PappasLaw Attorneys at Law in Brussels - | The Reform of the data protection legal framework

21 Nov '12

The Reform of the data protection legal framework

Posted in

he European Commission proposes a new, clear and uniform legislative framework, which will ensure a strong protection of the fundamental right to data protection throughout the European Union and at the same time, will strengthen the functioning of the Single Market.

Building trust in online environment: a challenge for the Commission

The phenomenal development of new technologies has an undeniable effect on the ever-increasing volume of personal data collected, accessed, used and transferred. By using smart cards, cloud computing or social networking sites, we leave digital traces at every “click” we make. At the same time, collecting and analyzing personal data has become a real asset for many companies of which the economic activities are mainly based on the analysis of the data of potential customers.

When disclosing their personal data, people are absolutely aware that their data will be processed. They feel however that they are not in complete control of them and they are concerned that their personal data may be misused. This lack of confidence in online services definitely affects the growth and the competitiveness of the digital economy within the European Union.

Building trust in the online environment seems essential to economic development. A reform of the current legislative framework was therefore required in order to ensure a high level of data protection, enhancing thus trust in online services and fulfilling the potential of the digital economy. This reform is even more important given the central role of personal data protection in the Digital Agenda for Europe and in the Europe 2020 Strategy.
Current Legislative framework: Directive 95/46/EC
The existing legislation at European level on personal data protection is the Directive 95/46/EC4, adopted in 1995 with a double objective: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. Directive 95/46/EC has been completed by the Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters.
Nowadays, we are facing new challenges for the protection of personal data, principally due to the technological developments. The scale of data sharing and collecting having increased considerably, the objectives and principles protected by the current legal framework need more than ever a strong and coherent protection. Indeed, the current legal framework has a main weakness: it has not prevented fragmentation in the way personal data protection is implemented across the Union. Under Directive 95/46/EC the ways in which individuals are able to exercise their right to data protection are not sufficiently harmonized across Member States. Nor are the powers of the national authorities responsible for data in order to ensure consistent and effective application of the rules within the European Union. This fragmentation may lead however to legal uncertainty and as a result to the public perception that there are significant risks associated with online activity. Indeed, many Europeans consider that they are not properly informed of the processing of their personal data and they do not know how to exercise their rights online.

A stronger and more coherent data protection framework within the European Union is therefore essential. It would put individuals in control of their own data, reinforce legal and practical certainty for economic operators and public authorities and allow hence the digital economy to develop across the internal market.

The right to protection of personal data is protected by Article 8 of the Charter of Fundamental Rights of the EU as a fundamental right. Likewise, the Treaty on the Functioning of the European Union (TFEU) establishes in Article 16 (1) the principle that everyone has the right to the protection of personal data concerning him or her and introduced a specific legal basis (Article 16(2)) for the adoption of rules on the protection of personal data.
This is on that basis that the Commission proposes a new legal framework on data protection. After assessing the impacts of different policy options, the European Commission proposes a strong and consistent legislative framework across Union policies, enhancing individuals’ rights, cutting red tape for businesses, enhancing thus the Single Market dimension of data protection. One aspect of the reform is the nature of the legal text. Data protection requirements and
safeguards will be set out in a Regulation with direct application throughout the Union. The proposed legal framework consists of two legislative proposals:
– a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.

The right to protection of personal data
The right to protection of personal data is established by Article 8 of the Charter and Article 16

TFEU as well as in Article 8 of the ECHR. According to the Court of Justice of the EU6, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society. Data protection is closely linked to respect for other rights established by the Charter such as i.e. freedom of expression (Article 11 of the Charter); the rights of the child (Article 24) the right to property and in particular the protection of intellectual property (Article 17(2)); the prohibition of any discrimination amongst others on grounds such as race, ethnic origin, genetic features, religion or belief, political opinion or any other opinion, disability or sexual orientation (Article 21).

Objectives of the reform
Putting individuals in control of their personal data

One of the priorities of the new legal framework on data protection is to allow individuals to exercise an effective control on their personal data. This rejoins the expectations of many Europeans who although they consider that disclosure of their personal data online is inevitable, they feel that they are not in control of their data since they are not properly informed of what happens to their personal information once disclosed. Often, as already mentioned, they do not know how to exercise their rights online.
The reform of the EU data protection rules will namely ensure the “right to be forgotten” by introducing an explicit requirement that obliges online social networking services to minimize the volume of users’ personal data that they collect and process. The proposal foresees also an explicit obligation for data controllers to delete an individual’s personal data if that person explicitly requests deletion and where there are no other legitimate grounds to retain it. Moreover, it is foreseen that the default settings shall ensure that data is not made public.

