European integration and data protection

Table of Contents

List of Abbreviations

Bibliography

A. Introduction

B. The current EU regime on data protection
I. The rationale behind the Data Protection Directive
II. Realization in the EU
1. General observations
2. Key provisions of the Data Protection Directive
3. Cross-border data flows
III. Development after the adoption of the Data Protection Directive

C. The successfulness of the current regime
I. Impact on legislation
II. Real convergence after implementation?
III. Suitability for today’s technological challenges
IV. Fostering global data protection

D. Future developments

E. Conclusion

List of Abbreviations

illustration not visible in this excerpt

Bibliography

Article 29 Data Protection Working Party: The Future of Privacy. WP 168 (2009).

Barnes, Morey Elizabeth: Falling Short of the Mark: The United States Response to the European Union's Data Privacy Directive. Northwestern Journal of International Law & Business 27.1 (2006): 171.

Baumer, David L., Julia B. Earp, and J. C. Poindexter: Internet Privacy Law: A Comparison between the United States and the European Union. Computers & Security 23.5 (2004): 400.

Bergkamp, Lucas: EU Data Protection Policy: The Privacy Fallacy: Adverse Effects of Europe’s Data Protection Policy in an Information-Driven Economy. Computer Law & Security Review 18.1 (2002): 31.

Birnhack, Michael D.: The EU Data Protection Directive: An Engine of a Global Regime. Computer Law and Security Review: The International Journal of Technology and Practice 24.6 (2008): 508.

Bloss, Kevin: Raising Or Razing the e-Curtain?: The EU Directive on the Protection of Personal Data. Minnesota Journal of Global Trade 9 (2000): 645.

Bygrave, Lee A.: European Data Protection: Determining Applicable Law Pursuant to European Data Protection legislation. Computer Law & Security Review 16.4 (2000): 252.

Cheng, Fa-Chang, and Wen-Hsing Lai: The Impact of Cloud Computing Technology on Legal Infrastructure within Internet. Focusing on the Protection of Information Privacy. Procedia Engineering 29.0 (2012): 241.

Costa, Luiz, and Yves Poullet: Privacy and the Regulation of 2012. Computer Law & Security Review 28.3 (2012): 254.

Cunningham, McKay: Privacy in the Age of the Hacker: Balancing Global Privacy and Data Security Law. The George Washington International Law Review 44.4 (2012): 643.

De Hert, Paul, and Vagelis Papakonstantinou: The Proposed Data Protection Regulation Replacing Directive 95/46/EC: A Sound System for the Protection of Individuals. Computer Law & Security Review 28.2 (2012): 130.

DG Justice: Comparative study on different approaches to new privacy challenges. Available at: http://ec.europa.eu/justice/data-protection/document/studies/index_en.htm [18 March 2015].

Fromholz, Julia M.: The European Union Data Privacy Directive. Berkeley Technology Law Journal 15.1 (2000): 461.

Hallinan, Dara, Michael Friedewald, and Paul McCarthy: Citizens' Perceptions of Data Protection and Privacy in Europe. Computer Law & Security Review 28.3 (2012): 263.

Hijmans, Hielke, and Alfonso Scirocco: Shortcomings in EU Data Protection in the Third and the Second Pillars. can the Lisbon Treaty be Expected to Help? Common Market Law Review 46.5 (2009): 1485.

Hustinx, Peter: EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation. Available at: https://secure.edps.europa.eu/EDPSWEB/edps/lang/de/EDPS/Publications/SpeechArticle/SA2014 [18 March 2015].

Jones, Richard, and Dalal Tahri: An Overview of EU Data Protection Rules on use of Data Collected Online. Computer Law & Security Review 27.6 (2011): 630.

King, Nancy J., and V. T. Raja: Protecting the Privacy and Security of Sensitive Customer Data in the Cloud. Computer Law & Security Review 28.3 (2012): 308.

Kuner,Christopher: The Challenge of 'Big Data' for Data Protection. International Data Privacy Law 2.2 (2012): 47.

Kuner,Christopher: Data Protection Law and International Jurisdiction on the Internet(Part 1). International Journal of Law and Information Technology 18.2 (2010): 176.

Kuner,Christopher: Data Protection Law and International Jurisdiction on the Internet (Part 2). International Journal of Law and Information Technology 18.3 (2010): 227.

Kuner,Christopher: An International Legal Framework for Data Protection: Issues and Prospects. Computer Law & Security Review 25.4 (2009): 307.

Miniwatts Marketing Group: Internet Usage in the European Union. Available at: http://www.internetworldstats.com/stats9.htm [18 March 2015].

