Personal data protection

Protection of personal data and respect for private life are important fundamental rights. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. The EU data protection reform will strengthen citizens’ rights, giving them better control of their data and ensuring that their privacy continues to be protected in the digital age.

Legal basis

Article 16 of the Treaty on the Functioning of the European Union (TFEU);

Articles 7 and 8 of the EU Charter of Fundamental Rights.

Objectives

The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied in a consistent manner. The EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies, including law enforcement and crime prevention, as well as in international relations, especially in a global society characterised by rapid technological changes.

Achievements

a. Institutional framework

1. Lisbon Treaty

Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, with the use of the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time stipulating new powers for Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law.

2. The strategic guidelines in the area of freedom, security and justice

Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved the multiannual programme regarding the AFSJ for the 2010-2014 period: the Stockholm programme. In its conclusions of June 2014, the European Council defined the strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 TFEU. One of the key objectives is to better protect personal data in the EU. A mid-term review of the guidelines will take place in 2017.

b. Main legislative instruments on data protection

1. EU Charter of Fundamental Rights

Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights. The Charter is integrated into the Lisbon Treaty and is legally binding on the institutions and bodies of the European Union, and on the Member States when implementing EU law.

2. Council of Europe

a. Convention 108 of 1981

Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the first legally binding international instrument adopted in the field of data protection. Its purpose is ‘to secure [...] for every individual [...] respect for his rights and fundamental freedoms and in particular his right to privacy, with regard to automatic processing of personal data’.

b. European Convention on Human Rights (ECHR)

Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right to respect for private and family life: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’

3. Current EU legislative instruments on data protection

As a consequence of the old pillar structure, various legislative instruments are currently in force. These include former first-pillar instruments such as Directive 95/46/EC on data protection, Directive 2002/58/EC on e-privacy (modified in 2009), Directive 2006/24/EC on data retention (declared invalid by the Court of Justice of the European Union on 8 April 2014 owing to its serious interference with private life and data protection), and Regulation (EC) No 45/2001 on processing of personal data by Community institutions and bodies, as well as former third-pillar instruments such as the Council Framework Decision of November 2008 on the protection of personal data processed in the framework of police and criminal justice. A new comprehensive legal framework on data protection at EU level is due to come into force shortly (see below).

a. Data Protection Directive (95/46/EC) — to be repealed in May 2018

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is the central piece of legislation on the protection of personal data in the EU. The directive stipulates general rules on the lawfulness of personal data processing, sets out the rights of data subjects and makes provision for national independent supervisory authorities. The directive stipulates that personal information may only be processed if the person concerned has given his/her explicit consent to, and has been informed in advance of, the data processing.

b. Council Framework Decision 2008/977/JHA — to be repealed in May 2018

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters regulates data protection under the former third pillar. This is a sector not covered by Directive 95/46/EC, which applies to the processing of personal data under the former first pillar. The Framework Decision only applies to police and judicial data exchanged among Member States, EU authorities and associated systems, and does not cover domestic data.

4. European Data Protection Supervisor and Article 29 Working Party

The European Data Protection Supervisor (EDPS) is an independent supervisory authority which ensures that the EU institutions and bodies meet their obligations with regard to data protection as laid down in the Data Protection Regulation ((EC) No 45/2001). The primary duties of the EDPS are supervision, consultation and cooperation. The Article 29 Working Party is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive. It is composed of representatives of the EU national data protection authorities, the EDPS and the Commission. It issues recommendations, opinions and working documents. The Article 29 Working Party will be replaced by the European Data Protection Board under the new General Data Protection Regulation.

5. EU Data Protection Reform — to be applied from May 2018

On 25 January 2012, the Commission published a broad legislative package to reform EU legislation on data protection. The reform is aimed at safeguarding personal data across the EU, increasing users’ control of their data and cutting costs for businesses. Technological progress and globalisation have profoundly changed the way data is collected, accessed and used. In addition, the 28 Member States have implemented the 1995 rules in differing ways. A single law will do away with the current fragmentation and costly administrative burdens. This will help to reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs and innovation in Europe. The package includes a policy communication on the main political objectives of the reform, a proposal for a general regulation to modernise the principles enshrined in the 1995 Data Protection Directive, and a proposal for a specific directive on the processing of personal data in the area of police and judicial cooperation in criminal matters. In December 2015, Parliament (at committee level) and the Council (at ambassadorial level) reached an agreement on the new data protection rules after almost three years of lengthy negotiations. New rules were published in April 2016 and will apply from May 2018:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
  • Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

Role of the European Parliament

Parliament has always insisted on the need to strike a balance between enhancing security and protecting privacy and personal data. It has adopted various resolutions on these sensitive matters, specifically addressing ethno-racial profiling, the Prüm Council Decision on cross-border cooperation in combating terrorism and cross-border crime, the use of body scanners to enhance aviation security, biometrics in passports and common consular instructions, border management, the internet and data mining.

