Abstract
This chapter provides an analysis of the data protection rules in EU law, focusing on the constitutional and legal developments after the entry into force of the Lisbon Treaty. It examines the jurisprudence of the Court of Justice of the EU on data protection issues, including the recent decisions of the Court on metadata retention and the new right to be forgotten. It concludes with a critical comment on the possibilities and limitations of the EU to provide for effective and comprehensive data protection.
Top2. The Eu Data Protection Regime After The Lisbon Treaty
2.1 The Lisbon Treaty and Constitutional Developments in the EU
In 2004, two failed referendums in France and the Netherlands marked the early end of the ambitious EU Constitutional Treaty (or the Treaty establishing a Constitution for Europe). Not very long after this, the Lisbon Treaty was signed on December 13, 2007 and entered into force on December 1st 2009. The Lisbon Treaty was presented by its authors –the EU Member States- as an amending Treaty of the founding Treaties of the EU that aimed to introduce only an ‘incremental change’ (Cremona, 2012, p. 40) and not the complete new legal framework that the Constitutional Treaty proposed. However, the Lisbon Treaty represents an important new departure for the EU (Berman, 2012, p. 3) and marked a new era for the EU constitutional and human rights framework in general and the right to data protection in particular.
The pre-Lisbon EU constitutional framework was built-up on the so-called three –pillar system: the first encompassed the European Community (EC) Treaty and Euratom (and formerly the Coal and Steel Community); the second the provisions on Common Foreign and Security Policy (CFSP); and the third the provisions on Police and Judicial Cooperation in Criminal Matters (PJC). The pillar structure was considered very problematic as the different pillars were comprised of different rules concerning institutions, decision-making instruments and procedures, decision-making powers, judiciary competences and the protection of human rights and fundamental freedoms (Dougan, 2007, p. 617). The Lisbon Treaty abolished the pillar system of the EU. It amended the Treaty on the European Union (TEU) and the EC Treaty by renaming the latter the Treaty on the Functioning of the EU (TFEU). Essentially, the provisions of the former first and third pillars are now found in the TFEU, while the ‘distinctive’ rules relating to the CFSP are found in the TEU. These amendments have major implications for the right to data protection that will be discussed in detail below.
At this point before the analysis moves on to discuss data protection in the post-Lisbon era, one further major development introduced by the Lisbon Treaty should be mentioned. The EU Charter of Fundamental Rights (EUCFR) was given legal force by the Lisbon Treaty and is now incorporated into European constitutional law (Anderson & Murphy, 2012, p. 155). The Charter, which constitutes the EU’s own written bill of rights, enjoys now the same legal value as the Treaties. In fact, the Lisbon Treaty recognizes in Article 6 TEU three formal sources for EU human rights law: the first is the EUCFR, the second is the accession of the EU to the European Convention for the Protection of Human Rights and Fundamental Freedoms (ECHR), and the third is the protection of fundamental rights as ‘general principles of EU law’ that have been developed by the European Court of Justice (ECJ) (now: Court of Justice of the EU (CJEU) over the years.
Key Terms in this Chapter
Processing: Any operation performed upon personal data, such as, collection, recording, storage, use, disclosure, dissemination, erasure and destruction.
Commission Proposals for a New EU Data Protection Legal Framework: Major reform of the current EU data protection legal framework proposed by the Commission in 2012 and currently under negotiation. The proposal includes a Regulation aimed to replace the Data Protection Directive, and a Directive aimed to replace the Data Protection Framework Decision.
Data Protection: A set of rules that aim to protect the rights, freedoms and interests of individuals when information related to them is being processed.
Personal Data: Information relating to an identified or identifiable natural person.
Data Retention Directive: The Directive adopted in the aftermath of the Madrid and London terrorist attacks requiring the retention of telecommunications metadata by service providers in order to fight ‘serious crime’. The Directive was invalidated by the Court of Justice of the EU on April 8 th , 2014.
Lisbon Treaty: The latest Treaty that amends the constitutional framework of the European Union. The Lisbon Treaty entered into force on December 1st, 2009.
Data Controller: The natural or legal person, which alone or jointly with others determines the purposes and means of the processing of personal data.