Data protection in the European Union 1

Welcome to the presentation on Data Protection in the European Union. My name is Atina Krajewska, and I'm a senior lecturer at the Cardiff School of Law and Politics at the Cardiff University. And I will try to summarize the area of data protection in the European Union. Although this is a very complex area and because of the time constraints, I will necessarily have to focus on certain most important aspects of the regulation of this area of law.

Let me tell you briefly what I'm going to talk about during this presentation. First of all, I will try to introduce the basic principles of data protection in the European Union. And then I will move on to discuss shortly the current regulation of data protection, which is covered at the moment by an EU directive. However, most of my presentation will be concerned with the new coming general regulation on data protection, which is still in the legislative process. But we are expecting to have an adopted regulation by the end of this year, so I think this is really important to focus on the new coming law. And finally, I will focus on the highlights and challenges of that coming piece of legislation at the European Union and hopefully come to some conclusions, although this might be difficult at this stage.

Let's start with the framework of data protection law in Europe. Many people confuse the European Union with the Council of Europe. Politicians do and many academics are often guilty of that confusion. Generally speaking, in Europe there are several legal regimes which govern the data protection. First of all, there is a European Union regime, so everything that is regulated by the European Union and within the realms of the European Union law. However, secondly, an interrelated regime is the regime established and adopted by the Council of Europe, which is an international human rights organization dealing with and focused on democratization and human rights. The most famous organ or institution of Council of Europe is the European Court of Human Rights. And the European Court of Human Rights interprets and applies the European Convention on Human Rights, and this is the main piece of legislation, the most famous one. The European Convention on Human Rights regulates data protection indirectly through Article 8, which protects and establishes, guarantees the protection and respect of privacy and private life of an individual. Within the scope of Article 8, the European Court of Human Rights has on many numerous occasions established the protection of personal data. What's more, the Council of Europe has also adopted a convention, Convention number 108, which is currently being modernized. And these adoptions, these amendments, will come into force on the 1st of September 2015. So data subjects and data controllers, which means also researchers dealing with data, will have to take this regime into account. But this is a regime which has to be obviously introduced into the national domestic legislation. Finally, we have the regime that is established by each member state, member states of the European Union or of the Council of Europe. Member states have different ways of regulating data protection law. Usually, many countries have constitutional provisions regulating and guaranteeing not only the right to privacy or the right to private life of an individual, but specifically the right to have personal data protected. So the state has a constitutional obligation to protect personal data. These provisions naturally vary to some extent, but it is fair to say that, generally speaking, the Member States not only have constitutional protections, but they also adopt statutes and acts protecting personal data. An example of this is the Data Protection Act, 1998, adopted by the UK. Similar acts exist in countries such as Germany, Poland, France, Spain, or Greece. As you can see, this is a quite complex system of data protection laws. They are all interrelated, and sometimes it's quite difficult to navigate through all the provisions that exist. And sometimes it's difficult not only for the data subjects, so people whose data are being processed, but also for data controllers or data administrators, i.e. researchers, universities, which process these personal data. It is difficult to navigate between these provisions and identify the relevant provisions. Now, it is impossible because of time constraints to talk about the whole complexities and the whole area of data protection and these different regimes. Therefore, I will focus on the European Union, which due to the changes that are coming, seems to be the most important for the research community and life sciences.