Data Protection in the European Union: Difference between revisions
No edit summary |
No edit summary |
||
| Line 20: | Line 20: | ||
A data protection regulation for EUIs (European Institutions) came into force in 2001 under Regulation (EC) 45/2001. Under this regulation the EDPS was created and designated as the independent data protection authority in charge of supervising how EUIs process personal data. The regulation additionally laid down the tasks and powers of the EDPS. | A data protection regulation for EUIs (European Institutions) came into force in 2001 under Regulation (EC) 45/2001. Under this regulation the EDPS was created and designated as the independent data protection authority in charge of supervising how EUIs process personal data. The regulation additionally laid down the tasks and powers of the EDPS. | ||
The EDPS starts its work under the leadership of Peter Hustinx as the first European Data Protection Supervisor and Joaquín Bayo Delgado as the Assistant Supervisor.<ref>The role of assistant supervisor has been | The EDPS starts its work under the leadership of Peter Hustinx as the first European Data Protection Supervisor and Joaquín Bayo Delgado as the Assistant Supervisor.<ref>The role of assistant supervisor has been discontinued There is now the role of secretary general which fulfils many of the same functions as the assistant supervisor. </ref> 2004 marks the first of many EDPS initiatives: first Prior Check Opinions, first complaints addressed, first investigations, and first legislative Opinions. The EDPS counts 15 members of staff working in three sectors: the Administration, Personnel, Budget sector, the Policy and information sector and the Supervision sector. It's offices are located at 63 Rue Montoyer in Brussels, | ||
The EDPS has its first intervention before the Court of Justice in 2005. Specifically on a case concerning international transfers of Passenger Name Record data of airline passengers to the United States. | The EDPS has its first intervention before the Court of Justice in 2005. Specifically on a case concerning international transfers of Passenger Name Record data of airline passengers to the United States. | ||
| Line 47: | Line 47: | ||
When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies and institution's equivalent to GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725. | When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies and institution's equivalent to GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725. | ||
A way to understand [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is to see it as a combination of the GDPR and LED. While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED. | A way to understand [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is to see it as a combination of the GDPR and Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED. | ||
Of particular note is Chapter IX Regulation 2018/1725 which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks). Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under GDPR and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is different to the right of access under Chapter IX. These carve outs are also reflected in the LED (Law Enforcement Directive) and in many cases Chapter IX will directly overlap in text with the LED. | Of particular note is Chapter IX Regulation 2018/1725 which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks).<ref>The AFSJ sector (Area of Freedom Justice and Security) mainly relies on this Chapter of Regulation 2018/1725.</ref> Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under GDPR and [https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex:32018R1725 Regulation 2018/1725], is different to the right of access under Chapter IX. These carve outs are also reflected in the LED (Law Enforcement Directive) and in many cases Chapter IX will directly overlap in text with the LED. | ||
==Data Protection Authority== | ==Data Protection Authority== | ||
Revision as of 12:45, 10 May 2024
| Data Protection in the European Union | |
|---|---|
 | |
| Data Protection Authority: | EDPS |
| Regulation for EU institutions: | Regulation (EU) 2018/1725 |
| Official Language(s): | 24 EU Languages |
| European Legislation Database(s): | Link |
| European Decision Database(s): | Link |
Legislation
History
A data protection regulation for EUIs (European Institutions) came into force in 2001 under Regulation (EC) 45/2001. Under this regulation the EDPS was created and designated as the independent data protection authority in charge of supervising how EUIs process personal data. The regulation additionally laid down the tasks and powers of the EDPS.
The EDPS starts its work under the leadership of Peter Hustinx as the first European Data Protection Supervisor and Joaquín Bayo Delgado as the Assistant Supervisor.[1] 2004 marks the first of many EDPS initiatives: first Prior Check Opinions, first complaints addressed, first investigations, and first legislative Opinions. The EDPS counts 15 members of staff working in three sectors: the Administration, Personnel, Budget sector, the Policy and information sector and the Supervision sector. It's offices are located at 63 Rue Montoyer in Brussels,
The EDPS has its first intervention before the Court of Justice in 2005. Specifically on a case concerning international transfers of Passenger Name Record data of airline passengers to the United States.
In 2009, The Treaty on the Functioning of the EU, or the Lisbon Treaty., enters into force on 1 December 2009, ensuring a strong legal basis for comprehensive data protection in all EU policy areas. Data protection becomes a directly enforceable right for everyone.
In 2012, a new sector, Information and Technology Policy (IT Policy Unit), is created in the organisation, to focus on the impact of technologies on data protection. Similarly, other organisational changes are made within the previously created units: Supervision & Enforcement, Policy & Consultation and Human Resources, Budget & Administration, head of activities are created. The EDPS now counts more than 52 privacy professionals and other experts working to protect individuals and their personal data. The EDPS also moves into its headquarters, 30 Rue Montoyer in Brussels, Belgium, which reflects the organisation's growth as a fully-fledged independent data protection institution. These are still the EDPS' headquarters.
