Legislation Names and Dates Flashcards

1
Q

Data Protection Directive

Date / Status?

A

Adopted: 1995

Repealed in 2016 by the GDPR

After Convention 108 failed
Established WP29

  • Ensured all E.U. members had to implement data protection laws after many failed to ratify Convention 108
  • Meant to protect right to privacy and the internal market of Europe
  • Many terms in the Directive were carried over into the GDPR and have the same meaning
  • Applied to processing of personal data by both manual and automated means; primarily targeted toward controllers that were “established” in the E.U. or used equipment in an E.U. member state
  • Set forth key data protection principles that member states were obligated to implement in national legislation
  • Established the Article 29 Working Party, an influential advisory panel that provided guidance on issues related to data protection; eventually replaced by European Data Protection Board in the GDPR
2
Q

ePrivacy Directive

Date / Status?

A

Adopted: 2002 (amended in 2009 - EU Cookie Directive)

“Directive on Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector”
or
“Directive 1997/66”

Amendments may be referred to as:
“Directive 2009/136”

Still in force, but regulation to replace and modernize was proposed by the Commission in 2017.

  • Adopted in 2002 and expanded its scope in comparison to its predecessor to cover “all electronic communications services,” rather than just “telecommunication services”
  • Applies only to processing of personal data over publicly available services (i.e., does not apply to internal intranet systems), but non-public services may still be subject to GDPR
    Requires that terminal equipment be constructed in a manner that will protect individual rights, but member states may not require specific types of technology be implemented if it would impede free trade
  • The ePrivacy Directive imposes the following requirements (through implementing legislation):
    (1) Security – Appropriate technical and organizational safeguards must be implemented that are appropriate to the risk
    (2) Confidentiality – Communication and traffic data must remain confidential; interception is prohibited except with consent or where legally authorized
    (3) Traffic Data – Traffic data must be erased or anonymized when no longer needed, except as needed for billing, fraud detection, etc.
    (4) Privacy Enhancing Practices – Specific privacy enhancing practices, such as providing non-itemized billing, must be adopted
    (5) Location Data – Processing location data requires consent of the subscriber or anonymization
    (6) Restrictions on Unsolicited Marketing – Most digital marketing is restricted and requires opt-in consent
  • Article 5(3) requires consent before web cookies are used
    Part of 2009 amendments, called E.U. “Cookie Directive”
    Only exceptions to consent are when cookies are (1) strictly necessary for the provision of the service requested by the subscriber; or (2) for the sole purpose of carrying out the transmission of a communication
    The specific means of obtaining consent are not set forth; left to enabling legislation
    Consent is defined the same as under the GDPR
    Additional 2009 amendments: (1) notice requirements for data breaches; and (2) private cause of action for those that receive unsolicited advertisements
    An “ePrivacy Regulation” has been proposed and negotiations are ongoing
3
Q

E-Commerce Directive

Date / Status?

A

Directive/2000/31/EC

Directive on electronic commerce in the Internal Market

Adopted: 2000

Information Society Services

Still in force, but the “Digital Services Act” to replace and modernize was proposed by the Commission

  • Intended to strengthen internal market and foster a healthy online economic environment
  • Applies to “information society services,” which are any services provided: (1) “at a distance” (i.e., without the parties being simultaneously present); (2) by “electronic means” (i.e., sent over electronic equipment); and (3) “at the individual request of a recipient of services”
    • Although definition also includes phrase “provided for remuneration,” Recitals make clear that it applies to any acts that “represent an economic activity”; ECJ has agreed in Papasavvas case, finding indirect remuneration (e.g., from paid ads) was enough
  • Four primary principles: (1) protection of the single market; (2) no prior authorization is permitted; (3) basic e-commerce requirements; and (4) limitations on liability for certain organizations
  • Does not apply to questions covered by the GDPR and the ePrivacy Directive; still important, however, because the interplay between these laws is not always clear
  • Digital Services Act was proposed in late 2020 as a potential replacement; political agreement has been reached; set to go into effect on January 1, 2024
4
Q

Data Retention Directive

Date / Status?

A

Adopted: 2006

Invalidated by the European Court of Justice in 2014 in the Digital Rights Ireland, Ltd. Case

5
Q

GDPR

Date / Status?

A

Adopted: 2016

Still in force

6
Q

Law Enforcement Data Protection Directive
LEDPD

Date / Status?

A

Adopted: 2016

Directive 2016/680 on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties and on the Free Movement of Such Data.

Still in force

The LEDP Directive sets a baseline for how data is handled by criminal law enforcement authorities, but member states are free to set a higher level of protection for individuals.

The LEDP Directive fills an important gap left by both the Data Protection Directive and the GDPR. The Data Protection Directive applied to both private and public entities, as does the GDPR. Neither, however, applied or applies to the processing of personal data during activities that fall outside the scope of European Community law, which includes activities such as national defense, law enforcement, and judicial cooperation. Likewise, the GDPR does not apply to processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. The LEDP fills this hole. Unlike the relationship between the GDPR and the ePrivacy Directive, there is not a “lex generalis-lex specialis” relationship between the GDPR and the LEDP Directive.

7
Q

Network and Information Security Directive
NIS2

Date / Status?

A

Adopted: 2016

Still in force

8
Q

Convention 108

Date / Status?

A

Council of Europe - 1981 (amended 2011)

“Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data”

Convention 108 was the first binding agreement to address HOW the right to privacy needed to be protected.

