EPIC --- Privacy and Human Rights Report
Country Reports: European Union
The European Union (EU) unites under one roof the three pillars of European cooperation, with the European Community (EC) serving as the "First Pillar," the Common Foreign and Security Policy as the "Second Pillar," and the Cooperation in Justice and Home Affairs as the "Third Pillar." The EU and its three pillars have been established by the two major treaties between the 27 Member States.
The Council of Europe, which adopted the European Convention on Human Rights (ECHR) in 1950, is distinct from the EU and the EC. Article 8 of the ECHR declares that everyone has the right to respect for his private and family life, his home and his correspondence. Article 6 (2) of the Treaty on European Union requires the European Union to respect the fundamental rights guaranteed by the ECHR. All EU Member States have ratified the convention and are bound by its guarantees.
In response to advances in information technology, the Council of Europe issued a separate Convention on Data Protection in 1981. Parties to this convention, which include the EU Member States, are required to implement it in their national laws. An additional protocol on supervisory authorities and transborder data flows, which entered into force on July 1, 2004, now complements the convention. The EU sought accession to the convention to help create a stronger international forum on data protection, particularly vis-à-vis third countries. The convention was amended in 1999 to allow this, and once the amendment has entered into force the EU will be able to accede.
Article 286 of the EC Treaty was adopted in 1997 as part of the Treaty of Amsterdam. It provides that, from January 1, 1999, EC institutions are required to adhere to the Community acts on the protection of individuals with regard to the processing of personal data and on the free movement of such data.
Since 2000, the EU has been committed to protecting personal data pursuant to Article 8 of the Charter of Fundamental Rights of the European Union (CFREU). Under the CFREU, personal data must be processed fairly, for specified purposes, and on the basis of the consent of the person concerned or some other legitimate basis laid down by law.
On October 29, 2004, all Member States and three of the candidate Member States signed the Treaty Establishing a Constitution for Europe. For the European Constitution to enter into force on November 1, 2006, it had to be ratified in all signatory countries. In June 2007, following ratification problems in certain Member States, European leaders agreed to finalize and adopt not a Constitution but a "reform treaty" for the European Union.
All of the data protection instruments mentioned above require an independent authority to supervise compliance with data protection rules, in order to ensure the effective protection of individuals. Data protection in Europe is therefore institutionalized, in contrast to the American approach. (For more discussion of this subject, see the subsection on Oversight and Privacy and Data Protection Commissioners.)
The Data Protection Directive (95/46/EC) defines the basic principles of data protection that Member States have to transpose into national law, which is where the actual regulation of data protection and its enforcement take place. As a secondary EC measure, the directive does not have immediate effect, though its provisions can be invoked in the national courts against a Member State's data protection rules in order to set aside rules of national law that conflict with them. In 2003, the European Commission issued a report on the status of the implementation of the Data Protection Directive. The report, which identified shortcomings in harmonization, set out a work plan to narrow the divergences between national laws. It did not propose amendments to the directive itself; these were to be examined during the second evaluation scheduled for 2005.
As an EC measure aimed at harmonizing Member States' laws and integrating the Internal Market, the Data Protection Directive is limited to EC activities (the "First Pillar" of the EU). The directive applies to any automated processing of personal data and to any other handling of personal data that forms part of a filing system. Personal data is defined as any information relating to an "identified or identifiable natural person." Processing operations concerning public security, defense, state security and the activities of a Member State in areas of criminal law fall outside the scope of the directive. Data processing by a natural person in the course of purely private and household activities is exempted as well.
The directive requires the data controller to ensure compliance with the principles relating to data quality and provides a list of legitimate grounds for data processing. The data controller owes information duties to the data subject whether personal data is collected directly from the person concerned or obtained otherwise. The data controller must also implement appropriate technical and organizational measures against unlawful destruction, accidental loss, and unauthorized alteration, disclosure or access.
The individual rights of data subjects established by the directive are: the right to know who the data controller is, who the recipients of the data are and what the purpose of the processing is; the right to have inaccurate data rectified; a right of recourse in the event of unlawful processing; and the right to withhold permission to use data in certain circumstances. For example, individuals have the right to opt out, free of charge, from receiving direct marketing material. The directive contains strengthened protections for sensitive personal data relating, for example, to health, sex life, or religious or philosophical beliefs.
