Privacy and Data Protection, though connected, are commonly recognised all over the world as two separate rights. In Europe, they are considered vital components for a sustainable democracy.
Though experts sometimes disagree over the finer points of these two rights, on this page you will find a general description of privacy and data protection, as well as an outline of data protection law; data protection in practice; the independence of supervisory authorities; cross border data protection; and the interaction between privacy, data protection and security.
In this notion of dignity, privacy or the right to a private life, to be autonomous, in control of information about yourself, to be let alone, plays a pivotal role. Privacy is not only an individual right but also a social value.
Historically, in other parts of the world, such as the U.S.A., privacy has often been regarded as an element of liberty, the right to be free from intrusions by the state. This distinction between Europe and other parts of the world is relative since it is also an element of privacy in the EU.
Almost every country in the world recognises privacy in some way, be it in their constitution or in other provisions.
Moreover, privacy is recognised as a universal human right while data protection is not – at least not yet.
The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7).
Data protection is about protecting any information relating to an identified or identifiable natural (living) person, including names, dates of birth, photographs, video footage, email addresses and telephone numbers. Other information such as IP addresses and communications content - related to or provided by end-users of communications services - are also considered personal data.
The notion of data protection originates from the right to privacy and both are instrumental in preserving and promoting fundamental values and rights; and to exercise other rights and freedoms - such as free speech or the right to assembly.
Data protection has precise aims to ensure the fair processing (collection, use, storage) of personal data by both the public and private sectors.
Privacy and data protection are two rights enshrined in the EU Treaties and in the EU Charter of Fundamental Rights.
The Charter contains an explicit right to the protection of personal data (Article 8).
The entry into force of the Lisbon Treaty in 2009, gave the Charter of Fundamental Rights the same legal value as the constitutional treaties of the EU. Thus the EU institutions and bodies and the Member States are bound by it.
In addition, article 16 of the Treaty on the Functioning of the European Union (TFEU) obliges the EU to lay down data protection rules for the processing of personal data. The EU is unique in providing for such an obligation in its constitution.
For decades, the EU has held high standards of data protection law . The law entitles individuals to exercise specific data protection rights and obliges (public or private sector) organisations that process their data to respect these rights.
In April 2016, the EU adopted a new legal framework - the General Data Protection Regulation (GDPR) and the Data Protection Directive for the law enforcement and police area.
Fully applicable across the EU in May 2018, the GDPR is the most comprehensive and progressive piece of data protection legislation in the world, updated to deal with the implications of the digital age.
It applies to organisations or companies not established in the EU who offer goods and services to individuals in the EU or monitor their behaviour. It creates new rights for individuals in the digital environment and several new and detailed obligations for cooperation.
Globally, there is an increasing growth in data protection (sometimes referred to as data privacy in non-EU countries) laws. Many of these laws are strongly influenced by the EU rules, which have long been considered the gold standard in data protection law.
Over 100 countries around the world now have data protection laws in place: fewer than half of these countries are in Europe (28 EU Member States and others). The majority of data protection laws have been adopted outside of Europe, with the fastest growth seen in African countries.
The handbook on data protection law provides an overview of the EU’s and the CoE’s applicable legal frameworks. It also explains key case law, summarising major rulings of both the Court of Justice of the European Union and the European Court of Human Rights.
In most countries, national Data Protection Authorities (DPAs) or Regulators have been established to be the guardians of data protection.
For the enforcement of data protection laws to be effective, DPAs are given the power to investigate, detect and punish violations as well as the responsibility to raise awareness of data protection rights and obligations in general.
In the EU, this effectiveness is strengthened by the requirement for DPAs to be independent of any political, governmental or other influence.
Furthermore, good cooperation between DPAs (Article 29 Working Party, EDPB) ensures greater consistency of data protection in the EU.
In the EU the requirement for DPAs to be independent is laid down in law: Article 16(2) of the Treaty on the Functioning of the EU (TFEU) and Article 8(3) of the EU Charter of Fundamental Rights.
The Court of Justice of the European Union, has consistently emphasised that control by an independent authority is an essential component of the right to data protection and has laid down the criteria for such independence.
In particular, the supervisory authority must act with complete independence, which implies a decision-making power independent of any direct or indirect external influence.
The Court has also emphasised the crucial role of EU independent supervisory authorities in relation to control of international transfers to non-EU countries.
The General Data Protection Regulation (GDPR) also emphasises the importance of independence; Chapter VI of the GDPR provides detailed rules for the establishment and functioning of independent supervisory authorities, including provisions on the resources necessary for the effective performance of their tasks and powers.
The EDPS is an independent supervisory authority responsible for ensuring that EU institutions and bodies comply with data protection law when processing personal data.
Data protection laws are national but in the online environment, data does not respect borders.
Cross-border cooperation and agreements to deliver effective data protection are essential, particularly if the EU is to maintain its values and uphold its principles.
To achieve this, the EDPS regularly interacts with EU and international DPAs and Regulators to influence and develop cross-border enforcement.
In the EU, privacy and data protection are not absolute rights and can be limited under certain conditions according to the EU Charter of Fundamental Rights.
The rights to privacy and data protection may need to be balanced against other EU values, human rights, or public and private interests such as the fundamental rights to freedom of expression, freedom of press or freedom of access to information.
The rights to privacy and data protection may also need to be weighed up against other public interests, such as national security. EU Member States adopt measures to combat terrorist threats, but more generally to reinforce the judicial and police cooperation in criminal matters in the area of Freedom, Security and Justice (AFSJ).
In the EU, national security is the sole responsibility of each Member State and is outlined in the Treaty on the Functioning of the EU (article 4.2 TFEU).
However, the courts by means of the specific legal provision on data retention, are now exploring the boundaries of this competence: according to the Court of Justice of the EU (Case C-399/11; Case C-411/10), even measures derogating from EU law are subject to the Charter of Fundamental Rights.
In any case, the scale of collection, storage and cross-border exchange of personal data between Member States in crime and terrorism matters is enormous.
The increased access to European databases as well as to commercial data for law enforcement purposes are challenging the balance between privacy and security.
Data protection authorities in general have a pivotal role to play in ensuring this balance between privacy and other interests, including in the sensitive domain of security where their role is expanding; for instance on 1 May 2017, the EDPS will take over the data protection supervision of Europol, the EU body actively cooperating with law enforcement authorities to combat international crime and terrorism.
The EDPS' role of independent adviser to the EU institutions relates to all matters concerning the processing of personal data, including initiatives to improve security in the EU and new data-exchange tools for law enforcement agencies.
Indeed, the EDPS has issued numerous Opinions on initiatives to expand information sharing for law enforcement purposes inside the EU including on the Entry/Exit System and EU PNR - but also outside of Europe such as the Umbrella Agreement with the US and PNR agreements with non-EU countries.