Friday, 25 January 2008

EU Treaty of Lisbon: Personal data protection

Internationally, the protection of personal data can be seen as a particular European sensitivity, where balance is sought between concerns for privacy and security. The different approaches between the European Union and the United States of America have led to protracted negotiations on both commercial use and security measures.

Internally, the European Community (EC) introduced common norms on the protection of personal data, binding the member states, generally in Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and concerning telecommunications in Directive 97/66/EC, repealed and replaced by Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications).

The Treaty of Maastricht filled a gap concerning protection of personal data held by the EC itself. On the basis of Article 286 TEC a Regulation has been enacted: Regulation (EC) No 45/2001 of the European Parliament and of the Council of 18 December 2000 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.

The scope of Regulation 45/2001 is restricted to European Community legislation; the intergovernmental pillars, the common foreign and security policy (CFSP) and police and judicial cooperation in criminal matters, remain outside the scope of the Regulation.

***

On the other hand, Article 8 of the Charter of Fundamental Rights of the European Union (OJ 14.12.2007 C 303/4) lays down a general right to protection of personal data:

Article 8
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.

3. Compliance with these rules shall be subject to control by an independent authority.

***

The Explanations relating to the Charter of Fundamental Rights give the following background to Article 8 (OJ 14.12.2007 C 303/20):

Explanation on Article 8 — Protection of personal data

This Article has been based on Article 286 of the Treaty establishing the European Community and Directive 95/46/EC of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31) as well as on Article 8 of the ECHR and on the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data, which has been ratified by all the Member States. Article 286 of the EC Treaty is now replaced by Article 16 of the Treaty on the Functioning of the European Union and Article 39 of the Treaty on European Union. Reference is also made to Regulation (EC) No 45/2001 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (OJ L 8, 12.1.2001, p. 1). The above-mentioned Directive and Regulation contain conditions and limitations for the exercise of the right to the protection of personal data.

***

The Treaty of Lisbon introduces a new Article 25a in the Treaty on European Union (TEU) (OJ 17.12.2007 C 306/31):

45) Articles 26 and 27 shall be repealed. The following Articles 25a and 25b shall be inserted, with Article 25b replacing Article 47:

Article 25a

In accordance with Article 16 B of the Treaty on the Functioning of the European Union and by way of derogation from paragraph 2 thereof, the Council shall adopt a decision laying down the rules relating to the protection of individuals with regard to the processing of personal data by the Member States when carrying out activities which fall within the scope of this Chapter, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

Since the proposed new Article 25a refers to Article 16b of the Treaty on the Functioning of the European Union (TFEU), we have to look up Article 16b TFEU, as amended:

29) An Article 16 B shall be inserted, replacing Article 286:

Article 16b TFEU

1. Everyone has the right to the protection of personal data concerning them.

2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedure, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 25a of the Treaty on European Union.

***

Since Article 16b TFEU replaces Article 286 of the Treaty establishing the European Community (TEC), we have to take a look at that:

Article 286 TEC

1. From 1 January 1999, Community acts on the protection of individuals with regard to the processing of personal data and the free movement of such data shall apply to the institutions and bodies set up by, or on the basis of, this Treaty.

2. Before the date referred to in paragraph 1, the Council, acting in accordance with the procedure referred to in Article 251, shall establish an independent supervisory body responsible for monitoring the application of such Community acts to Community institutions and bodies and shall adopt any other relevant provisions as appropriate.

***

The Convention proposed a unitary legal basis for protection of personal data in the draft Treaty establishing a Constitution for Europe Article I-50 (OJ 18.7.2003 C 169/20):

Article 50
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. A European law shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union Institutions, bodies and agencies, and by the Member States when carrying out activities which come under the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of an independent authority.

***

The Treaty establishing a Constitution for Europe took over the Convention’s proposal almost ‘verbatim’ in Article I-51 (OJ 16.12.2004 C 310/36):

Article I-51
Protection of personal data

1. Everyone has the right to the protection of personal data concerning him or her.

2. European laws or framework laws shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of independent authorities.

***

Annexed to the Constitutional Treaty was a joint Declaration (number 10) on Article I-51, which gave an indication of the sensitivities of the member state governments (OJ 16.12.2004 C 310/423):

10. Declaration on Article I-51

The Conference declares that, whenever rules on protection of personal data to be adopted on the basis of Article I-51 could have direct implications for national security, due account will have to be taken of the specific characteristics of the matter. It recalls that the legislation presently applicable (see in particular Directive 95/46/EC) includes specific derogations in this regard.

***

If the Convention and the Constitutional Treaty had a unitary approach, taking into consideration the restrictions implied by Declaration 10, the Lisbon Treaty hollowed out the general provision in accordance with the IGC 2007 Mandate (Council document 11218/07, point 15): There will also be a specific legal basis on personal data protection in the CFSP area. – Footnote 7 added: With regard to the processing of such data by the Member States when carrying out activities which fall within the CFSP and ESDP and the movement of such data.

The specific legal basis for Chapter 2 (Specific provisions on the common foreign and security policy), Article 25a TEU in the Reform Treaty, follows from the mandate of the intergovernmental conference. The purpose of the new Article seems to be to offer leeway to the Union and member states’ governments in questions related to security.

***

Next time we look at Article 25b TEU.


Ralf Grahn