Personal data protection  

Protection of personal data and respect for private life are important fundamental rights. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. New EU data protection rules strengthening citizens’ rights and simplifying rules for companies in the digital age took effect in May 2018.

Legal basis  

Article 16 of the Treaty on the Functioning of the European Union (TFEU);

Articles 7 and 8 of the EU Charter of Fundamental Rights.

Objectives  

The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied in a consistent manner. The EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies, including law enforcement and crime prevention, as well as in international relations, especially in a global society characterised by rapid technological change.

Achievements  

A. Institutional framework

1. Lisbon Treaty

Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, with the use of the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time stipulating new powers for Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of Union law.

2. The strategic guidelines in the area of freedom, security and justice

Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved the multiannual programme regarding the AFSJ for the 2010-2014 period, known as the Stockholm programme. In its conclusions of June 2014, the European Council defined the strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 TFEU. One of the key objectives is to better protect personal data in the EU. A mid-term review of the guidelines was initiated in 2017.

B. Main legislative instruments on data protection

1. EU Charter of Fundamental Rights

Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights. The Charter is integrated into the Lisbon Treaty and is legally binding on the institutions and bodies of the European Union, and on the Member States when implementing EU law.

2. Council of Europe

a. Convention 108 of 1981

Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the first legally binding international instrument adopted in the field of data protection. Its purpose is ‘to secure … for every individual … respect for his rights and fundamental freedoms and in particular his right to privacy, with regard to automatic processing of personal data’.

b. European Convention on Human Rights (ECHR)

Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right to respect for private and family life: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’

3. Current EU legislative instruments on data protection

As a consequence of the old pillar structure, data protection at the EU level has until recently been regulated by various legislative instruments. These include former first-pillar instruments such as Directive 95/46/EC on data protection (replaced by the General Data Protection Regulation in May 2018), Directive 2002/58/EC on e-privacy (modified in 2009; new proposal currently under consideration), Directive 2006/24/EC on data retention (declared invalid by the Court of Justice of the European Union on 8 April 2014 owing to its serious interference with private life and data protection) and Regulation (EC) No 45/2001 on processing of personal data by Community institutions and bodies (new proposal currently under consideration), as well as former third-pillar instruments such as the Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (replaced by the Data Protection Law Enforcement Directive in May 2018).

a. General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became applicable in May 2018. The rules aim to protect all EU citizens from privacy and data breaches in an increasingly data-driven world, while creating a clearer and more consistent framework for businesses. The new rights for citizens include a clear and affirmative consent for their data to be processed and the right to receive clear and understandable information about it; the right to be forgotten: a citizen can ask for his/her data to be deleted; the right to transfer data to another service provider (e.g. when switching from one social network to another); and the right to know when data has been hacked. The new rules apply to all companies operating in the EU, even if these companies are based outside of the EU. Furthermore, it will be possible to impose corrective measures, such as warnings and orders, or fines on firms that break the rules.

b. The Data Protection Law Enforcement Directive

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, became applicable in May 2018. The directive protects citizens’ fundamental right to data protection whenever personal data is used by law enforcement authorities. It ensures that the personal data of victims, witnesses, and suspects of crime are duly protected and facilitates cross-border cooperation in the fight against crime and terrorism.

4. European Data Protection Supervisor (EDPS) and European Data Protection Board (EDPB)

The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies meet their obligations with regard to data protection. The primary duties of the EDPS are supervision, consultation and cooperation. The European Data Protection Board (EDPB), formerly the Article 29 Working Party, has the status of an EU body with legal personality and is provided with an independent secretariat. The EDPB brings together the EU’s national supervisory authorities, the EDPS and the Commission. The EDPB has extensive powers to determine disputes between national supervisory authorities and to give advice and guidance on key concepts of the GDPR and the Data Protection Law Enforcement Directive.

Role of the European Parliament  

Parliament has always insisted on the need to strike a balance between enhancing security and protecting privacy and personal data. It has adopted various resolutions on these sensitive matters, specifically addressing ethno-racial profiling, the Prüm Council Decision on cross-border cooperation in combating terrorism and cross-border crime, the use of body scanners to enhance aviation security, biometrics in passports and common consular instructions, border management, the internet and data mining.