Pearce, Graham: Achieving Personal Data Protection in the European Union. Journal of Common Market Studies 36.4 (1998): 529.

Poullet, Yves: EU Data Protection Policy. the Directive 95/46/EC: Ten Years After. Computer Law and Security Review: The International Journal of Technology and Practice 22.3 (2006): 206.

Regan, Priscilla M.: Safe Harbors Or Free Frontiers? Privacy and Transborder Data Flows. Journal of Social Issues 59.2 (2003): 263.

Rotenberg, M., and D. Jacobs: Updating the Law of Information Privacy: The New Framework of the European Union. Harvard Journal of Law and Public Policy 36.2 (2013): 605.

Simitis, Spiros: From the Market to the Polis: The EU Directive on the Protection of Personal Data. Iowa Law Review 80.3 (1995): 445.

Steinke, Gerhard: Data Privacy Approaches from US and EU Perspectives. Telematics and Informatics 19.2 (2002): 193.

Strauss, Jared, and Kenneth S. Rogerson: Policies for Online Privacy in the United States and the European Union.Telematics and Informatics 19.2 (2002): 173.

Svantesson, Dan Jerker B., et al.: The Extraterritoriality of EU Data Privacy Law - Its Theoretical Justification and its Practical Effect on U.S. Businesses. Stanford journal of international law 50.1 (2014): 53.

Tan, Domingo R.: Personal Privacy in the Information Age: Comparison of Internet Data Protection Regulations in the United States and the European Union. Loyola of Los Angeles International & Comparative Law Review 21 (1999): 661.

The Gallup Organization: Flash Eurobarometer No. 225. Available at: http://ec.europa.eu/public_opinion/archives/flash_arch_239_225_en.htm#225 [18 March 2015].

Voss, W. Gregory.: One Year and Loads of Data Later, Where are we? An Update on the Proposed European Union General Data Protection Regulation. Journal of Internet Law 16.10 (2013): 1.

Whitley, Edgar A.: Informational Privacy, Consent and the “control” of Personal Data. Information Security Technical Report 14.3 (2009): 154.

Wong, Rebecca: Data Protection: The Future of Privacy. Computer Law and Security Review: The International Journal of Technology and Practice 27.1 (2011): 53.

Wuermeling, Ulrich U.: Harmonisation of European Union Privacy Law. The John Marshall Journal of Computer & Information Law 14.3 (1996): 411.

A. Introduction

Communication in today’s society has largely been influenced by the technical developments of the last decades. Most processes in our daily life are, at least partly, influenced or governed by the Internet or mobile telephony. This central role of electronic communication provides a multitude of advantages, but also entails dangers which often cannot be overseen or which are not even known to the majority of the public. Besides the potential misuse of personal data by undertakings there is also the increasing risk of an unjustified analysis of said data by law enforcement agencies and intelligence services.

It is well established that over the past years both the European and the national legislators are facing the challenge to balance both the public interest of security and the undertakings’ interest to capitalize private data against the protection of privacy and personal data. Evidence suggests that there has been a change in the perception of the significance of privacy in the population leading to more and more citizens being concerned with the protection of their personal data. According to a Eurobarometer conducted in 2008 around 64 percent of European citizens are worried about the way in which companies and organizations dealt with their personal data.^[1] Therefore, it is appealing to analyze if a balance has been realized with respect to data protection in the EU.

Regarding the processing and storing of personal data three key directives constitute the European regime on data privacy, namely the Data Protection Directive^[2], the ePrivacy Directive^[3] and the Cookies Directive^[4]. The paper at hand focuses on this current EU framework on data protection, mainly on the Data Protection Directive, and whether it can be considered as being successful. In order to comply with the course methodology the paper will first set out the rationale for the respective regime and how it has been realized in the EU. Then, the focus will rest on the successfulness of the current regime based on various criteria set out below. To give credit to future developments the European Commission’s ambition to reform the current EU data protection regime will be referred to.

