Misplaced Pages

#235764

50-606: The Data Protection Directive, officially Directive 95/46/EC, enacted in October 1995, was a European Union directive which regulated the processing of personal data within the European Union (EU) and the free movement of such data. The Data Protection Directive was an important component of EU privacy and human rights law . The principles set out in the Data Protection Directive were aimed at

100-439: A combination of propaganda on social media and hacking to intentionally undermine the functioning of European institutions. European Union directive A directive is a legal act of the European Union that requires member states to achieve particular goals without dictating how the member states achieve those goals. A directive's goals have to be made the goals of one or more new or changed national laws by

150-551: A combination of legislation, regulation, and self-regulation, rather than governmental regulation alone. Former US President Bill Clinton and former Vice-President Al Gore explicitly recommended in their "Framework for Global Electronic Commerce" that the private sector should lead, and companies should implement self-regulation in reaction to issues brought on by Internet technology. The reasoning behind this approach has as much to do with American laissez-faire economics as with different social perspectives. The First Amendment of

200-789: A comprehensive data protection system throughout Europe, the Organisation for Economic Co-operation and Development (OECD) issued its "Recommendations of the Council Concerning Guidelines Governing the Protection of Privacy and Trans-Border Flows of Personal Data". The seven principles governing the OECD 's recommendations for protection of personal data were: The OECD Guidelines, however, were non-binding, and data privacy laws still varied widely across Europe. The United States, meanwhile, while endorsing

250-520: A directive in theory but has failed to abide by its provisions in practice. If a Member State fails to implement a Directive timely or correctly, the Directive itself becomes binding on the Member States, meaning that parties in proceedings against the state may rely on provisions of the untimely or incorrectly transposed Directive. An example of a case in which the applicant was able to invoke

300-497: A fetus may have legal capacity as well has been left open by the Federal Court of Justice , although there are indications of a positive response. The German Civil Code grants the fetus, which does not have full legal capacity, essential rights, which are subject to the condition of subsequent live birth. The question of whether the fetus can have rights before birth and possibly from the beginning of pregnancy, in particular

350-772: A new, controversial, passenger name record (PNR) agreement between the US and the EU was undersigned. In February 2008, Jonathan Faull , the head of the EU's Commission of Home Affairs, complained about the United States bilateral policy concerning PNR. The US had signed in February 2008 a memorandum of understanding (MOU) with the Czech Republic in exchange of a visa waiver scheme, without first consulting Brussels. The tensions between Washington and Brussels are mainly caused by

400-650: Is Article 288 of the Treaty on the Functioning of the European Union (formerly Article 249 TEC ). Article 288 To exercise the Union's competences, the institutions shall adopt regulations, directives, decisions, recommendations and opinions. A regulation shall have general application. It shall be binding in its entirety and directly applicable in all Member States. A directive shall be binding, as to

450-631: Is a natural person In many cases, fundamental human rights are implicitly granted only to natural persons. For example, the Nineteenth Amendment to the United States Constitution , which states a person cannot be denied the right to vote based on their sex, or Section 15 of the Canadian Charter of Rights and Freedoms , which guarantees equality rights, apply to natural persons only. Another example of

500-718: Is meant to be very broad. Data are "personal data" when someone is able to link the information to a person, even if the person holding the data cannot make this link. Some examples of "personal data" are: address, credit card number , bank statements, criminal record, etc. The notion processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction" (art. 2 b). The responsibility for compliance rests on

550-810: Is prepared by the Commission after consultation with its own and national experts. The draft is presented to the Parliament and the Council —composed of relevant ministers of member governments, initially for evaluation and comment and then subsequently for approval or rejection. There are justifications for using a directive rather than a regulation: (i) it complies with the EU's desire for "subsidiarity" ; (ii) it acknowledges that different member States have different legal systems, legal traditions and legal processes; and (iii) each Member State has leeway to choose its own statutory wording, rather than accepting

SECTION 10

#1732764856236

600-639: The OECD 's recommendations, did nothing to implement them within the United States. However, the first six principles were incorporated into the EU Directive. In 1981, the Members States of the Council of Europe adopted the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention 108) to implement Article 8 of the ECHR. Convention 108 obliges

