Overview
1. Privacy in Europe – A Sensitive Subject
Since the judgment of the Court of Justice of the European Union (CJEU) on October 6, 2015 in Maximillian Schrems vs Data Protection Commissioner, the EU and US have stepped up their efforts to ensure continued transatlantic transfers of personal data. The debate has been heated and is still not settled.
This briefing summarizes the current EU legal position, reports on the latest results of the EU-US dialogue and comments on how companies can comply in the future.
2. The Genesis of the Right to Privacy
First, however, why are Europeans so exercised about protection of personal data and privacy? A good place to start is the European Convention on Human Rights, which was adopted in 1950 – just as the Cold War became apparent and only five years after the end of the Second World War – and as a direct consequence of the adoption of the UN Universal Declaration of Human Rights. Article 8 of the 1950 version of the Convention states,
“(1) Everyone has the right to respect for his private and family life, his home and his correspondence.
(2) There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”
Article 8 has been the basis for the right to protection of personal data, in particular the 1980 “Convention of the Council of Europe for the Protection of Individuals with regard to Automatic Processing of Personal Data.” In the same year, the Organization of Economic Cooperation and Development (OECD) codified its “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.” In the EU, these texts culminated in the 1995 Data Protection Directive. More recently, the “Charter of Fundamental Rights of the European Union” reaffirms rights to privacy and protection of personal data. Article 7 enshrines “the right to respect for his or her private and family life, home and communications,” while Article 8 provides,
“1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.”
Societies that share comparable rights and values develop comparable responses: for the US see, for example, “Fair Information Practice Principles” discussed in the US Department of Health, Education and Welfare’s 1973 report and enshrined in the Privacy Act of 1974.