Privacy and Data Protection based on the GDPR. Leo Besemer
national law. A transposition could lead to differences between the substantive meaning of a regulation and the national legislation, thus losing the effectiveness of the instrument. In practice, implementing measures must often be taken by the Member States in order to give full effect to a regulation. A Member State can only derogate from the provisions of a regulation if this is stated in the regulation. European law therefore supersedes Member State law.
In the case of the GDPR there are quite a number of articles where Member States can deviate from the GDPR, either to make the requirements stricter or to widen the scope of the law. A number of these topics are listed in GDPR Article 23.
The GDPR is “text with EEA Relevance”, as the subtitle indicates. This means that it does not apply to the EU Member States alone, but it applies to all countries within the European Economic Area (EEA). The EEA includes all EU Member States, Iceland, Liechtenstein and Norway. It allows them to be part of the EU’s single market.
1.2.1.2 Directive
A “directive” is a legislative act that sets out a goal that all EU countries must achieve. A directive is binding on every Member State for which it is intended, but it is left to the national authorities to choose the form and the means5. Member States must adapt their national legislation in such a way that the purpose of a directive can be achieved. Directives are addressed to the EU Member States. This is in contrast to regulations, which are addressed to everyone. The main purpose of a directive is to coordinate divergent legislation (harmonization).
1.2.1.3 Decision
A decision is binding in its entirety. If the addressees are mentioned (e.g. an EU Member State or an individual company), it is only binding on them6. It can therefore be an individual instrument. In relation to GDPR Article 45, the European Commission can make an “adequacy decision”, determining that a country or part of a country outside the EU offers an adequate level of data protection. Adequacy decisions will be covered in Part III on cross-border data transfers.
1.2.1.4 Recommendation
A recommendation is not binding7. An example of this is the recommendation that the Council might make to a Member State which has an excessive government deficit8. The country’s government can act upon the recommendation, and it is wise to do so if it is in need of support from the European Central Bank, but there is no legal obligation.
1.2.2 European legal acts complementing the GDPR
1.2.2.1 Directives 2002/58/EC and 2009/136/EC (on privacy and electronic communications)
The ePrivacy Directive, in full: “Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)”, translated the principles set out in Directive 95/46/EC into specific rules for the telecommunications sector.
To keep up with technological and legislative developments, this directive was amended in 2009 by Directive 2009/136/EC9, also known as “the cookie law”. Because of GDPR Article 94, references to the repealed Directive 95/46/EC in Directive 2002/58/EC and in Member State law based on it are now read as references to the GDPR.
1.2.2.2 ePrivacy Directive and Regulation
The updated Directive 2002/58/EC is meant to be replaced by the proposed “Regulation on Privacy and Electronic Communications10”, published in January 2017 and updated many times since. The regulation details the rules regarding the protection of personal data in electronic communications. The proposed changes will bring the ePrivacy rules (currently a Directive, to become the ePrivacy Regulation) in line with the GDPR.
The ePrivacy Regulation in particular targets the processing of electronic communications data and the processing of its metadata. Article 8 deals with “the protection of information stored in and related to end-user’s terminal equipment”, i.e. with cookies, but also with spyware, hidden identifiers, web bugs, “device fingerprinting”, etc. The original intention of the Commission was for the ePrivacy Regulation to enter into force on May 25, 2018, at the same time as the GDPR it interacts with. There is, however, still an ongoing discussion on various details of the regulation in almost monthly meetings.
Regarding the use of tracking, online identifiers, profiling and other methods to gather information on users visiting websites, the GDPR sets clear rules which will be explained in Chapter 7.
1.2.2.3 Decisions 2001/497, 2004/915 and 2010/87 (standard contractual clauses)
The European Commission can decide on standard contractual clauses that should be used in contracts between controllers, or between a controller and a processor, in order to guarantee sufficient data protection safeguards for personal data to be transferred internationally.
The Commission has issued two sets of standard contractual clauses for data transfers from data controllers established in the European Economic Area (EEA) to data controllers established outside the EEA: decision 2001/497/EC (amended December 2016) and decision 2004/915/EC. The latter model clauses are intended to provide greater flexibility for the contracting parties.
The Commission has also issued one set of contractual clauses for data transfers from controllers in the EEA to processors established outside the EEA, decision 2010/87/EU (which was amended in 2016). The controller-processor contract is discussed in more detail in Sub-section 2.1.5.
1.2.2.4 Directive 2016/680 (police and judicial cooperation in criminal matters)
The GDPR excludes “processing of personal data (…) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences”.11 At the time the Treaty of Lisbon was prepared, however, it was acknowledged that specific rules on the protection of personal data and the free movement of personal data in the fields of judicial cooperation in criminal matters and police cooperation “might prove necessary because of the specific nature of those fields”.
This led to a separate directive, providing the basis for a harmonized national law: “Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data”. Directive 2016/680 was published the same day as the GDPR. It aims to protect the rights and freedoms of natural persons regarding the processing of their personal data on the same principles as the GDPR does, at the same time ensuring a high level of data protection while improving cooperation in the fight against terrorism and other serious crime.
The choice for an EU directive to complement the GDPR in this area is a logical one, because this subject is outside the scope of the EU’s legal powers. As shown in