B. The current EU regime on data protection

I. The rationale behind the Data Protection Directive

To understand the rationale behind the EU data protection regime one has to grasp the development of data protection as an emerging legal domain in the 20th century. Privacy has already been recognized as a fundamental right by the international community shortly after World War II, e.g. in Art. 12 UDHR as well as in Art. 8 ECHR allowing individuals to rely on this right against public authorities. The European approach to a right to privacy has been influenced and shaped especially by its broad interpretation of the ECtHR in the past.^[5] Nevertheless, the upcoming technological advancements in the 1970s challenged the existing privacy legislation and jurisprudence in Europe. It became evident that the new ways of processing and collecting data might have a negative impact on privacy protection and could not be addressed adequately anymore within the given regimes. Hence, several States, namely the Land Hessen in Germany and Sweden, decided to adopt domestic data protection laws. These national developments spilled over on the international sphere and resulted in the 1980 OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data^[6] and the 1981 CoE Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data^[7] having the primary aims of facilitating transborder data flows while simultaneously ensuring the protection of private data. Significant achievements of the various national and international instruments were a similar definition of personal data as information relating to an identified or an identifiable individual and the general obligation to obtain and process data fairly and lawfully including various important principles like the data quality principle, the limited use principle and the right to access for data subjects.^[8]

Until the 1990s the European Commission has been reluctant to contemplating a possible European data protection regime, because it was feared that this might impair the development of the IT sector being considered as one of the most promising markets in the EU. Nevertheless, as a result of the Treaty of Maastricht in 1992 the European Commission’s tasks were adjusted to not only focus on economic issues but also take fundamental rights, political and social matters into account. Therefore, the European Commission had to change its attitude towards the processing of personal. Due to the wide margins given to the Member States by the various international instruments and initiatives a patchwork of data protection laws existed in the EU and the European Commission decided to harmonize the different domestic regulations and to replace them with comprehensive European regime, in particular the adoption of the Data Protection Directive in 1995.^[9]

Considering the title and the Recitals 1-3 of the Data Protection Directive the intended aims are twofold: the protection of personal data when being processed automatically and safeguarding the free movement of said data in order to ensure the fundamental freedoms and the economic and social progress in the EU. Instead of giving preference to one of the seemingly conflicting aims the European Commission opted for an integrated approach linking the desired high level of protection of personal data with the fostering of the internal market by ensuring the flow of personal data. Recitals 4-6 acknowledge the growing importance of processing and exchanging personal data not only for social, technological and scientific activities but more importantly for economic cooperation. This understanding entails actions of both private and public actors in all Member States. Recitals 7-9 address the risks of having varying data protection regimes in the EU. Different levels of protection for the rights and freedoms of individuals might lead to hindrances on the internal market if Member States prohibit the transmission of personal data to other Member States.

To conclude, for the European legislator the approximation and coordination of data protection was necessary to guarantee the functionality and the fostering of the internal market as well as equal protection of personal data in the EU.

II. Realization in the EU

1. General observations

Due to the fact that the desired rules aimed at harmonizing the internal market the European Commission based its proposal on today’s Art. 114 TFEU as legal basis. After cumbersome negotiations on the European level^[10] and the final adoption in 1995 the provisions of the Data Protection Directive had to be transposed into domestic law by October 1998. Art. 1 of the Data Protection Directive sums up the reasoning of the European legislator. Firstly, the Member States have to ensure that the fundamental rights and freedoms, specifically data protection and the right to privacy, are adequately protected. Secondly, they shall safeguard the free flow of personal data between Member States to support the positive impact automated processing of personal data can have on economic and social activities in the EU.^[11]

The scope of the Data Protection Directive is astonishingly broad. Following Art. 3(1) its provisions apply to all processing of personal data wholly or partly by automatic means as well as to all processing by other means being part of or intending to be part of a filing system. Art. 3(2) sets out two exceptions to this rule. Firstly, the Data Protection Directive shall not apply to activities falling outside of the scope of EU law, in particular if the Treaties provide for it or if it is an activity related to public security, defense, State security and in the field of criminal law. Secondly, all purely personal or household activities by natural persons are exempted from the Data Protection Directive. The CJEU confirmed the wide scope of the Directive by stating that its provisions also apply to the processing of non-sensitive data, when there is no actual harm and even when there is no effective connection to the internal market to ensure the adequate protection of personal data in any event.^[12] Moreover, the CJEU limited the exceptions in Art. 3(2) to the activities which are expressly enumerated or which fall into the same category.^[13]

Furthermore, the definitions in Art. 2 allow for an extensive application of the Data Protection Directive. Pursuant to Art. 2(a) personal data is defined as: ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.’ Therefore, personal data is not limited to certain information, but includes everything that objectively could lead to the identification of a person. Combining this approach with the notion of processing in Art. 2(b) encompassing any operation performed upon personal data and the definitions of controller in Art. 2(d) and processor in Art. 2(e) including anyone that actively processes personal data clearly demonstrates the wide-ranging impact of the Data Protection Directive.^[14]

