EU data protection reform

The EU data protection reform led to the adoption of the General Data Protection Regulation and the Data Protection Directive for the police and criminal justice system. It was prepared by the Barroso II Commission and finalized under the Juncker Commission. The reform package was pushed in particular by the EU Justice Commissioner Viviane Reding and the rapporteur in the European Parliament, the Green MEP Jan Philipp Albrecht. The package was approved by the European Parliament on April 14, 2016, came into force on May 24, 2016 and has applied since May 25, 2018.

Aims

The Commission wants to standardize the existing European and national data protection regulations. Reporting obligations for companies should be dropped. The Commission expects this to save the economy up to EUR 2.3 billion a year. In return, however, the data processing companies should be subject to increased accountability. In the future, serious data protection violations will have to be reported immediately to the national data protection supervisory authorities. The national data protection authorities, for example the Federal Data Protection Commissioner in Germany, are to be strengthened in their independence. Among other things, they should be given stronger powers to impose sanctions.

Companies that process data outside of the EU, but also offer their services within the EU, should in future be subject to the regulations of the European Union (the so-called market location principle). US companies such as Facebook would be particularly affected. The right to data portability and the right to be forgotten are to be enshrined in law for the benefit of citizens. These new rights are also aimed directly at online services such as Facebook.

In addition, the new EU data protection law should implement the principles of privacy by design (data protection through technology) and privacy by default (data protection-friendly default settings).

Procedure

From the Data Protection Directive to the overall data protection concept

The Data Protection Directive of 1995 (DSRL) was the data protection framework law of the European Union until the reform package was adopted in 2016. The draft for the 1995 directive dated from 1990, three years before the publication of the first popular web browser, Mosaic. This gave rise to some problems with modern technologies, e.g. in communication networks, in the area of IoT or in social networks. These could be solved thanks to the technology-neutral approach of the DSRL, but in the context of digitization the rules seemed to have neither the necessary degree of harmonization nor the necessary effectiveness to guarantee the right to the protection of personal data.

In the Stockholm Program, the Council instructed the Commission to "evaluate the functioning of the various legal instruments on data protection and, if necessary, to submit further legislative and non-legislative initiatives". For its part, Parliament "calls on the Council and the Commission to take the initiative and create a global platform for the development of [...] [of] standards [for data protection]".

The Commission had already started this assessment: in 2009 it carried out a consultation and commissioned several studies. The Article 29 Working Party made comments. Overall, it was found that the main principles of the directive are still valid and that their technology neutrality should be maintained - however, it was also found that some aspects are problematic and raise specific problems.

On September 16, 2010, Viviane Reding announced a plan to amend the Data Protection Directive, which was published on November 4, 2010 as the "Overall concept for data protection in the European Union".

The Commission identified five problem areas of the old regulation:

  1. Mastery of the effects of new technologies: In particular, the LfD Berlin Alexander Dix, the Austrian Federal Chamber of Labor and the vzbv emphasized problems of digitization, e.g. data protection requirements for the terms of use of social networks (LfD Berlin and Federal Chamber of Labor) or smart meters (vzbv). The Commission noted that "the application of data protection principles to new technologies needs to be clarified and specified in order to ensure that personal data are effectively protected regardless of the technology used to process them, and that data controllers are fully aware of the effects of new technologies on data protection" and that the ePrivacy Directive in particular only partially regulated these aspects.
  2. Internal market dimension of data protection: Many companies and their associations, such as BITKOM, GDV and Microsoft, took the position that differing levels of data protection were a problem. The Commission found that "according to the respondents [...] legal certainty should be increased, administrative burdens reduced and a level playing field for business and other data controllers guaranteed".
  3. Dealing with globalization and improving international data transfers: In particular, companies headquartered outside Europe, such as eBay and Intel, and also the European representation of AmCham, complained about the high standards that had to be met for data transfers outside Europe. They praised the old regulations, however, in particular for the possibility of binding corporate rules and the simplicity of recognition by other data protection authorities as soon as one EU data protection authority has declared them to be acceptable.
  4. Reinforced institutional framework for effective enforcement of data protection rules: All parties involved agreed that data protection authorities should be given more powers to better enforce data protection compliance. Some organizations also asked for more transparency in the work of the data protection group and clear information about its tasks and powers.
  5. More coherent data protection regime: All parties involved, with the exception of Europol and Eurojust, felt that there is a need for an overarching regime that applies to data processing in all sectors and policies of the Union. This would ensure a coherent approach and seamless, coherent and effective protection.

Deliberations in Parliament and in the Council

The proposal for the data protection package was presented by Viviane Reding on October 25, 2012. In terms of regulation, the data protection reform was implemented through two legal acts. The Data Protection Directive for police and criminal justice was introduced for police and judicial cooperation in criminal matters. It succeeds Framework Decision 2008/977/JHA; as an EU directive, it must first be transposed into national law by the member states. In all other areas, a new General Data Protection Regulation regulates data protection. This regulation replaces the Data Protection Directive 95/46/EC, which had been in force since 1995; as an EU regulation, it is directly effective in the member states.

On 21 October 2013, the European Parliament adopted its negotiating position for the two instruments of the data protection reform. In this decision, prepared by the two rapporteurs Jan Philipp Albrecht and Dimitris Droutsas, Parliament called for the rapid adoption of strong data protection rules.

The draft reform was then negotiated in the EU Council of Ministers, with key parts of the regulation being changed in favor of weaker data protection. Only in June 2015 did the EU justice ministers agree on a draft of the EU General Data Protection Regulation.

This was followed by the coordination negotiations between the Council, the European Parliament and the European Commission (the so-called trialogue). An informal agreement reached between Parliament and Council on December 15, 2015, was adopted by a large majority on December 17 by the Parliament's Committee on Home Affairs and Legal Affairs.

On April 14, 2016, the European Parliament approved the data protection reform. On May 4, 2016, the General Data Protection Regulation (Regulation (EU) 2016/679) and the Data Protection Directive for Police and Criminal Justice (Directive (EU) 2016/680) were published in the Official Journal of the European Union. The EU member states have two years to transpose the provisions of the directive into national law. Due to the exceptions that Denmark and Great Britain negotiated in the area of justice and home affairs, the provisions of the directive will only apply to a limited extent there.