The individual’s ability to control their data will be improved with the proposed Regulation, which will ensure that, when their consent is required, it is given explicitly and freely with a clear affirmative action by the person concerned.

In addition, the Regulation will strengthen the right to information so that individuals fully understand how their personal data is handled, particularly when the processing activities concern children. It will also guarantee an easy access to individual’s own data and a right to data portability, i.e. a right to obtain a copy of the stored data from the controller and the freedom to move it from one service provider to another.
The new legal framework intends to reinforce national data protection authorities’ independence and powers, so that they are properly equipped to deal effectively with complaints, with powers to carry out effective investigations, take binding decisions and impose effective and dissuasive sanctions. It also aims at improving administrative and judicial remedies when data protection rights are violated. The new text foresees namely the possibility for qualified associations to bring actions to Court on behalf of individuals.

Enhancing of the accountability of the data processors
The aim of the reform proposed by the Commission is to strengthen individual rights, by informing them of the processing of their data and by allowing them to exercise their rights more effectively. The reform of the EU’s data protection rules will oblige thus companies to strengthen their security measures to prevent and avoid breaches and to notify data breaches to both the national data protection authority – within 24 hour of the breach being discovered– and the individuals concerned without undue delay.
The Regulation introduces also the ” Privacy by Design” principle to make sure that data protection safeguards are taken into account at the planning stage of procedures and systems. Moreover, the new text introduces for organizations involved in risky processing the obligation to carry out Data Protection Impact Assessments.

In addition, the proposed Regulation introduces the concept of “risky processing” and requires from data controllers to designate a Data Protection Officer in companies with more than 250 employees and in firms which are involved in processing operations which, by virtue of their nature, their scope or their purposes, present specific risks to the rights and freedoms of individuals.

Strengthening the functioning of the Single Market
The Commission proposes a clear and uniform legislative framework at European level, which will help to strengthen the potential of the Digital Single Market and promote economic growth and innovation. The chosen form of the legal text will put an end to the fragmentation of different legal regimes across the Member States and remove thus the obstacles to market entry. A Regulation directly applicable in all Member States will avoid cumulative and simultaneous application of different national data protection laws. This will definitely simplify the regulatory environment and as a result will cut red tape and eliminate formalities. This will particularly help micro, small and medium sized enterprises to which a special attention is given their considerable importance for the competitiveness of the European economy.

In addition, Commission proposes to further enhance the independence and powers of national data protection authorities (DPAs) in order to make them more effective. They will be given the possibility to carry out investigations, to take binding decisions and to impose effective and dissuasive sanctions. Moreover the Regulation will give the possibility to data controllers in the EU to deal only with the DPA of the Member State where the company’s main establishment is located. Hence in case of violation of data protection, only the data protection authority where the company has its main establishment will be responsible for deciding whether the company is acting within the law or not. At the same time, the Regulation aims in ensuring a prompt, and effective coordination between national data protection authorities, by creating the conditions for an efficient cooperation between DPAs, including the obligation for one DPA to carry out investigations and inspections upon request from another as well as the mutual recognition of each other’s decisions.
Data protection in a globalized world: is it still possible?
What is sure is that it is a main concern for the Commission. Nowadays, only one “click” allow people to be in in different places in the world. That means however that personal data is being transferred across an increasing number of virtual and geographical borders and stored on servers in multiple countries. Besides, several companies offer cloud-computing services, allowing customers to access and store data on remote servers. This involves a real need for improvement of the current mechanisms for transferring data to third countries, in order to secure a high level of data protection in international processing operations and facilitate thus data movements across borders.

The Commission proposes therefore to establish clear rules defining when EU law is applicable to data controllers established in third countries. In addition, the Commission underlines the need to simplify and to strengthen the rules on international data transfers to countries. The Commission also suggests engaging negotiations with third countries – particularly EU strategic partners and European Neighbourhood Policy countries in order to promote high data protection standards worldwide.

Processing of data in police and criminal justice cooperation
The proposal of the Commission foresees also a Directive on the protection of individuals with regard to the processing of their personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. The introduction of a new legal basis (Article 16 TFEU) with the Lisbon Treaty allows the establishment of a coherent data protection framework ensuring a high level of protection for individuals’ data, whilst respecting the specific nature of the field of police and judicial cooperation in criminal matters.To ensure a high level of protection of personal data in that specific field, the Commission proposes a Directive, which will apply general data protection principles to police cooperation and judicial cooperation in criminal matters and provide for a minimal harmonization of criteria and conditions on possible limitations to the general rules, especially as regards the rights of individuals to be informed when police and judicial authorities handle or access their data.