2. Key provisions of the Data Protection Directive

As a result of choosing a directive to implement minimum requirements on data protection the Member States have transposed the provisions in the Data Protection Directive differently. Nevertheless, there are certain key elements constituting the baseline for the respective domestic legislation which will be addressed briefly in the subsequent paragraphs. For an in-depth analysis of the respective provisions, please consult the extensive literature available on that topic.^[15]

First and foremost, the Data Protection Directive outlaws in Art. 8(1) the processing of sensitive data, e.g. racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, health, or sexual activity. Arts. 8(2)-(5) offer limited derogations from this general prohibition. Art. 6 Data Protection Directive provides that the Member States have to guarantee that controllers process personal data fairly and lawfully and do not retain it for longer than necessary. Moreover, personal data shall only be collected and processed for legitimate and specified purposes and it must be accurate, up to date, adequate, relevant and not excessive in relation to the respective purposes. To allow the legitimate processing of personal data the consent of the data subject has to be attained pursuant to Art. 7(a), unless one of the exceptions in Art. 7(b)-(f) and Art. 9 applies. Following Arts. 10 and 11 Data Protection Directive controllers have to notify the data subject with respect to the collection and use of the personal data as well as to provide information on the controller’s identity and other potentially necessary data. Besides these obligations, controllers also have to guarantee confidentiality (Art. 16 Data Protection Directive), data security (Art. 17 Data Protection Directive) and have to notify the national supervisory authority with respect to certain processing operations (Art. 18 Data Protection Directive). Data subjects have a right to access including the rectification of false data (Art. 12 Data Protection Directive) as well as a right not to be subject to an automated decision (Art. 15 Data Protection Directive) and can object certain processing operations (Art. 14 Data Protection Directive).

Art. 28(1) Data Protection Directives requires the Member States to create or appoint an independent public authority for monitoring the application within its territory of the provisions transposing the Directive. Pursuant to Art. 28(3) Data Protection Directive these authorities must be endowed with investigative powers, effective powers of intervention, and the power to engage in legal proceedings where provisions of the Directive have been violated.

Lastly, in line with Arts. 29-30 Data Protection Directive the Article 29 Working Party has been established having independent advisory status in the EU. It consists of the Data Protection Commissioners of each Member States plus representatives from the European Commission and has as its main functions the proper implementation of the Data Protection Directive by clarifying issues regarding the application of the Data Protection Directive, by advising the European Commission and the national supervisory authorities and by giving recommendations on all matters relating to the protection of personal data in the EU.

3. Cross-border data flows

The Data Protection Directive not only binds all Member States of the EU and Iceland, Lichtenstein and Norway as Members of the EEA, but also has an extraterritorial effect. Art. 4(1) sets out that the national legislations transposing the Directive’s provisions shall be applied to the processing of personal data carried out in the context of the activities of an establishment of the controller on the territory of a Member State. This also entails controllers not being established in a Member State but using equipment in the territory of a Member State or when the Member State’s law applies based on international public law. Hence, the Data Protection Directive has an effect beyond the territorial scope of the EU and the EEA.

Furthermore, this extraterritorial effect is reinforced through the system created by Arts. 25 and 26 Data Protection Directive dealing with the transfer of personal data to third countries. It is based on the premise in Art. 25(1) that Member States can only permit such a transfer if the respective third country ensures an adequate level of protection. Art. 25(2) determines that the adequacy assessment shall be consider all circumstances surrounding the datatransfer, e.g. the nature of the data, the purpose and duration of the proposed processing, the rules of law in the respective third country. The European Commission conducted a non-exhaustive list of minimum requirements and core principles of data protection and of national enforcement respectively procedural law that have to be fulfilled by a third country to be eligible for an adequacy declaration. In addition, specific schemes were found adequate, namely the ‘‘safe harbor’’ agreement with the USA. By using this approach the European Commission wants to guarantee that personal data of EU data subjects are protected adequately regardless of the location of the controller or processor. Following Art. 25(4) Data Protection Directive Member States have to prevent any transfer of personal data if the European Commission finds that a country does not fulfill the required conditions. In practice, this has never happened and the Directive offers additional venues allowing the lawful processing of personal data in third countries.^[16]

Art. 26(1) Data Protection Directive allows certain derogation from the general prohibition to transfer personal data to third countries having an inadequate level of protection, e.g. if the data subject gave consent or if the transfer is necessary for the conclusion or the performance of a contract concluded in the interest of the data subject. Additionally, Art. 26(2) Data Protection Directive offers multinational corporations the possibility to transfer personal data to third countries having an inadequate level of protection by using Binding Corporate Rules. These rules are subject to prior approval by a Member State and limited in scope, but are considered as being easier and cheaper than the alternatives despite the rather cumbersome process of approval. Another rarely used venue is the Model Contract authored by the European Commission on the basis of Art. 26(4) Data Protection Directive. It includes data protection principles and measures facilitating compliance with the European data protection regime including a thorough list of commitments for the third country data importer.^[17]

