PERSONAL DATA PROTECTION
Personal data protection and respect for private life are important fundamental rights. The European Parliament insists on the need to keep a balanced approach between enhancing security and safeguarding human rights, including data protection and privacy. The Lisbon Treaty provides a stronger basis for the development of a clearer and more effective data protection system, while also foreseeing new powers for the European Parliament. There will be important developments in this area with the implementation of the Stockholm Programme.
Article 16 of the Treaty on the Functioning of the European Union (TFEU).
The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is consistently applied. We need to strengthen the EU stance on the protection of individuals' personal data in the context of all EU policies, including law enforcement and crime prevention, as well as in our international relations. In a global society characterised by rapid technological changes, where information exchange knows no borders, it is particularly important to preserve privacy. Some of the challenges our modern society faces are: privacy protection online, access to the internet, video surveillance, radio frequency identification tags (smart chips), behavioural advertising, search engines and social networks (especially concerning profiles of minors).
A. A new institutional framework: the Lisbon Treaty and the Stockholm Programme
1. The Lisbon Treaty
Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, with the use of Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). Consequently, the decision making process followed different rules. The pillar structure has disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system and at the same time foresees new powers for the European Parliament, which becomes co-legislator. Article 16 of the TFEU provides that the Parliament and the Council shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law.
2. The Stockholm Programme and its Action Plan
Following the previous Tampere (October 1999) and The Hague Programmes (November 2004), a new multi-annual programme in the area of freedom, security and justice for the period 2010-2014, the so-called Stockholm Programme, was approved by the European Council in December 2009. The European Parliament voted a resolution on it on 25 November 2009. On 20 April 2010, the European Commission adopted a Communication on an Action Plan implementing the Stockholm Programme, with concrete actions and clear timetables to meet current and future challenges. In its Conclusions of June 2010, the Justice and Home Affairs Council took note of the Commission Action Plan. A mid-term review of the implementation of the Stockholm Programme by the European Commission is foreseen by June 2012. The Stockholm Programme contains important provisions concerning data protection. In the Action Plan implementing the Stockholm Programme, the European Commission announced that it would present a Communication and a legislative proposal concerning data protection by the end of 2010 and 2011. On 4 November 2010, the Commission adopted a Communication, thus paving the way for an overhaul of the existing data protection legislation.
B. Main legislative instruments on data protection
1. The EU Charter of fundamental rights
Respect for private life and protection of personal data have been recognised as closely related, but separate fundamental rights in Articles 7 and 8 of the EU Charter of Fundamental Rights. The Charter is integrated into the Lisbon Treaty and is legally binding on the European Union (and its institutions and bodies) and its Member States when they implement EU law. For more information on the respect for fundamental rights in the EU, see Fact Sheet 2.1.0.
2. The Council of Europe
a. The Convention 108 of 1981
The Council of Europe Convention of 28 January 1981 for the protection of individuals with regard to automatic processing of personal data is the first legally binding international instrument adopted in the field of data protection. Its purpose is "to secure [...] for every individual [...] respect for his rights and fundamental freedoms and in particular his right to privacy, with regard to automatic processing of personal data". It sets out minimum standards aimed at protecting the individuals against abuses which might occur when personal data is being collected and processed. It also seeks to regulate the cross-border flow of personal data.
b. The European Convention on Human Rights (ECHR)
Article 8 of the European Convention of 4 November 1950 for the protection of human rights and fundamental freedoms introduces the right to respect for private and family life: "Everyone has the right to respect for his private and family life, his home and his correspondence".
3. The current EU legislative instruments on data protection
As a consequence of the old pillar structure, there are at the moment different legislative instruments, such as EU Directives in the former first pillar (Directive 95/46 on data protection, Directive 2002/58, modified in 2009, on e-privacy, Directive 2006/24 on data retention, as well as Regulation 45/2001 on processing of personal data by Community institutions and bodies) and a Council Framework Decision of November 2008 on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters (former third pillar). A new comprehensive legal framework on data protection at EU level is due to be adopted soon, so as to provide consistency on this sensitive issue.
a. The Data Protection Directive 95/46
Directive 95/46 of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is the central piece of legislation on the protection of personal data in the EU. The Directive stipulates general rules on the lawfulness of personal data processing and rights of the people whose data is being processed, while also foreseeing national independent supervisory authorities. According to this Directive, a person must clearly give specific consent and be informed before his/her personal information is processed. Directive 95/46 introduces new concepts, such as: personal data, processing of personal data, controller, processor, third party, recipient and data subjects.
Directive 95/46 does not apply to the processing of personal data in the course of an activity which falls outside the scope of Community law and in no case does it apply to processing operations concerning public security, defence, State security and the activities of the State in areas of criminal law.
b. The Council Framework Decision 2008/977/JHA
Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters regulates data protection in the old third pillar. This is a sector not covered by Directive 95/46, which applies to the processing of personal data in the old first pillar. This Council Framework Decision regulates issues like the right to be informed, right of access to one's personal data held by law enforcement authorities, right of compensation in case of damage as a result of unlawful processing of one's personal data and limitations on the use of sensitive data. The Framework Decision only covers police and judicial data exchanged between Member States, EU authorities and systems, and does not include domestic data.
