Accessibility Tools

2) Data protection legislation


When was the right to protection of personal data established?

Respect for private life has been ensured at European level since the adoption of the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) in 1950. During the 1960's and 1970's, the potential impact of information and communication technologies developments on the life of citizens became visible, for instance because of the increase of surveillance possibilities, both in the public and in the private sector.

The then existing legislation designed to secure the privacy of personal data was no longer felt adequate: the term "private life" in the ECHR had a number of limitations: the scope of it was uncertain and the emphasis was on the protection against interference by public authorities and not by private organisations.

The protection of personal data was - as a separate right granted to an individual - for the first time guaranteed in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ( Convention 108  ). It was adopted by the Council of Europe in 1981.

At the same time, the Organization for Economic Co-operation and Development (OECD) issued guidelines to its members, which urged them to introduce measures to protect personal information.

Respect for private life and protection of personal data have been recognised as closely related, but separate fundamental rights in Articles 7 and 8 of the EU Charter of Fundamental Rights adopted in 2000 and reaffirmed in 2007.

What is Convention 108 about?

Convention 108 refers to the Convention for the Protection of Individuals with regard to automatic processing of personal data  which was adopted by the Council of Europe in 1981.

This Convention is the first legally binding international instrument adopted in the field of data protection. Its purpose is:

"to secure [...] for every individual [...] respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data."

It sets out minimum standards aimed at protecting the individuals against abuses which may accompany the collection and processing of personal data. It also seeks to regulate the transborder flow of personal data.

The right to protection of personal data encompasses the protection of privacy, but extends beyond it. Data protection is about securing respect for rights and fundamental freedoms, and in particular (i.e. not only) the right of the data subject to privacy. This is further explained in the Convention's explanatory statement. Paragraph 25 states:

"The preamble reaffirms the commitment of the signatory States to human rights and fundamental freedoms […] it acknowledges that the unfettered exercise of the freedom to process information may, under certain conditions, adversely affect the enjoyment of other fundamental rights (for example: privacy, non-discrimination, fair trial) or other legitimate personal interests (for example employment, consumer credit). It is in order to maintain a just balance between the different rights and interests of individuals that the convention sets out certain conditions or restrictions with regard to the processing of information. No other motives could justify the rules which the Contracting States undertake to apply in this field."

A total of 40 European states have ratified the Convention so far.

How is data protection legislation structured at EU level?

As a result of the work in the Council of Europe and in the OECD, many European countries had enacted legislation designed to balance the individual's right to data protection with the need of public authorities, employers and others to process data. This was undertaken at national level long before the initiative was taken at EU level in early 1990's to ensure more harmonisation on the basis of Convention 108.

► Data protection is highly developed in the EU. The central piece of legislation is Directive 95/46/EC  ("Data Protection Directive"), which regulates the protection of individuals with regard to the processing of personal data and the free movement of such data. As a framework law, the Directive had to be implemented in EU Member States through national laws.

►  Regulation (EC) No 45/2001  lays down the same rights and obligations at the level of the EC institutions and bodies. It also establishes the EDPS as independent supervisory authority with the task of ensuring that the Regulation is complied with.

►  Directive 2002/58/EC  concerning the processing of personal data and the protection of privacy in the electronic communications sector is usually referred to as the "ePrivacy Directive". It covers processing of personal data and the protection of privacy in the electronic communications sectors, and regulates areas such as confidentiality, billing and traffic data, rules on spam, etc.

►  Framework Decision 2008/977/JHA  on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. This is the first general legal framework for data protection in the “third pillar” of the EU. Its content is also based on Convention 108, but differs from Directive 95/46/EC in many ways that are related to the specific nature of the subject.

  • 10 February 2017

    Is your toaster watching you?, Lunchtime conference on the Internet of Things, Speeches by Giovanni Buttarelli and Wojciech Wiewiórowski, Brussels, Belgium

  • 08 February 2017

    6th Data Protection Forum with Mr Viljar PEEP, Director General, Estonian Data Protection Inspectorate, Participation of Giovanni Buttarelli and Wojciech Wiewiórowski, Brussels, Belgium

  • 08 February 2017

    e-Privacy Breakfast Debate organised by EIF, Speech by Wojciech Wiewiórowski, European Parliament, Brussels, Belgium

  • 08 February 2017

    e-Privacy Directive: Combining Modern Marketing & Privacy, Event organised by FEDMA, Speech by Wojciech Wiewiórowski, Brussels, Belgium

  • 07 February 2017

    109th Plenary meeting of the Article 29 Working Party, Participation of Giovanni Buttarelli, Brussels, Belgium

  • 06 February 2017

    Workshop on the current trends and practices in biobanking in the light of European and national data protection requirements? Participation of Wojciech Wiewiórowski, Brussels, Belgium

  • 03 February 2017

    Giovanni Buttarelli speaking on GDPR in panel New rules and what to do next in the conference organised by Confindustria Il nuovo Regolamento europeo sulla protezione dei dati personali, Rome, Italy

  • 01 February 2017

    Giovanni Buttarelli meeting with Bob Quinn, Senior Executive Vice President, AT&T, Brussels, Belgium