Data Protection Law

The EU has been central in promoting data protection laws.  The EU data protection directive applies to data processed by automated means, such as a computer, or contained in or intended to be part of a non-automated filing system, such as traditional paper filing.  It does not cover processing in the context of household or personal activities.  Also excluded are certain public security, defence and state matters.

The purpose of the data protection directive is to protect the rights of the persons whose personal data is held.  It specifies the requirements for “processing” (use) to be lawful.  The following standards must be complied with.

The personal data must be fair and accurate and, generally, up to date.  The personal data must be processed fairly and lawfully.  It must be collected for a specified and express legitimate purpose and used for that purpose only.

Data processing is legitimate only if:

  • the person concerned has unambiguously given his consent to the use or processing;
  • it is for a legitimate purpose such as the performance of a contract or similar legal relationship with the person;
  • it is for the purpose of compliance with legal obligations owed to the person;
  • it is for the protection of his vital interests;
  • it is for the performance of a task in the public interest; or
  • it is for the purpose of a legitimate interest pursued by the data controller.

It is generally prohibited to process personal data which reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership or information concerning health or sex life.  It is permissible only where there is very explicit consent, where it is necessary to protect the vital interests of the persons concerned, or for the purpose of preventative medicine or medical diagnosis.

Rights of Data Subject

The person who is the subject of the personal data must be given access to the data.  The person processing the data must identify itself, give details of the purpose and specify any third party who may receive the data.

A person is entitled to confirmation as to whether data relating to him has been processed and is entitled to copies of it.  He is entitled to rectify, erase or block data which does not comply with the provisions of the legislation, either because it is not legitimately held or used, or because it is inaccurate or incomplete.  He is entitled to notification of the disclosure of the data to third parties.

There may be restrictions on the extent of the information which must be provided. Rights of access, to publication and to limit processing may be circumscribed in the interests of national security, defence, the prosecution of criminal offences, important economic and financial interests and the protection of the person concerned.

The person to whom the data relates may object to the processing of data which relates to him.  He has the right to object, on request and free of charge, in relation to data that may be processed for the purpose of direct marketing.  He must be informed before personal data is disclosed to third parties for the purpose of direct marketing and offered the right to object.

A person or entity acting under the authority of the person controlling the data must only process the data in accordance with the data controller’s instructions.  The controller must implement measures to protect the personal data against unlawful or accidental destruction, loss or undisclosed access.  This requires the requisite security measures.

Notification of processing must be made to a national authority in some cases.

Persons have the right to a court remedy for breach of their rights.  Persons are to have a right to compensation for loss or damage caused.

The transfer of data outside the EU is permissible only where there is an adequate level of protection.

The European Union itself is subject to legislation requiring it to provide high levels of protection in relation to public personal data which it holds.  The European data protection authority monitors and enforces compliance in relation to data held by EU bodies and institutions.  Each institution has a data protection officer.

Reform and Modernisation

The General Data Protection Regulation has replaced the earlier data protection laws with a single, enhanced pan-EU piece of legislation as of 25th May 2018. It was accompanied by a directive on the protection of individuals with respect to the processing of personal data by competent authorities for the purpose of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data. It is dealt with in more detail in the section on data and information.

The GDPR seeks to improve the individual’s ability to control his or her personal data by, amongst other things, giving users the right to have personal data deleted, e.g. if they withdraw their consent or on other legitimate grounds, i.e. the right to be forgotten.  It provides for freedom to move their data from one service provider to another without hindrance.  It reinforces the right to information so that individuals better understand how their personal data is handled, particularly when being processed.

The regulation makes it easier for individuals to exercise their rights by ensuring that national data protection authorities are properly equipped to deal effectively with complaints and have powers to carry out investigations, take binding decisions and impose effective and dissuasive sanctions. It makes it easier for individuals to take action, including legal action, when a data protection violation occurs.