The Lisbon Treaty has introduced more accountability and legitimacy into the AFSJ, thus generalising, with a few exceptions, the Community method, which includes majority voting in the Council and the ordinary legislative procedure (formerly known as codecision). As regards international agreements, a new procedure (‘consent’) has been introduced. Parliament used these powers in February 2010 when it rejected the provisional application of the Terrorist Finance Tracking Programme (TFTP) agreement (previously known as the SWIFT agreement) on transfers of bank data to the USA for counterterrorism purposes. Following the adoption of Parliament’s resolution of 8 July 2010, the TFTP agreement entered into force in August 2010. In July 2011 the Commission adopted a communication on the main options for establishing a European Terrorist Finance Tracking System (EU TFTS), about which Parliament expressed doubts. In November 2013, the Commission announced its intention not to present at this stage a proposal for an EU TFTS.

Another issue of crucial importance is the Passenger Name Records (PNR) agreement between the EU and the USA on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security. Following the consent given by Parliament, the Council adopted in April 2012 a decision on the conclusion of the new agreement, which replaced the previous EU-US PNR agreement, applied provisionally since 2007.

In February 2011 the Commission tabled a proposal for a directive on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (EU PNR). In June 2013, Parliament decided in plenary to refer the matter back to its Committee on Civil Liberties, Justice and Home Affairs (LIBE), which in April 2013 voted against the EU PNR proposal, questioning its proportionality and compliance with fundamental rights. Following the 2015 terrorist attacks in Paris and new concerns over possible threats to the EU’s internal security posed by ‘foreign fighters’, the debate on the EU PNR proposal gained new momentum. In December 2015, Parliament (at committee level) and the Council (at ambassadorial level) reached a compromise solution on this sensitive matter. Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime will have to be transposed into national law by 25 May 2018.

Parliament will be involved in the approval (under the consent procedure) of a legally binding framework agreement with the USA on the exchange of information and data protection, known as the ‘Umbrella Agreement’. The aim is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation in the fight against terrorism and organised crime. The signing of the Judicial Redress Act by President Obama in February 2016 paved the way for the signature of the EU-US Umbrella Agreement on 2 June 2016. In parallel, the ‘EU-US Privacy Shield’ was put in place in order to ensure a high level of data protection for commercial data transfers. The Privacy Shield reflects the requirements set out by the Court of Justice of the EU in its ruling of October 2015, which declared the old ‘Safe Harbour’ framework (voluntary data protection standards for non-EU companies transferring EU citizens’ personal data to the US) invalid. The Commission adopted the implementing decision pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-US Privacy Shield on 12 July 2016 and it entered into force immediately. As of 1 August 2016, companies are able to sign up to the Privacy Shield with the US Department of Commerce, which then verifies that their privacy policies comply with the high data protection standards required by the Privacy Shield. Parliament, in its resolution of 26 May 2016 on transatlantic data flows, welcomed the efforts to achieve substantial improvements in the Privacy Shield compared to the Safe Harbour decision which it replaced, and expressed some criticism.

On 12 March 2014, Parliament adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs. This resolution concluded a six-month Parliament inquiry into electronic mass surveillance of EU citizens, following the revelations made in June 2013 concerning alleged spying by the USA and some EU countries. In this resolution, Parliament called for the suspension of the Safe Harbour privacy principles and of the Terrorist Finance Tracking Programme. On 29 October 2015, Parliament adopted a resolution on the follow-up to the European Parliament resolution of 12 March 2014 on the electronic mass surveillance of EU citizens, in which it reiterated its call for the suspension of the Safe Harbour Decision and of the Terrorist Finance Tracking Programme.

Parliament has been involved, under the ordinary legislative procedure, in approving the data protection reform (see previous section). The new data protection rules will strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.

Kristiina Milt

09/2016