The Evolution of Data Protection Law
Data exists everywhere in 2015. It has evolved from a necessary procedural function into a fundamental component of modern society. Such progress requires adequate legislative development in order to safeguard democratic rights. Moreover, this transformative importance now places an expectation of responsibility on data controllers, data processors and data subjects who must respect the values inherent in data protection law. Such law is more than a mere safeguard against potential infringement. Rather, it serves to balance privacy and data use without sacrificing one for the benefit of the other.The right to privacy was first outlined in European law in Article 8 of the 1950 European Convention on Human Rights (the Convention); 'Right to respect for private and family life'. Although not containing any explicit mention of data protection, privacy law deriving from the Convention has developed to include the right to the protection of personal data. The Charter of Fundamental Rights of the European Union (the Charter) which was proclaimed in 2000 went further than the Convention, echoing the earlier proclamation concerning privacy in Article 7 and making specific reference to personal data via Article 8:
1. Everyone has the right to the protection of personal data concerning him or her.
2. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
3. Compliance with these rules shall be subject to control by an independent authority.
In Ireland, the right to privacy is widely viewed and understood as a fundamental human right, and is recognised by Bunreacht na hÉireann, the Charter and the Convention. However, the right is not absolute which thus permits an element of flexibility to be afforded when balancing priorities. Moreover, it could be argued that if privacy is a concept with no common core it may be difficult to find a definitive right to privacy across changeable social arrangements. This would make the right to data protection quite different to classical civil rights such as life or freedom, which are regarded as beyond interpretation or discussion.
Nevertheless, in the present age the relative importance and influence of information privacy to cultural utility cannot be understated. As of now, almost 20 years after its introduction, the governing EU legislation on data protection remains Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data (the Directive). The implementation of the Directive in 1995 was enabled to harmonize standards pertaining to data protection across member states; an objective which will be replicated with the enactment of the General Data Protection Regulation (the Regulation) which is currently being finalised.
Once the European Parliament, Commission and Council of Ministers agree upon a final draft, there will be a two year transition period that so that each of 28 EU Member States can adapt to the new rules. According to estimates, the GDPR could therefore be in force throughout the EU by early 2018. The new Regulation will of course harmonise national data protection laws throughout the EU and will significantly improve existing laws governing technological developments. These improvements will be listed in this blog over the coming months as the enactment of the Regulation approaches. Ultimately however, the Regulation will go a long way towards formally legitimising the importance of data protection and strengthening established laws that safeguard data subject, data processor and data controller rights.