Overview of GDPR: Difference between revisions
(→Intro) |
|||
Line 187: | Line 187: | ||
The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention of Human Rights (ECHR). | The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention of Human Rights (ECHR). | ||
The material privacy protections of the GDPR are largely similar to the protections under Directive 95/46/EC. The GDPR is therefore often described as not being a revolution, but an evolution. In fact the core principles of the GDPR can already be found in the Council of Europe Convention 108,<ref>https://rm.coe.int/1680078b37</ref> which was passed in 1981 and was signed by 57 countries, including non-European countries. | |||
Switching from a directive to a regulation, meant that the legal text is directly applicable to private entities, without the need to transpose the text into national law, as required under the previous Directive 95/46/EC. This approach was meant to bring a more consistent legal framework, as Member States could not change the meaning of EU law when implementing it into national law. The so-called "one stop shop" and the cooperation procedures between national supervisory authorities, were also meant to ensure consistency not only in the legal text, but also in enforcement. Considerably higher penalties, the option for data subjects to submit complaints and lawsuits were additional elements that were highlighted by the legislator. | |||
In practice this leads to situations where the core elements of European data protection law | However, the GDPR is not fully consistent when unifying the European landscape, as it was required to refer to Member State law or even providing for opening clauses, allowing to regulate certain issues in national law (such as employee data). Equally, budgets, appointments and procedural law is mainly regulated by each Member State. Consequently supervisory authorities follow very different practices, operate on very different budgets and have different priorities and approaches, despite the need for European cooperation. There is also no system that would allow appeals courts to cooperate when dealing with appeals from supervisory authorities. | ||
In practice this leads to situations where the core elements of European data protection law are found in the GDPR, but in many cases there is substantial interaction with national material and procedural laws. | |||
== Legal History == | == Legal History == | ||
The first data protection laws can be traced back to the XXX act in the German state of XXX or to the US XXX act. | |||
Realizing that personal data flows across boarders, such national laws quickly became an obstacle. The European Council Convention 108 was the first international framework to be passed in 1981, currently covering 57 countries. | |||
==== Directive 95/46/EC ==== | ==== Directive 95/46/EC ==== | ||
Realizing the need for an EU framework, the European Commission has proposed an EU Directive in 1990, which would later become Directive 95/46/EC. By 1998 all EU Member States had to pass a national data protection act that was aligned with Directive 95/46/EC. | |||
The basic principles of Directive 95/46/EC stayed the same in the GDPR. Consequently previous decisions by courts and authorities, as well a previous guidelines are often referred to when interpreting the GDPR. | |||
At the same time, Directive 95/46/EC allowed Member States to adapt the rules to national frameworks and traditions. National data protection laws hat to be interpreted in the line with Directive 95/46/EC, but were still subject to national developments, case law and national additions. Contrary to Directive 95/46/EC, the GDPR is directly applicable and must therefore be interpreted solely be reference to EU law, not national traditions. | |||
Despite the fact that EU law must be interpreted without reference to national law, these national traditions are still often present today, as experts, lawyers, authorities and courts have a tendency to hold on to more than 20 years of national data protection law. Some Member States have even copied elements of their previous national data protection law into national laws implementing the GDPR. The strong wish to hold on to existing national approaches is even present in party of the legal literature on the GDPR. | |||
The nationalistic approach will however gradually be replaces by a truly European approach. Until such time, it is important to differentiate between concepts that can be derived from the GDPR or general principles of European law and artifacts that are still left | |||
==== Proposal by the European Commission ==== | ==== Proposal by the European Commission ==== |
Revision as of 15:59, 2 August 2022
Intro
The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention of Human Rights (ECHR).
The material privacy protections of the GDPR are largely similar to the protections under Directive 95/46/EC. The GDPR is therefore often described as not being a revolution, but an evolution. In fact the core principles of the GDPR can already be found in the Council of Europe Convention 108,[1] which was passed in 1981 and was signed by 57 countries, including non-European countries.
Switching from a directive to a regulation, meant that the legal text is directly applicable to private entities, without the need to transpose the text into national law, as required under the previous Directive 95/46/EC. This approach was meant to bring a more consistent legal framework, as Member States could not change the meaning of EU law when implementing it into national law. The so-called "one stop shop" and the cooperation procedures between national supervisory authorities, were also meant to ensure consistency not only in the legal text, but also in enforcement. Considerably higher penalties, the option for data subjects to submit complaints and lawsuits were additional elements that were highlighted by the legislator.
