EU data privacy laws

1. EU Treaties and Charters

A foundational statement of European values in relation to privacy vis-à-vis electronic communications, telecommunications, and commercial solicitation is set forth in Articles 7 and 8 of the Charter of Fundamental Rights of the European Union. Article 7 provides for the European analog to the U.S. "right to be left alone": "Everyone has the right to respect for his or her private and family life, home, and communications." Article 8 sets forth basic rights relating to personal data protection. Strong rights of personal data protection and "respect for private life" are thus enshrined in the Charter under the overarching concepts of personal dignity and freedom. This "respect for private life" is also enshrined in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms.

Under the Treaty on the Functioning of the European Union (Lisbon Treaty), which entered into force on December 1, 2009, the protection of personal data is recognized as a fundamental right. Article 16 of the Treaty on the Functioning of the European Union provides that:

(1) "Everyone has the right to the protection of personal data concerning them. (2) The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities."

The Lisbon Treaty marks a new approach in EU privacy policy: because the protection of personal data is a fundamental right, the exercise of its core elements cannot be blocked under any circumstances.

2. EU Privacy Directives

These foundational values have been given further legal and administrative teeth in a series of European directives, two of which stand out as being of particular importance:

  • Directive 95/46/EC on the Protection of Individuals with regard to the Processing of Personal Data and on the Free Movement of Such Data (the "Data Privacy Directive")

  • Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (the "E-Privacy Directive")

The Data Privacy Directive established the basic legal framework for data privacy protection in the EU, including the default requirement of "opt-in" consent to data sharing and the "adequacy requirement" for data-sharing with non-EU companies. In response to this latter requirement, the U.S. negotiated a "safe harbor" framework for U.S. companies doing business in Europe or with European companies. The Data Privacy Directive also reflects the basic principle that EU privacy protections must be balanced against the four "fundamental freedoms" of the European "internal market": free movement of persons, goods, services, and capital.

The E-Privacy Directive supplements the Data Privacy Directive, replacing a 1997 Telecommunications Privacy Directive, and providing a minimum standard for EU member state regulation of commercial solicitation by means of email and telecommunications technologies. It has specific provisions regarding unsolicited communications. Article 13 of the E-Privacy Directive sets forth a basic rule of "opt-in" consent for "unsolicited communications": automated telephone calls, faxes, texts, and email. With respect to unsolicited commercial emails, an exception is created in Article 13(2) for cases where a business has provided a good or service to an individual previously, the individual has provided his/her email, and an unsolicited email is sent to advertise "similar" goods or services. Unsolicited emails sent under this exception must, however, provide the customer with an opportunity to "opt-out" of future emails. Article 13(4) prohibits the sending of commercial emails that disguise or conceal the identity of the sender. See also European Commission Website: Unsolicited Communications - Fighting Spam.

The E-Privacy Directive is addressed to EU member states, which means that it was implemented through EU member state law. See the chart comparing the implementation in each EU member state.

In 2006 and 2009, the E-Privacy Directive was amended as part of a wide-ranging initiative to create a "Telecoms Package": a comprehensive regulatory framework for electronic communication and telecommunications. Part of this Telecoms Package involved the creation of a Body of European Regulators for Electronic Communications ("BEREC"). See Regulation (EC) of November 25, 2009 Establishing the Body of European Regulators for Electronic Communications (BEREC) and its Office. The purpose of BEREC is to facilitate institutional coordination of "national regulatory authorities" (NRAs) - i.e. the regulatory bodies of EU member states - and it therefore is intended to supplement the regulatory framework for electronic communications established by Directive 2002/21/EC (the regulatory "Framework Directive").

3. Further Developments

In 2012, the European Commission launched a major reform of the EU legal framework regarding the protection of personal data. The aim is to ensure more comprehensive protection of individual rights while facing the challenges of new technologies. The new framework will unify the data protection rules within the European Union through the General Data Protection Regulation, which is planned for adoption in 2014 and should take effect in 2016 after a two-year transition period.

One of the main improvements is that there will be only one set of rules on data protection, and companies will have to answer to only one data protection authority. All this will save a significant amount of money, especially for small and medium-sized businesses. The reform shall also give European citizens the assurance that whenever the consent of the individual is required for the processing of their personal data, it is always given explicitly. See How will the EU’s data protection reform benefit European businesses.

Last revised in December, 2013 by Rodica Turtoi.