Personal data protection

Protection of personal data and respect for private life are European fundamental rights. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. New EU data protection rules strengthening citizens’ rights and simplifying rules for companies in the digital age took effect in May 2018. Research prepared for the European Parliament indicates that EU legislation related to regulating data flows contributes EUR 51.6 billion annually to GDP in the European Union. Research prepared for the European Parliament’s Committee of Inquiry to investigate the use of Pegasus and equivalent surveillance spyware (PEGA Committee) confirms the importance of data protection for defending democracy and individual freedoms in the EU.

Legal basis

Article 16 of the Treaty on the Functioning of the European Union (TFEU);

Articles 7 and 8 of the EU Charter of Fundamental Rights.

Objectives

The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied in a consistent manner. In the light of the exponential growth of the volume of data transfers, with the EU, the US and Canada accounting for the biggest share of this growth, the EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies.

Achievements

A. Institutional framework

1. Lisbon Treaty

Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, using the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time conferring new powers on Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of Union law.

2. The strategic guidelines in the area of freedom, security and justice

Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved the multiannual programme regarding the AFSJ for the 2010-2014 period, known as the Stockholm programme. In its conclusions of June 2014, the European Council defined the strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 of the TFEU. One of the key objectives is to better protect personal data in the EU.

B. Main legislative instruments on data protection

1. EU Charter of Fundamental Rights

Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights.

2. Council of Europe

a. Convention 108 of 1981

The Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data was the first legally binding international instrument adopted in the field of data protection. Its purpose is to secure, for every individual, respect for their rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data. The Protocol amending the Convention seeks to broaden its scope, increase the level of data protection and improve its effectiveness.

b. European Convention on Human Rights (ECHR)

Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right of everyone to respect for their private and family life, their home and their correspondence.

3. Current EU legislative instruments on data protection

a. General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became applicable in May 2018. The rules aim to protect all EU citizens from privacy violations and data breaches in an increasingly data-driven world, while creating a clearer and more consistent framework for businesses. The rights enjoyed by citizens include the requirement of clear and affirmative consent before their data is processed and the right to receive clear and understandable information about that processing; the right to be forgotten, i.e. a citizen can ask for his/her data to be deleted; the right to transfer data to another service provider (e.g. when switching from one social network to another); and the right to be informed when their data has been compromised in a breach. The rules apply to all companies operating in the EU, even those based outside it. Furthermore, corrective measures can be imposed, such as warnings and orders, or fines on firms that break the rules. On 24 June 2020, the European Commission presented a report on the evaluation and review of the regulation[1].

b. The Data Protection Law Enforcement Directive

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, became applicable in May 2018. The directive protects citizens’ fundamental right to data protection whenever personal data is used by law enforcement authorities. It ensures that the personal data of victims, witnesses and suspects of crime are duly protected and facilitates cross-border cooperation in the fight against crime and terrorism. On 25 July 2022, the European Commission published its delayed report on the application and functioning of the Law Enforcement Directive. It was followed by an evaluation study commissioned by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) containing a critical assessment of the implementation of the Law Enforcement Directive[2].

c. Directive on privacy and electronic communications

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications) was modified by Directive 2009/136/EC of 25 November 2009. It raises the delicate issue of data retention, which was repeatedly brought to the CJEU and led to a series of rulings, most recently in 2020, declaring that EU law precludes the general and indiscriminate retention of traffic and location data.

The 2017 proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (regulation on privacy and electronic communications) has been the subject of prolonged discussions. The European Parliament’s experts indicated that Parliament should resist the Council’s attempts to exclude the applicability of European data protection principles[3].

d. Regulation on the processing of personal data by the Union institutions and bodies

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, entered into force on 11 December 2018.

e. Articles on data protection in sector-specific legislative acts

In addition to the main legislative acts on data protection referred to above, specific provisions on data protection are also set down in sector-specific legislative acts, such as:

  • Article 13 (on the protection of personal data) of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime;
  • Article 6 (on data processing) of Council Directive 2004/82/EC of 29 April 2004 on the obligation of carriers to communicate passenger data (API);
  • on 13 December 2022, the Commission adopted two legislative proposals on the collection and transfer of API data that will replace the API Directive[4];
  • Chapter VI (on data protection safeguards) of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol);
  • Chapter VIII (on data protection) of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’).

4. The EU’s main international arrangements on data transfers

a. Commercial data transfers: adequacy decisions

Under Article 45 of the GDPR, the Commission has the power to determine whether a country outside the EU offers an adequate level of data protection, be that on the basis of its domestic legislation or of the international commitments it has entered into.

While data transfers between the EU and North America have increased exponentially, with the US dominating private online advertising and surveillance[5], Parliament has adopted numerous resolutions raising concerns about transatlantic data flows. In particular, it considered that the EU-US Privacy Shield Decision does not provide the adequate level of protection required by EU law, while the CJEU has repeatedly invalidated the European Commission’s adequacy decisions concerning the US (see its rulings of 2015 on Safe Harbour in Schrems and of 2020 on the EU-US Privacy Shield in Schrems II).

Despite a lack of reform of the data protection regime in the US, the European Commission reached another agreement with the US and presented a proposal for yet another EU-US Data Privacy Framework. On a motion from the LIBE Committee, on 11 May 2023, Parliament adopted a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calling on the Commission to continue negotiations with its US counterparts, but to refrain from adopting the adequacy finding until all of the recommendations made in Parliament’s resolution and the European Data Protection Board (EDPB) opinion are fully implemented.

