COM(2010)609 - Comprehensive approach on personal data protection in the EU

Please note

This page contains a limited version of this dossier in the EU Monitor.

Contents

  1. Key information
  2. Key dates
  3. Related information
  4. Full version
  5. EU Monitor

1.

Key information

official title

COMMUNICATION FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT, THE COUNCIL, THE ECONOMIC AND SOCIAL COMMITTEE AND THE COMMITTEE OF THE REGIONS A comprehensive approach on personal data protection in the European Union
 
Legal instrument Communication
Decision making procedure Own-initiative procedure (INI)
reference by COM-number87 COM(2010)609 EN
Additional COM-numbers COM(2010)609
procedure number89 2011/2025(INI)
CELEX number90 52010DC0609

2.

Key dates

Document 04-11-2010
Online publication 30-11-2010

3.

Related information

 

4.

Full version

This page is also available in a full version containing the latest state of affairs, the summary of the European Parliament Legislative Observatory, the legal context, other dossiers related to the dossier at hand, the stakeholders involved (e.g. European Commission directorates-general, European Parliament committees, Council configurations and even individual EU Commissioners and Members of the European Parliament) and finally documents of the European Parliament, the Council of Ministers and the European Commission.

The full version is available for registered users of the EU Monitor by ANP and PDC Informatie Architectuur.

5.

EU Monitor

The EU Monitor enables its users to keep track of the European process of lawmaking, focusing on the relevant dossiers. It automatically signals developments in your chosen topics of interest. Apologies to unregistered users, we can no longer add new users.This service will discontinue in the near future.

  • 1. 
    Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

     
  • 2. 
    See the Study on the economic benefits of privacy enhancing technologies, London Economics, July 2010 (ec.europa.eu/justice/policies/privacy/docs), p. 14.

     
  • 3. 
    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), (OJ L 201, 31.7.2002, p. 37).

     
  • 4. 
    The Data Protection Directive 95/46/EC sets the data protection standards for all EU legislative acts, including the e-Privacy Directive 2002/58/EC (amended by Directive 2009/136/EC - OJ L 337, 18.12.2009, p. 11). The e-Privacy Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks. It translated the principles set out in the Data Protection Directive into specific rules for the electronic communications sector. Directive 95/46/EC applies inter alia to non-public communication services.

     
  • 5. 
    See Article 16 of the Treaty on the Functioning of the European Union (TFEU).

     
  • 6. 
    See Article 16(2), last paragraph, TFEU and Article 39 of the Treaty on the European Union (TEU).

     
  • 7. 
    See European Court of Justice, Cases C-101/01,
     
  • 8. 
    See the definitions of
     
  • 9. 
    See for example the case of IP addresses, examined in the Article 29 Working Party Opinion 4/2007 on the concept of personal data (WP 136).

     
  • 10. 
    See for instance the judgement by the German Federal Constitutional Court ( Bundesverfassungsgericht ) of 27 February 2008, 1 BvR 370/07.

     
  • 11. 
    See Articles 10 and 11 of Directive 95/46/EC.

     
  • 12. 
    A Eurobarometer survey carried out in 2009 showed that about half of the respondents considered privacy notices in websites
     
  • 13. 
    See the Safer Internet for Children qualitative study concerning 9-10 year old and 12-14 year old children, which showed that children tend to underestimate risks linked to the use of Internet and minimise the consequences of their risky behaviour (available at:ec.europa.eu/information_society/activities/sip).

     
  • 14. 
    Article 4 of Directive 2009/136/EC.

     
  • 15. 
    See the Study on the economic benefits of privacy enhancing technologies, London Economics, July 2010 (ec.europa.eu/justice/policies/privacy/docs), p. 14.

     
  • 16. 
    See Flash Eurobarometer No 225
     
  • 17. 
    Cf. Article 2(h) of Directive 95/46/EC.

     
  • 18. 
    Cf. Article 8 of Directive 95/46/EC.

