Peter Hustinx, EU Data Protection Law: The Review of Directive 95/46/EC and the Proposed General Data Protection Regulation

Conclusion from the article:

“The outcome of the current review of Directive 95/46/EC – and of the EU legal framework for data protection more in general – is not yet entirely clear, but its main direction now seems irreversible and well beyond the point of no return. In any case, a few conclusions may be drawn at this stage.

Privacy and data protection – more precisely: the right to respect for private life and the right to the protection of personal data – have important connections. They are both fairly recent expressions of a universal idea with strong ethical dimensions: the dignity, autonomy and unique value of every human being. However, there are also crucial differences. The concept of ‘data protection’ was developed in order to provide structural legal protection to individuals against the inappropriate use of information technology for processing information relating to them, regardless of whether that processing would be within the scope of the right to respect for private life or not. The resulting set of safeguards – in essence a system of checks and balances, consisting of substantive conditions, individual rights, procedural provisions and independent supervision – applies in principle to all processing of personal data.

This approach was developed by the Council of Europe in Convention 108 and further developed by the EU in Directive 95/46/EC, alongside the right to respect for private life as set out in Article 8 ECHR. Both must be distinguished from, on the one hand, the German concept of ‘informational self-determination’, with a strong emphasis on the data subject’s consent, and on the other hand, the approach followed by the OECD Guidelines, based on the notion of ‘risk’ as a threshold condition for protection, and assuming that all processing of personal data is in principle legitimate. These distinctions play an important – but often only implicit and insufficiently recognised – role in international discussions.

The EU has gradually taken over the role of the Council of Europe as a building platform for data protection. In this respect, we have seen two lines of development: the first having to do with making privacy and data protection rights stronger, and the second with ensuring a more consistent application of those rights across the EU …

The general basis for the review of the current legal framework in Article 16 TFEU offers a historic opportunity to deliver the main components of Article 8 Charter in a more effective and consistent set of rules across the EU. The General Data Protection Regulation, which is to replace Directive 95/46/EC in due course, is a combination of continuity and innovation. A directly binding Regulation will in principle bring much greater consistency, but in practice probably also allow some flexibility for interaction with national law, especially in the public sector. The greatest innovation is expected in larger responsibilities for controllers, although the impact of this shift will depend on the ‘progressive risk based approach’ currently under discussion. Innovation can also be expected in the area of supervision and enforcement, especially in relation to the details of one-stop-shops for citizens and business and in other mechanisms to ensure consistent outcomes of independent supervisory authorities. Finally, the territorial scope of the Regulation is likely to also include companies that are operating on the European market from an establishment elsewhere in the world….

Finally, we have seen that the governance issues relating to the one-stop-shop for companies and the consistency mechanism are among the most complicated issues that are currently still under discussion. Creativity and pragmatism will both be needed here, in order to ensure that the essential components of Article 8 Charter can be effectively delivered in practice”.

Related material

The full text is available at: https://secure.edps.europa…