4. The European Data Protection Supervisor and Article 29 Working Party
The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies respect their data protection obligations, which are laid down in the Data Protection Regulation 45/2001. The primary duties of the EDPS are supervision, consultation and cooperation. The supervisory competences of the EDPS cover the processing of personal data by the EU institutions and bodies. They do not extend to processing in the Member States, which falls under the national legislation, adopted in order to comply with the Data Protection Directive 95/46. The EDPS also advises EU institutions and bodies on all matters having an impact on the protection of personal data. This may apply to proposals for new EU legislation, but also to other instruments, such as communications of the European Commission. In addition, the EDPS intervenes in cases before the Court of Justice.
Article 29 Working Party on the protection of individuals with regard to the processing of personal data is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive. It is composed of representatives from the EU national data protection authorities, the EDPS and the Commission. Art. 29 Working Party's competence includes examining questions on the application of the national measures adopted under the data protection directives. It issues recommendations, opinions and working documents. The Secretariat of the Working Party is provided by the European Commission.
5. Towards a review of the EU data protection legislation
In July 2009, the European Commission launched a public consultation on the future of the present legal framework for data protection to seek views on how to respond to new challenges for data protection presented by new technologies and globalization. The consultation was also motivated by the adoption of the Lisbon Treaty, which requires a reworking of the structure of the EU legal framework for data protection. In the Action Plan of April 2010 implementing the Stockholm Programme, the Commission announced a Communication and a legislative proposal concerning data protection by the end of 2010 and 2011. On 4 November 2010, the Commission adopted a Communication, thus paving the way for an overhaul of the existing data protection legislation. A comprehensive legal framework on data protection at EU level, for both the public and the private sectors (including police and judicial cooperation), should also include: "privacy by design", more accountability for controllers and stronger enforcement powers for data protection authorities. Individuals should have control over their own data, be clearly informed in a transparent way, and have the possibility to effectively exercise their rights.
ROLE OF THE EUROPEAN PARLIAMENT
The Parliament has always insisted on the need to keep a balanced approach between enhancing security and protecting privacy and personal data. The Parliament has adopted various resolutions on these sensitive matters, with regard to ethno-racial profiling, the Prüm Council Decision on cross-border cooperation in combating terrorism and cross-border crime, the possible introduction of body scanners to enhance aviation security, biometrics in passports and common consular instructions, border management, internet, data mining.
The Lisbon Treaty has introduced more effectiveness, accountability and legitimacy in the area of freedom, security and justice. It has generalized, with a few exceptions, the Community method, which includes co-decision with the Parliament (the ordinary legislative procedure) and majority voting in the Council. The old pillar structure disappears. The EU Charter of Fundamental Rights is integrated into the Lisbon Treaty and is legally binding on the European Union (and its institutions and bodies) and EU Member States when they implement EU law.
As regards international agreements (including in the field of data protection and information sharing), a new procedure, the "consent", is foreseen. The role of the Parliament, only consulted under the former "third pillar" (police and judicial cooperation in criminal matters), is now enhanced with the Lisbon Treaty. The Parliament has already used these powers in February 2010 when it rejected the provisional application of the Terrorist Finance Tracking Programme (TFTP) agreement (previously known as SWIFT agreement), the anti-terrorist agreement on bank data transfers to the United States. Following the Parliament resolution of 8 July 2010, the TFTP agreement entered into force in August 2010. The final agreement meets the Parliament's key concerns, such as the elimination of "bulk" data transfers, the prohibition of data mining, the possibility of setting up an EU TFTP mechanism and a new role for Europol.
This new momentum will be beneficial for another issue of crucial importance for data protection: the Passenger Name Records (PNR) agreement between the EU and the United States on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security. The Parliament has been very active on the PNR dossier, its action leading to the annulment by the European Court of Justice of an earlier agreement with the US on PNR data. In May 2010 the Parliament decided (in order to avoid the risk of rejection, as in the case of the SWIFT agreement) to postpone its vote on the matter, so that a standard PNR model that meets Parliament's demands regarding data protection could be devised. Responding to the Parliament request, in September 2010 the European Commission adopted a package of proposals on the exchange of PNR data with third countries, consisting of an EU external PNR strategy and recommendations for negotiating directives for new PNR agreements with the United States, Australia and Canada. The Justice and Home Affairs Council of December 2010 adopted negotiating directives on the above-mentioned agreements. At the beginning of February 2011, the Commission tabled a proposal for a Directive on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (EU PNR). Finally, the Parliament will be involved in the approval of a legally binding (framework) agreement with the United States on the exchange of information and data protection. The aim is to ensure a high level of protection of personal information, such as passenger data or financial information, which is transferred in the framework of transatlantic cooperation in the fight against terrorism and organised crime. The agreement would enhance the right of citizens to access, rectify or delete data, if necessary. 
Independent public authorities would be given a stronger role in helping people exercise their privacy rights and in supervising transatlantic data transfers. The European Parliament will be fully informed at all stages of the negotiations and will have to give its consent to the final agreement.
Alessandro DAVOLI 03/2011