Introduction to EU Privacy and Data Protection

• Author: Katherine H Woodcock; W Gregory Voss
• Pages: 1-25

1

1

Introduction to EU Privacy

and Data Protection

I. RELEVANT LEGI SLATIVE INSTRU MENTS

AND TREATIES

To properly understand EU privacy and data protection laws and requirements, it is

important to understand the essential EU legislative instruments and relevant treaties.

In the European Union, privacy and data protection are fundamental rights, mean-

ing that they cannot be waived or contracted away. It is also important to note the

difference between a right to privacy and a right to protection of one’s data. These

two concepts are closely linked both in their history and development of legisla-

tive instruments. Nevertheless, they are distinct concepts. This book will focus on

data protection law and privacy law as applied to companies in the private sector

operating or offering goods or services in Europe. This section will introduce the fun-

damental legal instruments and treaties, specically the EU’s enshrinement of privacy

and data protection as a fundamental right, the Council of Europe’s Convention 108

(Convention 108),1 the OECD Guidelines on the Protection of Privacy and Trans-

border Flowsof Personal Data (OECD Guidelines),2 both in their original form and

the version as amended on July 11, 2013 (Revised OECD Guidelines),3 and nally the

Directive.

A. Privacy and Data Protection as Fundamental Rights

The right to data protection is intimately associated with the right to privacy. The

Council of Europe rst adopted the European Convention on Human Rights4

1. Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data,

Jan. 28, 1981, ETS No. 108 [hereinafter Convention 108], as amended, full text and protocol available at

http://www.conventions.coe.int/Treaty/en/Treaties/Html/108.htm.

2. OECD Guidelines Governing the Protection of Privacy and Transborder Flows of Personal Data,

Sept. 23, 1980, C(80)58/FINAL [hereinafter OECD Guidelines], available at http://www.oecd.org/internet/

ieconomy/oecdguidelinesontheprotectionofprivacyandtransborderowsofpersonaldata.htm.

3. OECD Guidelines, as amended on July 11, 2013 by C(2013)79 [hereinafter Revised OECD Guidelines];

for full text, see http://www.oecd.org.sti/ieconomy/2013-oecd-privacy-guidelines.pdf.

4. European Convention for the Protection of Human Rights and Fundamental Freedoms, Nov. 4,

1950, as amended and supplemented (ECHR) [hereinafter ECHR], http://www.echr.coe.int/Documents/

Convention_ENG.pdf.

woo51396_01_c01_001-024.indd 1 12/1/15 5:22 PM

2

Navigating E U Privacy and Data Protec tion Laws

(ECHR), which established a right to privacy. This right to privacy protects individu-

als against invasion of their personal life by public authorities unless it meets certain

conditions specied in the law.5 This was followed by the right to the protection of

one’s data, initially presented in Convention 108. This right was further enshrined

within the European Union in the Charter of Fundamental Rights of the European

Union (Charter), Article 8,6 which provides:

Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specied purposes and on the basis of

the consent of the person concerned or some other legitimate basis laid down

by law. Everyone has the right of access to data which has been collected

concerning him or her, and the right to have it rectied.

3. Compliance with these rules shall be subject to control by an independent

authority.

The right to privacy as established in Article 7 of the Charter is a right to “respect

for private and family life: everyone has the right to respect for his or her private

and family life, home and communications.”7 The Charter became legally binding

on all Member States on December 1, 2009, with the entry into force of the Treaty of

Lisbon, which made the ECHR legally binding in the European Union as well.

B. Convention 1 0 8

Convention 108 was the rst binding international treaty in the eld of data protec-

tion. It has been adopted by the European Union, by many European countries, and

increasingly by non-European jurisdictions8 and is open to accession by international

organizations.9 It was drafted with the aim of developing “common core of substan-

5. ECHR, art. 8, provides: “Right to respect for private and family life. 1. Everyone has the right to

respect for his private and family life, his home and his correspondence. 2. There shall be no interference by

a public authority with the exercise of this right except such as is in accordance with the law and is neces-

sary in a democratic society in the interest of national security, public safety or the economic well-being

of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the

protection of the rights and freedoms of others.”

6. Charter of Fundamental Rights of the European Union, Dec. 7, 2000, 2010 O.J. (C 83) 389 (Mar. 30,

2010), art. 6, at 393, http://eurlex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0389:0403:E

N:PDF.

7. Id. art. 7, at 393.

8. For example, Uruguay, which is not a member of the Council of Europe, has ratied the Convention 108.

For a full list of signatories and the status of ratication, see http://conventions.coe.int/Treaty/Commun/

ChercheSig.asp?NT=108&CM=1&DF=&CL=ENG.

9. See modernized version of Convention 108, art. 23, http://www.coe.int/t/dghl/standardsetting/

dataprotection/TPD_documents/TPD%282012%2904Rev4_E_Convention%20108%20modernised%20

version.pdf.

woo51396_01_c01_001-024.indd 2 12/1/15 5:22 PM