Protection of personal data

Summary:

The right to the protection of personal data is a fundamental right compliance with which is an important objective for the European Union. It is enshrined in the Charter of Fundamental Rights of the European Union (‘the Charter’) which provides, in Article 8, that:

1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.

That fundamental right is, moreover, closely connected with the right to respect for private and family life enshrined in Article 7 of the Charter.

The right to the protection of personal data is also laid down in Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), which succeeded Article 286 EC in that respect.

As regards secondary legislation, the European Community has, since the mid-1990s, developed a range of instruments to ensure the protection of personal data. Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, adopted on the basis of Article 100a EC, is the Union’s principal legal instrument in this area. It lays down the general rules on the lawfulness of the processing of such data and the rights of data subjects and provides in particular for the establishment of independent supervisory authorities in Member States.

Directive 2002/58/EC subsequently supplemented Directive 95/46/EC by harmonising the provisions of Member States’ legislation on the protection of the right to privacy, notably with respect to the processing of personal data in the electronic communications sector. It should be noted that the Union legislature is considering a review of that directive. In that regard, on 10 January 2017, the Commission put forward a proposition to replace that directive by a regulation relating to privacy and electronic communications.

In addition, in the area of freedom, security and justice (ex Articles 30 and 31 TEU), Framework Decision 2008/977/JHA regulates (until May 2018) the protection of personal data in the areas of judicial cooperation in criminal matters and police cooperation.

In 2016, the European Union reformed the overall legal framework in this area. To that end, it adopted Regulation (EU) 2016/679 on data protection, which repeals Directive 95/46/EC and has been applicable from 25 May 2018, and Directive (EU) 2016/680 on the protection of such data in criminal matters, which repeals Framework Decision 2008/977/JHA and was required to be transposed by Member States by 6 May 2018.

Last, in the context of the processing of personal data by the EU institutions and bodies, Regulation (EC) No 45/2001 ensured, first of all, the protection of such data. In particular, the regulation enabled the European Data Protection Supervisor to be established in 2004. In 2018, the European Union adopted a new legal framework in this area, in particular through the adoption of Regulation (EU) 2018/1725, which repeals Regulation (EC) No 45/2001 and Decision No 1247/2002/EC 10 and is applicable from December 2018. In the interest of a coherent approach to personal data protection throughout the Union, that new regulation aims to align as far as possible the rules in this area with the regime established by Regulation (EU) 2016/679.