Personal data protection
Protection of personal data and respect for private life are European fundamental rights. Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. New EU data protection rules strengthening citizens’ rights and simplifying rules for companies in the digital age took effect in May 2018. Research prepared for the European Parliament indicates that EU legislation regulating data flows contributes EUR 51.6 billion annually to GDP in the European Union. Research prepared for the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) confirms the importance of data protection for defending democracy and individual freedoms in the EU.
Legal basis
Article 16 of the Treaty on the Functioning of the European Union (TFEU);
Articles 7 and 8 of the EU Charter of Fundamental Rights.
Objectives
The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied in a consistent manner. In the light of the exponential growth of the volume of data transfers – with the EU, the US and Canada constituting the biggest share of this growth – the EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies.
Achievements
A. Institutional framework
1. Lisbon Treaty
Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, using the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time conferring new powers on Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of Union law.
2. The strategic guidelines in the area of freedom, security and justice
Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved the multiannual programme regarding the AFSJ for the 2010-2014 period, known as the Stockholm programme. In its conclusions of June 2014, the European Council defined the strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 of the TFEU. One of the key objectives is to better protect personal data in the EU.
B. Main legislative instruments on data protection
1. EU Charter of Fundamental Rights
Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights.
2. Council of Europe
a. Convention 108 of 1981
The Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data was the first legally binding international instrument adopted in the field of data protection. Its purpose is to secure, for every individual, respect for their rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data. The Protocol amending the Convention seeks to broaden its scope, increase the level of data protection and improve its effectiveness.
b. European Convention on Human Rights (ECHR)
Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right of everyone to respect for their private and family life, their home and their correspondence.
3. Current EU legislative instruments on data protection
a. General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became applicable in May 2018. The rules aim to protect all EU citizens from privacy violations and data breaches in an increasingly data-driven world, while creating a clearer and more consistent framework for businesses. The rights enjoyed by citizens include: clear and affirmative consent before their data is processed, together with the right to receive clear and understandable information about that processing; the right to be forgotten, under which a citizen can ask for his or her data to be deleted; the right to transfer data to another service provider (e.g. when switching from one social network to another); and the right to be notified when their data has been breached. The rules apply to all companies operating in the EU, including those based outside it. Furthermore, corrective measures can be imposed, such as warnings and orders, or fines on firms that break the rules. On 24 June 2020, the European Commission presented its first report on the evaluation and review of the GDPR [1].
b. The Data Protection Law Enforcement Directive
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, became applicable in May 2018. The directive protects citizens’ fundamental right to data protection whenever personal data is used by law enforcement authorities. It ensures that the personal data of victims, witnesses and suspects of crime are duly protected and facilitates cross-border cooperation in the fight against crime and terrorism. On 25 July 2022, the European Commission published its delayed report on the evaluation and review of the directive. It was followed by an evaluation study commissioned by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) containing a critical assessment of the implementation of the Law Enforcement Directive [2].
c. Directive on privacy and electronic communications
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications) was amended by Directive 2009/136/EC of 25 November 2009. It raises the delicate issue of data retention, which was repeatedly brought before the Court of Justice of the EU (CJEU) and led to a series of rulings declaring that EU law precludes the general and indiscriminate retention of traffic and location data.
The 2017 proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (regulation on privacy and electronic communications) remains under prolonged discussion. Parliament’s experts have indicated that Parliament should resist the Council’s attempts to exclude the applicability of European data protection principles [3].
d. Regulation on the processing of personal data by the Union institutions and bodies
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, entered into force on 11 December 2018.
e. Articles on data protection in sector-specific legislative acts
In addition to the main legislative acts on data protection referred to above, specific provisions on data protection are also set down in sector-specific legislative acts, such as:
- Article 13 (on the protection of personal data) of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime;
- Article 6 (on data processing) of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (API). This directive will be repealed by two new regulations voted on by Parliament’s plenary on 24 April 2024, one on the collection and transfer of API data for external border controls and one on its collection and transfer for the prevention, detection, investigation and prosecution of terrorist offences and serious crime [4];
- Chapter VI (on data protection safeguards) of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol);
- Chapter VIII (on data protection) of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’).
4. The EU’s main international arrangements on data transfers
a. Commercial data transfers: adequacy decisions
Under Article 45 of the GDPR, the Commission has the power to determine whether a country outside the EU offers an adequate level of data protection, be that on the basis of its domestic legislation or of the international commitments it has entered into.
While data transfers between the EU and North America have increased exponentially, with the US dominating private online advertising and surveillance [5], Parliament has adopted numerous resolutions raising concerns about transatlantic data flows. In particular, it considered that the EU-US Privacy Shield Decision did not provide the adequate level of protection required by EU law, and the CJEU has repeatedly invalidated the European Commission’s adequacy decisions concerning the US (see its rulings of 2015 on Safe Harbour in Schrems, Case C-362/14, and of 2020 on the EU-US Privacy Shield in Schrems II, Case C-311/18).
Despite the absence of reform of the data protection regime in the US, the European Commission reached another agreement with the US and presented a draft adequacy decision for yet another framework, the EU-US Data Privacy Framework. On a motion from the LIBE Committee, on 11 May 2023, Parliament adopted a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calling on the Commission to continue negotiations with its US counterparts, but to refrain from adopting the adequacy finding until all of the recommendations made in Parliament’s resolution and the European Data Protection Board (EDPB) opinion are fully implemented.
