EU Data Protection Directive
- European High Court Strikes Down Data Retention Law: In a far-reaching and dramatic opinion, the European Court of Justice has ruled that the mass storage of telecommunications data violates the fundamental right to privacy and is illegal. The Data Retention Directive required telephone and Internet companies to keep traffic and location data as well as user identifying information for use in subsequent investigations of serious crimes. According to the Court, the Directive imposed "a wide-ranging and particularly serious interference with the fundamental rights to respect for private life and to the protection of personal data, without that interference being limited to what is strictly necessary." The Court found that the collection of metadata constitutes the processing of personal data and must therefore comply with Article 8 of the Charter of Rights. The Court also said to find a privacy violation, "it does not matter whether the information on the private lives concerned is sensitive or whether the persons concerned have been inconvenienced in any way." Last year EPIC, joined by dozens of legal scholars and former members of the Church Committee, urged the US Supreme Court to find the NSA's telephone record collection program unlawful. For more information, see EPIC - Data Retention, In re EPIC. (Apr. 8, 2014)
- European Parliament Committee Approves Comprehensive Privacy Law: The civil liberties committee of the European Parliament has voted to approve the EU Data Protection Regulation. Before voting, members of the committee inserted stronger safeguards for data transfers to non-EU countries, an explicit consent requirement, a right to erasure, and larger fines for noncomplying businesses. The regulation is a comprehensive update of the 1995 EU Data Protection Directive that sets out new enforcement powers for privacy agencies. In 2012 and 2013, over twenty US consumer, privacy, and civil liberties groups sent letters to the European Parliament in support of the new data protection law. Until the U.S. passes comprehensive privacy legislation, the groups wrote, "the European Union offers the best prospect for the protection of Internet users around the globe." EPIC spoke recently before the European Parliament in support of the initiative. For more information, see EPIC: EU Data Protection Directive. (Oct. 21, 2013)
- EPIC's Rotenberg Addresses European Parliament: EPIC President Marc Rotenberg addressed the European Parliament on the issue of The Electronic Mass Surveillance of EU Citizens. The Committee on Civil Liberties, Justice, and Home Affairs has convened a series of hearings to examine reports of the monitoring and surveillance of Europeans. Mr. Rotenberg explained that there is now a vigorous debate in the United States and that there would be some changes to the Foreign Intelligence Surveillance Act concerning surveillance within the United States. But he also warned that US lawmakers were unlikely to make changes that respond to the concerns of European citizens. He urged EU lawmakers to suspend trade negotiations with the US pending an adequate resolution of the surveillance inquiry. He also suggested a review of the PNR and SWIFT data transfer arrangements, which lack Privacy Act safeguards. Finally, Mr. Rotenberg recommended the adoption of an international framework for privacy protection. (Oct. 3, 2013)
- European Parliament to Investigate US NSA Surveillance Programs and impact on EU Citizens' Privacy: The European Parliament has voted overwhelmingly (483 to 98, with 65 abstentions) to investigate "PRISM" and other surveillance programs of the US National Security Agency. (Press release.) The investigation with be undertaken by the influential Committee on Civil Liberties, Justice, and Home Affairs ("LIBE"). Members of Parliament also urged European representatives to reexamine current arrangements that allow the transfer of banking and travel data from EU countries to the United States. The resolution was adopted as the European Union is considering a new trade deal with the United States and a proposal to strengthen privacy protections is pending. EPIC has appeared several times before the European Parliament to urge the adoption of a comprehensive privacy framework to safeguard the transatlantic transfer of personal information. For more information, see EPIC - EU Data Protection Directive, and Madrid Privacy Declaration. (Jul. 5, 2013)
- European Commissioner Asks Attorney General to Explain US Spying: European Justice Commissioner Viviane Reding has demanded that U.S. Attorney General Eric Holder explain the scope of US data collection about EU citizens. "Direct access of US law enforcement to the data of EU citizens on servers of US companies should be excluded unless in clearly defined, exceptional and judicially reviewable situations," the Commissioner wrote. The Commissioner's request is similar to that made by other European officials, such as German Justice Minister Sabine Leutheusser-Schnarrenberger, who also stated that "all facts must be put on the table." Recent reports indicate that United States lobbied the European Commission to weaken a comprehensive data protection law now pending in the European Parliament. Earlier this year, EPIC joined a coalition of leading US consumer and civil liberties organizations that expressed concern about the role of US officials in the development of European privacy law. The letter stated that "without exception," members of the European Parliament reported that the US government was "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." For more information, see EPIC: EU Data Protection Regulation. (Jun. 13, 2013)
