Privacy and Data Protection based on the GDPR. Leo Besemer
the GDPR:
References to the repealed Directive shall be construed as references to this Regulation. References to the Working Party on the Protection of Individuals with regard to the Processing of Personal Data established by Article 29 of Directive 95/46/EC shall be construed as references to the European Data Protection Board established by (the GDPR).
GDPR Article 94(2)
Article 94 makes clear that, even when Member States need more time to update national law that somehow complements law based on Directive 95/46/EC, there can be no confusion on which law applies. As an EU regulation, the GDPR takes precedence.
As mentioned before, the principles described in Article 5 of the GDPR are not new. They were already expressed by the Council of Europe in Convention 108 as early as 1981, and again in the “Data Protection Directive” 95/46/EC. The definition of processing, the need for a legitimate purpose for processing and most of the other requirements of the GDPR were also requirements of Directive 95/46/EC, so processes to meet these requirements should have been in place in businesses and organizations for over twenty years.
Following the adoption of the GDPR by the European Parliament and the Council in April 2016, and its subsequent publication in the Official Journal of the European Union, there was initially little reaction, apart from some careful written analyses from large law firms setting out the most important changes in legal English (usually with an invitation to hire them for a more detailed and bespoke solution). However, about a year before the new regulation would apply, and after newspapers had given it considerable attention, a storm of protest arose. Reports claimed that companies and organizations would not be able to become compliant within the two-year period before the regulation applied. In addition, “horrendous fines” would cripple companies and lead to bankruptcies all over Europe. And, worst of all, according to both lawyers and laymen, the legal text was unclear and left a lot of issues open for debate. This opposition calmed soon after the European Data Protection Board (EDPB) published a stream of guidelines explaining the details, many of which were endorsed or updated versions of earlier publications of the Article 29 Working Party (WP29) established under Directive 95/46/EC.
1.1.2 Milestones in Data Protection history
The history of data protection law since World War II in milestones (continued):
1948 | United Nations General Assembly proclaims the Universal Declaration of Human Rights (UDHR). “Recognition of the inherent dignity and of the equal and inalienable rights of all members of the human family is the foundation of freedom, justice and peace in the world.” |
1950 | The Council of Europe invites individual states to sign the European Convention on Human Rights (ECHR). The ECHR came into force in 1953. |
1957 | Treaty of Rome establishing the European Economic Community (EEC). |
1980 | The Organization for Economic Co-operation and Development (OECD) publishes Guidelines on the Protection of Privacy and Transborder Flows of Personal Data. |
1981 | The Council of Europe invites countries to sign the Convention for Protection of Individuals with regard to Automatic Processing of Personal Data. (Convention 108 / Treaty of Strasbourg). The first binding international instrument to set standards for the protection of personal data. |
1992 | Treaty on the European Union (Treaty of Maastricht), establishing the European Union. |
1995 | Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data. (“Data Protection Directive”, repealed 25/5/2018) |
2000 | Charter of Fundamental Rights of the European Union. The Charter further defines people’s fundamental rights within the EU. The charter includes the general principles of the ECHR and explicitly refers to both privacy and data protection. |
2001 | Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows. |
2002 | Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications). |
2007 | Treaty of Lisbon, strengthening and improving the structures of the EU. Signed December 13, 2007, entered into force December 1, 2009. The treaty gives the Charter of Fundamental Rights the same legal value as the Treaties, making it binding law, and commits the EU to accede to the ECHR. Article 16 TFEU recognizes the right to protection of personal data and provides the legal basis for EU data protection rules, subject to control by independent authorities. The Treaty establishing the European Community is renamed the “Treaty on the Functioning of the European Union” (TFEU). Declaration 17 attached to the Lisbon Treaty confirms that the Treaties and the law adopted by the Union on the basis of the Treaties have primacy over the law of Member States. |
2016 | Publication of General Data Protection Regulation (EU) 2016/679 (GDPR), applicable from May 25, 2018 (and, after incorporation into the EEA Agreement, in the EEA EFTA states). From that date, references to Directive 95/46/EC in other documents and acts are to be read as references to the GDPR. |
2016 | Directive 2016/680 on the processing of personal data by competent authorities for police and judicial cooperation in criminal matters (Law Enforcement Directive, LED). The directive complements the GDPR and is based on the same general principles, while also guaranteeing a high level of public security. |
2016 | Directive 2016/681 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime. |
1.2 Context within European and national law
1.2.1 European legal acts
The European Union can issue various legal acts in order to achieve the aims set out in the treaties.
Figure 1.6 shows the interaction between EU law and member state law. In the center you can see the normal structure of an EU member state and its parliament, issuing national law. For subjects agreed to in the TFEU, the European Parliament and the Council, acting on a proposal from the Commission, can issue a directive. According to the TFEU, Member States must then (within a given time frame) issue national law to achieve the purposes set out in the directive, but the directive itself is not directly applicable law. Only in cases where a less intrusive instrument would not achieve the objective can a regulation (like the GDPR) be issued. This is the most powerful legal act the EU has: a regulation is directly applicable and takes precedence over conflicting national law. This is shown in the figure by the dotted area on the right, indicating that regulations and national law together constitute “applicable member state law”.
Figure 1.6 also shows that the other EU legal acts, decisions and recommendations, do not become part of member state law in this way. In the following sections we will look into the various legal acts in more detail.
Figure 1.6 Interaction between EU law and Member State law
1.2.1.1 Regulation
A “regulation” is a binding legislative act with a general application. It must be applied in its entirety across the EU and is directly applicable law in every Member State. The general application relates to the objective and abstract description of the rules laid down in a regulation. “Directly applicable” means that a regulation