security policy.

The Third Pillar

The “Third Pillar” of the EU covers cooperation in the fields of justice and home affairs. There are separate data protection responsibilities in each principal field of activities, which are set up by the Europol Convention, the Council Decision setting up Eurojust, the Convention implementing the Schengen Agreement, and the Convention on the use of Information Technology for Customs Purposes.

In Europol, which is a cooperative effort of EU member states to combat serious forms of international organized crime, data protection supervision is in the hands of the Europol Joint Supervisory Body. The objective of Eurojust is to improve EU-wide investigations and prosecutions, thereby conferring data protection authority to the Eurojust Joint Supervisory Body.

The Schengen Information System (SIS) is a database that has been established in the conjunction of the abolition of international border controls in much of the EU (Schengen territory). The SIS records personal information required in the context of cross-border applications, e.g., missing or wanted persons. The Schengen Joint Supervisory Authority is responsible for data protection issues surrounding SIS. The same construction applies to the Customs Information Systems (CIS). Development of a new, second generation Schengen Information System (SIS II), is underway.

In May 2005, Austria, Belgium, France, Germany, Luxembourg, Spain and the Netherlands signed a treaty in Prüm to enhance cross-border police and judicial cooperation, especially with respect to the fight against terrorism, cross-border crime and illegal migration. Under the treaty, member states grant each other access rights to their automated DNA analysis files, automated fingerprint identification systems and vehicle registration data. In December 2006, Germany and Austria became the first countries in the world to share their DNA databases. The European Data Protection Supervisor, however, considers the privacy elements of the treaty to be incomplete.

No Pillar Structure

Under the Lisbon Treaty the pillar structure is eliminated. The area of police and judicial cooperation in criminal matters will be integrated in the European Community Treaty. The European Community will deal with police and judicial cooperation as well as other aspects of this area such as policies on border checks and immigration cooperation.

Peter Hustinx stressed, “The entry into force of the Lisbon Treaty leads to the end of the pillar structure, but that does not mean that Directive 95/46 will automatically apply to police and judicial cooperation. The scope of this directive is limited. It now excludes activities of the State in the area of criminal law. Only a precise amendment of the Directive on that point could change this situation.”

Now that the Lisbon Treaty is in force, the Data Protection Authorities, Article 29, the Schengen advisory authorities, EUROJust and its data protection office, among others, will need to analyze what work needs to be done to harmonize the approach to data protection and information sharing.

Legal Framework


News Items