Data Protection in the European Union: Difference between revisions

From GDPRhub
No edit summary
(Legal act history)
 
(3 intermediate revisions by 2 users not shown)
Line 18: Line 18:
==Legislation==
==Legislation==
===History===
===History===
A data protection regulation for EUIs (European Institutions) came into force in 2001 under Regulation (EC) 45/2001. Under this regulation the EDPS was created and designated as the independent data protection authority in charge of supervising how EUIs process personal data. The regulation additionally laid down the tasks and powers of the EDPS.
Directive (EC) 95/46 was the first instrument to provide data protection rights to Europeans. European institutions had to comply with Regulation (EC) 45/2001 in respect of processing personal data. The Charter of Fundamental Rights attached to the Lisbon treaty also contains an article on the right of privacy. Protection of personal data of users of information society services in enshrined in the e-Privacy Directive. The update of the European legal framework of data protection was initiated in 2012 and the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance) was adopted the 27th April 2016, entered into force the 24th May of the same year, 20 days after their publication in the Official Journal. The Law Enforcement Directive entered into force on 5 May 2016 and EU countries had to transpose it into their national law by 6 May 2018. The GDPR is directly applicable and has to be applied from 25th May 2018. It regulates the protection of personal data by controllers established in the EU and the data of EU residents by controllers outside the EU in some cases (monitoring behaviour of EU residents in the EU and offering goods or services to residents of the EU). In fact the GDPR is a text with EEA relevance, i.e. EEA residents have the same rights as EU residents. The Law Enforcement Directive deals with processing of personal data in the framework of preventing, detecting, investigating and prosecuting criminal offences.


The EDPS starts its work under the leadership of Peter Hustinx as the first European Data Protection Supervisor and Joaquín Bayo Delgado as the Assistant Supervisor.<ref>The role of assistant supervisor has been discontinued There is now the role of secretary general which fulfils many of the same functions as the assistant supervisor. </ref> 2004 marks the first of many EDPS initiatives: first Prior Check Opinions, first complaints addressed, first investigations, and first legislative Opinions. The EDPS counts 15 members of staff working in three sectors: the Administration, Personnel, Budget sector, the Policy and information sector and the Supervision sector. It's offices are located at 63 Rue Montoyer in Brussels,
The EUDPR, Regulation (EU) 2018/1725, regulating processing personal data by EU institutions, Bodies, Offices and Agencies has been published on November 21, 2018 and entered into force on December 11, 2018. It contains a separate chapter on "operational personal data", i.e. personal data processed in the course of the activities of the judicial cooperation. Europol and the European Public Prosecutor's Office will apply the EUDPR when their establishing legal acts will be modified. EU foreign and security policy missions do not fall neither under the GDPR, nor under the EUDPR, the Council will have to adopt their own rules, till then, they work according to their internal data protection rules.


The EDPS has its first intervention before the Court of Justice in 2005. Specifically on a case concerning international transfers of Passenger Name Record data of airline passengers to the United States.  
The e-Privacy Directive is to be replaced by an e-Privacy Regulation (directly applicable) but this has not been adopted yet (July 2024).


In 2009, The Treaty on the Functioning of the EU, or the Lisbon Treaty., enters into force on 1 December 2009, ensuring a strong legal basis for comprehensive data protection in all EU policy areas. Data protection becomes a directly enforceable right for everyone.
===Regulation (EU) 2018/1725===
The European institutions are bound by [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], which provides the same rights to data subjects as the GDPR.  


In 2012, a new sector, Information and Technology Policy (IT Policy Unit), is created in the organisation, to focus on the impact of technologies on data protection. Similarly, other organisational changes are made within the previously created units: Supervision & Enforcement, Policy & Consultation and Human Resources, Budget & Administration, head of activities are created. The EDPS now counts more than 52 privacy professionals and other experts working to protect individuals and their personal data. The EDPS also moves into its headquarters, 30 Rue Montoyer in Brussels, Belgium, which reflects the organisation's growth as a fully-fledged independent data protection institution. These are still the EDPS' headquarters.
When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies and institution's equivalent to GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725.
 
A way to understand [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is to see it as a combination of the GDPR and Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED.  


In 2013, the EDPS makes oral submissions at the hearing before the Grand Chamber of the Court of Justice in joint preliminary references C-293/12 and C-594/12 Digital Rights Ireland and Others. Both cases concern the validity of the Data Retention Directive 2006/24/EC. It is the first time that the Court decides, on the basis of Article 24 of its Statute, to invite the EDPS to attend a hearing in a preliminary reference procedure, to provide answers to specific questions.
Of particular note is Chapter IX Regulation 2018/1725 which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks).<ref>The AFSJ sector (Area of Freedom Justice and Security) at the EDPS mainly relies on this Chapter of Regulation 2018/1725.</ref> Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under GDPR and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is different to the right of access under Chapter IX. These carve outs are also reflected in the LED (Law Enforcement Directive) and in many cases Chapter IX will directly overlap in text with the LED.  


In 2017, with the new Europol Regulation, the EDPS begins to supervises Europol (the European Union Agency for Law Enforcement Cooperation) whose remit is to help make Europe safer by assisting law enforcement authorities in EU Member States. The new Regulation also provides for the establishment of the Europol Cooperation Board, for which the EDPS provides the secretariat. The Board facilitates cooperation between the EDPS and EU Member States' data protection authorities on its supervisory activities.
==Data Protection Authority==
The European Data Protection Supervisor (''European Data Protection Supervisor'') is the data protection authority for European Union institutions, bodies, offices and agencies.  


In 2018, Regulation (EU) 2018/1725, or EUDPR, repealing Regulation (EC) 45/2001 is adopted. This Regulation provides the new data protection rules for EUls which matches the GDPR, the latter applicable across the EU/European Economic Area. By the end of 2018, the EDPS reaches 100 employees.
→ Details see [[EDPS]]


In 2019, the EDPS starts supervising Eurojust - an EU agency in charge of combating serious forms of crime - in its processing of operational personal data.
While the EDPS mostly relies on [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725] to enforce data protection law against European Union institutions, bodies, offices and agencies, there are also specialised regulations which will apply. For example, among others, the EDPS supervises Europol which alongside Chapter IX of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725] requires the use of Regulation (EU) 2016/794 (Europol Regulation).  


In 2021, the EDPS becomes responsible for supervising the European Public Prosecutor's Office (EPPO) in its operational capacity, the independent European body in charge of investigating and prosecuting criminal offences against the European Union's financial interests.
==Judicial protection==
===General Court===
''The General Court is made up of two judges from each Member State. The judges are appointed by common accord of the governments of the Member States after consultation of a panel responsible for giving an opinion on candidates' suitability to perform the duties of Judge. Their term of office is six years, and is renewable. They appoint their President, for a period of three years, from amongst themselves. They appoint a Registrar for a term of office of six years.''


In 2023, the EDPS opened a new office in the European Parliament in Strasbourg, France. With this new office, the EDPS provides additional support to the European Parliament in their legislative process, fulfilling their  role as advisor to the EU legislator. The year also marked organisational changes within the EDPS. Specialised sectors were created to tackle ongoing and future data protection challenges, including a sector to monitor the EU's Area of Freedom, Security, and Justice; one to address individuals' complaints; another to ensure that technologies embed privacy principles throughout their development, as well as a Legal Service.
The General Court has jurisdiction to hear and determine:


In 2024, the EDPS celebrates 24 years since its creation.
* actions brought by natural or legal persons against acts of the institutions, bodies, offices or agencies of the European Union (which are addressed to them or are of direct and individual concern to them) and against regulatory acts (which concern them directly and which do not entail implementing measures) or against a failure to act on the part of those institutions, bodies, offices or agencies; for example, a case brought by a company against a Commission decision imposing a fine on that company;
* actions brought by the Member States against the Commission;
* actions brought by the Member States against the Council relating to acts adopted in the field of State aid, trade protection measures (dumping) and acts by which it exercises implementing powers;
* Actions for annulment of a measure (in particular a regulation, directive or decision) adopted by an institution, body, office or agency of the European Union initiated by an individual.
* actions seeking compensation for damage caused by the institutions or the bodies, offices or agencies of the European Union or their staff;
* actions based on contracts made by the European Union which expressly give jurisdiction to the General Court;


===Regulation (EU) 2018/1725===
* actions relating to intellectual property brought against the European Union Intellectual Property Office and against the Community Plant Variety Office;
The European institutions are bound by [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], which provides the same rights to data subjects as the GDPR.  
* disputes between the institutions of the European Union and their staff concerning employment relations and the social security system.


When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies and institution's equivalent to GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725.
The decisions of the General Court may, within two months, be subject to an appeal before the Court of Justice, limited to points of law.


A way to understand [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is to see it as a combination of the GDPR and Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED.  
=== Court of Justice of the European Union ===
he Court of Justice is composed of 27 Judges and 11 Advocates General. The Judges and Advocates General are appointed by common accord of the governments of the Member States after consultation of a panel responsible for giving an opinion on prospective candidates' suitability to perform the duties concerned. They are appointed for a term of office of six years, which is renewable. They are chosen from among individuals whose independence is beyond doubt and who possess the qualifications required for appointment, in their respective countries, to the highest judicial offices, or who are of recognised competence.              


Of particular note is Chapter IX Regulation 2018/1725 which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks).<ref>The AFSJ sector (Area of Freedom Justice and Security) mainly relies on this Chapter of Regulation 2018/1725.</ref> Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under GDPR and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is different to the right of access under Chapter IX. These carve outs are also reflected in the LED (Law Enforcement Directive) and in many cases Chapter IX will directly overlap in text with the LED.  
The Judges of the Court of Justice elect from amongst themselves a President and a Vice-President for a renewable term of three years.


==Data Protection Authority==
The Advocates General assist the Court. They are responsible for presenting, with complete impartiality and independence, an ‘opinion' in the cases assigned to them.
The European Data Protection Supervisor (''European Data Protection Supervisor'') is the data protection authority for European Union institutions, bodies, offices and agencies.  


→ Details see [[EDPS]]
The Registrar is the institution's secretary general and manages its departments under the authority of the President of the Court.


While the EDPS mostly relies on [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725] to enforce data protection law against European Union institutions, bodies, offices and agencies, there are also specialised regulations which will apply. For example, among others, the EDPS supervises Europol which alongside Chapter IX of [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725] requires the use of Regulation (EU) 2016/794 (Europol Regulation).  
The Court may sit as a full court, in a Grand Chamber of 15 Judges or in Chambers of three or five Judges.


==Judicial protection==
The Court deals with:
===General Court===


===Court of Justice of the European Union===
* References for preliminary rulings: questions asked by the national courts on interpretation of EU law
* Actions for failure to fulfil obligations: so-called infringement procedures against Member States if they fail for example to properly transpose (or at all to transpose) directives or to implement judgments of the Court. The Commission may ask the Court to impose fines after a judgment establishing failure.
* Action for annulment of a measure (in particular a regulation, directive or decision) adopted by an institution, body, office or agency of the European Union. The Court of Justice has exclusive jurisdiction over actions brought by a Member State against the European Parliament and/or against the Council (apart from Council measures in respect of State aid, dumping and implementing powers) or brought by one European Union institution against another.
* Appeals against judgments of the general Court.
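Review bot: the new Court of Justice paragraph opens with "he Court of Justice is composed of 27 Judges", dropping the initial "T"; restore it. In the new History paragraph, "in enshrined in the e-Privacy Directive" should read "is enshrined", "do not fall neither under the GDPR, nor under the EUDPR" is a double negative, and the parenthesis opened at "(Regulation (EU) 2016/679" is never closed. The last Court of Justice bullet writes "general Court" in lower case, and the "Actions for annulment ..." bullet in the General Court list breaks that list's lower-case, semicolon-terminated style.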

Latest revision as of 18:39, 4 July 2024

Data Protection in the European Union
Data Protection Authority: EDPS
Regulation for EU institutions: Regulation (EU) 2018/1725
Official Language(s): 24 EU Languages
European Legislation Database(s): Link
European Decision Database(s): Link

Legislation

History

Directive (EC) 95/46 was the first instrument to provide data protection rights to Europeans. European institutions had to comply with Regulation (EC) 45/2001 in respect of processing personal data. The Charter of Fundamental Rights attached to the Lisbon Treaty also contains an article on the right of privacy. Protection of personal data of users of information society services is enshrined in the e-Privacy Directive. The update of the European legal framework of data protection was initiated in 2012, and the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (Text with EEA relevance)) was adopted on 27 April 2016 and entered into force on 24 May of the same year, 20 days after its publication in the Official Journal. The Law Enforcement Directive entered into force on 5 May 2016 and EU countries had to transpose it into their national law by 6 May 2018. The GDPR is directly applicable and has to be applied from 25 May 2018. It regulates the protection of personal data by controllers established in the EU and, in some cases, the data of EU residents by controllers outside the EU (monitoring behaviour of EU residents in the EU and offering goods or services to residents of the EU). In fact the GDPR is a text with EEA relevance, i.e. EEA residents have the same rights as EU residents. The Law Enforcement Directive deals with processing of personal data in the framework of preventing, detecting, investigating and prosecuting criminal offences.

The EUDPR, Regulation (EU) 2018/1725, regulating the processing of personal data by EU institutions, bodies, offices and agencies, was published on November 21, 2018 and entered into force on December 11, 2018. It contains a separate chapter on "operational personal data", i.e. personal data processed in the course of the activities of the judicial cooperation. Europol and the European Public Prosecutor's Office will apply the EUDPR once their establishing legal acts are modified. EU foreign and security policy missions fall under neither the GDPR nor the EUDPR; the Council will have to adopt their own rules. Until then, they work according to their internal data protection rules.

The e-Privacy Directive is to be replaced by an e-Privacy Regulation (directly applicable) but this has not been adopted yet (July 2024).

Regulation (EU) 2018/1725

The European institutions are bound by Regulation 2018/1725, which provides the same rights to data subjects as the GDPR.

When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies' and institutions' equivalent to the GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725.

A way to understand Regulation 2018/1725 is to see it as a combination of the GDPR and the Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED.

Of particular note is Chapter IX of Regulation 2018/1725, which addresses Operational Personal Data (personal data processed for the purposes of carrying out law-enforcement tasks).[1] Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under the GDPR and Regulation 2018/1725 is different to the right of access under Chapter IX. These carve-outs are also reflected in the LED (Law Enforcement Directive), and in many cases Chapter IX will directly overlap in text with the LED.

Data Protection Authority

The European Data Protection Supervisor (EDPS) is the data protection authority for European Union institutions, bodies, offices and agencies.

→ Details see EDPS

While the EDPS mostly relies on Regulation 2018/1725 to enforce data protection law against European Union institutions, bodies, offices and agencies, there are also specialised regulations which will apply. For example, among others, the EDPS supervises Europol, which, alongside Chapter IX of Regulation 2018/1725, requires the use of Regulation (EU) 2016/794 (Europol Regulation).

Judicial protection

General Court

The General Court is made up of two judges from each Member State. The judges are appointed by common accord of the governments of the Member States after consultation of a panel responsible for giving an opinion on candidates' suitability to perform the duties of Judge. Their term of office is six years, and is renewable. They appoint their President, for a period of three years, from amongst themselves. They appoint a Registrar for a term of office of six years.

The General Court has jurisdiction to hear and determine:

  • actions brought by natural or legal persons against acts of the institutions, bodies, offices or agencies of the European Union (which are addressed to them or are of direct and individual concern to them) and against regulatory acts (which concern them directly and which do not entail implementing measures) or against a failure to act on the part of those institutions, bodies, offices or agencies; for example, a case brought by a company against a Commission decision imposing a fine on that company;
  • actions brought by the Member States against the Commission;
  • actions brought by the Member States against the Council relating to acts adopted in the field of State aid, trade protection measures (dumping) and acts by which it exercises implementing powers;
  • actions for annulment of a measure (in particular a regulation, directive or decision) adopted by an institution, body, office or agency of the European Union initiated by an individual;
  • actions seeking compensation for damage caused by the institutions or the bodies, offices or agencies of the European Union or their staff;
  • actions based on contracts made by the European Union which expressly give jurisdiction to the General Court;
  • actions relating to intellectual property brought against the European Union Intellectual Property Office and against the Community Plant Variety Office;
  • disputes between the institutions of the European Union and their staff concerning employment relations and the social security system.

The decisions of the General Court may, within two months, be subject to an appeal before the Court of Justice, limited to points of law.

Court of Justice of the European Union

The Court of Justice is composed of 27 Judges and 11 Advocates General. The Judges and Advocates General are appointed by common accord of the governments of the Member States after consultation of a panel responsible for giving an opinion on prospective candidates' suitability to perform the duties concerned. They are appointed for a term of office of six years, which is renewable. They are chosen from among individuals whose independence is beyond doubt and who possess the qualifications required for appointment, in their respective countries, to the highest judicial offices, or who are of recognised competence.

The Judges of the Court of Justice elect from amongst themselves a President and a Vice-President for a renewable term of three years.

The Advocates General assist the Court. They are responsible for presenting, with complete impartiality and independence, an 'opinion' in the cases assigned to them.

The Registrar is the institution's secretary general and manages its departments under the authority of the President of the Court.

The Court may sit as a full court, in a Grand Chamber of 15 Judges or in Chambers of three or five Judges.

The Court deals with:

  • References for preliminary rulings: questions asked by the national courts on interpretation of EU law
  • Actions for failure to fulfil obligations: so-called infringement procedures against Member States if they fail, for example, to transpose directives properly (or at all) or to implement judgments of the Court. The Commission may ask the Court to impose fines after a judgment establishing failure.
  • Action for annulment of a measure (in particular a regulation, directive or decision) adopted by an institution, body, office or agency of the European Union. The Court of Justice has exclusive jurisdiction over actions brought by a Member State against the European Parliament and/or against the Council (apart from Council measures in respect of State aid, dumping and implementing powers) or brought by one European Union institution against another.
  • Appeals against judgments of the General Court.

[1] The AFSJ sector (Area of Freedom Justice and Security) at the EDPS mainly relies on this Chapter of Regulation 2018/1725.