Data Protection in the European Union: Difference between revisions

Data Protection in the European Union
Data Protection Authority:	EDPS
Regulation for EU institutions:	Regulation (EU) 2018/1725
Official Language(s):	24 EU Languages
European Legislation Database(s):	Link
European Decision Database(s):	Link

Legislation

History

Directive (EC) 95/46 was the first instrument to provide data protection rights to Europeans. European institutions had to comply with Regulation (EC) 45/2001 in respect of processing personal data. The Charter of Fundamental Rights attached to the Lisbon treaty also contains an article on the right of privacy. Protection of personal data of users of information society services in enshrined in the e-Privacy Directive. The update of the European legal framework of data protection was initiated in 2012 and the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) was adopted the 27th April 2016, entered into force the 24th May of the same year, 20 days after their publication in the Official Journal. The Law Enforcement Directive entered into force on 5 May 2016 and EU countries had to transpose it into their national law by 6 May 2018. The GDPR is directly applicable and has to be applied from 25th May 2018. It regulates the protection of personal data by controllers established in the EU and the data of EU residents by controllers outside the EU in some cases (monitoring behaviour of EU residents in the EU and offering goods or services to residents of the EU). In fact the GDPR is a text with EEA relevance, i.e. EEA residents have the same rights as EU residents. The Law Enforcement Directive deals with processing of personal data in the framework of preventing, detecting, investigating and prosecuting criminal offences.

The EUDPR, Regulation (EU) 2018/1725, regulating processing personal data by EU institutions, Bodies, Offices and Agencies has been published on November 21, 2018 and entered into force on December 11, 2018. It contains a separate chapter on "operational personal data", i.e. personal data processed in the course of the activities of the judicial cooperation. Europol and the European Public Prosecutor's Office will apply the EUDPR when their establishing legal acts will be modified. EU foreign and security policy missions do not fall neither under the GDPR, nor under the EUDPR, the Council will have to adopt their own rules, till then, they work according to their internal data protection rules.

The e-Privacy Directive is to be replaced by an e-Privacy Regulation (directly applicable) but this has not been adopted yet (July 2024).

Regulation (EU) 2018/1725

The European institutions are bound by Regulation 2018/1725, which provides the same rights to data subjects as the GDPR.

When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies and institution's equivalent to GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725.

A way to understand Regulation 2018/1725, is to see it as a combination of the GDPR and Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED.

Of particular note is Chapter IX Regulation 2018/1725 which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks).^[1] Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under GDPR and Regulation 2018/1725, is different to the right of access under Chapter IX. These carve outs are also reflected in the LED (Law Enforcement Directive) and in many cases Chapter IX will directly overlap in text with the LED.

Data Protection Authority

The European Data Protection Supervisor (European Data Protection Supervisor) is the data protection authority for European Union institutions, bodies, offices and agencies.

→ Details see EDPS

While the EDPS mostly relies on Regulation 2018/1725 to enforce data protection law against European Union institutions, bodies, offices and agencies, there are also specialised regulations which will apply. For example, among others, the EDPS supervises Europol which alongside Chapter IX of Regulation 2018/1725 requires the use of Regulation (EU) 2016/794 (Europol Regulation).

Judicial protection

General Court

The General Court is made up of two judges from each Member State. The judges are appointed by common accord of the governments of the Member States after consultation of a panel responsible for giving an opinion on candidates' suitability to perform the duties of Judge. Their term of office is six years, and is renewable. They appoint their President, for a period of three years, from amongst themselves. They appoint a Registrar for a term of office of six years.

The General Court has jurisdiction to hear and determine:

• actions brought by natural or legal persons against acts of the institutions, bodies, offices or agencies of the European Union (which are addressed to them or are of direct and individual concern to them) and against regulatory acts (which concern them directly and which do not entail implementing measures) or against a failure to act on the part of those institutions, bodies, offices or agencies; for example, a case brought by a company against a Commission decision imposing a fine on that company;
• actions brought by the Member States against the Commission;
• actions brought by the Member States against the Council relating to acts adopted in the field of State aid, trade protection measures (dumping) and acts by which it exercises implementing powers;
• Actions for annulment of a measure (in particular a regulation, directive or decision) adopted by an institution, body, office or agency of the European Union initiated by an individual.
• actions seeking compensation for damage caused by the institutions or the bodies, offices or agencies of the European Union or their staff;
• actions based on contracts made by the European Union which expressly give jurisdiction to the General Court;

• actions relating to intellectual property brought against the European Union Intellectual Property Office and against the Community Plant Variety Office;
• disputes between the institutions of the European Union and their staff concerning employment relations and the social security system.

The decisions of the General Court may, within two months, be subject to an appeal before the Court of Justice, limited to points of law.

Court of Justice of the European Union

he Court of Justice is composed of 27 Judges and 11 Advocates General. The Judges and Advocates General are appointed by common accord of the governments of the Member States after consultation of a panel responsible for giving an opinion on prospective candidates' suitability to perform the duties concerned. They are appointed for a term of office of six years, which is renewable. They are chosen from among individuals whose independence is beyond doubt and who possess the qualifications required for appointment, in their respective countries, to the highest judicial offices, or who are of recognised competence.

The Judges of the Court of Justice elect from amongst themselves a President and a Vice-President for a renewable term of three years.

The Advocates General assist the Court. They are responsible for presenting, with complete impartiality and independence, an ‘opinion' in the cases assigned to them.

The Registrar is the institution's secretary general and manages its departments under the authority of the President of the Court.

The Court may sit as a full court, in a Grand Chamber of 15 Judges or in Chambers of three or five Judges.

The Court deals with:

• References for preliminary rulings: questions asked by the national courts on interpretation of EU law
• Actions for failure to fulfil obligations: so-called infringement procedures against Member States if they fail for example to properly transpose (or at all to transpose) directives or to implement judgments of the Court. The Commission may ask the Court to impose fines after a judgment establishing failure.
• Action for annulment of a measure (in particular a regulation, directive or decision) adopted by an institution, body, office or agency of the European Union. The Court of Justice has exclusive jurisdiction over actions brought by a Member State against the European Parliament and/or against the Council (apart from Council measures in respect of State aid, dumping and implementing powers) or brought by one European Union institution against another.
• Appeals against judgments of the general Court.