In the 1980s and 90s, technological innovations occurred by leaps and bounds. The PC (personal computer) revolution had a major impact on businesses and households. The pervasiveness of the PC meant that data was shared and exchanged among businesses and individuals on a regular basis.
Convention 108 and the OECD Guidelines had resulted in a patchwork of domestic legislation. EU member states felt there was insufficient protection for individual privacy rights.
In 1995, the Council of European Union and the European Parliament adopted the Data Protection Directive of 1995 (Directive 95/46/EC). The Directive’s goal was to set minimum standards for privacy and security across the EU. The Directive sought to have consistency and harmony in the way businesses applied data protection across the EU. This was done to create a level playing field for businesses and to prevent forum shopping by organizations so that individual privacy rights could be protected in all member states.
However, the Data Protection Directive had major limitations.
One, as a directive it lacked specificity on domestic application. EU law states that, “A “directive” is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.” Thus, member states had discretion in the manner in which they implemented the Directive into their domestic legislation. This often led to inconsistency in privacy and data protection laws across EU states.
Two, the Data Protection Directive lacked enforcement mechanisms. Thus, violators faced few consequences.
Rapid technological advancements that created massive data sharing, and inconsistent and unenforceable privacy mechanisms led to the realization that the EU needed a harmonised approach to data protection. By 2000s, the European Parliament and European Commission began drafting the framework for a new privacy regulation that eventually led to the GDPR.
In 2016, the Data Protection Directive was repealed by the GDPR.
*See my detailed summary on the Data Protection Directive of 1995 (Directive 95/46/EC) here.
—————-
The Charter of Fundamental Rights of the European Union (2009) is one of the most significant human rights instruments in the EU. It enshrines the fundamental rights and freedoms of the people in the EU. It is the EU’s bill of rights. Under the Treaty of Lisbon, the EU Charter became a binding legal instrument on all EU member states and institutions in 2009.
The EU Charter explicitly recognizes privacy rights. Articles 7, 8, and 52 (reproduced below) are the key articles that give EU data subjects the right to privacy over their personal data, and provide a framework for the Courts and member states on restrictions and limitations of those rights. The Court of Justice of the European Union (CJEU) interprets and adjudicates Charter claims and violations.
Article 7 Respect for private and family life
Everyone has the right to respect for his or her private and family life, home and communications)
Article 8 Protection of personal data
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Article 52 Scope of guaranteed rights
1. Any limitation on the exercise of the rights and freedoms recognised by this Charter must be provided for by law and respect the essence of those rights and freedoms. Subject to the principle of proportionality, limitations may be made only if they are necessary and genuinely meet objectives of general interest recognised by the Union or the need to protect the rights and freedoms of others.
2. Rights recognised by this Charter which are based on the Community Treaties or the Treaty on European Union shall be exercised under the conditions and within the limits defined by those Treaties.
3. In so far as this Charter contains rights which correspond to rights guaranteed by the Convention for the Protection of Human Rights and Fundamental Freedoms, the meaning and scope of those rights shall be the same as those laid down by the said Convention. This provision shall not prevent Union law providing more extensive protection.
