Data protection in the European Union

Thursday 14 December 2017

The fast-paced entrance of information technologies into our lives can make one rightfully fear that legislation will be slow to adapt, notably in the face of large internet corporations such as Google, Amazon, Facebook or Apple (also known as GAFA). This is not the case: the European Union has, since 1995, enacted and revised a wide range of regulations in the field of data protection.

The current issue in the matter of data protection is the use of freely given or unwillingly collected data by private parties and national governments (including the judiciary). These aspects are covered in the EU legislative framework by several regulations at different stages of revision:

For judicial and criminal proceedings, Directive (EU) 2016/680 on the processing of personal data in judicial proceedings, adopted in 2016, was a necessary update of the 2008 Directive, and binds the Member States in this matter. They must ensure that the collected data is appropriate for the proceeding, relevant and limited to it. Additionally, they must make sure that the person concerned is informed of the existence of the data and of the reasons for which they are collected, and must give the individual the right to complain about the collection and to have the data removed. Interestingly, the Directive also states the requirement for the data itself to be secured from outside interference and circulation[1].

The case of the European Institutions is the furthest behind: while an independent European Data Protection Supervisor (EDPS) exists to monitor and enforce the protection of citizens' data by the EU Institutions, the rules specific to the Institutions (which are supranational bodies and therefore not subject to any national regulation) are still under discussion between the European Parliament (EP) and the Council[2]. In this regard, the EDPS has called for better integration of data privacy and management between European and local authorities, and has underlined tensions within this policy[3].

What is arguably the most important issue within the EU, the question of how data is collected, used and stored, is tackled by the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), which will apply from May 2018 onwards. This Regulation radically changes the EU's approach to data privacy, notably by introducing the right for citizens to access their data, to receive them in a portable format, to have them erased (“right to be forgotten”) and to be informed when their data have been breached. For businesses, a revolutionary concept is also defined: data collection must be limited to what is useful and necessary, and companies are responsible for the collected data and its use. The rules are set with an objective of EU-wide simplification, and differentiate between SMEs and large enterprises. For example, the mandatory designation of a data protection officer, who is in charge of the company's data protection strategy, is optional for SMEs for cost reasons[4].

Furthermore, a proposal was put forth by the European Commission for a Regulation on Privacy and Electronic Communications, which is still being negotiated in trilogue with the Parliament and the Council. It comes in the context of the Digital Single Market Strategy established in 2015, as a review of the ePrivacy Directive of 2002 and following a Regulatory Fitness and Performance (REFIT) check led by the EC. Its current form covers both companies and people, and addresses several aspects of data ownership. First, it emphasises the confidentiality of electronic communications and of personal (stored) data. Second, it stresses the users' right to control their electronic communications, for example with regard to unsolicited communications (spam). Third, it calls for independent supervisory authorities and enforcement at the EU level, proposing the European Data Protection Board to ensure the consistent application of the proposed Regulation. Finally, it establishes a framework for remedies, compensation, and liability for infringement[5].

Overall, the rapid evolution of the Internet has forced the EU to rapidly improve its legislative framework in order to protect consumers from the loss of the new currency: data. It is clear, however, that the race is not over yet, and that these rules, many of which remain to be applied, will certainly undergo further changes in the future.