The regulatory framework on the processing of personal data can be enforced either through administrative proceedings before the supervisory authority or through judicial remedies. Member States' supervisory authorities are endowed with investigative powers and effective powers of intervention, such as the power to order the blocking, erasure or destruction of data or to impose a temporary or definitive ban on processing. If individual rights are infringed, the person concerned can lodge a complaint with the regulator or seek judicial remedies before the national courts. Any person who has suffered damage as a result of an unlawful processing operation is entitled to compensation from the controller liable.
The Data Protection Directive also transfers some competences directly to EC institutions. It sets up a body called the Working Party on the Protection of Individuals with regard to the Processing of Personal Data, known as the "Article 29 Working Party" (WP29). This body is made up of representatives of the Member States' data protection authorities (DPAs) and of the European Data Protection Supervisor. As an independent body, it has advisory status and can issue opinions and recommendations. The WP29 assesses Community-level codes of conduct submitted for approval by trade associations and other bodies. It also serves as a platform for exchange and coordination between EU Member States, addresses upcoming developments in data protection policy, and conducts public consultations. The resulting working documents are a common point of reference for the interpretation of the Data Protection Directive.
The Data Protection Directive provides a mechanism under which transfers of personal data outside the territory of the EU must be matched by a level of protection "adequate" in comparison with that prescribed by the directive's provisions. A finding by the European Commission that a country outside the EU offers an adequate level of protection effectively clears the transfer of personal data to that third country. The European Commission's adequacy decisions presently cover Argentina, Canada, Guernsey, the Isle of Man and Switzerland. Commercial transfers of EU-originated data to the US are provided for under the Safe Harbor Agreement and its implementing decision. (For more discussion of this subject, see the section on Transborder Data Flows and Data Havens.)
The Court of Justice of the European Communities (CJEC) sets precedents on the interpretation of EC law that the Member States' courts have to take into account when applying national law, in order to stay in line with EC law. The CJEC has ruled on the Data Protection Directive in two cases in which national courts referred questions on the interpretation of EC law. First, in an Austrian case (Rechnungshof), the CJEC held that the processing of personal data within the public sector is covered by the Data Protection Directive, and that a plaintiff can invoke before the national courts those provisions of the directive that grant individual rights if national data protection law contradicts them. Second, in a case from Sweden (Bodil Lindqvist), the CJEC decided that the main principles of the directive also apply to Web sites, but that uploading personal information to a Web page does not trigger the directive's provisions on transfers of personal data to third countries, even though the page is universally accessible.
The "Third Pillar" of the EU covers cooperation in the fields of justice and home affairs. Separate data protection arrangements exist for each principal field of activity; they are set up by the Europol Convention, the Council Decision setting up Eurojust, the Convention implementing the Schengen Agreement, and the Convention on the use of Information Technology for Customs Purposes. For Europol, a cooperative effort of EU Member States to combat serious forms of international organized crime, data protection supervision is in the hands of the Europol Joint Supervisory Body. Eurojust's objective is to improve EU-wide investigations and prosecutions, and data protection authority over it is conferred on the Eurojust Joint Supervisory Body. The Schengen Information System (SIS) is a database established in conjunction with the abolition of international border controls in much of the EU (the Schengen territory). The SIS records personal information required in cross-border cases, e.g., on missing or wanted persons. The Schengen Joint Supervisory Authority is responsible for data protection issues surrounding the SIS. The same arrangement applies to the Customs Information System (CIS). Development of a new, second-generation Schengen Information System (SIS II) is underway.
In 2004, the Council of the European Union, which represents the Member States, determined that, as of 2008, the exchange of law enforcement information should be governed by the principle of availability. This means that, throughout the EU, a law enforcement officer in one Member State who needs information in order to perform his duties can obtain it from the law enforcement agencies of another Member State. In 2005, the Commission proposed a framework for the protection of personal data processed in the context of police and judicial cooperation in criminal matters.
In May 2005, seven Member States (Austria, Belgium, France, Germany, Luxembourg, Spain and the Netherlands) signed a treaty in Prüm to enhance cross-border police and judicial cooperation, particularly in the fight against terrorism, cross-border crime and illegal migration. Under the Treaty, the Member States grant one another access rights to their automated DNA analysis files, automated fingerprint identification systems and vehicle registration data. In December 2006, Germany and Austria became the first countries in the world to match their DNA databases. The European Data Protection Supervisor, however, considers the privacy provisions of the Treaty to be incomplete.