However, the GDPR is not fully consistent when unifying the European landscape, as it was required to refer to Member State law or even providing for opening clauses, allowing to regulate certain issues in national law (such as employee data). Equally, budgets, appointments and procedural law is mainly regulated by each Member State. Consequently supervisory authorities follow very different practices, operate on very different budgets and have different priorities and approaches, despite the need for European cooperation. There is also no system that would allow appeals courts to cooperate when dealing with appeals from supervisory authorities.
In practice this leads to situations where the core elements of European data protection law are found in the GDPR, but in many cases there is substantial interaction with national material and procedural laws.
Legal History
The first data protection laws can be traced back to the XXX act in the German state of XXX or to the US XXX act.
Realizing that personal data flows across boarders, such national laws quickly became an obstacle. The European Council Convention 108 was the first international framework to be passed in 1981, currently covering 57 countries.
Directive 95/46/EC
Realizing the need for an EU framework, the European Commission has proposed an EU Directive in 1990, which would later become Directive 95/46/EC. By 1998 all EU Member States had to pass a national data protection act that was aligned with Directive 95/46/EC.
The basic principles of Directive 95/46/EC stayed the same in the GDPR. Consequently previous decisions by courts and authorities, as well a previous guidelines are often referred to when interpreting the GDPR.
At the same time, Directive 95/46/EC allowed Member States to adapt the rules to national frameworks and traditions. National data protection laws hat to be interpreted in the line with Directive 95/46/EC, but were still subject to national developments, case law and national additions. Contrary to Directive 95/46/EC, the GDPR is directly applicable and must therefore be interpreted solely be reference to EU law, not national traditions.
Despite the fact that EU law must be interpreted without reference to national law, these national traditions are still often present today, as experts, lawyers, authorities and courts have a tendency to hold on to more than 20 years of national data protection law. Some Member States have even copied elements of their previous national data protection law into national laws implementing the GDPR. The strong wish to hold on to existing national approaches is even present in party of the legal literature on the GDPR.
The nationalistic approach will however gradually be replaces by a truly European approach. Until such time, it is important to differentiate between concepts that can be derived from the GDPR or general principles of European law and artifacts that are still left
Proposal by the European Commission
You can help us fill this section!
Position of the European Parliament
You can help us fill this section!
Position of the European Council
You can help us fill this section!
Trilogue
You can help us fill this section!
Negotiation Documents
You can help us fill this section!
Legal Structure
The GDPR is not just itself consisting of 99 articles, but is embedded in a broader legal structure all the way from the European treaties down to national law and guidance by regulators. A good understanding of the overall legal environment allows to navigate the GDPR efficiently and understand the bigger picture.
Treaty Law
The European Union does not have a constitution, but is primary law is instead found in the treaties. Treaty law is higher ranking than normal European legal acts, like regulations, directives or decisions. The European treaties require the protection of personal data as a human right, which can only be changed by a unanimous agreement of all EU Member States.
If a European legal act like the GDPR would violate treaty law, it would have to be annulled by the European Court of Justice (CJEU). To avoid such a situation legal acts are usually interpreted to be in compliance with treaty law. Consequently the CJEU usually interprets the GDPR in light of treaty law, which makes treaty law especially relevant when working with the GDPR.
Article 8 CFR
The Charter of Fundamental Rights (CFR) is part of the treaties of the European Union since the Treaty of Lisbon entered into force in 2009. The 50 Articles of the CFR ensure that there is a distinct Human Rights catalogue for the EU, which did not exist before.
Article 8 of the CFR
Article
Article 7 CFR
xxx
Article 7 CFR also corresponds to Article 8 of the European Convention of Human Rights (ECHR). Article 52(3) CFR
You can help us fill this section!
Article 16 TFEU
You can help us fill this section!
GDPR
You can help us fill this section!
Recitals
You can help us fill this section!
Chapters
You can help us fill this section!
Articles
You can help us fill this section!
Other EU law
You can help us fill this section!
ePrivacy Directive 2002/58/EC
You can help us fill this section!
eCommerce Directive 2000/31/EC
You can help us fill this section!
EU Data Protection Regulation 45/2001/EC
You can help us fill this section!
National Implementation Laws
You can help us fill this section!
Interpretation of the GDPR
General remarks on the interpretation of EU law
You can help us fill this section!
EDPB and National Guidance
You can help us fill this section!
Enforcement of the GDPR
You can help us fill this section!