- EU Citizens Launch "Naked Citizen Campaign" to Safeguard Privacy: Objecting to business efforts to block updates to European Union data protection laws, a coalition of European Internet rights, freedom and privacy organizations have launched the Naked Citizen campaign. The organizations stated, "The campaign is a response to the unprecedented lobbying from tech companies, the US Government and the advertising industry. They are all trying to weaken the Regulation and make it easier for companies to use personal information in opaque, unaccountable ways." The groups published a new report -- "Don't let corporation strip citizens of their right to privacy" -- which describes the need to adopt stronger data protection rights. US consumer organizations have expressed support for the effort to modernize European Union privacy law. EPIC also supports US ratification of the Council of Europe Privacy Convention. For more information, see EPIC - EU Data Protection Directive and EPIC - Council of Europe Privacy Convention. (May. 8, 2013)
- US NGOs Urge US Government To Support EU Privacy Proposals: EPIC has joined a coalition of leading US consumer and civil liberties organizations who have expressed concern about the role of US officials in the development of European privacy law. In a letter to the US Secretaries of State, Justice, and Commerce, the groups wrote to seek a meeting to ensure that US lobbying efforts in Europe "are not averse to the views expressed by the president." The letter states that "without exception," members of the European Parliament reported that US governmental agencies and businesses were "mounting an unprecedented lobbying campaign to limit the protections that European law would provide." The letter, endorsed by 18 US NGOss, emphasizes the President's commitment to protecting privacy, set out in the Consumer Privacy Bill of Rights. Last fall, EPIC Executive Director Marc Rotenberg testified in support of a proposed EU privacy reform before the European Parliament, and a groups of transatlantic consumer organizations wrote a letter expressing their support for the EU effort to update and modernize privacy law. For more information, see EPIC: EU Data Protection Directive. (Feb. 5, 2013)
- European Parliament Moves Forward on Privacy Update: The European Parliament has indicated strong support for a proposal put forward by the European Commission to update European Union privacy law. In reports on the the New Directive and New Regulation, the Parliament recommends greater power for data protection agencies and new rights for data subjects. The comprehensive update of the 1995 EU Data Protection Directive simplifies compliance procedures and also creates new incentives for anonymized and psuedonymized data to help protect privacy. Last fall, EPIC President Marc Rotenberg testified before the European Parliament in support of the proposed reform. More than 20 US consumer organizations have expressed support for the European privacy initiative. For more information, see EPIC: EU Data Protection Directive. (Jan. 8, 2013)
- CPDP 2013 Calls for Papers in Advance of January Conference: The 6th Annual Computers, Privacy and Data Protection Conference has announced a Call for Papers. The conference will take place January 23-25, 2013, in Brussels. Both experienced and junior researchers, as well as Ph.D. candidates, are invited to submit work. The theme of the 2013 CPDP conference is “Reloading Data Protection.” Organizers are particularly interested in papers focusing on technology’s relationship to privacy, data protection, non-discrimination and surveillance. Deadline for submissions is October 19, 2012. EPIC is a participant in CPDP conferences and presents the ”EPIC International Champion of Freedom Awards” at CPDP. For more information, see EPIC Champion of Freedom Press Release, EPIC: EU Law, EPIC: Privacy. (Sep. 7, 2012)
- U.S. Consumer Groups Endorse Proposed European Privacy Law: In a letter to members of the European Parliament, over twenty U.S. consumer organizations expressed support for the new European data protection law. The coalition, including Consumers Union, Consumer Federation of America, and Public Citizen, said that the proposed regulation "provides important new protections for the privacy and security of consumers." The groups also explained that the European effort will raise privacy standards for consumers in other parts of the world. The European Union privacy regulation is a comprehensive update of the 1995 EU Data Protection Directive and adopts innovative new approaches to privacy protection, such as "Privacy by Design." BEUC, the association of European consumer groups, has also expressed support for the new law. For more information, see EPIC: EU Data Protection Directive. (Sep. 5, 2012)
The European Union is based on the respect for fundamental rights. The European Convention on Human Rights and Article 8 of the Charter of Fundamental Rights of the European Union expressly recognizes the fundamental right to the protection of personal data. For several years, law enforcement agencies in various countries have urged the adoption of "data retention" requirements, which would compel communications service providers to routinely capture and archive information detailing the telephone calls, e-mail messages and other communications of their users. While many providers currently retain certain traffic data for billing and other business-related purposes for short periods of time, there are no government-imposed retention requirements in the major industrialized countries.
