The European Union has traditionally aimed to set comparably high standards of privacy and personal data protection. Indeed, the protection of personal data constitutes a fundamental right, enshrined in Article 8 of the Charter of Fundamental Rights and in Article 16(1) of the Treaty on the Functioning of the European Union. This part of the picture is also closely linked to the protection of privacy set out in Article 7 of the Charter. Therefore, it is not surprising that the question of personal data was already addressed in 1995, in a dedicated instrument, while the importance of confidentiality and anonymity was consequently underlined in the first "e-directives": on e-privacy and on e-commerce. At the same time, processing of personal and non-personal data is an element of the freedom to conduct a business and its free flow is crucial from the point of view of the internal market and international trade. All of these dimensions are, of course, highly relevant to the European consumers and have gained even more prominence in the era of digitalisation.
Last year brought several major developments in that regard, with the General Data Protection Regulation as a top highlight. While the GDPR is certainly a quantum leap, it is by no means the only measure which has spurred heated debates. Let us summarise the state of play.
GDPR and e-Privacy
Five years after first consultations about the need for a legal reform of personal data protection framework in Europe had been launched, a new instrument - General Data Protection Regulation - was finally adopted on 27 April 2016 and will soon replace the existing Directive 95/46/EC. The regulation entered into force on 24 May 2016 and will become directly applicable in all Member States from 25 May 2018 (see also our earlier post on this topic here).
One of the important novelties concerns the act's extraterritorial reach. Applicability of the European regime will no longer depend on “the use of equipment” situated in a Member State, but rather on the context and effects of the processing of personal data. The content of the GDPR largely builds upon the existing Data Protection Directive. The instrument strengthens the conditions for a valid consent and defines an age threshold for the consent of a child. More emphasis is placed on the rights of data subjects such as the right to information and access to one’s personal data as well as to rectification and restriction of the processing. Article 22 reiterates the right not to be subject to a measure based on automated data processing and explicitly clarifies that this includes profiling. Furthermore, the GDPR introduces a widely cited right to be forgotten and an equally important right of data portability. Rights of data subjects are correlated with respective obligations of data controllers and data processors, in accordance with the newly formulated principles of data protection ‘by design’ and ‘by default’.
Throughout 2016 preparatory works on the review of the Directive 2002/58/EC on privacy and electronic communications were also carried out in order to ensure the consistency of this sector-specific instrument with the overall framework enshrined in the GDPR. As we have already reported, the proposed e-Privacy Regulation was eventually tabled on 10 January 2017.
Apart from the shift in the legal form (from a directive to a directly binding regulation), the proposal provides for a number of substantive changes. A major difference concerns the scope of the measure, which would be extended to all electronic communications providers, i.e. not only telcos, but also over-the-top players. Requirements relating, among others, to the confidentiality of electronic communications, would therefore also apply to providers of services such as voice over IP or instant messaging (Skype, Whatsapp, Messenger). The proposal also clearly refers to machine-to-machine communications - a circumstance which, together with a broad definition of personal data in the GDPR, has not been warmly welcomed by the tech companies. Other novelties include an updated approach to cookies and enhanced protection against spam. With respect to the former, the Commission eventually opted against the principle of 'privacy by default' - a reason for relief for the industry. Emphasis is now placed on the availability of privacy settings in the relevant software applications (such as internet browsers) and not on the ubiquitous pop-up windows. The reform should further ensure terminological consistency not only between the GDPR and the e-Privacy Regulation, but also with the updated telecom framework. In the proposed e-Privacy Regulation itself, the concept of ‘electronic communications data’ was introduced, covering both content data and metadata. As before, electronic communications which remain under protection may contain both personal and non-personal data, for example data related to a legal person. From the Commission’s perspective, the new framework should ideally apply from the same day as the GDPR.
As for now, preparatory works at the Council appear to be at a very early stage. The responsible committee in the European Parliament is the Committee on Civil Liberties, Justice and Home Affairs (LIBE). Two weeks ago the committee held a hearing to discuss the proposal. The plenary vote on the committee’s report is expected in October.
Further noteworthy developments refer to data transfers between the EU and the United States. This strand of the debate clearly shows that there is no single, universally recognised approach to data protection and privacy online. As seen from the efforts to ensure extraterritorial application of both the GDPR and the proposed e-Privacy Regulation, the European legislator would like to see its framework applied also where data of European citizens are processed outside the Union. A similar approach is observed with respect to cross-border data transfers. According to an established rule, dating back to the 1995 Data Protection Directive, personal data of European citizens may only be transferred to third countries that ensure “an adequate level of protection”. In the United States, home country to the thriving tech industry, the European approach is often regarded as paternalistic. The importance of transatlantic data flows for international trade forces European and American decision-makers to meet halfway.
Until October 2015, transfers of personal data between the EU and the U.S. had been governed by the so-called Safe Harbour Decision. Following the Snowden revelations, the decision was, however, successfully challenged before the Court of Justice. In the widely cited Schrems case, the Court confirmed that the Commission's decision, and therefore the underlying agreement with its U.S. counterparts, failed to ensure that the level of personal data protection in the United States was “essentially equivalent” to the one guaranteed within the EU. After renegotiations a new agreement was reached and, in the decision of 12 July 2016, the European Commission reconfirmed the adequacy of the American framework. The so-called EU-U.S. Privacy Shield provides for a number of new safeguards, including the entirely new Ombudsperson mechanism, the functioning of which shall be monitored annually.
As expected, a few months after the decision came into force, the Privacy Shield was challenged by privacy advocacy groups before the General Court. The Commission is naturally defending its compromise, but the stance taken by the new U.S. administration is not helping its case. Only last week the European Parliament adopted a resolution voicing its concerns about new U.S. laws allowing the National Security Agency to share diverse personal data with other agencies and criticising the rejection of the rules preventing unrestricted sharing of customers’ browsing data. While in the current resolution these issues are discussed only in the context of the Privacy Shield, one may wonder if similar concerns cannot be raised with respect to the Umbrella Agreement - another transatlantic agreement adopted last year, this time in the field of law enforcement.
Have your say
As seen from above, the wealth of issues and regulatory approaches to privacy and data protection as well as the pace of new developments are astonishing. Even where new rules have already been developed with all these needs and concerns in mind, they are likely to face criticism and require further modifications. Sceptics argue that the GDPR will be outdated from day one. For what it's worth, European policy-makers appear to be aware that the struggles over privacy and data protection are bound to continue. Most recently, the European Commission launched a series of public consultations as part of its Next Generation Internet Initiative. Over the coming weeks a number of questionnaires will be available online, allowing everyone to share their views. The first questionnaire, entitled “New technologies for disrupting the economy: business, employment and skills”, is available here. We invite our readers to have a say.