The Commission adopted its third adequacy decision for the US, on the EU-US Data Privacy Framework, on 10 July 2023.
b. EU-US Umbrella Agreement
Under the consent procedure, Parliament was involved in the approval of the agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection and prosecution of criminal offences, also known as the ‘Umbrella Agreement’. The aim of this agreement is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation for law enforcement purposes, namely in the fight against terrorism and organised crime.
c. EU-US, EU-Australia and EU-Canada passenger name record (PNR) agreements
The EU has signed bilateral passenger name record (PNR) agreements with the United States, Australia and Canada. PNR data includes information provided by passengers when booking or checking in for flights and data collected by air carriers for their own commercial purposes. PNR data can be used by law enforcement authorities to fight serious crime and terrorism.
Regarding Canada, in Opinion 1/15 of 26 July 2017, the CJEU declared that the envisaged Agreement between the EU and Canada signed on 25 June 2014 could not be concluded in its current form. Following this Opinion, new PNR negotiations with Canada were launched in June 2018 and are currently ongoing.
On 18 February 2020, the Council adopted a decision authorising the opening of negotiations between the EU and Japan for an agreement on the transfer and use of PNR data, which are ongoing as well.
d. EU-US Terrorist Finance Tracking Programme (TFTP)
The EU has signed a bilateral agreement with the US on the processing and transfer of financial messaging data from the EU to the US for the purposes of the terrorist finance tracking programme.
5. Addressing data protection aspects in sector-specific resolutions
Several Parliament resolutions on different policy areas also address personal data protection in order to ensure consistency with general EU data protection law and the protection of privacy in those specific sectors.
6. EU data protection supervisory authorities
The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies meet their obligations with regard to data protection. The primary duties of the EDPS are supervision, consultation and cooperation.
The European Data Protection Board (EDPB), formerly the Article 29 Working Party, has the status of an EU body with legal personality and is provided with an independent secretariat. The EDPB brings together the EU’s national supervisory authorities, the EDPS and the Commission. The EDPB has extensive powers to settle disputes between national supervisory authorities and to give advice and guidance on key concepts of the GDPR and the Data Protection Law Enforcement Directive.
Role of the European Parliament
Parliament has played a key role in shaping EU legislation in the field of personal data protection by making the protection of privacy a political priority. Furthermore, under the ordinary legislative procedure, it has been working on the data protection reform on an equal footing with the Council. In 2017, it concluded its work on the last significant piece of the puzzle, the new regulation on privacy and electronic communications, and is waiting for the Council to conclude its own work so that interinstitutional negotiations can start.
In numerous resolutions, Parliament has expressed doubts as to the adequacy of the protection given to EU citizens under the EU-US Safe Harbour Framework and, subsequently, the EU-US ‘Privacy Shield’. After the Schrems II case led to the invalidation of the European Commission’s decision on the adequacy of the protection provided by the EU-US ‘Privacy Shield’ agreement, on the basis that the US Government’s surveillance powers were not limited as required by EU law and that EU citizens did not have effective means of redress, the European Parliament adopted a resolution in which it deplored the fact that the Commission had put relations with the US before the interests of EU citizens [6].
Following the tabling of the LIBE Committee’s motion, on 11 May 2023 Parliament adopted a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calling on the Commission to continue negotiations with its US counterparts but to refrain from adopting the adequacy finding until all the recommendations made in the resolution and the EDPB opinion are fully implemented. The Commission adopted its adequacy decision on the EU-US Data Privacy Framework on 10 July 2023.
Parliament established a committee of inquiry to investigate the use of Pegasus and equivalent surveillance spyware in the EU’s Member States (PEGA). Chaired by MEP Jeroen Lenaers, the PEGA Committee thoroughly investigated the use of spyware against opposition members, journalists, lawyers and civil society activists, as well as how such practices affect democratic processes and individual rights in the EU. During its inquiry, the PEGA Committee consulted leading academics, practitioners and authorities in the EU and worldwide. Parliament’s Policy Department prepared reports for the PEGA missions to Poland, Greece and Cyprus. On 8 May 2023, the PEGA Committee voted to approve its final report (Rapporteur: MEP Sophia in ‘t Veld) on the investigation into alleged contraventions and maladministration in the application of EU law in relation to the use of Pegasus and equivalent surveillance spyware, which included, among many other points, a recommendation to set up an EU Tech Lab for research into and monitoring of the use of spyware against EU citizens. Parliament’s recommendation to the Council and the Commission following the PEGA report was adopted by its plenary on 15 June 2023. However, the Commission did not provide a timely response to the recommendation and blocked the pilot project for the EU Tech Lab proposed by MEPs.
Parliament has commissioned a number of research studies in order to have a scientific basis for its legislative activities at the forefront of technological developments and data protection, including a study on the impact of the General Data Protection Regulation (GDPR) on artificial intelligence, a study on biometric recognition and behavioural detection, a study on the metaverse and, recently, a study on law and ICT [7].
Pablo Abril Marti / Mariusz Maciejewski