Accessibility Tools

2) Data protection legislation


When was the right to protection of personal data established?

Respect for private life has been ensured at European level since the adoption of the Council of Europe Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR) in 1950. During the 1960's and 1970's, the potential impact of information and communication technologies developments on the life of citizens became visible, for instance because of the increase of surveillance possibilities, both in the public and in the private sector.

The then existing legislation designed to secure the privacy of personal data was no longer felt adequate: the term "private life" in the ECHR had a number of limitations: the scope of it was uncertain and the emphasis was on the protection against interference by public authorities and not by private organisations.

The protection of personal data was - as a separate right granted to an individual - for the first time guaranteed in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data ( Convention 108  ). It was adopted by the Council of Europe in 1981.

At the same time, the Organization for Economic Co-operation and Development (OECD) issued guidelines to its members, which urged them to introduce measures to protect personal information.

Respect for private life and protection of personal data have been recognised as closely related, but separate fundamental rights in Articles 7 and 8 of the EU Charter of Fundamental Rights adopted in 2000 and reaffirmed in 2007.

What is Convention 108 about?

Convention 108 refers to the Convention for the Protection of Individuals with regard to automatic processing of personal data  which was adopted by the Council of Europe in 1981.

This Convention is the first legally binding international instrument adopted in the field of data protection. Its purpose is:

"to secure [...] for every individual [...] respect for his rights and fundamental freedoms, and in particular his right to privacy, with regard to automatic processing of personal data."

It sets out minimum standards aimed at protecting the individuals against abuses which may accompany the collection and processing of personal data. It also seeks to regulate the transborder flow of personal data.

The right to protection of personal data encompasses the protection of privacy, but extends beyond it. Data protection is about securing respect for rights and fundamental freedoms, and in particular (i.e. not only) the right of the data subject to privacy. This is further explained in the Convention's explanatory statement. Paragraph 25 states:

"The preamble reaffirms the commitment of the signatory States to human rights and fundamental freedoms […] it acknowledges that the unfettered exercise of the freedom to process information may, under certain conditions, adversely affect the enjoyment of other fundamental rights (for example: privacy, non-discrimination, fair trial) or other legitimate personal interests (for example employment, consumer credit). It is in order to maintain a just balance between the different rights and interests of individuals that the convention sets out certain conditions or restrictions with regard to the processing of information. No other motives could justify the rules which the Contracting States undertake to apply in this field."

A total of 40 European states have ratified the Convention so far.

How is data protection legislation structured at EU level?

As a result of the work in the Council of Europe and in the OECD, many European countries had enacted legislation designed to balance the individual's right to data protection with the need of public authorities, employers and others to process data. This was undertaken at national level long before the initiative was taken at EU level in early 1990's to ensure more harmonisation on the basis of Convention 108.

► Data protection is highly developed in the EU. The central piece of legislation is Directive 95/46/EC  ("Data Protection Directive"), which regulates the protection of individuals with regard to the processing of personal data and the free movement of such data. As a framework law, the Directive had to be implemented in EU Member States through national laws.

►  Regulation (EC) No 45/2001  lays down the same rights and obligations at the level of the EC institutions and bodies. It also establishes the EDPS as independent supervisory authority with the task of ensuring that the Regulation is complied with.

►  Directive 2002/58/EC  concerning the processing of personal data and the protection of privacy in the electronic communications sector is usually referred to as the "ePrivacy Directive". It covers processing of personal data and the protection of privacy in the electronic communications sectors, and regulates areas such as confidentiality, billing and traffic data, rules on spam, etc.

►  Framework Decision 2008/977/JHA  on the protection of personal data processed in the framework of police and judicial co-operation in criminal matters. This is the first general legal framework for data protection in the “third pillar” of the EU. Its content is also based on Convention 108, but differs from Directive 95/46/EC in many ways that are related to the specific nature of the subject.

  • 25 March 2017

    60th anniversary of the Rome Treaties. Giovanni Buttarelli to participate in the meeting of the 27 EU heads of state and heads of European Union institutions in Rome, Italy.

  • 15 March 2017

    Data Protection and the EU institutions. Read the latest blogpost by Giovanni Buttarelli and the EDPS Opinion.

  • 15 March 2017

    EDPS sees opportunity for stronger consumer and data protection. Read the EDPS Opinion and the press release.

  • 13 March 2017

    2018 International Conference of Data Protection and Privacy Commissioners to be hosted in Brussels. Read the press statement.

  • 07 March 2017

    EDPS calls for consistent improvements in the approach to EU border policy. Read the EDPS Opinion and the press release.

  • 28 March 2017

    Giovanni Buttarelli meeting with Greg Nojeim, Senior Counsel and Director, Freedom, Security and Technology Project, Center for Democracy & Technology (CDT), Brussels, Belgium

  • 28 March 2017

    Giovanni Buttarelli meeting with Cornelia Ernst, MEP, Brussels, Belgium

  • 27 March 2017

    Processing of personal data  by the Union institutions, bodies, offices and agencies, Study group meeting, EESC, Participation of Giovanni Buttarelli, Brussels Belgium

  • 25 March 2017

    60th anniversary of the Rome Treaties, Participation of Giovanni Buttarelli in the meeting of the 27 EU heads of state and heads of European Union institutions, Rome, Italy

  • 23 March 2017

    Forum on International Privacy Law, Participation of Wojciech Wiewiórowski, Königstein, Germany

  • 23 March 2017

    Participation of Giovanni Buttarelli in DAPIX, Brussels, Belgium

  • 23 March 2017

    Concurrences Review, Law & Economics Workshop: Big Data, Speech by Giovanni Buttarelli, Brussels, Belgium

  • 13 March 2017

    Regulating Privacy through Ethical Standards and Accountability Principles in the era of Big Data, Keynote speech of Wojciech Wiewiórowski: Towards a new digital ethics – data, dignity and technology: How to ensure accountability in personal data management?, Brussels, Belgium