     
  • 19. 
    European Court of Justice, C-101/01,
     
  • 20. 
    Ibidem , 97. See also recital 9 of Directive 95/46/EC.

     
  • 21. 
    See Article 18 of Directive 95/46/EC.

     
  • 22. 
    Report from the Commission - First Report on the implementation of the Data Protection Directive (95/46/EC) - COM(2003) 265.

     
  • 23. 
    See Article 4 of Directive 95/46/EC.

     
  • 24. 
    The European Economic Area includes Norway, Liechtenstein and Iceland.

     
  • 25. 
    See in particular the opinion adopted by the Article 29 Working Party on 13 July, 3/2010.

     
  • 26. 
    On PETs see: Communication from the Commission to the European Parliament and the Council on Promoting Data Protection by Privacy Enhancing Technology (PETs) - COM(2007) 228. The principle of
     
  • 27. 
    The current possibility for a data controller to appoint a Data Protection Officer in order to ensure, in an independent manner, compliance with the EU and national data protection rules and to assist individuals has been implemented in several Member States already (see e.g. the Beauftragter für den Datenschutz in Germany and the correspondant informatique et libertés (CIL) in France).

     
  • 28. 
    See Article 27 of Directive 95/46/EC.

     
  • 29. 
    On this aspect, see also the PETs Communication, cit. footnote 30.

     
  • 30. 
    See COM(2009) 262, 10.6.2009, and COM(2010) 171, 20.4.2010.

     
  • 31. 
    Council Framework Decision 2008/977/JHA of 27.11.2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60). The Framework Decision only envisages minimum harmonisation of data protection standards.

     
  • 32. 
    As required by Principle 3.2 of Recommendation No R (87) 15.

     
  • 33. 
    Contrary to Principle 2 of Recommendation No R (87) 15 and its evaluation reports.

     
  • 34. 
    See an overview of such instruments in the Commission Communication
     
  • 35. 
    Joint Supervisory Authorities have been set up by the relevant instruments to ensure data protection supervision, in addition to the general supervisory powers of the European Data Protection Supervisor (EDPS) over Union institutions, bodies, offices and agencies based on Regulation (EC) No 45/2001.

     
  • 36. 
    Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under the Directive 95/46/EC (OJ L 181, 4.7.2001, p. 19); Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC (OJ L 6, 10.1.2002, p. 52); Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (OJ L 385, 29.12.2004, p. 74).

     
  • 37. 
    Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p. 5).

     
  • 38. 
    Stockholm Action Plan, cit. (footnote 36).

     
  • 39. 
    ECJ judgment of 9.3.2010, Commission v. Germany, Case C-518/07.

     
  • 40. 
    This is currently the case for large IT-systems, e.g., for the SIS II (cf. Article 46 of Regulation (EC) No 1987/2006 - OJ L 318, 28.12.2006, p. 4) and for the VIS (cf. Article 43 of Regulation (EC) No 767/2008 - OJ L 218, 13.8.2008, p. 60).

     
  • 41. 
    The Article 29 Working Party is an advisory body composed of one representative of Member States', Data Protection Authorities, the European Data Protection Supervisor(EDPS) and the Commission (without voting rights), which also provides its secretariat. See:ec.europa.eu/justice/policies/privacy .

     
  • 42. 
    The Article 29 Working Party has the role of advising the Commission on the level of protection in the EU and in third countries and on any other measure relating to the processing of personal data.

     
  • 43. 
    This also includes Council Framework Decision 2008/977/JHA: Member States need to take the necessary measures to comply with the provisions of this Framework Decision before 27 November 2010.

     
  • 44. 
    Directive 95/46/EC of the European Parliament and of the Council of 24.10.1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

     
  • 45. 
    See the Study on the economic benefits of privacy enhancing technologies, London Economics, July 2010 (ec.europa.eu/justice/policies/privacy/docs), p. 14.

     
  • 46. 
    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), (OJ L 201, 31.7.2002, p. 37).

