by Rita de Sousa Costa, law student at UMinho and Tiago Sérgio Cabral, law student at UMinho
Most people do not have any idea of how much the processing of their personal data affects their daily life. In today’s world, our e-mail has the ability to distinguish between important and unimportant e-mails based on our previous communications. When we want to read the news our phones and tablets are able to predict the events and sources that we would be interested in. Facebook knows more about our friends than we do. If you want to watch a movie, Netflix has a broad selection and may give you some tips based on your previously watched list, same with Youtube. If we have a favorite supermarket chain it probably knows what we like to buy through our customer cards. Our keyboards are able to predict the very words we will type[i].
We would find a rather different scenario if we looked to the world in 1995. Twenty years ago, the Internet was still in its early stages of development and was rather different from what we know and use today[ii]. E-mail and instant messaging were unknown to the general population. Google (and search engines as we know them today) did not exist. Social networking and smartphones did, but only in science fiction movies. With this in mind, it is rather astonishing that the EU legal framework regarding the protection of personal data managed to stay, more or less, unchanged for more than twenty years. In these twenty years, the Directive 95/46/CE ensured the protection of personal data for EU citizens fulfilling the required by the Article 16 of the TFUE and the Article 8 of the EUCFR[iii]/[iv].
If there were any gaps in the system, the ECJ would fill it with its case law and bring the legal framework up to date again. However, in the last decade, the need for ECJ’s intervention started to arise too often. For instance, in Ryneš[v] the ECJ had to clarify the second indent of the Article 3(2) of the Directive 95/46/EC, regarding its scope of application, according to which “the operation of a camera system (…) installed by an individual on his family home (…), but which also monitors a public space, does not amount to the processing of data in the course of a purely personal or household activity, for the purposes of that provision”. In Digital Rights Ireland[vi], the ECJ ruled that the Directive 2006/24/EC on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks is invalid. Seven years ago, in Rijkeboer[vii], the ECJ underlined the importance of the right of access to the data[viii] enshrined in the Article 12 of Directive 95/46/CE as a consequence of the right to privacy. The ECJ stressed that the content of the data disclosed should include the past, as well as the present data. Therefore, a national rule “limiting the storage of information on the recipients or categories of recipient of personal data and on the content of the data disclosed to a period of one year and correspondingly limiting access to that information, while basic data is stored for a much longer period, do not constitute a fair balance of the interest and obligation at issue”. Article 15 of the newest Regulation (EU) 2016/679 is an expanded and more accurate version of the Article 12 of the previous Directive. In Schrems[ix], the Court ruled that the Decision 2000/520 is invalid, since the safe harbour privacy principles did not provide an adequate protection for personal data. This decision was highly influential on the final version of the new legislative package.
However, there is a limit to how much we can reinvent a piece of legislation before we need to write a new one. Thus, in 2012 the Commission finally decided that it was time to give the Directive 95/46/CE its golden watch and proposed a new legislative package which included a regulation concerning the “protection of individuals with regard to the processing of personal data and on the free movement of such data” and a directive concerning the “protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data”. After years of debate, on 4 May 2016 the new legislation was finally published in the Official Journal of the EU. The path was not without its challenges, in the European Parliament the package (mainly the Directive) faced some opposition. Fortunately, due to the enormous effort of some MEPs the Parliament overcame its initial skepticism. Principal among those MEPs was Jan Philipp Albrecht, chief negotiator for the European Parliament on the General Data Protection Regulation, whose contributions made him one of the 40 most influential MEPs according to Politico[x].
The debate concerning the legislative package, lengthy as it was, made positive contributions to its redaction[xi]. Small changes like merging and lightly rearranging the definitions of “personal data” and “data subject” made it clearer. The definition of genetic data is scientifically much better. The administrative fines for failing to comply with the Regulation are now much higher than originally proposed, making the legislation more effective. Informed consent became even more significant in the package[xii]. The right to non-indexation[xiii] became a true right to be forgotten going further than Google Spain SL[xiv]. The law is also more demanding in regard to the security measures needed to protect the personal data.
Still there are some imprecisions. For example, the definition of biometric data is not scientifically adequate in a world where monozygotic twins exist[xv]. Provisions related to encryption may also not protect the data subject appropriately in a world where encryption may be breached at any moment by a sudden technological leap[xvi].
