How data protection works in Europe

Data protection has a long history in European law. It is far from being a new concept.

The first data protection law in Europe was passed in 1970 in the German state of Hesse.

Data protection is distinct from, and should not be confused with, privacy, confidentiality or secrecy. Data does not have to be private or confidential in order for it to be personal data and therefore covered by European data protection law.

The Charter of Fundamental Rights of the European Union (2009)

Article 8 of the EU Charter of Fundamental Rights sets out your right to personal data protection in primary European legislation. The key elements of data protection are mentioned here – your data can only be processed using a lawful basis, you have the right to access data concerning you and to have that data corrected, and an independent supervisory authority is responsible for oversight.

Article 8 Charter: Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

The General Data Protection Regulation (2016)

The General Data Protection Regulation is a European Regulation. This means it has direct effect in all European Union member states. The GDPR was introduced to give you more control over your personal data and to protect all your rights and freedoms.

Article 1(2) GDPR

This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.

The very first recital of the GDPR reiterates that this is a fundamental right.

Recital 1 GDPR

The protection of natural persons in relation to the processing of personal data is a fundamental right. Article 8(1) of the Charter of Fundamental Rights of the European Union (the ‘Charter’) and Article 16(1) of the Treaty on the Functioning of the European Union (TFEU) provide that everyone has the right to the protection of personal data concerning him or her.

Necessity and proportionality

These are two related and very important concepts that can be overlooked in data processing projects.

Any processing of your personal data will have to restrict your fundamental right to data protection, which as stated above is provided for in the EU Charter of Fundamental Rights. So anyone wishing to process your personal data must be able to show that this restriction of your rights is necessary for the purpose they wish to achieve. They must consider whether they can possibly achieve the same purpose in a less intrusive way.

If it is deemed to be necessary then the way in which they wish to process personal data must also be assessed for proportionality.

For example, in 2011 the then Data Protection Commissioner investigated the Insurance Link database and concluded:

However, the Data Protection Commissioner must also give consideration to the fact that only a small minority of people submit fraudulent insurance claims. A solution which provides for the sharing of over two million records may be deemed to be excessive in that context. As a consequence of this investigation the Data Protection Commissioner conveyed his concerns to the sector about the proportionality of the database and the continued justification for its operation. The sector will be required to continue to justify the necessity for a database of this nature.

The European Data Protection Supervisor (EDPS) recently published a one page guide to necessity and proportionality which is easy to understand (direct link to PDF).

If you want to find out more about necessity and proportionality, the EDPS website has a section dedicated to this.

Because data protection law has to cover all processing of personal data across all of Europe, from very small scale to very large scale, it frequently requires clarification and settlement of disputes and disagreements over interpretation of what the law means in practice. This clarification comes primarily from two sources: the independent supervisory authorities and their umbrella organisation the European Data Protection Board (EDPB), and the Courts of Justice of the European Union.

The Supervisory Authorities

The independent supervisory authorities in each Member State publish guidelines and recommendations as well as handling complaints from data subjects and investigating data controllers to ensure they are compliant.

In Ireland the independent supervisory authority is the Data Protection Commission of Ireland. The index page of their guidance for data subjects is here.

The European Data Protection Board

The EDPB is an umbrella organisation made up of representatives from each of the independent supervisory authorities. The board regularly publishes guidance on various data protection topics. The index page for their guidelines is here.

The Courts of Justice of the European Union

Cases regarding data protection rights in individual member states are sometimes referred to the Courts of Justice of the European Union. Data controllers must keep up to date with the rulings of the Courts of Justice and change their data protection practices to take account of what the rulings say.
