EU TFEU: Personal data protection

Protection of personal data looks nice on paper for the citizen of the European Union, but what are the principles worth in practice when assailed by the US administration’s ‘war on terror’, unscrupulous ICT business practices beyond the reach of EU jurisdiction, or the EU member states’ common foreign and security concerns as well as their combat against terrorism and crime?

The first step towards answers is to get acquainted with the basic provisions at the EU treaty level, both the current ones and those proposed by the Treaty of Lisbon.

***

In the Treaty of Lisbon (ToL) the intergovernmental conference (IGC 2007) inserts a provision on personal data protection in the Treaty establishing the European Community (TEC), to be called the Treaty on the Functioning of the European Union (TFEU). The Article is placed in TFEU Part One, Title II Provisions having general application. See Official Journal (OJ) 17.12.2007 C 306/50:

29) An Article 16 B shall be inserted, replacing Article 286:

Article 16b TFEU (ToL), when renumbered Article 16 TFEU

1. Everyone has the right to the protection of personal data concerning them.

2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 25a of the Treaty on European Union.

***

Comparing the Lisbon Treaty provision, we start with the existing Article 286 TEC being replaced (in the latest consolidated version of the current TEU and TEC, OJ 29.12.2006 C 321 E/171):

Article 286 TEC

1. From 1 January 1999, Community acts on the protection of individuals with regard to the processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty.

2. Before the date referred to in paragraph 1, the Council, acting in accordance with the procedure referred to in Article 251, shall establish an independent supervisory body responsible for monitoring the application of such Community acts to Community institutions and bodies and shall adopt any other relevant provisions as appropriate.

***

The European Convention proposed the following Article I-50 under Title VI The democratic life of the Union of the draft Treaty establishing a Constitution for Europe (OJ 18.7.2003 C 169/20):

Article I-50 Draft Constitution
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. A European law shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union Institutions, bodies and agencies, and by the Member States when carrying out activities which come under the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of an independent authority.

***

The IGC 2004 took up the proposal of the European Convention, and in the Treaty establishing a Constitution for Europe we find Article I-51, under Title VI The democratic life of the Union (OJ 16.12.2004 C 310/36):

Article I-51 Constitution
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. European laws or framework laws shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

The IGC 2004 wanted to make clear that national security may override personal data protection sensitivities, and agreed on a declaration (OJ 16.12.2004 C 310/423):

10. Declaration on Article I-51 (Constitution)

The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article I-51 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.

***

Although the basis for Community legislation exists, the wording of the current TEC is badly dated. The draft Constitution and the Constitution and the TFEU seem to be essentially equal. The Lisbon Treaty follows in their footsteps, but adds a second subparagraph to paragraph 2, with a referral to a new TEU provision we have visited earlier on specific rules concerning Chapter 2 Specific provisions on the common foreign and security policy (OJ 17.12.2007 C 306/31):

Article 25a TEU (ToL), renumbered Article 39 TEU

In accordance with Article 16 B of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

The IGC 2007 added two declarations of relevance here (OJ 17.12.2007 C 306/255). Declaration 20 lays stress on national security, and in substance repeats the text of the IGC 2004 declaration, although the TFEU referral and the new specific CFSP provision have been introduced:

20. Declaration on Article 16 B of the Treaty on the Functioning of the European Union

The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article 15a could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.

***

The other IGC 2007 declaration concerns raises another area of concern for the member states, judicial cooperation in criminal matters and police cooperation:


21. Declaration on the protection of personal data in the fields of judicial cooperation in criminal matters and police cooperation

The Conference acknowledges that specific rules on the protection of personal data and the free movement of such data in the fields of judicial cooperation in criminal matters and police cooperation based on Article 16 B of the Treaty on the Functioning of the European Union may prove necessary because of the specific nature of these fields.

***

Article 8 of the Charter of Fundamental Rights of the European Union provides for the protection of personal data (OJ 14.12.2007 C 303/4):

Article 8 Charter
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

***

The Explanations relating to the Charter of Fundamental Rights traces the Charter provision back to its origins (OJ 14.12.2007 C 303/20):

Explanation on Article 8 — Protection of personal data

This Article has been based on Article 286 of the Treaty establishing the European Community and Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31) as well as on Article 8 of the ECHR and on the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been ratified by all the Member States. Article 286 of the EC Treaty is now replaced by Article 16 of the Treaty on the Functioning of the European Union and Article 39 of the Treaty on European Union. Reference is also made to Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). The above-mentioned Directive and Regulation contain conditions and limitations for the exercise of the right to the protection of personal data.

***

Those who want to dig deeper could start their study of secondary legislation with the European Commission’s web pages on Freedom, Security and Justice, with Data Protection, Legislative documents:

http://ec.europa.eu/justice_home/fsj/privacy/law/index_en.htm

***

The EurActiv 14 February 2008 news story “US air security plans ‘unacceptable’, says EU” on transatlantic tensions and a crumbling EU front is just one topical example of an area, which looks set to engage EU institutions, member state governments, NGOs and courts of justice in the years to come:

http://www.euractiv.com/en/transport/us-air-security-plans-unacceptable-eu/article-170303

Privacy or personal data protection issues concern every citizen of the European Union.


Ralf Grahn