Parliament rejected in February 2010 under the consent procedure the provisional application of the Terrorist Finance Tracking Programme (TFTP) agreement (previously known as the SWIFT agreement) on transfers of bank data to the USA for counterterrorism purposes. Following the adoption of Parliament’s resolution of 8 July 2010, the TFTP agreement entered into force in August 2010. In July 2011, the Commission adopted a communication on the main options for establishing a European Terrorist Finance Tracking System (EU TFTS), about which Parliament expressed doubts. In November 2013, the Commission announced its intention not to present at this stage a proposal for an EU TFTS.

Another issue of crucial importance is the Passenger Name Records (PNR) agreement between the EU and the US on the processing and transfer of PNR data between air carriers and the US Department of Homeland Security. Following the consent given by Parliament, the Council adopted in April 2012 a decision on the conclusion of the new agreement, which replaced the previous EU-US PNR agreement, applied provisionally since 2007.

In February 2011, the Commission tabled a proposal for a directive on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (EU PNR). In June 2013, Parliament decided in plenary to refer the matter back to its Committee on Civil Liberties, Justice and Home Affairs (LIBE), which in April 2013 voted against the EU PNR proposal, questioning its proportionality and compliance with fundamental rights. Following the 2015 terrorist attacks in Paris and new concerns over possible threats to the EU’s internal security posed by ‘foreign fighters’, the debate on the EU PNR proposal gained new momentum. In December 2015, Parliament and the Council reached a compromise solution on this sensitive matter. Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime was to be transposed into national law by 25 May 2018.

Parliament has been involved in the approval (under the consent procedure) of a legally binding framework agreement with the USA on the exchange of information and data protection, known as the ‘Umbrella Agreement’. The aim is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation in the fight against terrorism and organised crime. The signing of the Judicial Redress Act by President Obama in February 2016 paved the way for the signature of the EU-US Umbrella Agreement on 2 June 2016. In parallel, the ‘EU-US Privacy Shield’ was put in place in order to ensure a high level of data protection for commercial data transfers. The Privacy Shield reflects the requirements set out by the Court of Justice of the EU in its ruling of October 2015, which declared the old ‘Safe Harbour’ framework (voluntary data protection standards for non-EU companies transferring EU citizens’ personal data to the US) invalid. The Commission adopted the implementing decision pursuant to Directive 95/46/EC on the adequacy of the protection provided by the EU-US Privacy Shield on 12 July 2016, and it entered into force immediately. As of 1 August 2016, companies are able to sign up to the Privacy Shield with the US Department of Commerce, which then verifies that their privacy policies comply with the high data protection standards required by the Privacy Shield. Parliament, in its resolution of 26 May 2016 on transatlantic data flows, welcomed the efforts to achieve substantial improvements in the Privacy Shield compared to the Safe Harbour decision which it replaced, and expressed some criticisms. In its resolution of 6 April 2017 on the adequacy of the protection afforded by the EU-US Privacy Shield[1], Parliament called on the EU Commission to conduct a proper assessment and to ensure that the EU-US ‘Privacy Shield’ for data transferred for commercial purposes provides enough personal data protection for EU citizens to comply with the EU Charter of Fundamental Rights and new EU data protection rules.

On 12 March 2014 Parliament adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs[2]. This resolution concluded a six-month inquiry by Parliament into the electronic mass surveillance of EU citizens, following the revelations that emerged in June 2013 concerning alleged spying by the US and some EU Member States. In this resolution, Parliament called for the suspension of the Safe Harbour privacy principles and of the Terrorist Finance Tracking Programme. On 29 October 2015, Parliament adopted a resolution on the follow-up to its resolution of 12 March 2014 on the electronic mass surveillance of EU citizens[3], in which it reiterated its call for the suspension of the Safe Harbour Decision and of the Terrorist Finance Tracking Programme.

Parliament has been involved, under the ordinary legislative procedure, in approving the data protection reform (see previous section). The new data protection rules will strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.

 

[1]Texts adopted, P8_TA(2017)0131. 
[2]Texts adopted, P7_TA(2014)0230. 
[3]Texts adopted, P8_TA(2015)0388. 

Kristiina Milt