Skip to main content
SpringerLink
Log in

The Differences Between the Selected Member States and the Recommendations for a Further Harmonisation in the Post Lisbon Era

  • Chapter
  • First Online:
Market Integration Through Data Protection

Part of the book series: Law, Governance and Technology Series ((LGTS,volume 9))

  • 1050 Accesses

Abstract

In this chapter I will make some recommendations that impact on all processing of personal data, taking on board the ‘improvements’ currently incorporated by the EU Commission Proposal for a General Data Protection Regulation. However, they are made from the perspective of the selected industries, i.e., they are concentrated on the three sectors that were analysed in this book: insurance, banking, and credit reporting. Although these recommendations are not exhaustive, since they are limited by the scope of this book, they intend to contribute to the debate about the review of the General Data Protection Directive in the post Lisbon Treaty era. The recommendations will concentrate on the following topics: concept of personal data, consent, the data protection officer, the mutual recognition system, and codes of conduct.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 84.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 109.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 109.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    European Parliament. SWIFT: MEPs to Vote on Backing or Sacking EU/US Data Sharing Deal. http://www.europarl.europa.eu/news/public/story_page/019-68537-039-02-07-902-20100205STO68536-2010-08-02-2010/default_en.htm. Accessed 19 February 2010.

  2. 2.

    In this sense, see European Commission. Draft communication from the commission to the European parliament, the council, the economic and social committee and the committee of the regions [COM(2010) 609 final]. http://ec.europa.eu/justice/news/consulting public/0006/com_2010_609_en.pdf. 22 Jan 2011.

  3. 3.

    Available at http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:C:2010:083:0335:0360:EN:PDF. Accessed 3 August 2011.

  4. 4.

    This article is included in Chapter 2 of the Treaty, entitled ‘Specific Provisions on the Common Foreign and Security Policy’.

  5. 5.

    European Economic and Social Committee. Opinion on proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data on the free movement of such data (General Data Protection Regulation). SOC/45. 23 May 2012. 2012. P. 6.

  6. 6.

    Available at http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm. Accessed 7 April 2012.

  7. 7.

    European Data Protection Supervisor. Op. Cit. 2012. P. 3.

  8. 8.

    European Commission. Draft Communication to the European Parliament, The Council, The Economic and Social Committee and The Committee of the Regions on a comprehensive approach on personal data protection in the European Union. Op. cit. P. 10.

  9. 9.

    The DG INFSO “is of the view that taken as a whole the draft DP Regulation would have significant negative effects on the development of the digital economy and jeopardise the Commission’s Digital Agenda.” Information Society and Media Directorate General (INFSO). Reply to the interservice consultation launched by DG JUST on the draft proposal of a DP Regulation and a draft proposal of a Police and Criminal Justice DP Directive. 22 December 2011. P. 4.

  10. 10.

    Ibid. P. 5. “The concept of ‘personal data’ is one of the key concepts for the protection of individuals by the current EU data protection instruments (…).”

  11. 11.

    Charlesworth, Andrew. Op. Cit. P. 939.

  12. 12.

    Doneda, Danilo and Viola de Azevedo Cunha, Mario. Data Protection as a Trade Resource in Mercosur. Op. cit. P. 366.

  13. 13.

    Austria and Switzerland have adopted the same approach. See Bygrave, Lee A. and Schartum, Dag Wiese, “Consent, Proportionality and Collective Power” in Reinventing Data Protection?, ed. Serge Gutwirth et al. (Springer, 2009), 168.

  14. 14.

    European Economic and Social Committee. Op. cit. P. 10.

  15. 15.

    See, for instance, Giovanni Buttarelli, Speaking points of the Assistant European Data Protection Supervisor on the Council Working Group on e-Justice and interconnection of insolvency registers, 15 July 2009. http://www.edps.europa.eu/EDPSWEB/webdav/shared/Documents/EDPS/Publications/Speeches/2009/09-07-15_eJustice_insolvency_EN.pdf. Accessed 4 January 2011.

  16. 16.

    European Court of Human Rights. Société Colas Est v. France case. Application nº 37971/97 (16/04/2002). http://cmiskp.echr.coe.int/tkp197/view.asp?item=1&portal=hbkm&action=html&highlight=37971/97&sessionid=64275468&skin=hudoc-en. Accessed 4 January 2011.

  17. 17.

