Data protection laws and regulations
in the European Union
in the European Union
by Chunchen Dai
As far back as 1995, European Union has promulgated the Data Protection Directive as an important component of EU privacy and human rights law. The Data Protection Directive, officially Directive 95/46/EC, is on the protection of processing personal data within the European Union.
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a). Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
The notion processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b)
In that directive, any processing of personal data is strictly regulated, regardless of whether such processing is automated or not. Moreover, processing EU data from controllers outside the EU will have to follow data protection regulation as well.
Basically personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)
Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6) Besides, When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organizations) are being processed, extra restrictions apply. (art. 8) Based on European Convention on Human Rights, Article 8.2, “there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country”, each EU member state must set up a supervisory authority as an independent body to monitor the data protection level in that member state, (art. 28) and individuals may lodge complaints about violations to the supervisory authority or in a court of law.
On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.[1] The proposed new rules would strengthen some existing provisions and standardize data protections across the 27 member states.
Personal data are defined as "any information relating to an identified or identifiable natural person ("data subject"); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity;" (art. 2 a). Some examples of "personal data" are: address, credit card number, bank statements, criminal record, etc.
The notion processing means "any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction;" (art. 2 b)
In that directive, any processing of personal data is strictly regulated, regardless of whether such processing is automated or not. Moreover, processing EU data from controllers outside the EU will have to follow data protection regulation as well.
Basically personal data should not be processed at all, except when certain conditions are met. These conditions fall into three categories: transparency, legitimate purpose, and proportionality.
- Transparency
The data subject has the right to be informed when his personal data is being processed. The controller must provide his name and address, the purpose of processing, the recipients of the data and all other information required to ensure the processing is fair. (art. 10 and 11)
- Legitimate purpose
Personal data can only be processed for specified explicit and legitimate purposes and may not be processed further in a way incompatible with those purposes. (art. 6 b)
- Proportionality
Personal data may be processed only insofar as it is adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use. (art. 6) Besides, When sensitive personal data (can be: religious beliefs, political opinions, health, sexual orientation, race, membership of past organizations) are being processed, extra restrictions apply. (art. 8) Based on European Convention on Human Rights, Article 8.2, “there shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country”, each EU member state must set up a supervisory authority as an independent body to monitor the data protection level in that member state, (art. 28) and individuals may lodge complaints about violations to the supervisory authority or in a court of law.
On 25 January 2012, the European Commission unveiled a draft European General Data Protection Regulation that will supersede the Data Protection Directive.[1] The proposed new rules would strengthen some existing provisions and standardize data protections across the 27 member states.
Data protection laws and regulations
in the Netherlands
The Dutch data protection authority (College Bescherming Persoonsgegevens or CBP) supervises the operation of personal data files in accordance with the PDPA (The Dutch Personal Data Protection). On 28 January 2008, the CBP, previously known as the Registratiekamer, called for an increase in its supervisory power to strengthen the enforcement of the data protection law and to take direct actions regarding investigations and fines.[2]
The Dutch Personal Data Protection (PDPA) is a revised and expanded version of the Data Registration Act of 1998 that brings Dutch law in line with the EU Directive and regulates the transfer of personal data to countries outside of the European Union. Pursuant to the PDPA, the Decree on Regulated Exemption was enacted to exempt certain organizations from the registration requirements of the PDPA.[3]
In the Dutch legal order, there are also sector-based privacy laws regulating the Dutch police[4] and social security.[5] A series of laws concerning the Dutch social security number regulates the allowable uses of this number for identifying citizens and for general administrative purposes.[6]
As of 2004, the use of covert video surveillance in public places requires notice. The Hidden Camera Surveillance Act 2003 (Heimelijk Cameratoezicht) makes it unlawful to use hidden cameras in public places without notification. The use of hidden cameras in the workplace remains lawful if there is suspicion of criminal behavior and if workers are notified. Journalists can still use hidden cameras for their work. In April 2005, the House of Representatives passed the Camera Surveillance Act, which allows images to be retained for up to four weeks and also facilitates the use of cameras for law enforcement purposes, whereas before the main purpose of camera surveillance was keeping public order.[7]
Data retention In September 2004, a new Act came into force that amends the power to request telecommunications data.[8] The law (Vorderen gegevens telecommunicatie) enables the public prosecutor to request traffic data from providers of public telecommunications networks and services. In the event of suspicion of a criminal offence, any investigating officer can request a subscriber's personal information. A proposal to notify suspects when the subscriber’s data has been requested was rejected by the Parliament.
