Reflections Upon the Interaction between Domestic and European Personal Data Protection Legislation

Abstract

The European Council has established the first legal framework for the fundamental right to the protection of personal data, namely the Convention for the Protection of Individuals with Regard to the Automatic Processing of Personal Data (Convention 108). The right to the protection of personal data is closely linked - but not identical - to the right of private life established by Article 8 of the European Convention for the Protection of Human Rights (hereinafter, the ECHR). Article 8 of the Charter of Fundamental Rights of the European Union (hereinafter, the Charter) expressly recognized the right of private life as an autonomous fundamental right. The importance awarded by the EU to the protection of personal data is also highlighted at Article 16 of the TFEU. The protection of personal data arises out of the question of the protection of individual rights by the State and has evolved into the question of how the the State treats and uses its citizens' personal data. On the contrary, in private commercial relationships, the right to the protection of personal data has a horizontal dimension. Does the Charter's fundamental right of personal data protection have direct effect in domestic legal orders? The CJEU has not yet pronounced on the enforceability of this right, however the legal scholar has already considered that Article 16 of the TFEU can be directly invoked. To be directly enforceable in front of domestic jurisdiction, the right to the protection of personal data should be specified by a specific legislation in the EU. To have a full picture it is thus paramount to consider the details of legislation in combination with primary law.Thus, in the next European legislature, a general reform of the data protection framework is envisaged to account for the challenges posed by new technologies of information, globalisation and the increasingly common practice of using personal data to prevent criminal and terrorist actions. The legislative package for the protection of personal data concerns two proposals: a Regulation that generally covers the treatment of personal data within the EU, both in the private and public sectors, and a Directive on Data Retention that aims to prevent, detect or to pursue criminal acts. This contribution not only clarifies the specific content of companies' obligations to respect the European standard for the protection of personal data but also discusses the proposal to revise the general framework to respect the Charter's acknowledgment of the fundamental right of personal data protection. The forthcoming legislative reform will represent an important reference point for countries - such as Switzerland - that are not members of the European Union. This paper assesses whether the European legislative reform on the protection of personal data, in conjunction with national law, responds in a satisfactory manner to the challenges posed by technological evolution and widespread use of the Internet. In recent years, the question of State regulation of the processing of personal data by private companies has become urgent as allegations of unauthorized access to personal data have been hotly debated in the European press. Thus, the paper shall first analyse, the appropriateness of European and States' legislation to properly regulate the effective protection of personal data, in particular of obligations applicable to companies storing and processing personal data on European soil. Does the proposed European legislation in the context of the EU's international agreements with the US provide sufficient legal safeguards to ensure the effective protection of personal data in the post-Snowden era? Specific subparts are devoted to the European reform of companies' criminal liability in cases of cyber-attack (a) and of specific obligations imposed on providers of cloud computing services (b). In the second part, I comment on the interpretation of the European data-protection legislation, provided by the Court of Justice, regarding the obligations imposed upon 'intermediaries' that process personal data, such as the Internet service providers (a) and Internet search engines (b). The Court of Justice has interpreted the European legislation in a manner that allows courts and national authorities to impose on companies a set of safeguards to protect individuals against the infringement of copyright and privacy rights.