    De Hert, Paul and Gutwirth, Serge, “Data Protection in the Case Law of Strasbourg and Luxemburg: Constitutionalisation in Action.” Reinventing Data Protection?, Gutwirth, Serge et al. (editors). Springer, 2009. P. 17. “The Court has even gone so far as to recognise privacy protection to firms and business activities, which is non-mandatory feature of data protection regulation (which optionally allows Members States to recognise data protection rights not only to natural persons but also to legal persons).”

  18. 18.

    Article 29 Working Party, Opinion 4/2007 on the concept of personal data, Op. cit.: 23. “Some provisions of the e-privacy Directive 2002/58/EC extend to legal persons. Article 1 thereof provides that ‘2. The provisions of this Directive particularise and complement Directive 94/46/EC for the purposes mentioned in paragraph 1. Moreover, they provide for protection of the legitimate interests of subscribers who are legal persons.’ Accordingly, Articles 12 and 13 extend the application of some provisions concerning directories of subscribers and unsolicited communication also to legal persons.”

  19. 19.

    Article 4 (1).

  20. 20.

    European Data Protection Supervisor, Opinion of 18 January 2011 on the Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions—“A comprehensive approach on personal data protection in the European Union”, http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-01-14_Personal_Data_Protection_EN.pdf. Accessed 9 January 2011: 13.

  21. 21.

    Maclean, Alasdair R. The doctrine of informed consent: does it exist and has it crossed the Atlantic? Legal Studies, Vol. 24 (2004). P. 391.

  22. 22.

    Ibid. P. 392.

  23. 23.

    O’Neill, Onora. Informed Consent and Genetic Information. Studies in History and Philosophy of Biological and Biomedical Sciences, Vol. 32, No. 4 (2001). P. 693.

  24. 24.

    Lazer, David; Mayer-Schönberger, Viktor. Statutory Frameworks for Regulating Information Flows: Drawing Lessons for the DNA Data Banks from other Government Data Systems. Journal of Law, Medicine & Ethics, Vol. 34 (2006). P. 367.

  25. 25.

    Article 29 Working Party. Opinion 15/2011 on the definition of consent. Op. cit. P. 14. “While a situation of subordination is often the main reason preventing consent to be free, other contextual elements can influence the decision of the data subject. They can have for instance a financial dimension, or an emotional or a practical dimension. The fact that the collection of data is performed by a public authority can also have some influence on the data subject. It can however be difficult to draw the line between a simple incentive and something that has a real influence on the freedom of the data subject to exercise a choice.

  26. 26.

    For the sense the word consideration is used in this book, see footnote 99 of Chap. 1.

  27. 27.

    Solove, Daniel J. The digital person. Op. cit. P. 60. Solove in another article quotes an example presented by Paul M. Schartz, which demonstrates the fragility of consent. In Solove, Daniel J. Identity Theft, Privacy, and the Architecture of Vulnerability. Hastings Law Journal, Vol. 54 (2003–2003). P. 1234/1235. “Schartz notes how consent screens on a website asking users to relinquish control over information often do so on a ‘take-it-or-leave-it basis’ resulting in the ‘fiction’ that people have ‘expressed informed consent to [the website’s] data processing practices.’”

  28. 28.

    Solove, Daniel J. Privacy and Power: Computer Databases and Metaphors for Information Privacy. Standford Law Review, Vol. 53 (2000–2001). P. 1427.

  29. 29.

    Ibid. P. 1459.

  30. 30.

    Whitley, Edgard A. Informational privacy, consent and the “control” of personal data. Information Security Technical Report, Vol. 14 (2009). P. 156.

  31. 31.

    Rouvroy, Antoinette, Poullet, Yves. The right to informational self-determination and the value of self-development: Reassessing the importance of privacy for democracy. In Reinventing data protection? ed. Serge Gutwirth et al. Dordrecht: Springer. P. 73.

  32. 32.

    Charlesworth, Andrew. Op. cit. P. 942.

  33. 33.

    Charlesworth, Andrew. Op. cit. P. 943.

  34. 34.

    Bryce, Jo and Klang, Mathias. Young people, disclosure of personal information and online privacy: Control, choice and consequences. Information Security Technical report, Vol. 14 (2009). P. 163.

  35. 35.

    See item 1.3.1.1.

  36. 36.

    Article 29 Working Party. Opinion 15/2011 on the definition of consent. Op. cit. P. 12. “Consent can only be valid if the data subject is able to exercise a real choice, and there is no risk of deception, intimidation, coercion or significant negative consequences if he/she does not consent. If the consequences of consenting undermine individuals’ freedom of choice, consent would not be free.”

  37. 37.

