Updating the law of information privacy: the new framework of the European Union.

• Author: Rotenberg, Marc
• Position: Privacy, Security, and Human Dignity in the Digital Age

1. ORIGINS OF EU PRIVACY LAW A. Integration of the European Union Economies B. Establishment of Privacy as a Fundamental Right C. Modern EU Privacy Instruments 1. The EU Data Protection Directive 2. The E-Privacy Directive 3. The Treaty of Lisbon 4. The Role of Data Protection Authorities D. New Challenges 1. New Technologies and Business Practices 2. Enforcement 3. Coordination and Harmonization II. THE EU GENERAL DATA PROTECTION REGULATION A. Overview of the GDPR B. Strengthening Individual Control: Substantive Rights and Transparency C. Increased Responsibility and Accountability of Data Processors and Controllers D. Harmonization, Consistency, and Clarification of Process III. APPLICATION TO THIRD COUNTRIES A. Under the EU Data Protection Directive (Articles 25 and 26) B. The EU-U.S. Safe Harbor Arrangement C. Under the General Data Protection Regulation D. The "Ratcheting-Up" Effect IV. RELATED DEVELOPMENTS A. The Need for a Third-Pillar Directive B. Modernization of Council of Europe Convention 108 C. OECD Privacy Guidelines D. Asia-Pacific Economic Cooperation Privacy Framework E. The U.S. Consumer Privacy Bill of Rights. CONCLUSION In early 2012, the European Commission published its proposed General Data Protection Regulation, (1) which updates European data protection law and will significantly impact business practices around the globe, much as did the European Union Data Protection Directive of 1995. Although there will be considerable debate about the various provisions contained in the Regulation, an overview of the developments leading up to it shows the natural evolution of the newest legal instrument to safeguard the modern right to privacy. This Article develops that picture.

   This Article proceeds in five parts. Part I describes the origins of European privacy law, including the development of the significant modern privacy instruments. Part II explores the key provisions of the proposed General Data Protection Regulation. Part III focuses on the Regulation's application outside the European Union (EU), and the "ratcheting-up" effect that is likely to result. Part IV examines related international privacy developments, including efforts to update the Council of Europe Privacy Convention, enforce the Organization of Cooperation and Development (OECD) Privacy Guidelines, and develop a privacy framework in the United States that is broadly applicable to global privacy challenges. Finally, the Article concludes by noting the significance of the Regulation in the development of modern privacy law. (2)

1. ORIGINS OF EU PRIVACY LAW

   After World War II, privacy attained the legal and cultural status of a fundamental right in Europe. The right of privacy was recognized in the Universal Declaration of Human Rights, (3) in other post-war international instruments such as the European Convention on Human Rights (ECHR), (4) and in legislation implementing these instruments at the national level. Although EU member states have interpreted these instruments in light of new practices, such as wiretapping and DNA collection, the advent of automated data processing prompted the adoption of the Data Processing Convention and, later, the Additional Protocol, which created data protection authorities in all of the member states. (5) Most recently, the evolution of privacy as a fundamental right is reflected for the EU member states in the adoption of the Lisbon Treaty and the Charter of Fundamental Rights, which added the protection of individuals' fundamental rights and freedom with regard to the processing of personal data ("data protection") as a fundamental right. (6)

   1. Integration of the European Union Economies

      After World War II, six European countries united to create the European Coal and Steel Community (ECSC), as well as the European Economic Community (EEC) and the European Atomic Energy Community (EAEC). (7) Over the next forty years the integration of the European economies grew in both scope and size until 1986 when, now called the European Community composed of twelve member states, it has become following the Single European Act treaty an "internal market" without internal borders. (8) In 1992, those twelve members signed the Maastricht Treaty, which formed the European Union (EU) covering at the same time the competencies of the European Community and new domains of external policy as well as justice and home affairs. (9) This treaty started the process by which the member states moved to consolidate their legal authorities and regulatory frameworks across a wide range of economic activity to facilitate the free movement of goods, services, labor, and capital. (10) As new member states were admitted to the European Union, they were required to comply with the "Copenhagen Criteria," as well as demonstrate that they had adequate privacy protection to safeguard personal data. (11) The countries were required to show the stability of democratic institutions and the protection of human rights, the existence of a functioning market economy, and the acceptance of the Community acquis, the ability to comply with the aims of political, economic and monetary union. (12) The adoption of a pan-European framework for privacy protection is thus part of the process of European integration.