On 4 April 2007, the Dutch Cabinet agreed to proposed legislation designed to implement the European Directive on Data Retention, a directive that requires member countries to set statutory retention of telephone and Internet traffic data.[9]
On 22 May 2008, the Dutch House of Representatives passed the Telecommunications Data Retention Act (Wet Bewaarplicht Telecommunicatiegegevens), which amended the data retention period from 18 months in the first draft to 12 months.[10]
- Comprehensive law
The Dutch Personal Data Protection (PDPA) is a revised and expanded version of the Data Registration Act of 1998 that brings Dutch law in line with the EU Directive and regulates the transfer of personal data to countries outside of the European Union. Pursuant to the PDPA, the Decree on Regulated Exemption was enacted to exempt certain organizations from the registration requirements of the PDPA.[3]
- Sector-based laws
In the Dutch legal order, there are also sector-based privacy laws regulating the Dutch police[4] and social security.[5] A series of laws concerning the Dutch social security number regulates the allowable uses of this number for identifying citizens and for general administrative purposes.[6]
As of 2004, the use of covert video surveillance in public places requires notice. The Hidden Camera Surveillance Act 2003 (Heimelijk Cameratoezicht) makes it unlawful to use hidden cameras in public places without notification. The use of hidden cameras in the workplace remains lawful if there is suspicion of criminal behavior and if workers are notified. Journalists can still use hidden cameras for their work. In April 2005, the House of Representatives passed the Camera Surveillance Act, which allows images to be retained for up to four weeks and also facilitates the use of cameras for law enforcement purposes, whereas before the main purpose of camera surveillance was keeping public order.[7]
Data retention In September 2004, a new Act came into force that amends the power to request telecommunications data.[8] The law (Vorderen gegevens telecommunicatie) enables the public prosecutor to request traffic data from providers of public telecommunications networks and services. In the event of suspicion of a criminal offence, any investigating officer can request a subscriber's personal information. A proposal to notify suspects when the subscriber’s data has been requested was rejected by the Parliament.
On 4 April 2007, the Dutch Cabinet agreed to proposed legislation designed to implement the European Directive on Data Retention, a directive that requires member countries to set statutory retention of telephone and Internet traffic data.[9]
On 22 May 2008, the Dutch House of Representatives passed the Telecommunications Data Retention Act (Wet Bewaarplicht Telecommunicatiegegevens), which amended the data retention period from 18 months in the first draft to 12 months.[10]
Improvement of data protection regulations
due to new technological development
The European Union has instituted more of a blanket regulatory system; it has a common directive that gives its citizens certain fundamental rights- the one-regulation-fits-all-data approach.[11]
The increasingly globalized nature of data flows, the fact that personal information is collected, transferred and exchanged in huge quantities, across continents and around the globe in milliseconds and the arrival of cloud computing, those are all good reasons for reviewing and improving the current rules, the Data Protection Directive, which was adopted in 1995. Especially the rapid pace of technological change and globalization have profoundly transformed the scale and the way personal data is collected, accessed, used and transferred. In order to ensure a continuity of data protection, the rules need to be brought in line with technological developments.
European commission will propose one, single, technologically neutral and future-proof set of rules across the EU. This means that regardless of how technology and the digital environment develop in the future, the personal information of individuals in the EU will be secure, and their fundamental right to data protection respected. The Commission will also reinforce the ‘right to be forgotten’, so that if an individual no longer wants their personal data to be processed, and there is no legitimate reason for an organization to keep it, it must be removed from their system. Citizens will also have a right to data portability, i.e. the right to obtain a copy of their data from one Internet company and to transmit it to another one without hindrance from the first company. These proposals will help build trust in the online environment, which is good for individuals and businesses.
The new data protection rules will enable consumers to engage with innovative technologies and purchase online in full confidence that their data will be protected. This will encourage people to embrace new technologies and to make full use of the single market’s potential to provide a greater choice of goods at lower prices. This increase in activity will also help businesses, especially small and medium-sized businesses (SMEs) grow to their full potential within the single market. By having future-proof, technologically neutral regulations, the Commission’s proposals will give long-lasting certainty to data protection issues online.
Tightening the rules on surveillance technology export
The European Commission is leading the way to ensure, for instance, that private data protection goes hand-in-hand with technologies such as video cameras and other forms of detection and surveillance. However, at the same time, activists have been fighting the battle against technology exports to repressive countries for years.
Human Rights Watch (HRW) and Reporters without Borders (RWB) have called the European Union (EU) to enact new controls on internet surveillance technologies that have enabled human rights violations.[12] In January 2012 the EU seems to have finally agreed to take action on tightening the rules that have made these exports possible. Within a strategy that the EU announces as ‘seeking to anchor and mainstream the promotion and protection of digital freedom’, Parliamentarians are now calling for stricter control on dual-use technology to prevent it from being used by repressive regimes. It involves follows:
According to Dutch Member of European Parliament Marietje Schaake¡äs’ proposal, the European Commission will be required to provide a regularly updated list of restricted products and countries. An upgraded EU control system would guarantee that the EU knows what is being sold to whom, and whether the sale is potentially dangerous. GVA has expressed the wish that this process is as transparent as possible.[13]
- Why?
The increasingly globalized nature of data flows, the fact that personal information is collected, transferred and exchanged in huge quantities, across continents and around the globe in milliseconds and the arrival of cloud computing, those are all good reasons for reviewing and improving the current rules, the Data Protection Directive, which was adopted in 1995. Especially the rapid pace of technological change and globalization have profoundly transformed the scale and the way personal data is collected, accessed, used and transferred. In order to ensure a continuity of data protection, the rules need to be brought in line with technological developments.
- What?