    European Data Protection Supervisor. Op. cit. 2012. P. 21.

  38. 38.

    Information Society and Media Directorate General (INFSO). Reply to the interservice consultation launched by DG JUST on the draft proposal of a DP Regulation and a draft proposal of a Police and Criminal Justice DP Directive. 22 December 2011. P. 8.

  39. 39.

    See also article 19 of the EU Commission Proposal for a General Data Protection Regulation: Article 19—Right to object.

    1. 1.

      The data subject shall have the right to object, on grounds relating to their particular situation, at any time to the processing of personal data which is based on points (d), (e) and (f) of Article 6 (1), unless the controller demonstrates compelling legitimate grounds for the processing which override the interests or fundamental rights and freedoms of the data subject.

    2. 2.

      Where personal data are processed for direct marketing purposes, the data subject shall have the right to object free of charge to the processing of their personal data for such marketing. This right shall be explicitly offered to the data subject in an intelligible manner and shall be clearly distinguishable from other information.

    3. 3.

      Where an objection is upheld pursuant to paragraphs 1 and 2, the controller shall no longer use or otherwise process the personal data concerned.

  40. 40.

    Article 29 Working Party; Working Party on Police and Justice. Op. cit. P. 13. “They should be obliged to take technological data protection into account already at the planning stage of information-technological procedures and systems. Providers of such services as well as controllers should demonstrate that they have taken all measures required to comply with these requirements.”

  41. 41.

    In the same sense see Linkomles, Laura. European Union to Strengthen Privacy Framework. Privacy Laws & Business. Issue 103. February 2010. P. 7. “The European Digital Rights Initiative (EDRi) calls for more transparency and data minimisation. The group says: < < A revision of the directive should include stronger principles ensuring the minimisation of the collection and processing of personal data. The criterion should be ‘adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed’ has proven to be an inadequate threshold for judging legitimate versus illegitimate collection of personal data. Firstly, this standard should be made more strict, by allowing only the collection of data which is ‘strictly necessary’ for the purposes. Secondly, the ‘legitimate interest’ test under which most of these purposes are evaluated, should be interpreted so as to minimise the collection and processing of personal data.”

  42. 42.

    Article 29 Working Party; Working Party on Police and Justice. Op. cit. P. 13.

  43. 43.

    Article 23—Data protection by design and by default

    1. 1.

      Having regard to the state of the art and the cost of implementation, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures and procedures in such a way that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

    2. 2.

      The controller shall implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing and are especially not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage. In particular, those mechanisms shall ensure that by default personal data are not made accessible to an indefinite number of individuals.

    3. 3.

      The Commission shall be empowered to adopt delegated acts in accordance with Article 86 for the purpose of specifying any further criteria and requirements for appropriate measures and mechanisms referred to in paragraph 1 and 2, in particular for data protection by design requirements applicable across sectors, products and services.

    4. 4.

      The Commission may lay down technical standards for the requirements laid down in paragraph 1 and 2. Those implementing acts shall be adopted in accordance with the examination procedure referred to in Article 87 (2).

  44. 44.

    Laffaire, Marie-Laure. Op. cit. P. 195. “Ce système a déjà été adopté et consacré par plusieurs autres états membres: le Luxembourg, l’Allemagne, les Pays-bas, l Suède, la Finlande et la Belgique. Dans certains cas ce détaché est obligatoire, dans d’autres il est facultatif.”

  45. 45.

    See Article 41 of Regulation 45/2001.

  46. 46.

    See, for instance, the French Data Protection Act.

  47. 47.

    European Commission. Draft Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on a comprehensive approach on personal data protection in the European Union. Available at http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf. Accessed 29 March 2011. P. 12.

  48. 48.

    Article 35.

  49. 49.

    European Data Protection Supervisor. Op. Cit. 2012. P. 34.

  50. 50.

    Information Society and Media Directorate General (INFSO). Op. cit. 2011. P. 15.

  51. 51.

    Belleil, Arnaud. La regulation economique des données personnelles? In LEGICOM nº 42—2009/1. La régulation des données personnelles. Victoires Éditions: Paris, 2009. P. 149. “En Europe le chantier n’est pas partout au point mort. Une riche expérience a été acquise par l’autorité de protection du Schwelsig Holstein (Allemagne), véritable précurseurs européen en matière de délivrance de label protection des données personnelles (Datenschutz-Gütesiegel).”

  52. 52.