In 2013, the EDPS makes oral submissions at the hearing before the Grand Chamber of the Court of Justice in joint preliminary references C-293/12 and C-594/12 Digital Rights Ireland and Others. Both cases concern the validity of the Data Retention Directive 2006/24/EC. It is the first time that the Court decides, on the basis of Article 24 of its Statute, to invite the EDPS to attend a hearing in a preliminary reference procedure, to provide answers to specific questions.
In 2017, with the new Europol Regulation, the EDPS begins to supervises Europol (the European Union Agency for Law Enforcement Cooperation) whose remit is to help make Europe safer by assisting law enforcement authorities in EU Member States. The new Regulation also provides for the establishment of the Europol Cooperation Board, for which the EDPS provides the secretariat. The Board facilitates cooperation between the EDPS and EU Member States' data protection authorities on its supervisory activities.
In 2018, Regulation (EU) 2018/1725, or EUDPR, repealing Regulation (EC) 45/2001 is adopted. This Regulation provides the new data protection rules for EUls which matches the GDPR, the latter applicable across the EU/European Economic Area. By the end of 2018, the EDPS reaches 100 employees.
In 2019, the EDPS starts supervising Eurojust - an EU agency in charge of combating serious forms of crime - in its processing of operational personal data.
In 2021, the EDPS becomes responsible for supervising the European Public Prosecutor's Office (EPPO) in its operational capacity, the independent European body in charge of investigating and prosecuting criminal offences against the European Union's financial interests.
In 2023, the EDPS opened a new office in the European Parliament in Strasbourg, France. With this new office, the EDPS provides additional support to the European Parliament in their legislative process, fulfilling their role as advisor to the EU legislator. The year also marked organisational changes within the EDPS. Specialised sectors were created to tackle ongoing and future data protection challenges, including a sector to monitor the EU's Area of Freedom, Security, and Justice; one to address individuals' complaints; another to ensure that technologies embed privacy principles throughout their development, as well as a Legal Service.
In 2024, the EDPS celebrates 24 years since its creation.
Regulation (EU) 2018/1725
The European institutions are bound by Regulation 2018/1725, which provides the same rights to data subjects as the GDPR.
When the provisions of Regulation 2018/1725 follow the same principles as the GDPR, they should be interpreted homogeneously. This is because Regulation 2018/1725 should be understood as the EU bodies and institution's equivalent to GDPR (Recital 5 Regulation 2018/1725), meaning that the two regulations should be applied in parallel (Recital 4 Regulation 2018/1725). This often makes GDPR case law applicable to the interpretation of Regulation 2018/1725.
A way to understand Regulation 2018/1725, is to see it as a combination of the GDPR and Law Enforcement Directive (LED). While earlier chapters reflect principles enshrined in the GDPR, later chapters often reflect the LED.
Of particular note is Chapter IX Regulation 2018/1725 which addresses Operational Personal Data (personal data which is processed for the purposes of carrying out law-enforcement tasks).[2] Given the specialised nature of these tasks, Regulation 2018/1725 creates carve-outs within Chapter IX for the processing of this type of data. For example, the right of access under GDPR and Regulation 2018/1725, is different to the right of access under Chapter IX. These carve outs are also reflected in the LED (Law Enforcement Directive) and in many cases Chapter IX will directly overlap in text with the LED.
Data Protection Authority
The European Data Protection Supervisor (European Data Protection Supervisor) is the data protection authority for European Union institutions, bodies, offices and agencies.
→ Details see EDPS
While the EDPS mostly relies on Regulation 2018/1725 to enforce data protection law against European Union institutions, bodies, offices and agencies, there are also specialised regulations which will apply. For example, among others, the EDPS supervises Europol which alongside Chapter IX of Regulation 2018/1725 requires the use of Regulation (EU) 2016/794 (Europol Regulation).
Judicial protection
General Court
A data subject has a right to a judicial remedy against a decision taken by the EDPS (Recital 79 and Article 64 2018/1725). In practice, this means that the General Court becomes the first instance court against a decision taken by the EDPS. Should the decision be appealed by the data subject, this will then go to the Court of Justice (CJEU) for a final decision.
Article 64 states:
1. The Court of Justice shall have jurisdiction to hear all disputes relating to the provisions of this Regulation, including claims for damages.
2. Actions against decisions of the European Data Protection Supervisor, including decisions under Article 63(3), shall be brought before the Court of Justice.
3. The Court of Justice shall have unlimited jurisdiction to review administrative fines referred to in Article 66. It may cancel, reduce or increase those fines within the limits of Article 66.
The EDPS, as an independent institution, must fund its own legal defence. As it is enforcing the law against other European Union institutions, bodies, offices and agencies, it cannot rely on, for example, the Commission's legal service. It therefore, has its own legal service who goes to Court in the institutions's behalf. The Supervision and Enforcement Unit (the unit responsible for the appealed decision) cooperates closely with the legal service.
Court of Justice of the European Union
Under Article 58 Regulation 2018/1725 the EDPS has the power to refer matters directly to the CJEU and to intervene in actions brought before the CJEU (Article 58(4) Regulation 2018/1725).
In practice, the EDPS rarely intervenes in cases that, while relevant to data protection, do not directly involve the EDPS. In these cases, the CJEU can invite the EDPS as a specialist party to give an opinion, but this does not happen often.