Conclusion
Nowadays, people are aware that the protection of their personal data is a right. However they do not know how to ensure the respect of their right. When they are online even when they are only looking for an information online- they immediately realize that their data are processed but they do not know to what extend they are processed. The reform of the legal framework on data protection will therefore first benefit those individuals by strengthening their data protection rights and their trust in the digital environment. By its clarity and its coherence, the reform will furthermore simplify the legal environment on data protection helping thus businesses, but also the public sector significantly. This is expected to
stimulate the development of the digital economy across the European Single Market, in line with the objectives of the Europe 2020 strategy and the Digital Agenda for Europe.

-- --

Case Law

Recent cases

European Court of Human Rights : ECHR 46862/14, ECHR 46819/14, ECHR 30287/14, ECHR 23544/14, ECHR 5485/14, ECHR76530/13, ECHR 68918/13, ECHR 59003/13, ECHR 57424/13, ECHR 39173/13, ECHR 39165/13, ECHR 32194/13, ECHR 23542/13, ECHR 53601/12, ECHR 48499/12, ECHR 18096/12, CHR 1317/07, ECHR 3735/06
European Commission (Competition) : C 2015/078217, C 2015/071997, SA.39119 (2014-CP), SA. 32060 (2014/NN), SA 35191 (20121CP), C(2011)3504, C 16/10 (ex NN 22/10, ex CP 318/09), COMP/B1-39826/2010
Conseil d’Etat and Symvoulio tis Epikrateias : ΣτΕ 469/2012, Conseil d’Etat, arrêt nº 221.250 du 30 octobre 2012, ΣτΕ (ΕΑ) 259/2012, ΣτΕ (ΕΑ) 256-257/2012, ΣτΕ (ΕΑ) 254/2012, Conseil d’Etat arrêt nº 211.866 du 9 mars 2011, ΣτΕ 1786/2010
Court of Justice of the European Union : C-131/15 P, T-484/15, T-351/15, T-306/15, T-104/15, F-68/15, Τ-791/14, T-787/14 P, F-93/14, F-77/14, F-69/14, F-35/14, F-34/14, C-673/13 P, T-653/13, T-338/13, T-73/13, T-58/13, T-57/13, T-44/13, T-29/13, F-117/13, T-403/12, T-296/12, -192/12, T-36/12, T-14/12, F-137-138-139/12, F-26/12, T-635/11, T-422/11, T-419/11, T-317/11 P, T-59/11, F-124/11, F-87/11, F-24/10 RA, C-362/09 P, T-164/09, T-384/08, T-43/07 P, F-143/07, F-128-129/07, C-521/06 P, T-94/05 RENV II, T-94/05, F-100/05, T-471/04

"I say I know one thing: that I know nothing.

That, indeed makes me more knowledgeable than anybody else"

- Socrates -

Contact

+32-2-231 57 04

The Reform of the data protection legal framework

Pappas & Associates

Recent cases

European Court of Human Rights : ECHR 46862/14, ECHR 46819/14, ECHR 30287/14, ECHR 23544/14, ECHR 5485/14, ECHR76530/13, ECHR 68918/13, ECHR 59003/13, ECHR 57424/13, ECHR 39173/13, ECHR 39165/13, ECHR 32194/13, ECHR 23542/13, ECHR 53601/12, ECHR 48499/12, ECHR 18096/12, CHR 1317/07, ECHR 3735/06

European Commission (Competition) : C 2015/078217, C 2015/071997, SA.39119 (2014-CP), SA. 32060 (2014/NN), SA 35191 (20121CP), C(2011)3504, C 16/10 (ex NN 22/10, ex CP 318/09), COMP/B1-39826/2010

Conseil d’Etat and Symvoulio tis Epikrateias : ΣτΕ 469/2012, Conseil d’Etat, arrêt nº 221.250 du 30 octobre 2012, ΣτΕ (ΕΑ) 259/2012, ΣτΕ (ΕΑ) 256-257/2012, ΣτΕ (ΕΑ) 254/2012, Conseil d’Etat arrêt nº 211.866 du 9 mars 2011, ΣτΕ 1786/2010