by João Marques, Lawyer and member of the Portuguese Data Protection National Commission
The right to be remembered – Directive 95/46/CE begins its twilight and makes way for the new General Data Protection Regulation (GDPR)
It was on May the 4th that the EU paradigm regarding personal data protection started to write its chapter in the common book of legal unification. As the Regulation (EU) 2016/679 [together with Directive (EU) 2016/680] finally got published in the Official Journal of the EU, a new era is jumpstarted. The first “victim” of the new paradigm is the old Directive 95/46/CE, which for the past 20 years has served European citizens honourably.
Although it faced a challenging task, Directive 95/46/EC was generally capable of protecting EU citizens against the predatory instincts of our world regarding their personal data. A suitable testament in this regard is the fact that the principles enshrined in Chapter 2 of the Directive have been, for the most part, kept almost unchanged. Lawful processing, purpose specification and limitation, data quality, fair processing and accountability remain as the bedrock of data protection under the new legal framework.
As ever, the CJEU case-law has been of paramount importance in the consolidation of a European perspective in which the citizen’s fundamental rights are at the forefront of the Union’s responsibilities, with the recent case C-362/14 (Schrems v. Data Protection Commissioner and Digital Rights Ireland Ltd) being yet another example of the approach for which the court is well known.
Together with Convention 108 of the Council of Europe, the Charter of Fundamental Rights of the European Union (articles 7 and 8), the Treaty on the Functioning of the European Union (article 16) and the Treaty on the European Union (article 39), Directive 95/46/CE has helped define what is generally and uncontroversially considered to be the most protective legal environment for personal data around the world, a powerful example of EU leadership in the global scenario.
Nevertheless, Directive 95/46/CE has had its shortcomings, faults that become increasingly evident in an ever-changing world where personal data is becoming a sought-after currency, demanding clear notions and indisputable solutions to modern-day quarrels. It wasn’t built (and couldn’t be built) to sustain the notion that we live in the freest of prisons ever known to man. In fact, digital freedom and digital incarceration walk hand-in-hand through intertwined paths of legal uncertainty. An uncertainty that demands the assurance of a European regulation.
The new regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data lays down a comprehensive set of rules for the future to come. Novelties such as the mandatory data protection officer (article 34) for the private and public sector alike, a revamped “right to erasure/right to be forgotten” (article 17) and a new framework for administrative fines (that go up to as high as €20,000,000 or 4% of the total worldwide annual turnover of the undertaking), have been signalled as some of the more interesting and, perhaps, (r)evolutionary of the lot.
While these could prove to be the more media-friendly news “hidden” in the GDPR, there are others that are just as important (if not more so). The one-stop shop mechanism, rebaptized as the “consistency mechanism” (article 63 onwards), is one of the major challenges this new regulation poses. Since January 2012, when the Commission first released the new regulation draft proposal, the one-stop shop mechanism has been a cause for concern among Data Protection Agencies (Supervisory Authorities according to the GDPR) in the EU. Although Directive 95/46/CE already provided for a common platform on which to share ideas and to guarantee the coherent application of the Directive throughout the entire Union, the Article 29 Working Party, the different national legislations and interpretations, spawned from national courts and data protection agencies, led to serious and inconclusive debates over both the rules themselves and the concrete actions demanded in any given case.
This is a truly decisive issue, as much of the success of this consistency mechanism will depend on how well the different authorities work together and how closely they can align their national procedures with one another. Furthermore, the new European Data Protection Board (substituting Article 29 Working Party), “established as a body of the Union and [with] legal personality” (article 68 of the GDPR), with its oversight powers over the consistency mechanism (that include the final say whenever Supervisory Authorities do not reach an agreement) will play a determining role in getting the balance between national procedures, fundamental rights and legitimate expectations completely right. This debate will surely surpass the two-year vacatio legis provided, given that a proper test will only be possible when the regulation fully applies (25 May 2018) and complications, at least in its early stages of implementation, are nothing short of guaranteed.
There are certainly improvements to be found in the new regulation, namely the need for an affirmative consent by the data subject, the broadened investigative powers of Supervisory Authorities, the new data breach obligations, the already mentioned revamp of the right to erasure, the increased responsibilities of data processors and the inscription of cornerstone concepts into the GDPR, such as privacy by design or privacy by default, but there are still many challenges ahead. The fact that there is still a significant margin for member states to legislate on some of the matters included in the GDPR (fines, special categories of personal data, the need for mandatory DPOs) and that there’s still a lot to come from the Commission, via delegated and implementing acts, only adds to those difficulties.
Admittedly the GDPR has come a long way since the Commission first presented its draft. It’s clear that there was an undeniable bias towards bigger (digital) market integration and predictability to the private sector, but only time, Supervisory Authorities, national courts and the CJEU will tell if the right to data protection remains, as it should, at the centre of the EU’s fundamental rights catalogue.
Picture credits: big-data_conew1, by luckey_sun.