     
  • 47. 
    The Data Protection Directive 95/46/EC sets the data protection standards for all EU legislative acts, including the e-Privacy Directive 2002/58/EC (amended by Directive 2009/136/EC - OJ L 337, 18.12.2009, p. 11). The e-Privacy Directive applies to the processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks. It translated the principles set out in the Data Protection Directive into specific rules for the electronic communications sector. Directive 95/46/EC applies inter alia to non-public communication services.

     
  • 48. 
    See Article 16 of the Treaty on the Functioning of the European Union (TFEU).

     
  • 49. 
    See Article 16(2), last paragraph, TFEU and Article 39 of the Treaty on the European Union (TEU).

     
  • 50. 
    See European Court of Justice, Cases C-101/01,
     
  • 51. 
    See the definitions of
     
  • 52. 
    See for example the case of IP addresses, examined in the Article 29 Working Party Opinion 4/2007 on the concept of personal data (WP 136).

     
  • 53. 
    See for instance the judgement by the German Federal Constitutional Court ( Bundesverfassungsgericht ) of 27 February 2008, 1 BvR 370/07.

     
  • 54. 
    See Articles 10 and 11 of Directive 95/46/EC.

     
  • 55. 
    A Eurobarometer survey carried out in 2009 showed that about half of the respondents considered privacy notices in websites
     
  • 56. 
    See the Safer Internet for Children qualitative study concerning 9-10 year old and 12-14 year old children, which showed that children tend to underestimate risks linked to the use of Internet and minimise the consequences of their risky behaviour (available at:ec.europa.eu/information_society/activities/sip).

     
  • 57. 
    Article 4 of Directive 2009/136/EC.

     
  • 58. 
    See the Study on the economic benefits of privacy enhancing technologies, London Economics, July 2010 (ec.europa.eu/justice/policies/privacy/docs), p. 14.

     
  • 59. 
    See Flash Eurobarometer No 225
     
  • 60. 
    Cf. Article 2(h) of Directive 95/46/EC.

     
  • 61. 
    Cf. Article 8 of Directive 95/46/EC.

     
  • 62. 
    European Court of Justice, C-101/01,
     
  • 63. 
    Ibidem , 97. See also recital 9 of Directive 95/46/EC.

     
  • 64. 
    See Article 18 of Directive 95/46/EC.

     
  • 65. 
    Report from the Commission - First Report on the implementation of the Data Protection Directive (95/46/EC) - COM(2003) 265.

     
  • 66. 
    See Article 4 of Directive 95/46/EC.

     
  • 67. 
    The European Economic Area includes Norway, Liechtenstein and Iceland.

     
  • 68. 
    See in particular the opinion adopted by the Article 29 Working Party on 13 July, 3/2010.

     
  • 69. 
    On PETs see: Communication from the Commission to the European Parliament and the Council on Promoting Data Protection by Privacy Enhancing Technology (PETs) - COM(2007) 228. The principle of
     
  • 70. 
    The current possibility for a data controller to appoint a Data Protection Officer in order to ensure, in an independent manner, compliance with the EU and national data protection rules and to assist individuals has been implemented in several Member States already (see e.g. the Beauftragter für den Datenschutz in Germany and the correspondant informatique et libertés (CIL) in France).

     
  • 71. 
    See Article 27 of Directive 95/46/EC.

     
  • 72. 
    On this aspect, see also the PETs Communication, cit. footnote 30.

     
  • 73. 
    See COM(2009) 262, 10.6.2009, and COM(2010) 171, 20.4.2010.

     
  • 74. 
    Council Framework Decision 2008/977/JHA of 27.11.2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters (OJ L 350, 30.12.2008, p. 60). The Framework Decision only envisages minimum harmonisation of data protection standards.

     
  • 75. 
    As required by Principle 3.2 of Recommendation No R (87) 15.

     
  • 76. 
    Contrary to Principle 2 of Recommendation No R (87) 15 and its evaluation reports.