The European Network and Information Security Agency (ENISA) is a new agency of the European Union, which formally came into being in March 2004. The agency assists the European Commission, the Member States and the private sector in meeting the requirements of network and information security, including those of present and future European Community legislation. ENISA also follows the development of standards, promotes risk assessment activities and interoperable risk management routines, and produces studies on issues that affect public and private sector organizations.
At the EC level, the European Data Protection Supervisor (EDPS) was established by Article 41(f) of Regulation (EC) No 45/2001. This regulation applies to the EC institutions and activities that derive their competences from the EC Treaty, i.e., the "First Pillar" of the EU. The obligations in the regulation are similar to those of Data Protection Directive 95/46/EC. The EDPS also has the influential task of advising the Commission and other EC institutions on proposals for new legislation that might have an impact on the protection of personal data. According to the EDPS, “the consultative task is to analyse how policies affect the privacy rights of the citizens. This assessment helps to enable proper political discussions on how new legislation can be effective with due respect and adequate safeguards for citizens' freedoms. The advice makes it possible for the legislators in Europe to adopt better legislation that is in line with European values.”
In 2006 and 2007, the EDPS addressed several of the leading privacy concerns within the European Union, such as data protection initiatives under the Third Pillar and data protection under the reform treaty. The EDPS joined in the successful challenge to the interim Passenger Name Record (PNR) agreement, which permitted the transfer of travel record information on Europeans to the United States outside the framework of the EU Data Protection Directive. The EDPS also expressed concern about the conduct of the European Central Bank in the SWIFT matter, which involved the interception of bank transfer data by the US secret services.
The Article 29 Working Party (WP29) is composed of representatives from each of the EU Member States. The WP29 was established by Article 29 of Directive 95/46/EC. It is the independent EU advisory body on data protection and privacy, whose tasks are laid down in Article 30 of Directive 95/46/EC and in Article 14 of Directive 97/66/EC. Peter Schaar has been its Chairman since 2003.
The WP29 has conducted online consultations on data protection issues related to intellectual property rights, RFID, video surveillance, binding corporate rules and, most recently, electronic health records. It has issued several opinions on issues such as the transfer of travellers’ passenger name record information to the US, the introduction of biometrics into passports and visas, the transfer of financial information to the US, and the introduction of EU-wide data retention requirements. The WP29 also issues an annual report in which it highlights data protection developments across the EU and within each EU and European Economic Area country.
In December 2001, the Data Protection Commissioners of the Czech Republic, Hungary, Lithuania, Slovakia, Estonia, Latvia and Poland signed a joint declaration agreeing to closer cooperation and mutual assistance. They have since been joined by the new EU Members Bulgaria and Romania and by the EU candidates Croatia and Macedonia. The Commissioners meet twice a year; Croatia hosted the CEEC’s 9th meeting in June 2007. Topics of that meeting included data protection in e-health, monitoring of public areas, security initiatives under the third pillar, and misuse of citizens’ personal data by government institutions.
The EC has taken specific measures to ensure the protection of privacy in the field of telecommunications: first, in 1997, with the Telecommunications Privacy Directive (1997/66/EC), which is no longer in force, and then, in 2002, with the Directive on Privacy and Electronic Communications, which had to be transposed into Member States’ law by February 2004. The 2002 directive authorizes Member States to pass laws mandating the retention of the traffic and location data of all communications taking place over mobile phones, SMS, landline telephones, faxes, e-mail, chatrooms, the Internet, or any other electronic communication device. Such requirements can be imposed for purposes ranging from national security to the prevention, investigation and prosecution of criminal offences. The directive also adds to the protections of the now-defunct Telecommunications Privacy Directive (1997/66/EC) new definitions of, and protections for, "calls," "communications," "traffic data" and "location data," in order to enhance consumers' right to privacy and control in all kinds of data processing. These new provisions ensure the protection of all information ("traffic") transmitted across the Internet, prohibit unsolicited commercial marketing by e-mail ("spam") without consent, and protect mobile phone users from precise location tracking and surveillance. The directive also gives subscribers to all electronic communications services (such as GSM and e-mail) the right to choose whether they are listed in a public directory.
