The European Legal Context: EU Data Protection

(1) Context of EU data protection laws

Through rapid technological developments, the scale of data sharing and collecting has increased dramatically. Technology allows private companies and public authorities to receive personal data on a global scale and personal data protection therefore has played a central role in the Europe 2020 Strategy.1

At the present time, local spam laws in the European Union (“EU”) vary significantly from member state to member state. Currently there are two major EU instruments, the Data Protection Directive 95/46/EC and the e-Privacy Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communication sector (also known as the ePrivacy Directive or “ePD”). Member states remain free to adjust their national regimes to the Directive as they see fit in accordance with the Treaty on the Functioning of the European Union (“TFEU”).2  This resulted in an inconsistent patchwork of national laws as the Directive has been implemented in different ways across Europe.

Also, these data protection laws have been placing compliance requirements on businesses inside and outside the EU. It should be emphasized that data transfers outside the EU in particular have been in the public eye because of the Schrems Safe Harbor ruling (2015) of the European Court.3

As a result, the European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative initiatives.4 The Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection. In order to curb the existing fragmentation of privacy rules, legal uncertainty and risks affiliated with online activity, the EU has adopted a more coherent data protection framework in the EU. Therfore, it decided to replace the Data Privcacy Directive and the e-Privacy Directive and change from a Directive to a binding Regulation.

-       Regulation (EU) 2016/679 for strengthening and unifying data protection for individuals within the EU. It also covers export of personal data outside the EU. It is published in April 16 and will apply from May 2018. Moreover, it replaces the Directive 95/46/EC5 on data protection (General Data Protection Regulation, “GDPR”);

-       The European Commission has submitted in 2017 a Proposal to Regulation (EU) 2017/0003 concerning the respect for private life and the protection of personal data in electronic communication, repealing the E-Privacy Directive6.

(2) Legal basis EU data protection laws

Protection of personal data and respect for private life are important fundamental rights. The European Parliament has stressed the necessity to find an equilibrium between further improving security and safeguarding human rights, including data protection and privacy. The Union believes that the EU data protection reform will strengthen citizens’ rights, giving them better control of their data and ensuring that their privacy continues to be protected in the digital age.7

The new data protection laws are based on Article 16 TFEU, which is the new legal basis for the adoption of data protection rules introduced by the Lisbon Treaty.8 This provision relates to the protection of individuals with regard to the processing of personal data by member states when carrying out activities which fall within the scope of Union law. The provision also covers the rules relating to the free movement of such data, including personal data processed by member states or private parties.9

In addition, the right to protection of personal data is provided by Article 8 of the EU Charter of Fundamental Rights (“EU Charter”)10, Article 16 TFEU11 and Article 8 of the European Convention on Human Rights (“ECHR”)12. As interpreted by the case law of the Court of Justice of the EU (“CJEU”)13, the right to the protection of personal data is not an absolute right, but must be considered in relation to its function in society. In accordance with Article 52(1) of the EU Charter, limitations may be imposed on the exercise of the right to data protection as long as these limitations are provided by law, respect the essence of the right and freedoms and are necessary to protect the rights and freedoms of others.14 Article 52(3) states that wherever the EU Charter conatins rights that correspond to the ECHR, "the meaning and scope of those rights shall be the same" as that granted by the ECHR. Therefor, the ECHR is seen as a "floor," where jurisprudence of the ECHR provides a minimum human rights standar protection.

Data protection is also narrowly related to the right to private and family life, which has been incorporated in Article 7 of the EU Charter. This is demonstrated by Article 1(1) of Directive 95/46/EC (E-Privacy Directive), which indicates that:15 “In accordance with this Directive, Member States shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.”

Other fundamental rights linked to data protection and embedded in the Charter are enlisted as follows: freedom of expression (Article 11 of the Charter)16; freedom to conduct a business (Article 16)17; the right to property and in particular the protection of intellectual property (Article 17(2))18; the right of access to documents (Article 42)19.

