Overview of GDPR: Difference between revisions

From GDPRhub
Revision as of 20:40, 2 August 2022

Overview of GDPR

Preface

You can help us fill this section!

Intro

The General Data Protection Regulation (GDPR) is meant to regulate the processing of personal data within the European Economic Area (EEA). It largely replaced the Data Protection Directive 95/46/EC of 1995 and is based on the EU fundamental rights enshrined in the European Charter of Fundamental Rights (CFR), the EU treaties and the European Convention on Human Rights (ECHR).

The substantive privacy protections of the GDPR are largely similar to the protections under Directive 95/46/EC. The GDPR is therefore often described not as a revolution, but as an evolution. In fact, the core principles of the GDPR can already be found in Council of Europe Convention 108,[1] which was passed in 1981 and has been signed by 57 countries, including non-European countries.

Switching from a directive to a regulation meant that the legal text is directly applicable to private entities, without the need to transpose it into national law, as was required under the previous Directive 95/46/EC. This approach was meant to bring a more consistent legal framework, as Member States can no longer change the meaning of EU law when implementing it into national law. The so-called "one stop shop" and the cooperation procedures between national supervisory authorities were also meant to ensure consistency not only in the legal text, but also in enforcement. Considerably higher penalties and the option for data subjects to submit complaints and bring lawsuits were additional elements highlighted by the legislator.

However, the GDPR does not fully unify the European landscape, as it had to refer to Member State law or even provide opening clauses that allow certain issues (such as employee data) to be regulated in national law. Equally, budgets, appointments and procedural law are mainly regulated by each Member State. Consequently, supervisory authorities follow very different practices, operate on very different budgets and have different priorities and approaches, despite the need for European cooperation. There is also no system that would allow appeal courts to cooperate when dealing with appeals against decisions of supervisory authorities.

In practice, this leads to situations where the core elements of European data protection law are found in the GDPR, but in many cases there is substantial interaction with national substantive and procedural law.

Legal History

While the history of the right to privacy, and now the right to data protection, could itself fill books, the following short overview may be useful for understanding the broader picture and the background of the GDPR:

Reaction to technological developments

The first explicit data protection laws can be traced back to the 1970 data protection act of the German state of Hessen and the US Privacy Act of 1974. At its core, the information age allows certain government and private entities to gather massive amounts of information about other people and entities. Given the new technical possibilities of automated data processing, information is easy to generate, process and keep. For the first time, there was a realistic option to gather even rather trivial information in a fast, efficient and targeted manner and to connect such information into a detailed picture of an individual.

These developments have overcome the traditional economic and practical limitations of information gathering in the analogue age.

While political reactions may differ based on culture and history, there is clearly an overall desire to increase the protection of personal data, within the EU Member States but also on a global scale.[2] The fact that this desire is not always turned into law seems to stem from the lack of democratic participation in many parts of the world, or from political gridlock in countries that do have political participation. While there is a common narrative that Europeans care more about the protection of their personal data, there is clear empirical evidence that majorities support such protections globally.

The European Union has overcome such gridlock and had broad political support when passing the GDPR. In fact, XX of XX Members of the European Parliament and all but one EU Member State (which had sought higher protections) voted for the GDPR.

Technical

Digital information has not just become extremely valuable, fluid and invisible, but also allows individuals to be manipulated. After all, even relatively trivial uses of personal data, such as advertising data, can be used to trigger purchases that a data subject had not planned, enriching the data holder.

The information age often does not overcome traditional information imbalances; large-scale data processing may even increase them. If, for example, an airline were able to gather data showing that a passenger is desperate to fly to a certain place at a certain time, it could likely double its prices. At the same time, the passenger usually does not know that the flight is hardly booked and that the airline is equally desperate to sell a seat. Such an information imbalance can be countered if a controller is not allowed to use a passenger's personal data in such ways.

International aspects of data protection laws

Realizing that protections would be undermined when personal data is sent across borders, but that limiting data flows would also undermine free trade and international integration, Convention 108 and subsequent EU legislation were based on a simple equation: once the right to data protection is standardized within a certain sphere, there is no reason to limit data flows within that sphere anymore. Following this thought, the GDPR's full title is still "Regulation ... on the protection of natural persons with regard to the processing of personal data and on the free movement of such data".