In March 2006, the European Union amended the 2002 Directive on Privacy and Electronic Communications by enacting a Directive on Mandatory Retention of Communications Traffic Data. The new Directive obliges Member States to require communications providers to retain communications data for a period of between 6 months and 2 years. Member States had until September 2007 to transpose the requirements of the Directive into national law; however, a delay of 18 additional months, until March 2009, is available. Sixteen of the 25 member states of the EU have declared that they will delay the implementation of data retention for Internet traffic data for the additional period.
The WP29 issued an opinion on the Data Retention Directive in which it found that “The decision to retain communication data for the purpose of combating serious crime is an unprecedented one with a historical dimension. It encroaches into the daily life of every citizen and may endanger the fundamental values and freedoms all European citizens enjoy and cherish.” The WP29 further noted that the Directive lacks adequate and specific safeguards for the treatment of communications data and leaves room for diverging interpretation and implementation by the Member States in this respect.
Digital Rights Ireland filed a legal challenge to the EU government in July 2006. The case contests the legal basis of the Data Retention Directive, alleging that the matter relates to criminal justice and that the appropriate instrument would therefore have been a framework decision under the third pillar.
Treaty on the European Union (in the consolidated version of Nice), OJ C 325/1, available at <http://www.europa.eu.int/eur-lex/pri/en/oj/dat/2002/c_325/c_32520021224en00010184.pdf>; first pillar: The Treaty Establishing the European Community (as amended by the Treaty of Amsterdam), OJ C 325, available at <http://www.europa.eu.int/eur-lex/en/treaties/dat/C_2002325EN.003301.html>; the second and third pillars are integrated in Titles V and VI of the Treaty on the European Union, id.
Treaty on the European Union (in the consolidated version of Nice), supra.
Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (ETS No. 108), adopted by the Council of Europe in Strasbourg, January 28, 1981.
Additional Protocol to the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, regarding supervisory authorities and transborder data flows (CETS No. 181), adopted by the Committee of Ministers of the Council of Europe in Strasbourg, November 8, 2001, available at <http://conventions.coe.int/treaty/en/Treaties/Html/181.htm>.
Explanatory Memorandum on the amendments to Convention 108 allowing the accession of the European Communities, at No 4, available at <http://www.coe.int/T/E/Legal%5Faffairs/Legal%5Fco%2Doperation/Data%5Fprotection/Documents/International_legal_instruments/Explanatory%20Memorandum%20on%20the%20amendments%20to%20Convention%20108.asp#TopOfPage>.
Amendments to the Convention for the Protection of Individuals With Regard to Automatic Processing of Personal Data (ETS No. 108) allowing the European Communities to Accede, adopted by the Committee of Ministers in Strasbourg, June 15, 1999, available at <http://www.coe.int/T/E/Legal_affairs/Legal_co-operation/Data_protection/Documents/International_legal_instruments/Amendements%20to%20the%20Convention%20108.asp#TopOfPage>.
Treaty Establishing the European Community (as amended by the Treaty of Amsterdam), OJ C 325, available at <http://www.europa.eu.int/eur-lex/en/treaties/dat/C_2002325EN.003301.html>.
Charter of Fundamental Rights of the European Union of the European Parliament, December 7, 2000, OJ C 364/1, available at <http://www.europarl.eu.int/charter/pdf/text_en.pdf>.
Treaty Establishing a Constitution for Europe, OJ C 310, available at
EurActiv, “The EU's 'Reform Treaty',” August 3, 2007, <http://www.euractiv.com/en/future-eu/eu-reform-treaty/article-163412?Ref=RSS>.
Directive 1995/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281/31, available at
CJEC, judgment of May 20, 2003, joint cases C-465/00, 138/01, 139/01 ("Rechnungshof").
First Report from the Commission on the Implementation of the Data Protection Directive, COM(2003)265, available at <http://europa.eu.int/eur-lex/en/com/rpt/2003/com2003_0265en01.pdf>.
Directive 95/46/EC, Article 3 (2).
Id. at Article 3 (1).
Id. at Article 2 (a).
Id. at Article 3 (2).
Id. at Article 3 (2).
Id. at Article 6 (1).
Id. at Article 7.