In September 2011 only nine countries have been declared as providing adequate data protection standards by the European Commission, namely Andorra, Argentina, Canada, Faroe Islands, Guernsey, the Isle of Man, Israel, Jersey, and Switzerland. Given the high number of existing countries, one may come to the conclusion that corresponding to the European data protection standards does not seem to be appealing for third countries. Contrary to this semblance many countries adhere to the European norms via their own national legislation. In the period between 1990 and 2010, 51 non-EU data privacy laws have been adopted and many followed the European approach reflecting its high level of protection. Hence, by linking its data privacy regime with the internal market the EU exerted pressure on third countries and multinationals corporations to adapt to its data protection criteria.^[18]

III. Development after the adoption of the Data Protection Directive

In this section several milestones will be addressed that impacted both the perception of data protection and its increasing influence in the EU.

Shortly after the entering into force of the Data Protection Directive, the European legislator adopted the ePrivacy Directive in 2002 dealing with the processing of personal data and the protection of privacy in the electronic communications sector. Its aim was to modernize and replace the former Telecommunications Data Protection Directive^[19] to provide adequate data protection in the advent of the digital economy. The ePrivacy Directive broadened the scope of the existing European data protection regime by including the protection of legal persons, standards for equipment manufacturers and new duties and limitations for providers and network operators, e.g. the cooperation with law enforcement agencies, the implementation of safety measures and notifications in the case of potential security breaches. Furthermore it regulates traffic and location data as being similar to personal data.^[20] In 2009, the ePrivacy Directive was amended by the Cookies Directive imposing higher security standards for the storage and processing of personal data as well as requiring users consent before third parties are permitted to place or access cookies in the user’s computer.^[21] The implementation period for the Cookies Directive ended in 2011, but so far only a few Member States have transposed its provisions into national law.^[22]

Besides these instruments specific rules for the protection of personal data in police and judicial cooperation in criminal matters have been enacted^[23] to ensure common standards and safeguards in the former third pillar. Despite being based on the Data Protection Directive, the scope and the level of protection are considerably reduced, e.g. it only applies in a cross-border context and not for sole domestic processing.^[24]

The enactment of the Lisbon Treaty fostered the evolution of the European data protection regime in two ways. Firstly, a new Art. 16 TFEU has been introduced not only elevating the right to personal data protection to EU primary law but also including it as one of the provisions of general application in Title II. Furthermore, Art 16(2) TFEU provides for a new prospective legal basis for the protection of processed personal data in all EU areas including the former second and third pillars.^[25]

Secondly, the Charter of Fundamental Rights of the EU has become binding not only for the EU institutions and bodies but also for the Member States by giving it the same legal value as the Treaties in Art 6(1) TEU. Besides the right to privacy in Art. 7, which corresponds to Art. 8 ECHR, the Charter also introduced in its Art. 8 the protection of personal data as a fundamental right. Art. 8(2) of the Charter recalls four of the major principles of the Data Protection Directive, namely that all personal data is covered, the data must be processed fairly and lawfully, the right to access and the right to rectification. Additionally, Art. 8(3) of the Charter reaffirms that compliance shall be subject to control by an independent authority.

The CJEU broadened the scope of application of the Charter by stating that its provisions have to be obeyed whenever Member States are acting within the scope of EU law^[26] purporting that in these circumstances national law has to respect the level of protection provided for in the Charter and the primacy, unity and effectiveness of EU law and implying that constitutional provisions cannot be exercised^[27].

C. The successfulness of the current regime

The successfulness of the current European data protection regime a multitude of factors can be taken into account. To not unduly exceed the limits of this paper the author determined four key criteria on whose basis the successfulness will be assessed. Firstly, its impact on existing and future legislation will be addressed. Secondly, the degree of convergence in the national laws of the Member States will be determined. Thirdly, the regime’s suitability for today’s technological challenges will be evaluated. Lastly, the paper will emphasize the role the European data protection regime played in fostering global data protection.

