Without doubt Europe is driving the emergence of Data Protection laws across the globe. This tends to be framed as a result of the introduction of GDPR. However as we have noted previously because of the two supranational legal orders in Europe, today there are two subtlety different laws governing data protection as well as data privacy in Europe. One originating from the European Union (EU) and the other from the Council of Europe (CoE)
Data Protection and Privacy law
Data Privacy V Data Protection
It is worth pausing for a moment and considering the difference between Data Protection and Privacy. While experts sometimes disagree over the exact definition of these two connected rights, they are commonly recognised all over the world as separate.
Data Privacy is about a right, to be autonomous and to be in control of information about yourself. Data protection is about a responsibility to protect information relating to an identified or identifiable natural (living) person.
Globally there is a right to privacy enshrined in the Universal Declaration of Human Rights (Article 12) but there is no matching right to Data Protection. In Europe we have rights to both Data Privacy & Data Protection, from both the CoE and EU. Rights which come from different structures and evolved in two different ways.
CoE Privacy and Protection
The CoE started with a right to Data Privacy, with the adoption of the ECHR in 1950. The ECHR established in Article 12 a right to Data Privacy, a real milestone as the first articulation of a Data Privacy right in European law.
In 1981, with the rise of automatic processing of data a new convention which tackled Data Protection (Convention 108) was drafted. Convention 108 was the first legally binding international instrument in the Data Protection field. At the end of 2018 a modernised version was finalised and is being adopted. The update reaffirms and stabilises important principles and provides new rights to individuals, while simultaneously increasing the responsibilities of entities that process personal data and ensuring greater accountability.
The new rights in Convention 108 would be familiar to students of the EU’s GDPR. For example, individuals whose personal data are being processed have the right to obtain knowledge of the reasoning of such data processing and the right to object to that processing.
Convention 108 has been adopted by a total of fifty four countries. Not just the members of the CoE but also Argentina, BurkinaFaso, CaboVerde, Mauritius, Mexico, Morocco, Senegal, Tunisiaand Uruguayfrom outside of the CoE
EU Data Protection and Privacy law
The original treaties of the European Communities did not contain any reference to human rights or data protection or privacy. This makes sense given that the European Economic Community was initially envisaged as a regional organisation focused on economic integration and the establishment of a common market.
The first change was the 1998 Data Protection Directive (Directive 95/46/EC), introduced as part of the then European Community single market reforms. The concept was to make sure that trade in data was possible across the Union.
The big change came when the EU in 2000 proclaimed the Charter of Fundamental Rights of the European Union. Originally this was just a political document, that evolved as the Charter became legally binding as EU primary law. This happened when (see Article 6 (1) of the TEU) when the Lisbon Treaty came into force on 1 December 2009.
The adoption of the Lisbon Treaty marks a turning point in the development of data protection law, not only for elevating the Charter to the status of a binding legal document at the level of primary law, but also for providing for the right to personal data protection.
This right is specifically provided for in Article 16 of the TFEU, under the part of the treaty dedicated to the general principles of the EU. Article 16 also creates a new legal basis, granting the EU the competence to legislate on data protection matters. Instead of legislating to protect commerce, Article 16 now provides an independent legal basis for a, comprehensive approach to data protection.
Both the new powers under Article 16 and working with the Directive for over 20 years, gave the impetus to develop the GDPR. The change which has been described as giving the rules teeth.
We have produced this post as well as its predecessor, to help clarify confusion about European law. It should clear that EU citizens have rights to Data Protection and Data Privacy, both under EU and CoE law. How the rights arose and are implemented give rise to subtle differences. But these are right which we can all exercise.
If you have any questions about this or any data protection issues please contact us.