The "Directive 95/46 of the European Parliament and the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data" (Data Protection Directive 95/46/EC) was established to provide a regulatory framework to guarantee secure and free movement of personal data across the national borders of the EU member countries, in addition to setting a baseline of security around personal information wherever it is stored, transmitted or processed.The Directive contains 33 articles in 8 chapters. The Directive went into effect in October, 1998. This general Data Protection Directive has been complemented by other legal instruments, such as the e-Privacy Directive for the communications sector. There are also specific rules for the protection of personal data in police and judicial cooperation in criminal matters (Framework Decision 2008/977/JHA).In 2009, the European Commission launched a review of the current legal framework on data protection, starting with a high-level conference in May 2009, followed by a public consultation running until the end of 2009. Targeted stakeholders consultations were organized throughout 2010. Appearing before the European Parliament on October 26, 2010, EPIC President Marc Rotenberg urged the adoption of a comprehensive framework to protect the flow of personal data between the United States and the European Union. Citing the growing concern about the misuse of sensitive data and the absence of effective legal remedies, Mr. Rotenberg said it was time for the US and the EU to develop an effective legal framework that would safeguard the rights of citizens and the users of Internet-based services. EPIC strongly supports full implementation of the EU Data Protection Directive as well as other efforts to fully safeguard the fundamental rights of citizens, consumers, and users of Internet-based services. This principles should apply to data collection that occurs by both private and public entities.
In 2010, the European Commission circulated a document to the European Parliament, The Council of Europe, The Economic and Social Committee and The Committee of the Regions containing a draft strategy for improvements in data protection, including a set of proposals to change the EU Data Protection Directive. The key components of the new strategy appear to include:
- The establishment of EU-wide registration forms for databases
- New rules on privacy notices, including the promulgation of EU “standard form privacy information notices” and special rules with respect to minors
- New rules that strengthen and clarify the concept of consent to the collection, use and transfer of data
- New rules on data minimization
- The creation of a “right to be forgotten” by giving a right to demand deletion of data no longer needed for the purpose for which it was collected
- The creation of a right of “data portability,” allowing individuals to take his/her photos, medical records or a list of friends from an application or service and transfer them into another one
- New rules on what constitutes “sensitive data”
- New remedies for violations of privacy, including expanded criminal sanctions and empowering data protection authorities with the right to go to court
- The establishment of security breach notification rules
- Clarification on the legal rules that will attach to data stored in the cloud, regardless of the geographic location of the controller
- The possible introduction of an “accountability” principle to ensure compliance with data protection laws
- New rules that make the appointment of corporate Data Protection Officers mandatory, along with privacy impact assessments and the employment of privacy by design principles
- The encouragement of self-regulatory schemes and privacy seals
- Improvements in current procedures for international data transfers, in order to ensure a more uniform and coherent EU approach vis-à-vis third countries and international organizations
- Clarification of the Commission’s adequacy procedure and improved specification of the criteria and standards for assessing the level of data protection in a third countries
- A re-definition of standard data protection clauses to be used in international agreements, contracts, binding corporate rules or other legally binding instruments.