(3) Current and upcoming EU legislative instruments on data protection

The Lisbon Treaty, which entered into force in December 2009, provided the Union a stronger basis for the development of data protection legislation. As mentioned above, article 16 of the TFEU made it possible to lay down rules to protect individuals with regard to the processing of personal data by law enforcement and member states when carrying out activities which fall within the scope of Union law.20

An earlier article on this website memorializes the patchwork of laws that came into being as a result.  To harmonize that fragmented legal framework on EU level, the Union introduced a new set of data protection rules. Therefore, the centerpiece of existing EU legislation on personal data protection, Directive 95/46/EC, which was adopted in 1995, will be repealed and replaced by the General Data Protection Regulation (GDPR) in May 201821 with new uniform rules fit for digital age.22

Secondly, the European Commission presented on January 11, 2017 a proposal for Regulation with regard to the respect for private life and the protection of personal data in electronic communications (Regulation on Privacy and Electronic Communications). Consumers and businesses have become more dependent on internet based services to communicate, such as instant messaging, voice over IP and web based email, and these services are not included in the current ePrivacy rules. The new  ePrivacy proposal that aims to replace the current ePrivacy Directive, on the other hand, has a much broader scope.

The ePrivacy proposal is furthermore lex specialis to the GDPR and will complement it with regard to electronic communications data that qualify as personal data. All matters concerning the processing of personal data not specifically addressed by the proposal are covered by the GDPR.23

Unsolicited commercial communications

One of the keystone principles of EU data protection legislation is that spam and direct marketing communications require prior consent. Irrespective of the technology used (e.g. automated calling machines, SMS, or email), users must give consent before commercial communications are addressed to them.

Current legislation concerning unsolicited commercial communications is covered by article 13 of ePrivacy Directive. Article 13(1) stipulates that prior opt-in consent is required before unsolicited commercial communications by email, including SMS, MMS and other kinds of similar applications can be sent on any fixed mobile terminal.24

An exception to this rule is incorporated in article 13(2) where in case of an existing customer relationship, it is allowed to use electronic contact details (email address) for offering similar products or services, but only by the same company that has obtained the electronic contact details in accordance with ePrivacy Directive. Also, the customer should be informed about their further use for direct marketing in a clear and distinct manner, and be given the opportunity to refuse such usage.25 Furthermore, article 13(4) bans the sending of commercial emails that disguise or conceal the identity of the sender.26  

In the new ePrivacy Regulation proposal, under article 16(1); the use of email and other electronic communications for making unsolicited marketing communications without consent will also be subject to an opt-in by the consumer and would otherwise be prohibited. And, the ePrivacy Regulation proposal retains the main exception applicable under article 13(2) of ePrivacy Directive.27

However, unlike the ePrivacy Directive, the new ePrivacy Regulation has expanded its rules. Under article 16, it provides rules against unsolicited marketing communications for wider categories in order to cover new platforms such as social media and other so-called Over-the-Top communications services28 (“OTTs”) as well as to marketing telephone calls. Marketing callers will need to display their phone number or use a special prefix number that indicates a marketing call.29

Additionally, the proposed regulation has introduced significant penalties with regard to offenses against unsolicited marketing communication, reflecting those incorporated in the GDPR. Infringement of article 16 can lead to penalties in amounts up to EUR 20 million or 4 percent of the total worldwide annual turnover of the offending entity, whichever is higher.30

Reform EU framework in progress

In 2016, prior to the start of the legislative process of the new ePrivacy Regulation proposal, consultations with stakeholders as well as meetings with expert groups such as the European Data Protection Supervisors and the Body of European Regulators for Electronic Communications (“BEREC”) took place.

In order for the legislative process to move forward, the European Parliament and the Council need to deliberate about this proposal, without delay, to guarantee a successful adoption by May 25, 2018, when the GDPR will take effect. Its intention is to provide citizens and businesses with a fully-fledged and complete EU framework for privacy and data protection by this date.31

(4) EU-US framework for transatlantic exchanges of personal data for commercial purposes

On October 6, 2015, the Court of Justice of the EU (CJEU) issued a judgement proclaiming that the US-EU Safe Harbor agreement32 between the European Commission and the U.S. Department of Commerce was “invalid” (Schrems case).33

As to understand what was Safe Harbor and why it was ruled invalid by the CJEU it is necessary to go back to Directive 95/46/EC34 on data protection. This Directive prohibits the transfer of personal data from EU member states to third-party countries when its data protection regulations cannot uphold the same protection levels as required by EU law. This was the case for the United States (U.S.) as it did not provide adequate data protection regulations.