650-729: The United States Constitution guarantees the right to free speech. While free speech is an explicit right guaranteed by the United States Constitution, privacy is an implicit right guaranteed by the Constitution as interpreted by the United States Supreme Court , although it is often an explicit right in many state constitutions. Europe's extensive privacy regulation is justified with reference to experiences under World War II -era fascist governments and post-War Communist regimes, where there

700-662: The Video Privacy Protection Act of 1988, the Cable Television Protection and Competition Act of 1992, the Fair Credit Reporting Act , and the 1996 Health Insurance Portability and Accountability Act , HIPAA (US)). Therefore, while certain sectors may already satisfy parts of the EU Directive most do not. The United States prefers what it calls a 'sectoral' approach to data protection legislation, which relies on

750-420: The "certain rights of the data owners which are guaranteed by EU law". Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. The data must be accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to

800-457: The Brussels' official " Eurospeak " terminology. For example, while EU Directive 2009/20/EC (which simply requires all vessels visiting EU ports to have P&I cover) could have been a regulation (without requiring member states to implement the directive), the desire for subsidiarity was paramount, so a directive was the chosen vehicle. The legal basis for the enactment of directives

850-515: The ECHR provides a right to respect for one's "private and family life, his home and his correspondence", subject to certain restrictions. The European Court of Human Rights has given this article a very broad interpretation in its jurisprudence. In 1973, American scholar Willis Ware published Records, Computers, and the Rights of Citizens , a report that was to be influential on the directions these laws would take. In 1980, in an effort to create

900-504: The EU in order to process data. (art. 4) Controllers from outside the EU, processing data in the EU, will have to follow data protection regulation. In principle, any online business trading with EU residents would process some personal data and would be using equipment in the EU to process the data (i.e. the customer's computer). As a consequence, the website operator would have to comply with the European data protection rules. The directive

950-671: The European Court of Justice developed the doctrine of direct effect where unimplemented or badly implemented directives can actually have direct legal force. In the important case of Francovich v. Italy , the ECJ extended the principle of Van Gend en Loos to provide that Member States who failed to implement a directive could incur liability to pay damages to individuals and companies who had been adversely affected by such non-implementation. Natural person According to Maria Helena Diniz , an individual or natural person "is

1000-437: The appropriate legislative procedure, both institutions can seek to make laws. There are Council directives and Commission directives. Article 288 does not clearly distinguish between legislative acts and administrative acts, as is normally done in national legal systems. Directives are binding only on the member states to whom they are addressed, which can be just one member state or a group of them. In general, however, with

1050-585: The capacity to be bearers of rights and obligations; they possess legal capacity . The point in time at which this legal capacity begins and ends is disputed in German case law and jurisprudence . According to section 1 of the German Civil Code (BGB), a person acquires legal capacity on completion of their birth. However, in certain conditions, fetuses also have certain legal rights, for example, that of becoming an heir . The question of whether

SECTION 20

#1732764856236

1100-439: The data protection level in that member state, give advice to the government about administrative measures and regulations, and start legal proceedings when data protection regulation has been violated. (art. 28) Individuals may lodge complaints about violations to the supervisory authority or in a court of law. The controller must notify the supervisory authority before he starts to process data. The notification contains at least

1150-564: The directive into internal law. Directive 95/46/EC on the protection of personal data had to be transposed by the end of 1998. All member states had enacted their own data protection legislation. On 25 January 2012, the European Commission (EC) announced it would be unifying data protection law across a unified European Union via legislation called the " General Data Protection Regulation ." The EC's objectives with this legislation included: The original proposal also dictated that

1200-488: The directive to be implemented correctly. This is done in approximately 99% of the cases. If a member state fails to pass the required national legislation, or if the national legislation does not adequately comply with the requirements of the directive, the European Commission may initiate legal action against the member state in the European Court of Justice . This may also happen when a member state has transposed