- Clarifying and strengthening the status and the powers of the national Data Protection Authorities in the new legal framework, including the concept of "complete independence"
- Exploration of ways to improve the cooperation and coordination between Data Protection Authorities and to ensure better enforcement of EU rules, particularly on issues having a cross-border dimension. This may include strengthening the role of the Article 29 Working Party and providing it with additional powers in order to give a European response to breaches of data protection rules at EU level, or to create a European Data Protection Authority.
- Enhancing international privacy enforcement in a cooperative fashion.
The EU Commission's strategy sets out proposals on how to modernize the EU framework for data protection rules through a series of the following key goals:
- Strengthening the Rights of Individuals so that the collection and use of personal data is limited to the minimum necessary. Individuals should also be clearly informed in a transparent way on how, why, by whom, and for how long their data is collected and used. People should be able to give their informed consent to the processing of their personal data, for example when surfing online, and should have the "right to be forgotten" when their data is no longer needed or they want their data to be deleted.
- Enhancing the Free Flow of Information in the Single Market Dimension by reducing the administrative burden on companies and ensuring a true level-playing field. Current differences in implementing EU data protection rules and a lack of clarity about which country's rules apply harm the free flow of personal data within the EU and raise costs.
- Extending Privacy Safeguards to Police and Criminal Justice Records Systems so that individuals' personal data is also protected in these areas. Under the Lisbon Treaty, the EU now has the possibility to lay down comprehensive and coherent rules on data protection for all sectors, including police and criminal justice. Naturally, the specificities and needs of these sectors will be taken into account. Under the review, data retained for law enforcement purposes should also be covered by the new legislative framework. The Commission is also reviewing the 2006 Data Retention Directive, under which companies are required to store communication traffic data for a period of between six months and two years.
- Ensuring High Levels of Protection for Data Transferred Outside of the European Union by improving and streamlining procedures for international data transfers. The EU should strive for the same levels of protection in cooperation with third countries and promote high standards for data protection at a global level.
- More Effective Enforcement of Privacy Rules by strengthening and further harmonizing the role and powers of Data Protection Authorities. Improved cooperation and coordination is also strongly needed to ensure a more consistent application of data protection rules across the Single Market.
A draft version of the EU General Data Protection Regulation was released on the Internet in December 2011. The draft builds on Charter of Fundamental Rights of the European Union, which establishes a right of Information Privacy. Topics covered in the draft regulations include:
- Rights of Data Subjects - Transparency, Access to Data, Rectification, Erasure, Right to Object to Profiling
- Obligations of Companies - Data Security, Data Protection Assessment
- Increased Powers for Data Protection Agencies and New Efforts for Coordination and Collaboration
- New Remedies and Sanctions
The Data Protection Directive 95/46/EC defines the basics elements of data protection that member states must transpose into national law. Each state manages the regulation of data protection and its enforcement within its jurisdiction, and data protection commissioners from the EU states participate in a working group at the community level, pursuant to Article 29 of the Directive.
Personal data is defined in the Data Protection Directive 95/46/EC as any information that relates to an "identified or identifiable natural person." The Directive mandates that the data controller ensure compliance with the principles relating to data quality and provides a list of legitimate reasons for data processing. The data controller has information duties toward the data subject whenever personal data is collected directly from the person concerned or obtained otherwise. The data controller is also mandated to implement appropriate technical and organizational measures against unlawful destruction, accidental loss or unauthorized alteration, disclosure or access.
Data subjects' individual rights, as established by the Directive, are: the right to know who the data controller is, the recipient of the data and the purpose of the processing; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in some circumstances. For example, individuals have the right to opt-out free of charge from receiving direct marketing material. The EU Data Protection Directive contains strengthened protections concerning the use of sensitive personal data relating, for example, to health, sex life or religious or philosophical beliefs.
Enforcement of the regulatory framework on the processing of personal data can either be through administrative proceedings of the supervisory authority or judicial remedies. Member states' supervisory authorities are endowed with investigative powers and effective powers of intervention, such as powers to order blocking, erasure and destruction of data or to impose a temporary or definite ban on processing. Any person who has suffered damage as a result of an unlawful processing operation is entitled to receive compensation from the liable controller. The Data Protection Directive provides a mechanism by which transfers of personal data outside the territory of the EU have to meet a level of processing "adequate" to the one prescribed by the directive's provisions.