    About the importance of the principle of mutual recognition for an integration process see Schmidt, Susanne K. Mutual Recognition as a new mode of governance, in Journal of European Public Policy 14:5 August 2007. P. 671.

  53. 53.

    Griffin, Patrick B. Delaware Effect: Keeping the Tiger in Its Cage—The European Experience on Mutual Recognition in Financial Services. 7 Colum. J. Eur. L. 337 (2001). P. 337.

  54. 54.

    Charlesworth, Andrew. Op. cit. P. 949.

  55. 55.

    Linkomles, Laura. European Union to Strengthen Privacy Framework. Privacy Laws & Business. Issue 103. February 2010. P. 7. “On applicable law, the group supports the suggestions by Francis Aldhouse, the former UK Deputy Information Commissioner, who advocates the system of mutual recognition: < < Applying their experience since 1995, national data protection authorities have, through the Article 29 Working Party and other means, generated great consensus on the application of the law. With the increased understanding and confidence between national governments and regulators, the time is now right to amend the Directive and adopt the practice of home-country regulation. The system of mutual recognition, which is well precedented in the European Union, would allow users of personal information operating in more than one European state to be subject only to the law and regulation of one of those states. Those providing information services from outside Europe in more than one European state would similarly be subject to the jurisdiction of a single European regulator. None of these changes would prejudice the rights of individuals to secure a remedy in their home jurisdiction.”

  56. 56.

    Charlesworth, Andrew. Op. cit. P. 955.

  57. 57.

    European Commission. Explanatory Memorandum to the Proposal for a Regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM (2012) 11 final. Published 25 January 2012. Available at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. Accessed 7 April 2012. P. 13.

  58. 58.

    Costa, Luiz; Poullet, Yves. Op. cit. P. 261. “We underline the strange role played by the Commission according to Articles 59, 60 and 61, which enact that in a last resort the Commission may adopt an opinion to ensure ‘correct and consistent application of this Regulation’. Such opinion must be taken into ‘utmost account’ by the supervisory authority otherwise it may see its measure suspended.”

  59. 59.

    See Article 62.

  60. 60.

    ARTICLE 29 Data Protection Working Party. Opinion 01/2012 on the data protection reform proposal. WP 191. Adopted on 23 March 2012. P. 18.

  61. 61.

    See, for instance, Article 29 Working Party. Contribution to the public consultation of DG MARKET on the report of the Expert Group on Credit Histories. Op. cit. P. 6.

  62. 62.

    European Commission. Draft Communication to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions on a comprehensive approach on personal data protection in the European Union. Op. cit. P. 12.

  63. 63.

    See article 27 of Directive 95/46/EC.

  64. 64.

    Actually, who analyses the ‘Community Codes’ is the Article 29 Working Party, whose decisions do not have a binding effect. See Article 27 (3) of Directive 95/46/EC.

  65. 65.

    Charlesworth, Andrew. Op. cit. P. 967.

  66. 66.

    European Commission. Explanatory Memorandum to the Proposal for a Regulation of the European Parliament and of the Council on the protection of individual with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). Op. cit. P. 11.

  67. 67.

    See article 38 of the EU Commission Proposal for a General Data Protection Regulation.

References

  • Belleil, Arnaud. 2009. La regulation economique des données personnelles? In LEGICOM nº 42–2009/1. La régulation des données personnelles. Paris: Victoires Éditions.

    Google Scholar 

  • Bryce, Jo, and Mathias Klang. 2009. Young people, disclosure of personal information and online privacy: Control, choice and consequences. Information Security Technical Report 14(3): 160–166.

    Article  Google Scholar 

  • Buttarelli, Giovanni. 2009. Speaking points of the assistant European data protection supervisor on the council working group on e-justice and interconnection of insolvency registers. 15 July. http://www.edps.europa.eu/EDPSWEB/webdav/shared/Documents/EDPS/Publications/Speeches/2009/09-07-15_eJustice_insolvency_EN.pdf. 4 Jan 2011.

  • Bygrave, Lee A., and Dag Wiese Schartum. 2009. Consent, proportionality and collective power. In Reinventing data protection? ed. Serge Gutwirth et al. Dordrecht: Springer.

    Google Scholar 

  • De Hert, Paul, and Serge Gutwirth. 2009. Data protection in the case law of Strasbourg and Luxemburg: Constitutionalisation in action. In Reinventing data protection? ed. Serge Gutwirth et al. Dordrecht: Springer.

    Google Scholar 

  • Griffin, Patrick B. 2001. Delaware effect: Keeping the tiger in its cage—The European experience on mutual recognition in financial services. Columbia Journal of European Law 7: 337.