   2. Establishment of Privacy as a Fundamental Right

      European countries have recognized privacy as a fundamental right for many years. Although the EU has only officially existed since 1993, (13) privacy is well established in the constitutions of member countries and the national courts. Most notably, the German Constitutional Court has set out substantial opinions on the right to privacy, (14) as well as the right to "informational privacy." (15)

      International agreements, declarations, and treaties have deeply influenced EC and EU privacy law. The initial post-war expression of privacy as a fundamental right is found in the United Nations's Universal Declaration of Human Rights (UDHR). (16) Soon after its inception, and very shortly after the experiences of World War II, the UN adopted the UDHR to recognize formally the inalienable rights of every person. (17) The UDHR enumerates many rights, including those established in Article 12, which states that "[n]o one shall be subjected to arbitrary interference with his privacy, family, home or correspondence, nor to attacks upon his honour and reputation. Everyone has the right to the protection of the law against such interference or attacks." (18) The UNHR thus not only set out a universal articulation for the right of privacy; it simultaneously called on nations to establish privacy as a legal right.

      Soon after the UNHR, European countries followed suit and established a privacy right within the Council of Europe (COE). Created in 1949, the COE is an organization of forty-seven member states, including Belgium, Denmark, France, Germany, Latvia, Spain, and Sweden, all of which are also members of the EU. (19) In 1953, the COE ratified the Convention for the Protection of Human Rights and Fundamental Freedoms, commonly known as the European Convention on Human Rights. (20) Drawing inspiration from the UNHR, the Convention set the broad goal of "maintenance and further realisation of human rights and fundamental freedoms," (21) and aimed to "take the first steps for the collective enforcement of certain of the rights stated in the Universal Declaration." (22) To meet this goal, the Convention bound all member states to "secure to everyone within their jurisdiction [the] rights and freedoms" contained within the Convention. (23) Furthermore, the Convention established a European Court of Human Rights and gave individuals, as well as states, standing to file claims in that venue. (24)

      Among the rights the Convention enumerated is privacy. Article 8, entitled "Right to respect for private and family life," states, "[e]veryone has the right to respect for his private and family life, his home and his correspondence." (25) Article 8 ensures privacy rights in relation to government actors and, although it contains some exceptions, (26) the European Court of Human Rights has interpreted "private life" broadly. (27) In fact, the court has said that

      [I]t would be too restrictive to limit the notion [of "private life"] to an "inner circle" in which the individual may live his own personal life as he chooses and to exclude there from entirely the outside world not encompassed within that circle. Respect for private life must also comprise to a certain degree the right to establish and develop relationships with other human beings. (28) This broad interpretation includes the right to protection against government monitoring of employees' e-mails and telephone conversations to obtain evidence of improper actions at work, (29) wiretapping phone calls without the proper checks and minimization procedures, (30) collecting and accessing stored personal data without consent, (31) and the right to have the government prevent tabloid magazines from publishing photographs of a person's private life. (32)

      Additionally, the European Court of Human Rights has held that the United Kingdom's practice of collecting DNA samples from each individual who is arrested--even if the charges were subsequently dropped or the accused were acquitted at trial--and storing the samples in a nationwide database violates an individual's right to privacy. (33) The court first ruled that the collection of the DNA samples was an interference with a person's right to privacy. (34) However, because of the government's right to enforce its laws, the court also went on to analyze whether this interference was valid. The court acknowledged the United Kingdom's authority to store samples taken from those people who had been convicted, but held that samples collected from people who were either found innocent, or whose charges had been dropped, must be destroyed. (35)

      Despite Article 8's broad scope, technological...