Since U.S. Privacy framework did not meet EU standards, the Commission created a US Adequacy Decision also known as the “Safe Harbor Privacy Principles” (Decision 2000/520/EC).35 The European Commission had therefore decided that the U.S. “ensure[s] an adequate level of protection by reason of [its] domestic law or of the international commitments it has entered into” according to article 25(6) Directive 95/46/EC.36 As noted above, the Court found in October 2015 that the solution depicted by the Commission (Safe Harbor) did not provide a sufficient level of data protection as required by EU law. First of all, the “Principles” only bind US companies that have self-certify authorities. By contrast, US public authorities are exempt from the scheme (Article 1(3) Decision 2000/520/EC)37 Secondly, the Court observed that the exemptions to the “Principles” were broadly formulated, based on national security, public interest and law enforcement. In case of conflict, these exemptions would overrule the safe harbor agreement.

EU-US Privacy Shield

After negotiations between the European Commission and the US Government, parties agreed on a new framework related to transatlantic data transfers, replacing the U.S.-EU Safe Harbor framework and known as the EU-U.S. Privacy Shield.38  

The Court of Justice of the EU has laid down requirements in 2015, which the Privacy Shield has implemented, including limitations for access to personal data for national security purposes, handling and resolving individual complaints and an annual joint review of adequacy decisions.39

The Privacy Shield framework was deemed “adequate” by the European Commission, meaning it provides a “mechanism [for companies] to comply with EU data protection requirements when transferring personal data from the European Union to the U.S. in support of transatlantic commerce”.40 The European Commission adopted the Privacy Shield framework on July 16, 2016.41

Since August 1, 2016 the US Department of Commerce started receiving applications from US companies for the Privacy Shield. As from January 2017, more than 1,500 organizations are listed on the US Department of Commerce Privacy Shield List, including companies such as Google, Amazon or Twitter.42  Next to the Privacy Shield, there are alternative mechanisms, which enable data transfer from within the EU to third-party countries such as EU Model Contracts approved by the European Commission with Binding Corporate Rules43 and Standard Contractual Clauses ("SCC").44  SCC are template agreements adopted by the European COmmission through its SCC Decisions,45 which conform to EU law and which European corporations can commit to with their foreign opposite party. 

Adaption of the EU-USA Privacy Shield to EU data protection legislation

In January 2017, Parliamentary questions have been raised about the new data protection legislation (GDPR) and a possible adaption of the EU-USA Privacy Shield. For companies whose activities gravitate towards data transfers for commercial purposes across the Atlantic, it is of particular importance that they should not have to constantly change compliance systems. This would undermine the legal certainty and reliability of the EU-USA Privacy Shield toward businesses.

As a response, the European Commission commented in April 2017 that it will assess whether there might be a need to adapt the decision in the light of the entry into application of the GDPR. This will also form part of the discussions with the US authorities in the context of the annual (first) review planned for the second half of 2017.46

Another challenging issues is the possible impact of the CJEU deicsion on July 26, 2017 to delcare the EU-Canada Passenger Names Record ("PNR") Agreement incompatible with the EU Charter rights to privacy and personal data protection.47  For example, the PNR data was stored for five years even for people that were not suspected of involvement with terrorism or transnational crime.  PNR data is a kind of personal data, which now plays a key role in most online activities.  It is therefore likely that the PNR ruling will have its effect on all such ersonal data flows across the Atlantic.48

Furthermore, the Privacy Shield and other issues concerning the exchanges of data between Europe and other countries are challenged in court.49  This inclused the case (Schremss II) where a reference is sought to the CJEU concerning the validity of SCC to allow the transfer of peronsal data from the EU to the US.  The proceedings commenced on February 7, 2017 in the Irish High Court.50

Last revised in August, 2017 by Rachel de Vries.