EU data privacy law

By Athena Tong

EU data privacy

Although privacy laws in Europe are among the most developed in the world, the Data Protection Directive of 1995 hardly seems adequate to address today's data security issues, given rapidly evolving online platforms and services. When Edward Snowden revealed the details of the American spying programme in 2013, Europe became determined to better protect its own citizens from the misuse of data by foreign companies. However, the growing threat of terrorism and the divergent perspectives on privacy between America and Europe are putting speed bumps on the road ahead.

In June 2015, the European Court of Justice overturned the “Safe Harbour Decision”[1] of 2000 and ruled it invalid. Under the European Data Protection Directive, personal data are entrusted to 10 countries[2] outside of the EU in a non-restricted fashion. These countries are chosen because of their “adequate protection” for personal data. Only the United States was granted the “Safe Harbour” status, which enables American companies to collect and transfer data from the EU to their servers in their home country, under the condition that they adhere to the seven principles in compliance with the EU Data Protection Directive. The Directive required secure storage of data, which can only be used under certain circumstances and cannot be transferred to any third party. In 2013, Snowden leaked information relating to the secret scheme of the American National Security Agency (NSA), suggesting a violation of the US government’s promise of the protection of private data. Max Schrems, an Austrian lawyer and privacy activist, filed a legal complaint against Facebook, stating that his information had been sent to Facebook's American servers, which are part of the NSA PRISM surveillance programme (Finley, 2015) (Geller, 2016). PRISM is a clandestine surveillance programme launched in 2007, in which the US government asked at least nine US internet companies, including Facebook, YouTube, Apple, and Microsoft, to share stored internet communications of their users. The programme was exposed six years later by Edward Snowden, a former CIA contractor. As a result, the Court of Justice of the European Union ruled that the case violated the right to privacy of EU citizens and therefore suspended the “Safe Harbour”, which was subsequently replaced by the EU-US Privacy Shield, under which the authorities have to make written commitments and assurances to adhere to clear limitations, safeguards, and oversight mechanisms when they access the data. (European Commission, 2016)

One of the problems that surfaced with this ruling is the differing perspectives on privacy between Europeans and Americans. As Louis Bennett, chair of security at the British Chartered Institute for IT, puts it, “there will never be total reconciliation between American views, where freedom of speech matters most, and European views, where privacy matters most.” In the European Convention on Human Rights, privacy and dignity are first addressed in Article 8, before the freedom of expression in Article 10; in the United States, however, the protection of the latter is known as the First Amendment, ranking above all other amendments – the word ‘privacy’ does not even appear in the American Constitution. (Liptak, 2010) (Whitman, 2004)

Niantic has recently made a huge comeback with Pokémon Go, a popular mobile gaming application that uses GPS and augmented reality to simulate players catching Pokémon in their immediate environment. The application gave gamers a scare a month ago when they were told that the developers might have “full access” to their Google accounts after signing on. It was later found to be only a misunderstanding. As Niantic was using an outdated version of Google’s shared sign-on service, the permission-granting step through which users could choose what permissions to grant the application was skipped. In the end, the developers claimed to have access only to the user ID and email address of gamers, and the scare was therefore only due to mislabeling. (Solon, 2016) Nevertheless, since the application still uses GPS and collects users’ data, Marc Tarabella, Belgian Socialist Member of the European Parliament, believes that the application infringes the General Data Protection Regulation, which will come into effect in 2018, as well as the EU’s ePrivacy Directive. Consequently, he is now filing a request to the European Commission to inquire into the game’s privacy practices. (Breland, 2016)

The General Data Protection Regulation[3] mentioned above was jointly passed by the European Parliament and Council on 27 April 2016 and will come into effect on 25 May 2018. It further addresses the export of private data overseas, unifies EU data protection practices for individuals and replaces the Data Protection Directive from 1995. It is both a Regulation and a Directive. To clarify the differences between the two, the Directive does not require enabling legislation to be passed by governments, in that it is an obligation for all EU nations to integrate the Directive into their own national laws; it also does not address data processed outside of the EU. Most importantly, the Directive targets criminal law enforcement and is considered a Police Directive which replaces the Framework Decision 2008/977/JHA. Therefore, the Directive only regulates how data is handled when authorities are dealing with investigations and the execution of criminal law cases. EU Member States are expected to transpose the Directive into their national law by 6 May 2018 at the latest. (European Commission, 2016) Some criticize the law as it adds to the administrative burden by requiring EU Member States to have their own Data Protection Officer. It also poses a potential language barrier between non-EU countries and non-anglophone EU countries when the national data protection authorities in Europe have to be addressed. Since US legislation enables the government to continue the surveillance of the public, which is incompatible with the new EU legislation, it appears improper to continue the rights of American companies to possess EU personal data. (Gabel, Hickman & Blamires, 2016)

In addition, the European Commission is currently drafting a law on data privacy targeting online messaging services. It aims to secure instant messages and internet voice calls by having those services adhere to the same privacy rules as SMS text messages, phone calls, and landline calls. The effort highlights the determination of Europe to encrypt end-to-end communication, especially after the Edward Snowden revelations. The division between the European and American technology sectors is evident here: large European firms like Telefónica and Vodafone are seriously undercut by their American counterparts such as Apple and Alphabet, which provide OTT services[4]. Messaging is also dominated by American companies, as only one of the top ten messaging services ranked by number of users was founded in Europe – Skype, which is now owned by Microsoft. (Rankin & Hern, 2016)

The two main European legislative efforts are seen as milestones for the protection of private data and have alarmed the technology industry, as one follows hot on the heels of the other. But the conflict of values between the US and Europe creates tension between the two whenever the issue of privacy and freedom of expression arises. Despite the willingness and effort of the European authorities, ever-evolving technology remains a challenge.

1) The decision of the European Commission that the United States’ principles comply with the EU Data Protection Directive.
2) These countries include: Argentina, Switzerland, Israel, New Zealand, Uruguay, Andorra, Guernsey, the Isle of Man, the Faroe Islands, and Jersey. Australia and Canada are certified with limitations.
3) It is formally titled “Regulation on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC”
4) Over-the-top content, which refers to the delivery of audio, video, and other similar media over the Internet

Breland, A. (2016, August 24). Pokémon Go game violates EU privacy laws: MEP. Retrieved from

EUR-Lex Access to European Union law. (2014, March 8). Retrieved from

European Commission. (2016, July). EU-U.S. Privacy Shield. Retrieved from

European Commission. (2016, August 2). Protection of personal data. Retrieved from

Finley, K. (2015, June 10). Thank (Or Blame) Snowden for Europe’s Big Privacy Ruling. Retrieved from

Gabel, D., Hickman, T., & Blamires, R. (2016, April 18). Significant concerns from EU Data Protection Authorities may delay the EU-US Privacy Shield. Retrieved from

Geller, T. (2016, February 25). In privacy law, it’s the U.S. vs. the world. Communications of the ACM, 59(2), 21-23. doi:10.1145/2852233

Liptak, A. (2010, February 27). When American and European Ideas of Privacy Collide. Retrieved from

Rankin, J., & Hern, A. (2016, August 15). EU to crack down on online services such as WhatsApp over privacy. Retrieved from

Solon, O. (2016, July 12). Have you given Pokémon Go full access to everything in your Google account? Retrieved from

Whitman, J. Q. (2004). The Two Western Cultures of Privacy: Dignity versus Liberty. The Yale Law Journal, 113(6), 1151. doi:10.2307/4135723