This information must reveal the identity of the data controller and the purpose of the data processing, as well as further information on the recipients of the data, the available options with their corresponding legal consequences, and the right to access and rectify data if necessary. Id. at Article 10.
Id. at Article 17.
Directive 95/46/EC, supra at Article 12.
Id. at Articles 22 and 23.
Id. at Article 14.
Id. at Article 8.
Id. at Articles 22 and 28.
Directive 95/46/EC, supra at Article 28.
Id. at Article 23.
Homepage of the Article 29 Data Protection Working Party <http://europa.eu.int/comm/justice_home/fsj/privacy/workinggroup/index_en.htm>.
A comprehensive list of working documents is available at <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm>.
Commission decisions on adequacy findings are published at
CJEC, judgment of May 20, 2003, joint cases C-465/00, 138/01, 139/01 ("Rechnungshof").
CJEC, judgment of November 6, 2003, case C-101/01 ("Bodil Lindqvist").
Homepage of the Europol Joint Supervisory Body.
Compare Rules of Procedure on the Processing and Protection of Personal Data at Eurojust, OJ C 68/1, available at <http://www.eurojust.europa.eu/official_documents/eju_dp_rules.htm>.
Homepage of the Joint Supervisory Authority of Schengen <http://www.schengen-jsa.dataprotection.org/>.
Council Decision 2001/886/JHA of 6 December 2001 on the development of the second generation Schengen Information System (SIS II), OJ L 328/1.
The Hague Programme, OJ C 53, March 3, 2005, at
Available at <http://eur-lex.europa.eu/LexUriServ/site/en/com/2005/com2005_0475en01.pdf>.
“Treaty of Prüm makes Europe safer - EU police forces share data,” German Ministry of the Interior, March 15, 2007.
“European DNA-data interchanges raise privacy concern,” BJHC&IM Newsletter, February 2007 <http://www.bjhcim.co.uk/news/1/2007/n702002.htm>.
ENISA's homepage <http://www.enisa.europa.eu/index.htm>.
Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data, OJ L 8/1, available at
European Data Protection Supervisor, <http://www.edps.europa.eu/EDPSWEB/edps/pid/1>.
European Data Protection Supervisor, “PNR: EDPS first reaction to the Court of Justice judgment,” May 30, 2006.
European Data Protection Supervisor, “SWIFT: EDPS preliminary findings on the role of the ECB,” October 4, 2006, <http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/EDPS/PressNews/Press/2006/EDPS-2006-10-EN_swift.pdf>.
Article 29 Working Party, Online Consultations.
Article 29 Working Party, Documents adopted in 2006 <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2006_en.htm>; Article 29 Working Party, Documents adopted in 2007 <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/wpdocs/2007_en.htm>.
Annual Reports of the Article 29 Working Party <http://ec.europa.eu/justice_home/fsj/privacy/workinggroup/annual_reports_en.htm>.
Central and Eastern Europe Data Protection Authorities Webpage <http://www.giodo.gov.pl/234/j/en/>.
9th meeting of the Central and Eastern Europe Data Protection Authorities – Agenda, available at <http://www.ip-rs.si/fileadmin/user_upload/Pdf/konf._zadar2007.pdf>.
Directive 1997/66/EC of the European Parliament and of the Council of 15 December 1997 on the Processing of Personal Data and the Protection of Privacy in the Telecommunications Sector (Directive), available at
This directive established specific protections covering telephone, digital television, mobile networks and other telecommunications systems. It imposed wide-ranging obligations on carriers and service providers to ensure the privacy of users' communications, including Internet-related activities. It covered areas that, until then, had fallen between the cracks of data protection laws. Access to billing data was severely restricted, as was marketing activity. Caller ID technology was required to incorporate an option for per-line blocking of number transmission. Information collected in the delivery of a communication was required to be purged once the call was completed.
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), available at <http://europa.eu.int/comm/justice_home/fsj/privacy/law/index_en.htm>.
Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, available at
Opinion 3/2006 on the Directive 2006/24/EC of the European Parliament and of the Council on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC, March 25, 2006, available at <http://184.108.40.206/search?q=cache:QcCVXfA06AEJ:ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp119_en.pdf+article+29+working+party+data+retention&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a>.
Digital Rights Ireland Data Retention page <http://www.digitalrights.ie/2006/07/29/dri-challenge-to-data-retention/>.