1250-524: The distinction between natural and legal persons is that a natural person can hold public office, but a corporation cannot. A corporation or non-governmental organization can, however, file a lawsuit or own property as a legal person. Usually a natural person perpetrates a crime , but legal persons may also commit crimes . In the U.S., animals that are not persons under U.S. law cannot commit crimes. In Germany, legal entities ( Rechtssubjekt ) such as natural persons ( Natürliche Person ) have

1300-583: The exception of directives related to the Common Agricultural Policy , directives are addressed to all member states. When adopted, directives give member states a timetable for the implementation of the intended outcome. Occasionally, the laws of a member state may already comply with this outcome, and the state involved would be required only to keep its laws in place. More commonly, member states are required to make changes to their laws (commonly referred to as transposition ) in order for

1350-636: The export of subscribers' data by Facebook's European business to Facebook in the United States. The US and European Authorities worked on a replacement for Safe Harbour and an agreement was reached in February 2016, leading to the European Commission adopting the EU–US Privacy Shield framework on 12 July 2016. This was likewise found invalid in 2020 and replaced with the EU–US Data Privacy Framework in 2023. In July 2007,

1400-420: The following information (art. 19): This information is kept in a public register. Third countries is the term used in legislation to designate countries outside the European Union . Personal data may only be transferred to a third country if that country provides an adequate level of protection of the data. Some exceptions to this rule are provided, for instance when the controller himself can guarantee that

1450-611: The free flow of data within the EU and accordingly proposed the Data Protection Directive. The directive regulates the processing of personal data regardless of whether such processing is automated or not. Personal data are defined as "any information relating to an identified or identifiable natural person ('data subject'); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity" (art. 2 a). This definition

1500-528: The human being considered as a subject of rights and obligations". Every human being is endowed with legal personality and, therefore, is a subject of law. According to Sílvio de Salvo Venosa, "legal personality is a projection of the intimate, psychic personality of each person; it is a social projection of the psychic personality, with legal consequences". However, and in addition, the law also gives personality to other entities, formed by groups of people or assets: these are called legal person . A non-citizen

1550-587: The inclusion of "rights to be forgotten." The EC then set a compliance date of 25 May 2018, giving businesses around the world a chance to prepare for compliance, review data protection language in contracts, consider transition to international standards, update privacy policies , and review marketing plans. As of 2003, the United States has no single data protection law comparable to the EU's Data Protection Directive. United States privacy legislation tends to be adopted on an ad hoc basis, with legislation arising when certain sectors and circumstances require (e.g.,

Data Protection Directive - Misplaced Pages Continue

1600-411: The legislation would in theory "apply for all non-EU companies without any establishment in the EU, provided that the processing of data is directed at EU residents," one of the biggest changes with the new legislation. This change carried on through to the legislation's final approval on 14 April 2016, affecting entities around the world. "The Regulation applies to processing outside the EU that relates to

1650-528: The lower level of data protection in the US, especially since foreigners do not benefit from the US Privacy Act of 1974 . Other countries approached for bilateral Memoranda of Understanding included the United Kingdom, Estonia , (Germany) and Greece . EU directives are addressed to the member states, and are not legally binding for individuals in principle. The member states must transpose

1700-426: The member states before this legislation applies to individuals residing in the member states. Directives normally leave member states with a certain amount of leeway as to the exact rules to be adopted. Directives can be adopted by means of a variety of legislative procedures depending on their subject matter. The text of a draft directive (if subject to the co-decision process, as contentious matters usually are)

1750-608: The offering of goods or services to data subjects (individuals) in the EU or the monitoring of their behavior," according to W. Scott Blackmer of the InfoLawGroup, though he added "[i]t is questionable whether European supervisory authorities or consumers would actually try to sue US-based operators over violations of the Regulation." Additional changes include stricter conditions for consent, broader definition of sensitive data, new provisions on protecting children's privacy, and

1800-430: The processing of personal data for the purpose of direct marketing. (art. 14) An algorithmic-based decision which produces legal effects or significantly affects the data subject may not be based solely on automated processing of data. (art. 15) A form of appeal should be provided when automatic decision making processes are used. Each member state must set up a supervisory authority, an independent body that will monitor