I. Impact on legislation

The development of the European data protection regime might serve as a starting point for assessing its successfulness. Initiated as an internal market measure aiming at harmonizing the national data protection laws to foster the free flow of data it has gradually become a matter governing a multitude of issues in both the domestic and European context. Exemplary for this trend is the fact that since 2005 data protection falls no longer to the DG Internal Market and Services, but to the DG Justice and Consumers.^[28] By now, the protection of personal data has been accepted as a fundamental right and has been appended to the supreme sources of EU law, namely the Treaties and the Charter of Fundamental Rights. This change of status reflects the successfulness of the current EU data protection regime with regard to its overall influence on current and prospective legislation as a framework that necessarily needs to be taken into account.

II. Real convergence after implementation?

The intended objective of the Data Protection Directive as set out in Art. 1 is to oblige the Member States to ensure that the fundamental rights and freedoms, specifically data protection and the right to privacy, are adequately protected while simultaneously safeguarding the free flow of personal data to support the positive impact automated processing of personal data can have on economic and social activities in the EU. Hence, the idea was to create a legal framework imposing minimum protection requirements and general principles for the processing of personal data originating in the EU. A widespread analysis on the various national differences in the respective national regimes would exceed the purpose of this paper and has been dealt with extensively in earlier publications. In the following paragraphs their main findings will be summarized and assessed.

Already in 2003, a first report^[29] in line with Art. 33 Data Protection Directive has been published evidencing a large extent of margin that has been used by the Member States when transposing the Directive. Due to the inherent character of directives Member States are free to decide on the means with which they implement the provisions and principles as long as they meet the requirements stipulated by the respective directive and do not act contrary to its goals. This also includes the possibility to go beyond the standards if the European legislator opted for a minimum harmonizing directive as it was in the case of the Data Protection Directive. Recital 9 Data Protection Directive points to the risk of potential inequality when allowing varying national rules, but this risk was condoned to not endanger the adoption of the Directive.

Some Member States incorporated the provisions with only marginal amendments and others changed the structure completely, added new principles and definitions or even adopted further specific legislation. In turn, the national laws differ not only in their structure and scope, but also in the application and enforcement of their respective provisions. Another technical report published at that time confirmed that most of the underlying principles and concepts of the Data Protection Directive have been interpreted disparately by the Member States.^[30]

Although being advantageous for a far-reaching application various broadly formulated provisions included in the Data Protection Directive augmented the different national regimes leaving their scope and interpretative approach vaguely in the realms of the Member States. Exemplary are the definitions of personal data, data subject and controller in Art. 2 Data Protection Directive as essential elements which are not only construed and applied dissimilar in the various domestic systems, but also leave important issues like anonymization, profiling or data identifying used devices which are only indirectly relatable to persons.^[31] Additionally, some Member States have extended the list of sensitive data in Art. 8 Data Protection Directive by including further categories, e.g. financial standings, welfare benefits or criminal convictions.^[32] Another problem related to this is the fact that national data protection laws often refer to other domestic legislation allowing the processing of sensitive data potentially without providing the suitable safeguards as prescribed by Art. 8(4) Data Protection Directive. Moreover, the obligation in Art. 8(6) Data Protection Directive to notify such other domestic legislation has rarely been respected in the past.^[33]

Moreover, the competence for Member States granted in Art. 5 Data Protection Directive to specify the conditions for fair and lawful processing of personal data effectuated different national approaches. The Data Protection elaborates the main data protection principles in Art. 6, the criteria for lawful processing of personal in Art. 7 or the right to access in Art. 12 in a very general manner necessitating further specifications in national law. Hence, despite using varying terms and wording some Member States added additional criteria or supplementary clarifications, opted for different balancing tests, e.g. reasonable expectations of the data subject or a fairness-test, or defined purposes in excessively broad terms like ‘policing purposes’.^[34] As a further example, the important concept of consent varies vastly in the national frameworks. Art. 7(a) in conjunction with Art. 2(h) Data Protection Directive states that the data subject has to give unambiguous, free, specific and informed consent to legitimate any processing of personal data by a controller. Portugal, Spain and Sweden stuck to this definition while Germany and Italy ask, in principle, for consent in writing. In contrast, the UK also accepts an implied consent for the processing of non-sensitive data. Different definitions of consent can be problematic if the consent given under one jurisdiction at the time of data collection is considered as invalid under the definition of another Member State where the data is supposed to be processed.^[35]