    Google Scholar 

  • Lazer, David, and Viktor Mayer-Schönberger. 2006. Statutory frameworks for regulating information flows: Drawing lessons for the DNA data banks from other government data systems. The Journal of Law, Medicine & Ethics 34(2): 366–374.

    Article  Google Scholar 

  • Linkomles, Laura. 2010b. European Union to strengthen privacy framework. Privacy Laws & Business Issue 103, Feb 2010.

    Google Scholar 

  • Maclean, Alasdair R. 2004. The doctrine of informed consent: Does it exist and has it crossed the Atlantic? Legal Studies 24(3): 386–413.

    Article  Google Scholar 

  • O’Neill, Onora. 2001. Informed consent and genetic information. Studies in History and Philosophy of Biological and Biomedical Sciences 32(4): 689–704.

    Article  Google Scholar 

  • Schmidt, Susanne K. 2007. Mutual recognition as a new mode of governance. Journal of European Public Policy 14(5): 667–681.

    Article  Google Scholar 

  • Solove, Daniel. 2000–2001. Privacy and power: Computer databases and metaphors for information privacy. Stanford Law Review 53: 1393–1462.

    Article  Google Scholar 

  • Solove, Daniel. 2003. Identity theft, privacy, and the architecture of vulnerability. Hastings Law Journal 54: 1227.

    Google Scholar 

  • Whitley, Edgard A. 2009. Informational privacy, consent and the “control” of personal data. Information Security Technical Report 14(3): 154–159.

    Article  Google Scholar 

  • Article 29 Working Party on Data Protection. Opinion 01/2012 on the data protection reform proposal. WP 191. Adopted on 23 Mar 2012.

    Google Scholar 

  • European Commission. Draft communication from the commission to the European parliament, the council, the economic and social committee and the committee of the regions [COM(2010) 609 final]. http://ec.europa.eu/justice/news/consulting_public/0006/com_2010_609_en.pdf. 22 Jan 2011.

  • European Commission. 2012. Explanatory memorandum to the proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). COM (2012) 11 final. Published 25 January. Available at http://ec.europa.eu/justice/data-protection/document/review2012/com_2012_11_en.pdf. 7 Apr 2012.

  • European Data Protection Supervisor. Opinion on the communication from the commission to the European parliament, the council and the economic and social committee and the committee of the regions—“A comprehensive approach on personal data protection in the European Union. Available at http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2011/11-01-14_Personal_Data_Protection_EN.pdf. 29 Mar 2011.

  • European Data Protection Supervisor. Opinion on the data protection reform package. Available at http://www.edps.europa.eu/EDPSWEB/webdav/site/mySite/shared/Documents/Consultation/Opinions/2012/12-03-07_EDPS_Reform_package_EN.pdf. Accessed 23 Sept 2012.

  • European Economic and Social Committee. 2012. Opinion on proposal for a regulation of the European parliament and of the council on the protection of individuals with regard to the processing of personal data on the free movement of such data (General Data Protection Regulation). SOC/45. 23 May.

    Google Scholar 

  • European Parliament. Swift: Meps to vote on backing or sacking eu/us data sharing deal. Available at http://www.europarl.europa.eu/news/public/story_page/019-68537-039-02-07-902-20100205sto68536-2010-08-02-2010/default_en.htm. 19 Feb 2010.

  • Information Society and Media Directorate General (INFSO). Reply to the interservice consultation launched by dg just on the draft proposal of a DP regulation and a draft proposal of a police and criminal justice DP directive. 22 Dec 2011.

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Centro de Estudos e Pesquisas no Ensino do Direito, Rio de Janeiro State University Centro, Rio de Janeiro, Rio de Janeiro, Brazil

    Mario Viola de Azevedo Cunha

Authors
  1. Mario Viola de Azevedo Cunha
    View author publications

    You can also search for this author in PubMed Google Scholar

Rights and permissions

Reprints and permissions

Copyright information

© 2013 Springer Science+Business Media Dordrecht.

About this chapter

Cite this chapter

de Azevedo Cunha, M.V. (2013). The Differences Between the Selected Member States and the Recommendations for a Further Harmonisation in the Post Lisbon Era. In: Market Integration Through Data Protection. Law, Governance and Technology Series, vol 9. Springer, Dordrecht. https://doi.org/10.1007/978-94-007-6085-1_6

Download citation

Publish with us

Policies and ethics

Search

Navigation