Convention 108+ - 2018

In 1981, on the heels of the OECD Guidelines, the Council of Europe adopted the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data. This is commonly known as Convention 108. Pursuant to this Convention, the members of the Council of Europe agreed to, among other things, incorporate certain FIPs into their domestic laws so that they apply to both the public and private sectors. In this way, Convention 108 differs from the OECD Guidelines in that Convention 108 is a legally binding treaty.

Although Convention 108 was adopted by the Council of Europe, like the OECD Guidelines, other nations were free to join this convention; it is for this reason that the convention is referred to simply as a “Convention,” rather than a “European Convention.” The countries of Argentina, Burkina Faso, Cabo Verde, Mauritius, Mexico, Morocco, Senegal, Tunisia, and Uruguay have all joined this treaty. To this day, Convention 108 is the only international treaty with binding legal force related to data protection and privacy that is open to signature for every country throughout the world.

Convention 108 is divided into seven chapters. Chapters Two, Three, and Four are of particular importance. These chapters cover basic data protection principles, the transborder flow of data, and mutual assistance, respectively.

Chapter 2 of Convention 108 - Principles of Data Protection
* Art. 5 - Quality of Data
* Art. 6 - Special Categories of Data
* Art. 7 - Data Security
* Art. 8 - Additional Safeguards for Data Subjects

Chapter 3 - Transborder flow of data

Chapter 4 - Mutual Assistance

Additional Protocol
Introduced the concept of an “adequacy decision” for transborder data flows to non-member nations;
called for the creation of national supervisory authorities that should be responsible for enforcement.

Convention 108+
“Protocol amending the Convention of the Protection of Individuals with Regard to the Automated Processing of Personal Data.”

  • Defines the terms “controller” and “processor”
  • There must be legal basis prior to processing personal data
  • Identifies “special categories” of data that must be treated with particular care
  • Transborder Data Flow: By becoming a signatory of Convention 108+, countries outside of Europe make it more likely that the EU will make an adequacy finding under the GDPR. This in turn permits the free flow of data between those countries.
9
Q

ECHR

European Convention on Human Rights

Date / Status?

A

Opened for signature 1950 in ROME, came into force 1953

Overseen by European Court of Human Rights in Strasbourg

Council of Europe is responsible

10
Q

EU Institutions?

A

European Commission (The Commission)
European Parliament
Council of the European Union

European Council
Court of Justice of the European Union

unrelated to data protection
European Central Bank
Court of Auditors

11
Q

European Court of Human Rights

A

Created in 1959

Enforces Convention 108+

Power is limited by inability to enforce decisions (must rely on Council of Europe to enforce) and may not override national interpretations of laws

Sits in Strasbourg as part of the Council of Europe

Although not an institution of the E.U., the European Court of Human Rights enforces the European Convention on Human Rights (ECHR). The interpretation of the ECHR, in turn, has a significant impact on how the Court of Justice of the European Union enforces and interprets the Charter of Fundamental Rights. The European Court of Human Rights therefore plays an important role in European data protection.

12
Q

Timeline of European Data Protection

A

1948

The United Nations General Assembly adopts the Universal Declaration of Human Rights (“UDHR”).

1950

The Council of Europe adopts the European Convention on Human Rights (“ECHR”).

1951

The Treaty Establishing the European Coal and Steel Community (a/k/a Treaty of Paris) is signed. This was a precursor to the Treaty of Rome.

1953

The ECHR enters into force.

1957

The Treaty Establishing the European Economic Community (a/k/a Treaty of Rome) is signed.

1965

The Treaty Establishing a Single Council and a Single Commission of the European Communities (a/k/a the Merger Treaty) was signed, establishing the European Commission, the Council of Ministers, the Court of Justice of the European Union, and European Parliament.

1973

Sweden adopts the first national privacy legislation (the “Data Act”)

1973

Resolution 73/22 was enacted, establishing a framework of specific principles for the protection of personal data held in automated data banks in the private sector.

1974

Resolution 74/29 was enacted, establishing a framework of specific principles for the protection of personal data held in automated data banks in the public sector.

1979

Seven member states pass national data protection laws, and Austria, Portugal, and Spain incorporate privacy protections into their national constitutions.

1980

The OECD Guidelines are adopted.

1981

Council of Europe adopts Convention 108.

1986

The Single European Act is adopted, leading to a common currency (the Euro) and an end to border regulations internally within Europe.

1992

The Treaty on European Union (a/k/a the Maastricht Treaty) is adopted, establishing the E.U.

1995

The Data Protection Directive is adopted.

2000

The E-Commerce Directive is adopted.

2000

The Charter on Fundamental Rights of the European Union is adopted.

2001

The Additional Protocol to Convention 108 is adopted to address cross-border data flows.

2002

The ePrivacy Directive is adopted.

2006

The Data Retention Directive is adopted.

2007

The Treaty of Lisbon is signed, amending the European Treaty on the Functioning of the European Union (renamed from the Treaty Establishing the European Economic Community) and the Treaty on European Union.

2014

The European Court of Justice rules that the Data Retention Directive is invalid.

2016

The General Data Protection Regulation (“GDPR”) is adopted.

2016

The Law Enforcement Data Protection Directive (“LEDP Directive”) is adopted.

2018

The GDPR comes into effect.

2021

The United Kingdom officially exits the European Union (“Brexit”).

2021

An adequacy finding is adopted with respect to U.K. data protection law.