In the end, the package is mostly well written and a positive evolution in EU legal framework of personal data protection. Its imprecisions will probably be resolved by the ECJ case law with relative ease. However, we certainly cannot hope for it to have a twenty-year lifespan. Every day the technological progress gets faster, and so the EU lawmaker must be alert and ready to intervene when eventually the need for new legislation on this matter arises.
[i] Regarding the growing threats to privacy in modern times, see Alexandra Rengel, Privacy in the 21st Century (Studies in Intercultural Human Rights), Vol. 5, Leiden, Martinus Nijhoff Publishers, 2013, pp. 41 ff.
[ii] See Rita de Sousa Costa, «Algumas Nótulas sobre o Acolhimento da e-Procedimentalização no Novo Código do Procedimento Administrativo», in Isabel Celeste M. Fonseca (Coord.), O Novo Código Código do Procedimento Administrativo. Para o Professor Doutor António Cândido de Oliveira, uma Oferta Singela dos Jovens Investigadores de Direito Público da Escola de Direito da Universidade do Minho, Braga, Núcleo de Estudos de Direito Ius Pubblicum, 2015, pp. 382-385.
[iii] See Catarina Sarmento e Castro «Artigo 8.º – Protecção de Dados», in Alessandra Silveira / Mariana Canotilho (Ed.), Carta dos Direitos Fundamentais da União Europeia Comentada, Coimbra, Almedina, 2013, pp. 120 ff.
[iv] Regarding the differences between the European and the North-American legal framework on personal data protection see Russell L. Weaver / David F. Partlett / Mark D. Cole, «Protecting Privacy in a Digital Age», in Dieter Dörr / Russell L. Weaver (Ed.), The Right to Privacy in the Light of Media Convergence. Perspectives from Three Continents, Berlin, de Gruyter, 2012, pp. 1-30.
[v] C‑212/13, 11 December 2014, ECLI:EU:C:2014:2428.
[vi] C‑293/12 and C‑594/12, 8 April 2014, ECLI:EU:C:2014:238.
[vii] C‑553/07, 7 May 2009, ECLI:EU:C:2009:293.
[viii] See Herke Kranenborg, «Article 8: Protection of Personal Data», in Steve Peers/Tamara Hervey (Ed.), The EU Charter of Fundamental Rights: A Commentary, Oxford, Hart Publishing, 2014, pp. 254 ff.
[ix] C‑362/14, 6 October 2015, ECLI:EU:C:2015:650.
[x] See http://www.politico.eu/article/the-40-meps-who-actually-matter-european-parliament-mep/.
[xii] Regarding the problem of consent in the old Directive, see Eleni Kosta, Consent in European Data Protection Law (Nijhoff Studies in EU law), Vol. 3, Leiden, Martinus Nijhoff Publishers, 2013, pp. 88 ff.
[xiii] See http://www.rtp.pt/noticias/pais/o-direito-ao-esquecimento_a919217.
[xiv] C-131/12, 13 May 2014, ECLI:EU:C:2014:317.
[xv] Even if there has been some scientific progress in the identification/distinction of monozygotic twins using DNA the most recent techniques still need further testing and reviewing. See Leander Stewart / Neil Evans / Kimberley J. Bexon / Dieudonne J. van der Meer / Graham A. Williams, «Differentiating between monozygotic twins through DNA methylation-specific high-resolution melt curve analysis», in Analytical Biochemistry, May of 2005, pp. 36 ff.
[xvi] See Tiago Sérgio Cabral, «Administração Electrónica: Confidencialidade e Segurança», in Isabel Celeste M. Fonseca (Coord.), O Novo Código Código do Procedimento Administrativo. Para o Professor Doutor António Cândido de Oliveira, uma Oferta Singela dos Jovens Investigadores de Direito Público da Escola de Direito da Universidade do Minho, Braga, Núcleo de Estudos de Direito Ius Pubblicum, 2015, pp. 478-480; Alex Biryukov / Dmitry Khovratovich, «Related-key Cryptanalysis of the Full AES-192 and AES-256», in Mitsuru Matsui (ed.), Advances in Cryptology – ASIACRYPT 2009: 15th International Conference on the Theory and Application of Cryptology and Information Security Tokyo, Japan, December 6-10, 2009 Proceedings, Berlin, Springer, 2009, pp. 1-19.