An increasing number of undertakings in the EU are either established in various Member States or actively pursuing cross-border activities. As a result of the minimum harmonization they have to comply with the national laws of several Member States, in particular with the different definitions and concepts mentioned above as well as with the notification systems imposed by Arts. 18-20 Data Protection Directive. This precludes an EU-wide equal level of protection and creates not only additional costs, but also legal uncertainty for both controllers and data subjects, if the responsible Member State cannot easily be allocated. The conflict rule in Art. 4 Data Protection Directive has not solved this complex situation regarding the applicable law when several jurisdictions are involved.^[36] Cross-border data flows, however, do not stop at the borders of the EU. As described earlier, Arts. 25 and 26 Data Protection Directive introduced a system for the transfer of personal data originating in the EU to third countries, if the European Commission or a Member State approves the respective data protection standards as adequate. The fact that the Data Protection Directive does not specify which body should have the competence to assess the adequacy of third countries furthers the discrepancies between the national data protection systems. Consequently, multiple bodies fulfill this task emphasizing different aspects when evaluating, e.g. in Luxembourg by the controllers, in France by the supervisory authority and in the Netherlands by the Ministry of Justice.^[37]

Even though these flaws have been known since 2003 and repeatedly confirmed by subsequent reports and studies the European Commission decided to gain more practical experience before reviewing the Data Protection Directive. Additionally, it was felt that the legal solutions provided by the Directive were still suitable and the existing problems were judged as being no threat to the internal market in general.^[38] This attitude has now changed and the European Commission arrived in its impact assessment for the recent proposal of the General Data Protection Regulation at the conclusion that ‘the current divergences in the implementation, interpretation and enforcement of the Directive by Member States hamper the functioning of the internal market and cooperation between public authorities in relation to EU policies’ and ‘may discourage some economically or socially beneficial activities which would require cross-border transfers of data within the EU’. It is estimated that the domestic discrepancies cause companies established in the EU up to €3 billion per year due to compliance costs.^[39] Furthermore, the European Commission admits that there is currently no possibility to shift towards a uniform interpretation and application of the current EU data protection regime. The recommendation of the Article 29 Working Party are not binding for the Member States and their respective supervisory authorities^[40], the resources and powers of the national authorities vary greatly and the European Commission has primarily the capacity to influence data transfers to third countries.^[41] The additional instruments dealing with further areas of law and specific issues adopted on European level have not changed anything to that effect.

When assessing the successfulness of the European data protection regime with respect to its converging effect one has to acknowledge that the European legislator achieved something, especially with the Data Protection Directive, that no other international initiative could accomplish. The EU adopted the first comprehensive instrument binding numerous countries to essentially the same standards and concepts. Given the diverse national approaches^[42] and the lack of a common understanding^[43] of data protection in the Member States as demonstrated by the cumbersome negotiations prior to the adoption of the Data Protection Directive it is unrealistic to expect ‘identical or fully consistent solutions’^[44]. Rather, the decision to enact a directive entailing minimum requirements represents the consensus that could be reached. The, at that time, ambitious and innovative approach of a Data Protection Directive should be seen as the first step in the evolution of data protection on European level supplemented by subsequent instruments and developing over time.

Nevertheless, from today’s point of view and given the flaws elaborated above it would be deceptive to accredit a real harmonization. Evidently, the adoption of European rules on data protection, in particular the Data Protection Directive, has led to convergence in the Member States to a certain extent. Given the leeway granted by the minimum harmonizing character of the respective directives and the different transpositions of the provisions by the Member States the EU is now facing multiple regimes encompassing, in principle, the same principles and standards causing a loss of effectiveness and additional costs.^[45] Bearing in mind that our society and the business environment has changed in the last 20 years by virtue of technological advancements, which will be discussed in the next section, there is a clear need for modernization of the current EU data protection regime to safeguard the efficient protection of personal date while simultaneously providing a fair and comprehensive framework for the growing digital economy.

[...]

---

^[1] cf. The Gallup Organization, Flash Eurobarometer No. 225, available at: http://ec.europa.eu/public_opinion/archives/flash_arch_239_225_en.htm#225 [18 March 2015].

^[2] Directive 95/46/EC, [1995] OJ L 281/31.

^[3] Directive 2002/58/EC, [2002] OJ L 201/37.

^[4] Directive 2009/136, [2009] OJ L 337/11.

^[5] cf. Kuner, An international legal framework for data protection: Issues and prospects, 25 Computer Law & Security Review 4 (2009), 309.

^[6] OECD, OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data (1980), available at http://www.oecd.org/document/18/0,3746,en_2649_34223_1815186 1 1_1_1 ,00.html [18 March 2015].

^[7] CoE, Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (1981), available at http://conventions.coe.int/Treaty/en/Treaties/Html/108.htm [18 March 2015].