European commission will propose one, single, technologically neutral and future-proof set of rules across the EU. This means that regardless of how technology and the digital environment develop in the future, the personal information of individuals in the EU will be secure, and their fundamental right to data protection respected. The Commission will also reinforce the ‘right to be forgotten’, so that if an individual no longer wants their personal data to be processed, and there is no legitimate reason for an organization to keep it, it must be removed from their system. Citizens will also have a right to data portability, i.e. the right to obtain a copy of their data from one Internet company and to transmit it to another one without hindrance from the first company. These proposals will help build trust in the online environment, which is good for individuals and businesses.
- How?
The new data protection rules will enable consumers to engage with innovative technologies and purchase online in full confidence that their data will be protected. This will encourage people to embrace new technologies and to make full use of the single market’s potential to provide a greater choice of goods at lower prices. This increase in activity will also help businesses, especially small and medium-sized businesses (SMEs) grow to their full potential within the single market. By having future-proof, technologically neutral regulations, the Commission’s proposals will give long-lasting certainty to data protection issues online.
Tightening the rules on surveillance technology export
The European Commission is leading the way to ensure, for instance, that private data protection goes hand-in-hand with technologies such as video cameras and other forms of detection and surveillance. However, at the same time, activists have been fighting the battle against technology exports to repressive countries for years.
Human Rights Watch (HRW) and Reporters without Borders (RWB) have called the European Union (EU) to enact new controls on internet surveillance technologies that have enabled human rights violations.[12] In January 2012 the EU seems to have finally agreed to take action on tightening the rules that have made these exports possible. Within a strategy that the EU announces as ‘seeking to anchor and mainstream the promotion and protection of digital freedom’, Parliamentarians are now calling for stricter control on dual-use technology to prevent it from being used by repressive regimes. It involves follows:
- EU member states will be obliged to block technology exports to countries facing emergency situations.
- Companies should ask for export authorization if they have reasons to believe that certain exports might harm human rights
According to Dutch Member of European Parliament Marietje Schaake¡äs’ proposal, the European Commission will be required to provide a regularly updated list of restricted products and countries. An upgraded EU control system would guarantee that the EU knows what is being sold to whom, and whether the sale is potentially dangerous. GVA has expressed the wish that this process is as transparent as possible.[13]
[1] "New draft European data protection regime". m law group. Retrieved 20 February 2012.
[2] At http://www,dutchdpa.nl
[3] Decree on Regulated Exemption, 7 May 2001.
[4] Dutch Police Registers Act 1990 (no longer in force), Dutch Police Data Act 2008.
[5] Dutch Social Security System Act 1997, Compulsory Identification Act.
[6] Dutch Act general regulations with respect to the citizens’ service number (Wet algemene bepalingen burgerservicenummer).
[7] Surveillance Policies at https://www.privacyinternational.org/reports/the-netherlands/ii-surveillance-policies
[8] Stb.2004,105
[9] Press Release, Ministry of Justice, "Dutch cabinet: telecommunications data to be retained for one and a half years," 4 April 2007, at http://english.justitie.nl/currenttopics/pressreleases/archives2007/-Dut....
[10] Press Release, Ministry of Justice, "Dutch cabinet: telecommunications data to be retained for one and a half years," 4 April 2007, at http://english.justitie.nl/currenttopics/pressreleases/archives2007/-Dut....
[11] How will the EU’s reform adapt data protection rules to new technological developments? At http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/8_en.pdf
[12] NGOs call for new controls on surveillance technologies, at http://www.neurope.eu/article/ngos-call-new-controls-surveillance-technologies
[13] European Parliament endorses first ever Digital Freedom Strategy, at http://www.marietjeschaake.eu/2012/12/european-parliament-endorses-first-ever-digital-freedom-strategy/
[2] At http://www,dutchdpa.nl
[3] Decree on Regulated Exemption, 7 May 2001.
[4] Dutch Police Registers Act 1990 (no longer in force), Dutch Police Data Act 2008.
[5] Dutch Social Security System Act 1997, Compulsory Identification Act.
[6] Dutch Act general regulations with respect to the citizens’ service number (Wet algemene bepalingen burgerservicenummer).
[7] Surveillance Policies at https://www.privacyinternational.org/reports/the-netherlands/ii-surveillance-policies
[8] Stb.2004,105
[9] Press Release, Ministry of Justice, "Dutch cabinet: telecommunications data to be retained for one and a half years," 4 April 2007, at http://english.justitie.nl/currenttopics/pressreleases/archives2007/-Dut....
[10] Press Release, Ministry of Justice, "Dutch cabinet: telecommunications data to be retained for one and a half years," 4 April 2007, at http://english.justitie.nl/currenttopics/pressreleases/archives2007/-Dut....
[11] How will the EU’s reform adapt data protection rules to new technological developments? At http://ec.europa.eu/justice/data-protection/document/review2012/factsheets/8_en.pdf
[12] NGOs call for new controls on surveillance technologies, at http://www.neurope.eu/article/ngos-call-new-controls-surveillance-technologies
[13] European Parliament endorses first ever Digital Freedom Strategy, at http://www.marietjeschaake.eu/2012/12/european-parliament-endorses-first-ever-digital-freedom-strategy/