top of page
Search

The Data Protection Directive, Directive 95/46/EC

  • May 8, 2016

Directive 95/46/EC, the Data Protection Directive, passed by the European Parliament and Council in 1995 regulates the processing of personal data in the European Union. Its official title is, "Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data". As discussed in the Tip of the Night for March 27, 2016, Article 26(2) of the Directive allows for data to be transferred using model contracts outside the safe harbor framework, and Article 26 also states conditions under which data can be transferred to third countries that don’t provide an adequate level of protection. See the Tip of the Night for February 27, 2016.

The Directive itself has a very broad scope and does not just apply to data in which a person is explicitly identified. It covers any data that can be used, even indirectly, to make a connection to a specific individual, even if the person possessing the data cannot make the connection themselves. Processing includes collection, disclosing, and erasing data.

Processing can only take place if three conditions are met:

1. Transparency - the individual is aware that his or her data is being processed. The controller has to provide their contact information and also disclose the purpose for the processing and the recipients of the processed data.

2. Legitimate Purpose - The data cannot be processed in a way that is incompatible with explicit legitimate purposes.

3. Proportionality - the collected data has be relevant for the purposes for which it collected. If the data is inaccurate, an effort must be taken to make sure that is corrected.

Article 14 allows the data subject to object to the processing of the data for direct marketing.

Article 15 gives, "the right to every person not to be subject to a decision which produces legal effects concerning him or significantly affects him and which is based solely on automated processing of data intended to evaluate certain personal aspects relating to him, such as his performance at work, creditworthiness, reliability, conduct, etc."

Each state that participates in the Data Protection Directive has to establish a supervisory authority responsible for starting legal proceedings when the directive has been violated. The controller files a report concerning the processed data with the authority that then files it in a public register.

Article 29 Working Parties were created under the Data Protection Directive to monitor the extent to which personal data is protected in countries outside the EU.

The Data Protection Directive is not legally binding on EU states. The state have to convert the principles of the directive in their own local laws.

As the Tip of the Night for April 13, 2016 noted, the Data Protection Directive will be replaced in 2018 by the General Data Protection Regulation.


 
 

Council Regulation (EC) No 1206/2001

  • May 7, 2016

In 2001, the EU implemented a regulation, Council Regulation (EC) No. 1206/2001, which allows evidence to be taken by litigators in one state from another state in civil matters without using the procedures of the Hague Convention or letters rogatory. So discovery can be accomplished without going through diplomatic channels. Denmark is the only member of the EU which has opted out of the regulation. Courts of different countries in the EU can contact each other directly about exchanging discovery without involving Foreign Affairs ministries.

As with the Hague Convention, central authorities are involved. Under 1206/2001 the central authorities supply information to the courts; address difficulties regarding transmission; and in certain cases, forwarding a request to a court. The requests are subject to the laws of the state from which data is requested, and must be responded to within 90 days. The requests may be denied if the costs of consulting an expert are not disclosed.

To make a request, party must complete Form A or Form I to the regulation. The forms are available on this site.

If you click on the links for the Forms on this site you will be taken to a map of Europe where you can select the state from which you want to collect evidence.

The form can be generated after filling information for the fields on the web site. '

One of the fields, requires, "Nature and subject matter of the case and a brief statement of the facts" and another a "description of the taking of evidence to be performed".


 
 

EU General Data Protection Regulation

  • Apr 13, 2016

The EU General Data Protection Regulation may be passed by the European Parliament this week, but if so, it will not take effect until early 2018. The GDPR provides for single set of rules governing data transfers between European countries and non-European countries. The current EU Data Protection Directive regime allows different countries to have different rules. The new regulations do provide varying degrees of protective measures based on the risks posed by different businesses' activities.

Under this new regime, all businesses operating in the EU will be accountable to only one authority. The old 'Directive' had to be voted into force by national legislatures, whereas the new 'Regulation' can be implemented in states directly. The GDPR will replace the European Data Protection Directive, discussed in the Tip of the Night for February 27, 2016, and provide for uniform data protection regulations throughout the EU. [Note the EU does not include Switzerland, Norway, Serbia, Bosnia, Serbia, Albania and Montenegro, but does include the rest of Europe west of the Belarus and Ukraine, and does include the Baltic States].

Note that the GDPR does not apply to the review of data in the interest of national security or for law enforcement activities relating to criminal law. While each EU state will have its own Supervising Authority, every business will have a single 'lead authority' to monitor all of its processing activity. The regulations require Data Protection Officers be appointed to assist data controllers and processors in complying with the GDPR. The DPO has to have knowledge of both the law and information technology processes. Any data breaches are to be reported by the DPO to the Supervising Authority promptly.

Violations of the GDPR can lead to sanctions of either the greater of 20 million Euro, or 4 per cent of the global turnover [sales revenue] of a business. Data subjects will no longer have a Right to Be Forgotten, but will instead have a Right to Erasure which is has a smaller scope.

The GDPR, unlike the DPD, covers non-EU businesses which process the data of EU citizens.


 
 

Sean O'Shea has more than 20 years of experience in the litigation support field with major law firms in New York and San Francisco.   He is an ACEDS Certified eDiscovery Specialist and a Relativity Certified Administrator.

The views expressed in this blog are those of the owner and do not reflect the views or opinions of the owner’s employer.

If you have a question or comment about this blog, please make a submission using the form to the right. 

Your details were sent successfully!

© 2015 by Sean O'Shea . Proudly created with Wix.com

bottom of page