Directive 95/46/EC

Realizing the need for an EU framework, the European Commission proposed an EU directive in 1990, which would later become Directive 95/46/EC. By October 1998, all EU Member States had to have passed a national data protection act aligned with Directive 95/46/EC.

The basic principles of Directive 95/46/EC stayed the same in the GDPR. Consequently, earlier decisions by courts and authorities, as well as earlier guidelines, are often referred to when interpreting the GDPR.

At the same time, Directive 95/46/EC allowed Member States to adapt the rules to national frameworks and traditions. National data protection laws had to be interpreted in line with Directive 95/46/EC, but were still subject to national developments, case law and national additions. Contrary to Directive 95/46/EC, the GDPR is directly applicable and must therefore be interpreted solely by reference to EU law, not national traditions.

Despite the fact that EU law must be interpreted without reference to national law, these national traditions are still often present today, as experts, lawyers, authorities and courts have a tendency to hold on to more than 20 years of national data protection law. Some Member States have even copied elements of their previous national data protection law into the national laws implementing the GDPR. The strong wish to hold on to existing national approaches is even present in parts of the legal literature on the GDPR.

The nationalistic approach will, however, gradually be replaced by a truly European approach. Until then, it is important to differentiate between concepts that can be derived from the GDPR or general principles of European law and artifacts that are still left

GDPR Proposal by the European Commission

On 25.1.2012, the European Commission published its proposal for the GDPR,[3] together with a proposal for a directive on the use of personal data in the area of

The GDPR was always planned mainly to regulate the use of raw data. It mostly regulates whether personal data may be used for a specific purpose, but not how the processing actually takes place. Attempts to regulate the way personal data is processed via algorithms, artificial intelligence and the like were not included in the GDPR, even though traces of such thinking can be found in it.

In an attempt to grab headlines, elements of the proposal, such as the "right to be forgotten" in Article 17 GDPR, were promoted as major changes, when in fact the European Commission had simply upgraded the previous right to erasure in Article 12(b) of Directive 95/46/EC and described the conditions and consequences of this right in more detail.

Position of the European Parliament

The Members of the European Parliament tabled about 4,000 amendments. As each Member was able to submit an unlimited number of amendments, regardless of whether they had any realistic chance of being passed, there is hardly a consistent position among them. Many amendments were repetitive or pointed in different directions.

In the European Parliament, a "rapporteur" is in charge of finding a compromise among the amendments. In the case of the GDPR, the rapporteur was Jan Albrecht of the German Green party. He had to negotiate this compromise with the so-called "shadow rapporteurs" of each of the other European Parliament groups. Generally, the Greens, Social Democrats and Left Party were pushing for a higher level of protection, while the European People's Party largely took positions in the interest of industry. The Liberals were usually split between economically liberal and socially liberal positions.

The so-called "Albrecht Report", with a number of amendments, was approved by the European Parliament on XX.XX.20XX, setting out the Parliament's position. Overall, it was slightly more protective of privacy rights, but above all it removed the countless clauses that would have allowed the European Commission to further specify the GDPR through delegated acts.

Position of the European Council

You can help us fill this section!

Trilogue

...

Given that the trilogue is an informal format and takes place behind closed doors, there are no materials that would allow one to understand the rationale of the negotiators when drafting the final version of the GDPR. Mostly, the positions were taken from one of the three proposals, but certain new gaps or changes in wording cannot be traced back to any of the three positions.

Lobbying Influence

At the time, the GDPR was seen as the most lobbied piece of European legislation. For the first time, US lobbying approaches were widely used in Brussels. Looking back, the input from industry lobbyists does not always seem to have been in the best interest of most average controllers. Instead of clear and precise wording, concepts like a "risk-based approach" and various amendments that made the text less precise were floated in an attempt to water down the Commission proposal. Much-needed clarifications were often blocked by industry lobbyists, leading to obvious gaps in the final text.

While large controllers with large legal departments may use these ambiguities and gaps today in an attempt to escape the GDPR, it seems to us that most normal controllers suffer from these approaches. Some years into the application of the GDPR, it seems that most small and medium-sized businesses just want to ensure compliance without needing expensive legal counsel or expert advice.