^[8] cf. Birnhack, The EU Data Protection Directive: An engine of a global regime, 24 Computer Law & Security Review 6 (2008), 511.

^[9] cf. Simitis, From the market to the polis, 80 Iowa Law Review 3 (1995), 446 f.

^[10] cf. Pearce, Achieving personal data protection in the European Union, 36 Journal of Common Market Studies 4 (1998), 533-538.

^[11] cf. Rotenberg, Updating the Law of Information Privacy, 36 Harv.J.Law Public Policy 2 (2013), 617.

^[12] Case C-465/00, Österreichischer Rundfunk, [2003] ECR I-04989, para 42.

^[13] Case C-101/01, Bodil Lindqvist, [2003] ECR I-12971, paras. 43-44.

^[14] cf. Cunningham, Privacy in the age of the hacker, 44 Geo. Wash. Int'l L. Rev. 4 (2012), 15 ff.

^[15] e.g. Wuermeling, Harmonisation of European Union privacy law, 14 The John Marshall Journal of Computer & Information Law 3 (1996), 435 ff.

^[16] cf. Birnhack, The EU Data Protection Directive: An engine of a global regime, 24 Computer Law & Security Review (2008) 6, 513.

^[17] cf. ibid., 514 f.

^[18] cf. Cunningham, Privacy in the age of the hacker, 44 Geo. Wash. Int'l L. Rev. 4 (2012), 22 f.

^[19] Directive 97/66/EC [1997], OJ L 24/1.

^[20] cf. Poullet, EU data protection policy, 22 Computer Law & Security Review 3 (2006), 215 f.

^[21] cf. Rotenberg, Updating the Law of Information Privacy, 36 Harv.J.Law Public Policy 2 (2013), 620 f.

^[22] cf. Jones, An overview of EU data protection rules on use of data collected online, 27 Computer Law & Security Review 6 (2011), 630.

^[23] e.g. Council Framework Decision 2008/977/JHA [2008], OJ L 350/60.

^[24] cf. Hustinx, EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, 15, available at: https://secure.edps.europa.eu/EDPSWEB/edps/lang/de/EDPS/Publications/SpeechArticle/SA2014 [18 March 2015].

^[25] cf. Article 29 Data Protection Working Party, The Future of Privacy, WP 168 (2009), 5.

^[26] Case C-617/10, Åkerberg Fransson Judgment of 7 May 2013, paras. 17-21, not yet published.

^[27] Case C-399/11, Melloni Judgment of, 26 February 2013, paras 59-60, not yet published.

^[28] cf. Hijmans, Shortcomings in EU Data Protection in the Third and the Second Pillars, 46 Common Market Law Review 5 (2009), 1492 f.

^[29] COM(2003) 265 final.

^[30] cf. Poullet, EU data protection policy, 22 Computer Law & Security Review 3 (2006), 207.

^[31] cf. DG Justice, Comparative study on different approaches to new privacy challenges, 27, available at: http://ec.europa.eu/justice/data-protection/document/studies/index_en.htm [18 March 2015].

^[32] cf. King, Protecting the privacy and security of sensitive customer data in the cloud, 28 Computer Law & Security Review 3 (2012), 310.

^[33] cf. DG Justice, Comparative study on different approaches to new privacy challenges, 33 f., available at: http://ec.europa.eu/justice/data-protection/document/studies/index_en.htm [18 March 2015].

^[34] ibid., 29.

^[35] ibid., 31.

^[36] cf. COM(2010) 609 final, 10 f.

^[37] cf. Poullet, EU data protection policy, 22 Computer Law & Security Review 3 (2006), 211 f.

^[38] cf. Hustinx, EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, 24 f., available at: https://secure.edps.europa.eu/EDPSWEB/edps/lang/de/EDPS/Publications/SpeechArticle/SA2014 [18 March 2015].

^[39] cf. SEC(2012) 72 final, 11.

^[40] cf. Rotenberg, Updating the Law of Information Privacy, 36 Harv.J.Law Public Policy 2 (2013), 629 f.

^[41] cf. SEC(2012) 72 final, 12 ff.

^[42] cf. Simitis, From the market to the polis, 80 Iowa Law Review 3 (1995), 451 f.

^[43] cf. Wuermerling, Harmonisation of European Union privacy law, 14 The John Marshall Journal of Computer & Information Law 3 (1996), 459.

^[44] Hustinx, EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation, 9, available at: https://secure.edps.europa.eu/EDPSWEB/edps/lang/de/EDPS/Publications/SpeechArticle/SA2014 [18 March 2015].

^[45] ibid., 27.