Privacy and Data Protection based on the GDPR. Leo Besemer
between most EEC Member States and the political changes in Europe in the 1980s led to the ‘Single European Act’ (SEA), which came into force on 1 July 1987. An important aim of this Act was to establish a single European market by 31 December 1992. It was the first major revision of the 1957 Treaty of Rome. The SEA reformed the legislative processes of the European Community, particularly with regard to the decision-making procedure within the Council, the powers of the European Commission and the powers of the European Parliament, changing it into a formal legislative body. The SEA was intended to remove barriers and to increase harmonization and competitiveness among European countries.
Figure 1.4 EU logo.
The next step in the development of an “ever-closer union among the peoples of Europe” was the Maastricht Treaty, which entered into force on 1 November 1993. The Treaty merged the European Economic Community (EEC), the European Coal and Steel Community (ECSC) and the European Atomic Energy Community (Euratom) into a single institutional structure, the European Union (EU). The EU consists of the Council, the European Parliament, the European Commission, the Court of Justice and the Court of Auditors, which exercise their powers in accordance with the Treaties.
1.1.1.5 Data Protection Directive 95/46/EC
Though the objective of Convention 108 was to introduce a harmonized approach, even among the few countries that adopted national laws based on the principles described in it, the implementation was quite diverse. Growing concerns about this fragmented approach led to a proposal for a Council directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, generally known as “Data Protection” Directive 95/46/EC. As the title indicates, the directive aims to reconcile the free flow of data between Member States and the protection of the fundamental rights of individuals, at the same time complying with articles 8 and 10 of the ECHR. It is based on the same protection principles as CoE Convention 108, but now as an EU directive binding on the Member States, forcing them to create national law in line with the framework.
1.1.1.6 Charter of Fundamental Rights
The rights of every individual in the EU were established at different times, in different ways and in different forms. At the beginning of the new millennium the EU decided to include all of those fundamental rights in a single document. The Charter of Fundamental Rights of the European Union (the ‘Charter’, proclaimed in December 2002) included the general principles set out in the ECHR. The Charter also covers all the rights found in the case law of the Court of Justice of the EU and other rights and principles resulting from the common constitutional traditions of EU countries.
The Charter explicitly refers to both the protection of privacy and the protection of personal data as a fundamental right:
Article 7 – Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications.
Article 8 – Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
Charter of the Fundamental Rights of the European Union (2000/C 364/01).
After 2000 the European Union grew even more rapidly, both in terms of the number of countries and in political power. From 1 January 2002 the Euro became the currency in twelve EU countries. In May 2004 ten countries joined the EU, followed in 2007 by Bulgaria and Romania, bringing the number of Member States to 27 and effectively expanding its area over 1,000 km eastward. The only addition since 2007 has been Croatia, which joined the EU in July 2013.
Figure 1.5 Between 2004 and 2007 ten countries joined the EU
1.1.1.7 Treaty of Lisbon
On 1 December 2009, the Treaty of Lisbon became effective. Its main aim was to strengthen the structures of the enlarged European Union. The Lisbon Treaty amended the Treaty establishing the European Community again and renamed it the “Treaty on the Functioning of the European Union” (TFEU).
The Lisbon Treaty for the first time clarifies the powers of the Union. It distinguishes three types of competences: exclusive competence, where the Union alone can legislate, and Member States only implement; shared competence, where the Member States can legislate and adopt legally binding measures if the Union has not done so; and supporting competence, where the EU adopts measures to support or complement Member States’ policies. Union competences can now be handed back to the Member States in the course of a treaty revision.
The Lisbon Treaty gives the EU full legal personality. Therefore, the Union obtains the ability to sign international treaties in the areas of its attributed powers or to join an international organization. Member States may only sign international agreements that are compatible with EU law.
(Sokolska 2019)
One of the main objectives of the Lisbon Treaty is to “constitute an area of freedom, security and justice with respect for fundamental rights and the different legal systems and traditions of the Member States” (Article 67(1)).
The amended TFEU provides that:
The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
Treaty on the Functioning of the European Union (TFEU) Article 16(2)
This article requires all EU institutions to protect individuals when processing their personal data. The European Data Protection Supervisor (EDPS) sees to compliance with data protection law within the EU institutions. The reference to “independent authorities” implies that, depending on the circumstances, national data protection authorities may also have jurisdiction.
In the following years, the possibilities of computers and computer networks developed at lightning speed. Millions of computers were connected worldwide via the internet. Personal data was processed in countless places, often with cross-border data traffic. International trade was also growing fast. Multinationals were becoming a normal form of business, and mergers of companies to better serve the European market were the order of the day. Since then, the development of automatic computers and the internet has accelerated even more.
However, the rules and regulations in the Member States, although based on Directive 95/46/EC, were still quite diverse, requiring international companies and organizations to deal with a different set of laws in each of the countries where they had establishments.
1.1.1.8 General Data Protection Regulation (EU) 2016/679
After years of discussion, the GDPR was published on 25 May 2016. The GDPR applies as law in all countries of the EEA as of 25 May 2018. At the same time Directive 95/46/EC is repealed. This means that all national law based