Legal Structure

The GDPR does not just consist of its 99 articles; it is embedded in a broader legal structure reaching all the way from the European treaties down to national law and guidance by regulators. A good understanding of the overall legal environment makes it possible to navigate the GDPR efficiently and to understand the bigger picture.

Treaty Law

The European Union does not have a constitution; its primary law is instead found in the treaties. Treaty law ranks higher than ordinary European legal acts, such as regulations, directives or decisions. The European treaties require the protection of personal data as a human right, which can only be changed by unanimous agreement of all EU Member States.

If a European legal act like the GDPR violated treaty law, it would have to be annulled by the Court of Justice of the European Union (CJEU). To avoid such a situation, legal acts are usually interpreted so as to comply with treaty law. Consequently, the CJEU usually interprets the GDPR in light of treaty law, which makes treaty law especially relevant when working with the GDPR.

Article 8 CFR

The Charter of Fundamental Rights (CFR) has been part of the treaties of the European Union since the Treaty of Lisbon entered into force in 2009. The 50 articles of the CFR ensure that there is a distinct human rights catalogue for the EU, which did not exist before.

Article 8 of the CFR

Article

Article 7 CFR

xxx

Article 7 CFR also corresponds to Article 8 of the European Convention on Human Rights (ECHR). Article 52(3) CFR

You can help us fill this section!

Article 16 TFEU

You can help us fill this section!

GDPR

You can help us fill this section!

Recitals

You can help us fill this section!

Chapters

You can help us fill this section!

Articles

You can help us fill this section!

Other EU law

The GDPR is far from the only relevant data protection law at the European level. The following other regulations and directives apply to certain processing operations or sectors:

ePrivacy Directive 2002/58/EC

The ePrivacy Directive 2002/58/EC deals with various privacy-related matters in the telecoms sector, including specific rules on privacy in telecommunications, the option to hide the caller's number, the use of metadata by telecoms providers and the like.

Outside of the telecoms sector, this directive is mainly known as the "EU cookie law": Article 5(3) of the ePrivacy Directive requires that information in terminal equipment (such as a phone or a computer) may only be stored or accessed if the user has given consent within the meaning of the GDPR.

In addition, Article 13 of the ePrivacy Directive regulates unsolicited communication ("spam") in the EU, requiring that controllers either obtain consent or only send information to existing customers ("direct marketing"), who must have the option to object to such marketing emails.

Currently, the ePrivacy Directive acts as a lex specialis, further determining the right to privacy in communications. Each Member State has implemented the ePrivacy Directive, often as a separate national law, as part of the GDPR implementing law or as part of a telecommunications act. Each Member State can choose the authority that is in charge of enforcing the ePrivacy Directive. In many cases this is (at least for certain articles) the relevant data protection supervisory authority, but often it is also the telecoms regulator.

The ePrivacy Directive was planned to be turned into a regulation alongside the entry into force of the GDPR, but so far there is no agreement between the European Commission, the European Parliament and the European Council on the details of the new regulation.

eCommerce Directive 2000/31/EC

The eCommerce Directive does not directly regulate data protection matters, but rather fair market behavior in online commerce. However, certain elements, like the requirement to have a proper imprint or functioning contact details on each website operating on the European market, often overlap with the information and communication requirements under the GDPR.

Data Protection Regulation (EU) 2018/1725 on EU Institutions

The GDPR generally applies to private and public entities, but not to the EU institutions themselves. The processing of personal data by EU agencies, the European Commission, the European Parliament or, for example, EUROPOL is regulated by a separate regulation, Regulation (EU) 2018/1725. In general, that Regulation is very similar to the GDPR.

There is a separate supervisory authority for the EU institutions, the European Data Protection Supervisor (EDPS), which is tasked with enforcing Regulation (EU) 2018/1725 within the EU institutions.

Data Protection Directive (EU) 2016/680 on the Criminal Law Sector

You can help us fill this section!

National Implementation Laws

You can help us fill this section!

Interpretation of the GDPR

General remarks on the interpretation of EU law

You can help us fill this section!

EDPB and National Guidance

You can help us fill this section!

Enforcement of the GDPR

You can help us fill this section!