     
  • 77. 
    See an overview of such instruments in the Commission Communication
     
  • 78. 
    Joint Supervisory Authorities have been set up by the relevant instruments to ensure data protection supervision, in addition to the general supervisory powers of the European Data Protection Supervisor (EDPS) over Union institutions, bodies, offices and agencies based on Regulation (EC) No 45/2001.

     
  • 79. 
    Commission Decision 2001/497/EC of 15 June 2001 on standard contractual clauses for the transfer of personal data to third countries under the Directive 95/46/EC (OJ L 181, 4.7.2001, p. 19); Commission Decision 2002/16/EC of 27 December 2001 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC (OJ L 6, 10.1.2002, p. 52); Commission Decision 2004/915/EC of 27 December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries (OJ L 385, 29.12.2004, p. 74).

     
  • 80. 
    Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (OJ L 39, 12.2.2010, p.

    5).

     
  • 81. 
    Stockholm Action Plan, cit. (footnote 36).

     
  • 82. 
    ECJ judgment of 9.3.2010, Commission v. Germany, Case C-518/07.

     
  • 83. 
    This is currently the case for large IT-systems, e.g., for the SIS II (cf. Article 46 of Regulation (EC) No 1987/2006 - OJ L 318, 28.12.2006, p.

    4) and for the VIS (cf. Article 43 of Regulation (EC) No 767/2008 - OJ L 218, 13.8.2008, p. 60).

     
  • 84. 
    The Article 29 Working Party is an advisory body composed of one representative of Member States', Data Protection Authorities, the European Data Protection Supervisor(EDPS) and the Commission (without voting rights), which also provides its secretariat. See:ec.europa.eu/justice/policies/privacy .

     
  • 85. 
    The Article 29 Working Party has the role of advising the Commission on the level of protection in the EU and in third countries and on any other measure relating to the processing of personal data.

     
  • 86. 
    This also includes Council Framework Decision 2008/977/JHA: Member States need to take the necessary measures to comply with the provisions of this Framework Decision before 27 November
     
  • 87. 
    De Europese Commissie kent nummers toe aan officiële documenten van de Europese Unie. De Commissie maakt onderscheid in een aantal typen documenten door middel van het toekennen van verschillende nummerseries. Het onderscheid is gebaseerd op het soort document en/of de instelling van de Unie van wie het document afkomstig is.
     
  • 88. 
    De Raad van de Europese Unie kent aan wetgevingsdossiers een uniek toe. Dit nummer bestaat uit een vijfcijferig volgnummer gevolgd door een schuine streep met de laatste twee cijfers van het jaartal, bijvoorbeeld 12345/00 - een document met nummer 12345 uit het jaar 2000.
     
  • 89. 
    Het interinstitutionele nummer is een nummerreeks die binnen de Europese Unie toegekend wordt aan voorstellen voor regelgeving van de Europese Commissie.
    Binnen de Europese Unie worden nog een aantal andere nummerseries gebruikt. Iedere instelling heeft één of meerdere sets documenten met ieder een eigen nummering. Die reeksen komen niet overeen met elkaar of het interinstitutioneel nummer.
     
  • 90. 
    Deze databank van de Europese Unie biedt de mogelijkheid de actuele werkzaamheden (workflow) van de Europese instellingen (Europees Parlement, Raad, ESC, Comité van de Regio's, Europese Centrale Bank, Hof van Justitie enz.) te volgen. EURlex volgt alle voorstellen (zoals wetgevende en begrotingsdossiers) en mededelingen van de Commissie, vanaf het moment dat ze aan de Raad of het Europees Parlement worden voorgelegd.
     
  • 91. 
    Als dag van bekendmaking van een Europees besluit geldt de dag waarop het besluit in het Publicatieblad wordt bekendgemaakt, en daardoor in alle officiële talen van de Europese Unie bij het Publicatiebureau beschikbaar is.