Data Protection in the European Union: Difference between revisions
Revision as of 12:48, 10 May 2024
Data Protection in the European Union | |
---|---|
Data Protection Authority: | EDPS |
Regulation for EU institutions: | Regulation (EU) 2018/1725 |
Official Language(s): | 24 EU Languages |
European Legislation Database(s): | Link |
European Decision Database(s): | Link |
Legislation
History
A data protection regulation for EUIs (European Institutions) came into force in 2001 under Regulation (EC) 45/2001. Under this regulation the EDPS was created and designated as the independent data protection authority in charge of supervising how EUIs process personal data. The regulation additionally laid down the tasks and powers of the EDPS.
The EDPS starts its work under the leadership of Peter Hustinx as the first European Data Protection Supervisor and Joaquín Bayo Delgado as the Assistant Supervisor.[1] 2004 marks the first of many EDPS initiatives: first Prior Check Opinions, first complaints addressed, first investigations, and first legislative Opinions. The EDPS counts 15 members of staff working in three sectors: the Administration, Personnel, Budget sector, the Policy and information sector and the Supervision sector. Its offices are located at 63 Rue Montoyer in Brussels.
The EDPS has its first intervention before the Court of Justice in 2005, specifically in a case concerning international transfers of Passenger Name Record data of airline passengers to the United States.
In 2009, the Treaty on the Functioning of the EU, or the Lisbon Treaty, enters into force on 1 December 2009, ensuring a strong legal basis for comprehensive data protection in all EU policy areas. Data protection becomes a directly enforceable right for everyone.
In 2012, a new sector, Information and Technology Policy (IT Policy Unit), is created in the organisation to focus on the impact of technologies on data protection. Similarly, other organisational changes are made within the previously created units (Supervision & Enforcement, Policy & Consultation and Human Resources, Budget & Administration): heads of activities are created. The EDPS now counts more than 52 privacy professionals and other experts working to protect individuals and their personal data. The EDPS also moves into its headquarters, 30 Rue Montoyer in Brussels, Belgium, which reflects the organisation's growth as a fully-fledged independent data protection institution. These are still the EDPS' headquarters.
In 2013, the EDPS makes oral submissions at the hearing before the Grand Chamber of the Court of Justice in joint preliminary references C-293/12 and C-594/12 Digital Rights Ireland and Others. Both cases concern the validity of the Data Retention Directive 2006/24/EC. It is the first time that the Court decides, on the basis of Article 24 of its Statute, to invite the EDPS to attend a hearing in a preliminary reference procedure, to provide answers to specific questions.
In 2017, with the new Europol Regulation, the EDPS begins to supervise Europol (the European Union Agency for Law Enforcement Cooperation), whose remit is to help make Europe safer by assisting law enforcement authorities in EU Member States. The new Regulation also provides for the establishment of the Europol Cooperation Board, for which the EDPS provides the secretariat. The Board facilitates cooperation between the EDPS and EU Member States' data protection authorities on its supervisory activities.
In 2018, Regulation (EU) 2018/1725, or EUDPR, repealing Regulation (EC) 45/2001, is adopted. This Regulation provides the new data protection rules for EUIs, which match the GDPR, the latter applicable across the EU/European Economic Area. By the end of 2018, the EDPS reaches 100 employees.
In 2019, the EDPS starts supervising Eurojust - an EU agency in charge of combating serious forms of crime - in its processing of operational personal data.
In 2021, the EDPS becomes responsible for supervising the European Public Prosecutor's Office (EPPO) in its operational capacity, the independent European body in charge of investigating and prosecuting criminal offences against the European Union's financial interests.
In 2023, the EDPS opened a new office in the European Parliament in Strasbourg, France. With this new office, the EDPS provides additional support to the European Parliament in their legislative process, fulfilling their role as advisor to the EU legislator. The year also marked organisational changes within the EDPS. Specialised sectors were created to tackle ongoing and future data protection challenges, including a sector to monitor the EU's Area of Freedom, Security, and Justice; one to address individuals' complaints; another to ensure that technologies embed privacy principles throughout their development, as well as a Legal Service.
In 2024, the EDPS celebrates 24 years since its creation.
Regulation (EU) 2018/1725
The European institutions are bound by Regulation 2018/1725, which provides the same rights to data subjects as the GDPR.
When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies' and institutions' equivalent to the GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725.
One way to understand Regulation 2018/1725 is to see it as a combination of the GDPR and the Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED.
Of particular note is Chapter IX Regulation 2018/1725, which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks).[2] Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under the GDPR and Regulation 2018/1725 is different to the right of access under Chapter IX. These carve-outs are also reflected in the LED, and in many cases Chapter IX will directly overlap in text with the LED.
Data Protection Authority
The European Data Protection Supervisor (EDPS) is the data protection authority for European Union institutions, bodies, offices and agencies.
→ For details, see EDPS
While the EDPS mostly relies on Regulation 2018/1725 to enforce data protection law against European Union institutions, bodies, offices and agencies, there are also specialised regulations which will apply. For example, among others, the EDPS supervises Europol, which, alongside Chapter IX of Regulation 2018/1725, requires the use of Regulation (EU) 2016/794 (Europol Regulation).