1850-619: The protection of fundamental rights and freedoms in the processing of personal data. The General Data Protection Regulation , adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018. The right to privacy is a highly developed area of law in Europe. All the member states of the Council of Europe (CoE) are also signatories of the European Convention on Human Rights (ECHR). Article 8 of

1900-679: The protection of personal data, the Safe Harbour Principles were the result. According to critics the Safe Harbour Principles do not provide for an adequate level of protection, because they contain fewer obligations for the controller and allow the contractual waiver of certain rights. In October 2015 the European Court of Justice ruled that the Safe Harbour regime was invalid as a result of an action brought by an Austrian privacy campaigner in relation to

1950-754: The provisions of an untimely transposed Directive is the Verkooijen case, in which the European Court of Justice rendered a judgement on 6 June 2000 (case no. C-35/98). The United Kingdom passed a statutory instrument , the Unfair Terms in Consumer Contracts Regulations 1994 , to implement the EU Unfair Terms in Consumer Contracts Directive 1993 . For reasons that are not clear, the 1994 SI

2000-458: The purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11) Data may be processed only if at least one of the following is true (art. 7): Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b) The personal data must have protection from misuse and respect for

2050-714: The purposes for which they were collected or for which they are further processed, are erased or rectified; The data shouldn't be kept in a form which permits identification of data subjects for longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6). When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organisations) are being processed, extra restrictions apply. (art. 8). The data subject may object at any time to

Data Protection Directive - Misplaced Pages Continue

2100-416: The ranks of the world's 10 most valuable tech companies in recent years, even China is moving ahead of Europe in the performance of its digital economy, which was valued at $ 5.09 trillion in 2019 (35.8 trillion yuan). Meanwhile, Europe's preoccupation with the US is likely misplaced in the first place, as China and Russia are increasingly identified by European policymakers as "hybrid threat" aggressors, using

2150-482: The recipient will comply with the data protection rules. The Directive's Article 29 created the "Working party on the Protection of Individuals with regard to the Processing of Personal Data", commonly known as the " Article 29 Working Party ". The Working Party gives advice about the level of protection in the European Union and third countries. The Working Party negotiated with United States representatives about

2200-459: The result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods. A decision shall be binding in its entirety upon those to whom it is addressed. Recommendations and opinions shall have no binding force. The Council can delegate legislative authority to the Commission and, depending on the area and

2250-400: The shoulders of the "controller", meaning the natural or artificial person , public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data (art. 2 d). The data protection rules are applicable not only when the controller is established within the EU, but whenever the controller uses equipment situated within

2300-643: The signatories to enact legislation concerning the automatic processing of personal data, and was modernised and reinforced in 2018 to become "Convention 108+". In 1989 with German reunification, the data the East German secret police ( Stasi ) collected became well known, increasing the demand for privacy in Germany. At the time West Germany already had privacy laws since 1977 ( Bundesdatenschutzgesetz ). The European Commission realized that diverging data protection legislation amongst EU member states impeded

2350-439: The years following World War II. (Germany) and France, in particular, set forth comprehensive data protection laws. Critics of Europe's data policies, however, have said that they have impeded Europe's ability to monetize the data of users on the internet and are the primary reason why there are no Big Tech companies in Europe, with most of them instead being in the United States. Furthermore, with Alibaba and Tencent joining

2400-437: Was deemed inadequate and was repealed and replaced by the Unfair Terms in Consumer Contracts Regulations 1999 . The Consumer Rights Act 2015 , a major United Kingdom statute consolidating consumer rights, then abolished the 1999 SI; so presumably the 2015 Act complies with the 1993 EU directive, which remains extant. Even though directives were not originally thought to be binding before they were implemented by member states,

2450-483: Was widespread unchecked use of personal information. World War II and the post-War period was a time in Europe when disclosure of race or ethnicity led to secret denunciations and seizures that sent friends and neighbours to work camps and concentration camps. In the age of computers, Europeans' guardedness of secret government files has translated into a distrust of corporate databases, and governments in Europe took decided steps to protect personal information from abuses in

2500-498: Was written before the breakthrough of the Internet, and to date there is little jurisprudence on this subject. Personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality. The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address,

#235764