Article 8 of the EU Charter concerns a fundamental right which is distinct from that enshrined in Article 7 of the EU Charter and which has no equivalent in the European Convention on Human Rights (ECHR).” The adoption of the Lisbon Treaty has contributed immensely to the development of data protection by elevating the status of the EU Charter to a binding legal document. It grants the EU an independent legal basis and the power to legislate on data protection matters. Further, it provides for the protection of individuals when their personal data is processed by EU institutions. Moreover, it provides for an independent authority to oversee compliance with these rules. Based on these core principles, the EU enacted Directive 95/46/EC (Directive) on Data Protection in 1995, which, however, could not create a harmonized legal concept within the EU.
Accordingly, to achieve harmonization, in 2018 the EU promulgated the General Data Protection Regulation (GDPR) “on the protection of natural persons concerning the processing of their personal data and the free movement of such data and repealing Directive 95/46/EC.” From the outset, it was clear that the GDPR would set a threshold with international significance, given the economic weight of the EU Member States. The GDPR aimed at setting an international standard for data processing rules and, not surprisingly, triggered legislative activity throughout the world. Therefore, this book starts with a description of the GDPR and then looks at the situation in the United States, which traditionally follows a fundamentally different approach regarding the protection of personal data. While under the GDPR the processing of personal data is forbidden unless it can be justified on one of the grounds set out in Article 6, US privacy laws allow the processing of personal data unless such processing contravenes the rules and standards imposed by the law. It is noteworthy that US federal laws follow a sector-specific approach, as described in Chapter 1 of Part II. The US States, however, hold legislative competence to enact privacy laws, and the most prominent example is the California Consumer Privacy Act (CCPA), 2018, which is inspired by the GDPR. Other US States are also in the process of evaluating their position or have already enacted privacy laws, some of which have incorporated concepts of the GDPR; these are summarized in Part II. The third example is India’s draft Personal Data Protection Bill, 2019, which may be called the Personal Data Protection Act (PDPA), 2019, soon to be passed by the parliament. It is close to the European privacy concept, with a couple of noteworthy deviations.
It remains to be seen in the years to come, where this journey will end and how those various legal systems and approaches will work together – hopefully ultimately helping to shape a space of free but safe virtual travelling.
Part I
European Union: General Data Protection Regulation
The Directive was the European Union’s (EU) primary legal instrument on data protection and was effective from 13 December 1995 to 24 May 2018. During this time, the CJEU handed down numerous decisions, which may remain valid under the new data protection legislation, i.e. the GDPR. The Directive, though technologically neutral, was unable to keep pace with new technological developments. The lack of harmonization among Member States’ data protection laws led to the European Commission’s (EC) review of the legal framework of data protection in 2009 and 2010. This resulted in the publication of the proposal for the GDPR in 2012. After prolonged negotiations between the European Parliament and the Council of the EU, the GDPR was finally adopted on 14 April 2016. It provided for a two-year transition period and came into force on 25 May 2018. The purpose of the GDPR was to harmonize the protection of personal data in the EU. It is directly applicable in all EU Member States, meaning that it automatically applies in each Member State without the need for national implementing legislation. However, certain areas fall outside the EU’s legislative competence and remain a matter of national law, such as national security, the administration of justice, press regulation and labour law. Consequently, the GDPR gives the Member States certain leeway to make their own rules. This means that even after complying with the GDPR, it is still necessary to check the national laws to avoid any pitfalls. The GDPR provides a legal framework with the following main components: in addition to determining core principles and data subjects’ rights, it sets new obligations on organizations and regulates data processing agreements between companies; it also provides mechanisms for cross-border transfers. Furthermore, it enhances the powers of supervisory authorities, allowing them to impose high fines to efficiently enforce the GDPR.
It contains 11 Chapters, which include 99 articles and 173 recitals. The articles contain the operative law and the recitals help in interpreting them. The GDPR is a new law and there are not many cases decided under it. However, the most important decisions include Schrems I and Schrems II, which are discussed in the upcoming chapters. The cases decided on the basis of the earlier Directive act as a source for interpreting the provisions of the GDPR – at least where the principles on which those CJEU decisions are based have been left untouched by the GDPR.
1 GDPR Terminology
Personal Data
The GDPR defines personal data as any information relating to an identified or identifiable natural person. An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. In determining whether a natural person is identifiable, account must be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person, to identify the natural person directly or indirectly. In Breyer v. Deutschland, the CJEU, while dealing with dynamic IP addresses, held that “so far the means likely reasonably to be used by both the controller and by any other person, for information to be treated as personal data, it is not required that all the information enabling the identification of the data subject must be in the hands of one person. Thus, it appears that the online media services provider has the means which may likely reasonably be used to identify the data subject, with the assistance of other persons, namely the competent authority and the internet service provider, based on the IP addresses stored”. The above-cited case is based on the repealed Directive 95/46/EC and can be utilized in understanding the definition of personal data under the GDPR.
The GDPR classifies certain types of personal data as special categories of personal data. These are personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data to uniquely identify a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. The processing of sensitive personal data is prohibited under the GDPR unless an exception applies.
Processing means any operation or set of operations performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.