EUROPEAN UNION DATA PROTECTION LAW

Nov. 20th, 2013


Note: “Read” means read, “skim” means there’s no need to read it that carefully, and the other links are there for your interest.


Introduction

As it gets technologically easier to track and sort our data, privacy concerns arise that didn’t exist a generation ago. One way of dealing with these issues is to legislate a right to control our personal data. The European Union has done this through Directive 95/46/EC. Consider whether the EU rules meet their own goals, and whether they meet the expectations of reasonable citizens.


I. Sources of Law


1. European Convention on Human Rights, Art. 12 (1953, renewed 1994)

The European Charter for Human Rights is a quasi-constitutional document of the EU, and lists rights that anyone, including individuals, can seek to have enforced. Article 8 in particular gives an explicit right of privacy. Read Article 8, and compare this with the US concept of information privacy as described by Eugene Volokh (read his introduction and summary of information privacy speech restrictions), where free speech trumps privacy concerns.


2. Directive 95/46/EC (1995)

Directive 95/46/EC lays down the basic framework for EU data protection law. A directive is a document passed and approved by the European Union as a whole, to be implemented and interpreted by its member states. It is meant to harmonize laws across different EU countries, while allowing a degree of sovereignty in implementation. I have listed a number of hypothetical situations below. Please skim the directive, but read the articles mentioned in the hypotheticals.


Please do them before class (yes-no-maybe is fine), so that we can share our answers.


Personal data definition: Which of the following are personal data under Article 2(a)? Sensitive personal data under Article 8(1)?


Legal Bases for Processing: Per Art. 7, under which of the following can you process data? Per Art. 8, when can you process sensitive data?


Legal Basis for Transfer to a Third Country: Under Art. 25 and 26, which of the following are legal bases for transferring data to a third country, assuming you already have permission to transfer to any third parties? Note also exceptions to data protection under Articles 3 and 9.



II. EU Data Law in Practice


3. Bodil Lindqvist, European Court of Justice (2003)

Bodil Lindqvist, of Alseda, Sweden, takes a computer class. An active member of her church, she makes her class project into a website for church parishioners, with gossipy information about herself, her husband, and a number of other volunteers. She also mentions a fellow volunteer's broken foot.

The Swedish Data Inspector charges her with failing to notify them that she was going to process personal data, processing sensitive personal data without authorization, and transferring data to a third country without adequate safeguards.

Is this behavior criminal? Read the facts and summary of the case and consider the following:

I have condensed the case for this class, but if you’re interested, you can read the full opinion here.


4. Europe v Facebook, 2011 to Present

In 2011, an Austrian law student looked at Facebook’s terms of service, found them wanting with regard to data protection, and started a student group called “Europe v Facebook.” In Europe, Facebook is based in Ireland, making it subject to the Irish Data Protection Commission. The student group filed a number of complaints with the Irish Data Protection Commission on various aspects of Facebook's policies that they felt violated Directive 95/46/EC.

Please skim their objectives, and the timeline of complaints filed. Read Complaint 3, on tagging, and Complaint 15, on excess processing. Also, skim Facebook’s summary of its response, which offers concise justifications for most of those policies.

Europe v Facebook’s campaign is ongoing. The Irish Data Protection Commission has issued its first report, as well as a compliance report a year later. After some changes to their policy and negotiations, Facebook has issued some responses, but there has not yet been a final resolution. Since the cause of action comes from a directive, if the student group does not find Ireland's answer satisfactory, they may appeal to the European Court of Justice.


III. Practical Solutions for US Companies


5. Safe Harbor

Largely due to U.S. lobbying, the EU has allowed American companies to meet the Article 25 “adequate level of protection” by compliance with the FTC-run Safe Harbor program. Read the overview of the US Safe Harbor Program. Does this seem to meet the goals of 95/46/EC?

Although 95/46/EC does not cover data protection with regard to issues of national security, recent revelations of NSA monitoring have caused concern in other areas of data protection as well. This has led to renewed scrutiny of the Safe Harbor Program.


6. Standard Contractual Clauses

Directive 95/46/EC, Art. 26(2) allows data transfer outside the EU if the data is protected adequately by contract. The ECJ has affirmed that if copied exactly, these offer “adequate protection.” These standard contractual clauses can be found here. As you may guess from the contents of the standard contractual clauses, they are not very popular.


7. Binding Corporate Rules

Transfers within a company may be done under a company-wide data protection policy approved by relevant EU authorities. Read about these Binding Corporate Rules. Although it’s expensive to hire the lawyers to get approval this way, it’s tenable for larger companies to use these for internal data transfers.


 