On 10 July 2023, the Commission adopted its adequacy decision on the EU-US Data Privacy Framework, its third adequacy finding for the US after Safe Harbour and the Privacy Shield.

b. EU-US Umbrella Agreement

Under the consent procedure, Parliament was involved in the approval of the agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, also known as the ‘Umbrella Agreement’. The aim of this agreement is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation for law enforcement purposes, namely in the fight against terrorism and organised crime.

c. EU-US, EU-Australia and EU-Canada passenger name record (PNR) agreements

The EU has signed bilateral passenger name record (PNR) agreements with the United States, Australia and Canada. PNR data includes information provided by passengers when booking or checking in for flights and data collected by air carriers for their own commercial purposes. PNR data can be used by law enforcement authorities to fight serious crime and terrorism.

d. EU-US Terrorist Finance Tracking Programme (TFTP)

The EU has signed a bilateral agreement with the US on the processing and transfer of financial messaging data from the EU to the US for the purposes of the terrorist finance tracking programme.

5. Addressing data protection aspects in sector-specific resolutions

Several Parliament resolutions on different policy areas also address personal data protection in order to ensure consistency with general EU data protection law and the protection of privacy in those specific sectors.

6. EU data protection supervisory authorities

The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies meet their obligations with regard to data protection. The primary duties of the EDPS are supervision, consultation and cooperation.

The European Data Protection Board (EDPB), formerly the Article 29 Working Party, has the status of an EU body with legal personality and is provided with an independent secretariat. The EDPB brings together the EU’s national supervisory authorities, the EDPS and the Commission. The EDPB has extensive powers to determine disputes between national supervisory authorities and to give advice and guidance on key concepts of the GDPR and the Data Protection Law Enforcement Directive.

Role of the European Parliament

Parliament has played a key role in shaping EU legislation in the field of personal data protection by making the protection of privacy a political priority. Furthermore, under the ordinary legislative procedure, it has been working on the data protection reform on an equal footing with the Council. In 2017, it concluded its work on the last significant piece in the puzzle, the new regulation on privacy and electronic communications, and is waiting expectantly for the Council to finally conclude its work in order to start interinstitutional negotiations.

In numerous resolutions, Parliament has expressed doubts as to the adequacy of the protection given to EU citizens under the EU-US Safe Harbour Framework and, subsequently, the EU-US ‘Privacy Shield’. After the Schrems II case led to the invalidation of European Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US ‘Privacy Shield’ agreement, on the basis of concerns that the US Government’s surveillance powers were not limited, as required by EU law, and that EU citizens did not have effective means of redress, the European Parliament adopted a resolution in which it deplored the fact that the Commission had put relations with the US before the interests of EU citizens[6].

Following the tabling of the LIBE Committee’s motion, on 11 May 2023 Parliament adopted a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calling on the Commission to continue negotiations with its US counterparts but to refrain from adopting the adequacy finding until all the recommendations made in the resolution and the EDPB opinion are fully implemented. The Commission adopted its decision on the EU-US Data Privacy Framework on 10 July 2023.

Parliament established a committee of inquiry to investigate the use of Pegasus and equivalent surveillance spyware in the EU’s Member States (PEGA). Chaired by MEP Jeroen Lenaers, the PEGA Committee thoroughly investigated the practice of using spyware against opposition members, journalists, lawyers and civil society activists, as well as how such practices affect democratic processes and individual rights in the EU. During its inquiry, the PEGA Committee consulted leading academics, practitioners and authorities in the EU and worldwide. Parliament’s Policy Department prepared reports for the PEGA missions to Poland, Greece and Cyprus. On 8 May 2023, the PEGA Committee voted to approve its highly critical final report with recommendations on the investigation into alleged contraventions and maladministration in the application of EU law in relation to the use of Pegasus and equivalent surveillance spyware, including, among many other points, a recommendation to set up an EU Tech Lab for research into and monitoring of the use of spyware against EU citizens. Parliament’s recommendation to the Council and the Commission following the PEGA report was adopted by its plenary on 15 June 2023. However, the Commission did not provide a timely response to the recommendation and blocked the pilot project of the EU Tech Lab proposed by MEPs.

Parliament has commissioned a number of research studies in order to have a scientific basis for its legislative activities at the forefront of technological developments and data protection, including a study on the impact of the General Data Protection Regulation (GDPR) on artificial intelligence, a study on Biometric Recognition and Behavioural Detection and a study on the Metaverse.

This fact sheet was prepared by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs.

[1] Commission communication of 24 June 2020 entitled ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation’ (SWD(2020)0115).
[2] Vogiatzoglou, P. et al., Assessment of the implementation of the Law Enforcement Directive, European Parliament, Directorate-General for Internal Policies of the Union, Policy Department for Citizens’ Rights and Constitutional Affairs, 7 December 2022.
[3] Sartor, G. et al., The impact of Pegasus on fundamental rights and democratic processes, European Parliament, Directorate-General for Internal Policies of the Union, Policy Department for Citizens’ Rights and Constitutional Affairs, January 2023, pp. 56-57.
[4] Vavoula, N. et al., Advance Passenger Information (API) – An analysis of the European Commission’s proposals to reform the API legal framework, European Parliament, Directorate-General for Internal Policies of the Union, Policy Department for Citizens’ Rights and Constitutional Affairs, 8 June 2023.
[5] Maciejewski, M., Metaverse, European Parliament, Directorate-General for Internal Policies of the Union, Policy Department for Citizens’ Rights and Constitutional Affairs, 26 June 2023.

Mariusz Maciejewski