New EU data protection framework strengthens rights of data subject

EU data protection rules have been reformed by the new EU General Data Protection Regulation and the Law Enforcement Data Protection Directive, which have been adopted together to provide a more harmonised approach to data protection across the EU.

Article 8(1) of the Charter of Fundamental Rights of the European Union and Article 16(1) of the Treaty on the Functioning of the European Union provide that every individual has the right to the protection of personal data concerning him or her. The objectives of the provisions are the protection of citizens' personal data and the simplification of the regulatory environment for businesses. The aim is to enable citizens to achieve the full benefits of the digital economy whilst adequately protecting and retaining control of their own personal data. The rules recognise that the right to protection of personal data is not absolute, but “must be considered in relation to its function in society and be balanced against other fundamental rights”. In this respect, due regard must be had to the principle of proportionality.

Major challenges have already arisen, and will continue to arise, as a result of “rapid technological developments” and globalisation. As it stands, conflict within EU States' data protection laws may lead to disruption of international exchanges. The formulation of common rules throughout the EU will provide more comprehensive protection for data as well as establishing a platform providing for complaints and redress where data is misused anywhere within the EU. Additionally, the Data Protection Directive has set out rules governing the exportation of personal data outside of Member States, with the aim of further providing the highest possible protection.

Under this EU directive, personal data can only be gathered under strict circumstances, where it is sought for a specified, explicit and legitimate purpose, and may only be processed in a manner compatible with those purposes. Information must not be stored longer than necessary for the achievement of these stated aims and Member States must provide for time limits to be placed on the periodic review and erasure of data, as well as mechanisms ensuring that these time limits are observed.

Specific provision is included stating that the processing of data concerning the racial or ethnic origin, political opinions, religious or philosophical beliefs, and trade union membership of persons shall be allowed only where “strictly necessary”. This applies also to genetic or biometric data for the purpose of uniquely identifying a natural person, and data concerning health or sexual orientation, subject to appropriate safeguards for the rights and freedoms of the natural person concerned.

An obligation is placed on persons and organisations gathering data to protect the rights of the data owners under European Union law and to prevent relevant information from being misused. Where a controller of data does breach the law on data protection, they are required to inform the person concerned, without undue delay, of the nature of the breach, its likely consequences and what steps are being taken by the controller. Each controller is required to designate a data protection officer, whose contact information must be provided to relevant persons in the event of a breach.

The directive applies only to matters that fall within the capacity of Union law. It does not, however, apply to institutions, bodies, offices or agencies of the European Union itself. Member States must also appoint an independent public authority, which must take a supervisory role over the implementation of the directive.

Following a two-year implementation period, the regulations will be applied across the European Union from 25 May 2018, while the directive must be transposed into national law by Member States by 6 May 2018.

See Regulation (EU) 2016/679 and Directive (EU) 2016/680.
