Privacy and Data Protection based on the GDPR. Leo Besemer

1.2.1 a directive allows Member States a certain level of flexibility while incorporating the requirements into their respective national laws, yet still achieving a level of harmonization.

       1.2.2.5 Directive 2016/681 (on the use of passenger name record (PNR) data)

      The Directive on European Passenger Name Records (PNR) requires harmonized rules on the collection and processing of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. In accordance with the directive, airlines will be obliged to provide EU countries with their passengers’ data in order to help the authorities fight terrorism and serious crime, taking fully into consideration the right to the protection of personal data and the right to non-discrimination. The Directive on European Passenger Name Records (PNR) is to apply to “extra-EU” flights (from the EU to third countries or from third countries to the EU), but Member States may also extend it to “intra-EU” ones, provided that they notify the Commission.

       1.2.2.6 Regulation (EU) 2018/1725 (on processing by Union institutions)

      Regulation (EU) 2018/1725 lays down the data protection obligations for the EU institutions and bodies when they process personal data and develop new policies. The regulation adopts, in line with GDPR, a principle-based approach. This legal instrument ensures that EU institutions and bodies provide transparent and easily accessible information on how personal data is used, as well as foresee clear mechanisms for individuals to exercise their rights; it also reconfirms, clarifies and enhances the role of data protection officers within each EU institution and of the EDPS.

      Besides that, there are a number of articles where the regulation gives a default, and Member States can vary or add to that. An example is the age at which a data subject is regarded to be a child, which can vary from 13 to 16 years. This is particularly important regarding the age at which consent of a child in connection to social media can be lawful (see Sub-section 8.2.2).

      Another example is the types of personal data which require extra care in processing, although they are not deemed “sensitive data”. Most countries that use some kind of national identification number or social security number to identify citizens have deemed this number as requiring extra care, or have reserved it for use only by government and other organizations named in Member State law.

      The reasons why the aim of harmonization was given up in these cases are not explicitly stated. It is partly because the European Commission and Parliament can only pass law in fields indicated in the treaties, and for instance not in the field of national security and policies. Another reason may be that in some instances different cultural backgrounds make it difficult to reach an agreement, and this option for Member States to specify their own rules means it is easier to make the national provisions coherent with existing national law and indeed more comprehensible to the persons to whom they apply. This takes time, as is illustrated by the fact that at the time the GDPR came into force on 25 May 2018, only five countries (Austria, Denmark, Germany, Netherlands and United Kingdom) had their implementation law in place. By the end of 2018 this number had grown to ten.

      Since the majority of EEA Member States have passed implementation law using at least part of the flexibility provided in the GDPR for national variation, you must always check for these variations in the jurisdiction where you operate, or where the data subjects are.

      The fact that the processing of personal data in a specific case would be outside of the scope of the GDPR does not mean that everything would be allowed. The Treaty on the European Union (Chapter 2 of Title V) does not allow the EU to adopt legislative acts in relation to the common foreign and security policies. EU Member States have their own legislation in this field. Indeed, both the controller and a processor need to check for any complementing national law of the country where they are established regarding their processing operations.

      The history of Privacy and Data Protection law as described in Section 1.1 also illustrates how the concepts of subsidiarity and proportionality in European law work in practice.

      The principle of subsidiarity is defined in Article 5 of the Treaty on European Union. It aims to ensure that decisions are taken as closely as possible to the citizen and that constant checks are made to verify that action at EU level is justified in light of the possibilities available at national, regional or local level.

      Specifically, it is the principle whereby the EU does not take action (except in the areas that fall within its exclusive competence), unless it is more effective than action taken at national, regional or local level.

      Source: Summaries of EU Legislations

      (https://eur-lex.europa.eu/summary/glossary/subsidiarity.html).

      The OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data proved to be not effective enough in practice to achieve the set goal, namely the harmonization of data protection law. They were just guidelines, not binding law.

      The Convention for Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) was a binding instrument, but only to the countries that signed it. Again, the aim of effective, harmonized privacy law was not achieved.

      Even the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, while binding to all EU Member States, did not sufficiently achieve that aim of effective, harmonized law.

      The next and most intrusive instrument the EU possesses is a regulation, like the GDPR. And even in the discussions towards the final text of this regulation, countries claimed a need for derogations. See for example GDPR Article 23.

      Like the principle of subsidiarity, the principle of proportionality regulates the exercise of powers by the European Union (EU). It seeks to set actions taken by EU institutions within specified bounds. Under this rule, the action of the EU must be limited to what is necessary to achieve the objectives of the Treaties. In other words, the content and form of the action must be in keeping with the aim pursued.

      The principle of proportionality is laid down in Article 5 of the Treaty on European Union. The criteria for applying it are set out in the Protocol (No 2) on the application of the principles of subsidiarity and proportionality annexed to the Treaties.

      Source: Summaries of EU Legislations

      (https://eur-lex.europa.eu/summary/glossary/proportionality.html).

      From the early 1980s, steps have been taken to create a basis in European law