The GDPR seeks to reduce the risk of data security breaches by requiring the use of technologies which protect the privacy of information by minimizing the storage of personal data.  It introduces a general obligation for data controllers to notify data breaches without undue delay to both data protection authorities and the individuals concerned.

It requires data controllers to designate a data protection officer in companies with more than 250 employees and in firms which are involved in processing data where there are risks to the rights and freedoms of individuals.  Organizations must carry out data protection impact assessments.

Data Protection & Brexit

The EU provides common data protection rules regarding the processing and use of personal data. The collection and use of personal data are subject to standards in relation to transparency, legitimate use, and proportionality. Those who collect and use personal data must protect it from misuse and respect the rights of the data subjects concerned.

There are high standards of protection for the transfer of personal data between EU states and a third country. There are no equivalent protections on the transfer of non-personal data. The General Data Protection Regulation took effect on 25th May 2018.

Under the regulation, EU citizens’ personal data may be transferred to a third country only if the Commission has decided that the third country, territory or international organisation ensures an adequate level of protection and the organisation receiving the personal data has provided adequate safeguards. Individuals’ rights must be enforceable, and effective remedies for the individual must be available following the transfer.

The EU/US safe harbour was challenged based on revelations as to how the U.S. security agencies processed personal data of EU citizens. It has been replaced by the EU-U.S. Privacy Shield.

The UK should readily obtain approval on the basis that it satisfies the EU criteria based on the adequacy and equivalence of its data protection legislation (the GDPR and its associated Directive now having the force of law).

E-Privacy Laws

Businesses providing public electronic communications must ensure the security of their networks.  The regulatory authorities must be informed of any breach or loss of integrity.  Regulators may issue binding instructions to businesses providing communication networks.

The provider of electronic communication services must protect the security of services by:

  • ensuring personal data is accessed by authorised persons only
  • protecting personal data from destruction, loss or alteration
  • ensuring implementation of a security policy on the processing of data

Member states must, through legislation, ensure the confidentiality of communications over public electronic networks. Listening, tapping or storage of communications without consent is proscribed, subject to limited exceptions.

Traffic data and location data must be erased when no longer required for the conveyance of communication or billing, even if the subscriber has given consent to another use.  The protection of data may be withdrawn to allow criminal investigations or to safeguard national security, defence or public security.  This action may only be taken where necessary and proportionate in a democratic society.

Consent to Communications

Unsolicited commercial electronic communications are subject to opt-in. Users must have given prior consent.  This covers SMS, text services and other electronic messages received on any fixed or mobile terminal.  There are exceptions.

Users must give their consent for information to be stored on their terminal as cookies or for such information to be accessed. Users must receive clear and comprehensive information about the purpose of the storage or access.

Citizens must give prior consent for their telephone numbers (landline or mobile), e-mail addresses or postal addresses to appear in a public directory.

Each state must implement a system of penalties, including legal sanctions, for infringements of the directive.

Further Protections for Privacy

Providers of an electronic communication service must protect the security of their service by ensuring that personal data is accessed by authorized persons only.  Personal data must be protected from destruction, loss or accidental alteration or other unlawful or unauthorized forms of processing.  There must be a security policy on the processing of personal data.

In the case of infringement of personal data, the service provider must inform the national authority within 24 hours. If the infringement is likely to harm the personal data or privacy of a subscriber or an individual, the service provider must also inform the subscriber or individual in question, except if the service provider has put in place technological protection measures that make the data incomprehensible to any party without authorized access.

Users must give their consent for information to be stored in their terminal equipment and in relation to access to such equipment.  The user must receive clear and comprehensive information about the purpose of the storage or access.  These provisions protect the private life of users from malicious software such as viruses or spyware, and they also apply to cookies.  Cookies are hidden information exchanged between an internet user and a web server, which are stored in a file on the user’s equipment.  Their original purpose was to retain information between sessions.  They may be used to monitor net surfers’ activity.
