1. Origins and Development of European Data Protection Law Flashcards
Universal Declaration of Human Rights
Universal Declaration of Human Rights (‘Human Rights Declaration’), adopted on 10 December 1948 by the General Assembly of the United Nations
Article 12 of the Human Rights Declaration
The right to a private life and associated freedoms is contained in Article 12 of the Human Rights Declaration, which states:
No one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks.
Article 19 of the Human Rights Declaration
A fundamental aspect in the Human Rights Declaration is the right to freedom of expression as set out in Article 19:
Everyone has the right to freedom of opinion and expression; this right includes freedom to hold opinions without interference and to seek, receive and impart information and ideas through any media and regardless of frontiers.
Article 29 of the Human Rights Declaration
Article 29(2), which states that individual rights are not absolute and that there will be instances where a balance must be struck:
In the exercise of his rights and freedoms, everyone shall be subject only to such limitations as are determined by law solely for the purpose of securing due recognition and respect for the rights and freedoms of others and of meeting the just requirements of morality, public order and the general welfare in a democratic society.
European Convention on Human Rights
In Rome, 1950, the Council of Europe invited individual states to sign the European Convention on Human Rights (ECHR), an international treaty to protect human rights and fundamental freedoms. Based on the Human Rights Declaration, it entered into force on 3 September 1953. The ECHR applies only to member states. It has 47 states.
The ECHR is a powerful instrument because of the scope of the fundamental rights and freedoms it protects. These include the right to life; prohibition of torture; prohibition of slavery and forced labour; right to liberty and security; right to a fair trial; no punishment without law; respect for private and family life; freedom of thought, conscience and religion; freedom of expression; freedom of assembly and association; right to marry; right to an effective remedy; and prohibition of discrimination.
Court of Human Rights
The (European) Court of Human Rights, established in Strasbourg, examines alleged breaches of the ECHR and ensures that states comply with their obligations under the ECHR. Rulings of the European Court of Human Rights are binding on the states concerned and can lead to an amendment of legislation or a change in practice by national governments. At the request of the Committee of Ministers of the Council of Europe, the European Court of Human Rights may also give advisory opinions that concern the interpretation of the ECHR and the protocols.
On 1 November 1998, the court system was restructured into a single full-time Court of Human Rights.
Article 8 of the ECHR
Article 8 of the ECHR echoes Article 8 of the Human Rights Declaration and provides that:
Everyone has the right to respect for his private and family life, his home and his correspondence.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.
Article 10 of the ECHR
Article 10 protects the right of freedom of expression and the right to share information and ideas across national boundaries. Article 10(1) of the ECHR reads:
Everyone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.
This right is also qualified so as to protect the privacy of individuals, as set forth in Article 10(2):
The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or the rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.
OECD Guidelines
The role of the OECD is to promote policies designed to achieve the highest sustainable economic growth and employment and a rising standard of living in both OECD member countries and nonmember countries, whilst maintaining financial stability and thus contributing to the development of the world economy. OECD membership extends beyond Europe and includes a number of major jurisdictions.
In 1980, OECD developed Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (‘Guidelines’) laying out basic rules that govern transborder data flows and the protection of personal information and privacy in order to facilitate the harmonisation of data protection law between countries.
They are not legally binding but are intended to be flexible and to serve either as a basis for legislation in countries that have no data protection legislation or as a set of principles that may be built into existing legislation.
OECD made every effort to ensure consistency with the principles being developed on behalf of the Council of Europe, which means there are distinct similarities between the Guidelines and the Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data.
The Council of Europe
The Council of Europe is the continent’s leading human rights organisation.
It includes 47 member states, 28 of which are members of the European Union. All Council of Europe member states have signed up to the European Convention on Human Rights, a treaty designed to protect human rights, democracy and the rule of law.
Official languages: English and French.
Headquarters: Palais de l’Europe in Strasbourg, France, designed by French architect Henry Bernard.
Budget: The Council of Europe is financed by member states. Contributions are based on population and wealth.
Convention 108
The Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (‘Convention 108’) was adopted by the Council of Europe and opened for signature to the member states of the Council of Europe on 28 January 1981. The fact that it was not referred to as the European Convention was to signify that it was open for signature to countries outside Europe.
The Convention requires signatories to take the necessary steps in their domestic legislation to apply the principles it lays down with regard to processing personal information.
In Convention 108, the Council of Europe took the view that those holding and using personal information in computerised form had a social responsibility to safeguard such personal information, particularly as at that time, decisions that affected individuals were increasingly based on information stored in computerised data files.
Convention 108 was the first binding international instrument to set standards for the protection of individuals’ personal data whilst also seeking to balance those safeguards against the need to maintain the free flow of personal data for the purposes of international trade.
Convention 108 consists of three main parts:
Substantive law provisions in the form of basic principles (Chapter II)
Special rules on transborder data flows (Chapter III)
Mechanisms for mutual assistance (Chapter IV) and consultation between the parties (Chapter V).
Convention 108 remains the only binding international legal instrument with a worldwide scope of application in the field of data protection that is open to any country, including countries that are not members of the Council of Europe. Indeed, the most recent (and 54th) accession was that of Argentina on 25 February 2019.
EU Directives
Directives are a form of legislation binding upon member states, but they ‘leave to the national authorities the choice of form and methods’ for implementation.
Data Protection Directive
- to harmonise national approaches towards data protection laws
- to enable the common market and free data flow
- Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data
- There have been significant differences in the ways member states have implemented and applied the Directive, or derogations, making it difficult for businesses to take full advantage of the benefits of the internal market.
Charter of Fundamental Rights
Signed by the EU Parliament, Council and Commission in 2000.
The Charter includes the general principles set out in the ECHR but specifically refers to the protection of personal data. In December 2009, when the Treaty of Lisbon came into force, the Charter was given binding legal effect.
Articles 7 and 10 of the Charter reflect the provisions of the ECHR in Articles 8 and 10, respectively, and Article 8 deals specifically with data protection as follows:
Everyone has the right to the protection of personal data concerning him or her;
Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Compliance with these rules shall be subject to control by an independent authority.
Article 8 therefore enshrines certain core values for the protection of personal data:
The processing must be fair
The processing must be carried out for specified purposes
There must be a legitimate basis for the processing
Individuals must have the right to access and rectify personal data
There must be a supervisory authority
Treaty of Lisbon
Signed in 2007, became effective in 2009.
The Lisbon Treaty amends the EU’s two core treaties: the Treaty on European Union and the Treaty Establishing the European Community (renamed the ‘Treaty on the Functioning of the European Union’, or ‘TFEU’). The TFEU echoes Article 8 of the Charter and provides at Article 16(1) that everyone has the right to the protection of personal data concerning him or her. Article 16(2) TFEU provides that:
The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States where carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.
This provision ensures that all institutions of the EU must protect individuals when processing personal data. There is a European data protection supervisor whose role is to regulate compliance with data protection law within the institutions of the EU, but the reference to ‘authorities’ implies that the national DPAs may.