The right to privacy, the first pillar of European data regulation
Data Protection Directive (DPD)
The first European Union directive on data is the Data Protection Directive (Directive 95/46/EC), adopted in October 1995. Its purpose is to give practical effect to the right to privacy guaranteed by Article 8 of the European Convention on Human Rights. The text provides the first typology of data by drawing a line between personal data, which it defines, and everything else (non-personal data). Personal data is defined as follows: “personal data shall mean any information relating to an identified or identifiable natural person (‘data subject’); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity.”
It also defines the actors involved in processing: the data controller, the data processor and the data subject.
Controller shall mean the natural or legal person, public authority, agency or any other body which alone or jointly with others determines the purposes and means of the processing of personal data; where the purposes and means of processing are determined by national or Community laws or regulations, the controller or the specific criteria for his nomination may be designated by national or Community law.
Processor shall mean a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Data subject: the natural person to whom the personal data relate.
The directive lays down seven principles that dictate how personal data may be processed. It applies to processing carried out in the context of a controller established in a Member State, and to controllers established outside the EU that use equipment located in a Member State. Responsibility for compliance with these requirements rests with the data controller.
- Notice – individuals should be notified when their personal data is collected.
- Purpose – use of personal data should be limited to the express purpose for which it was collected.
- Consent – individual consent should be required before personal data is shared with other parties.
- Security – collected data should be secured against abuse or compromise.
- Disclosure – individuals should be told who is collecting their personal data.
- Access – individuals should have the ability to access their personal data and correct any inaccuracies.
- Accountability – individuals should have a means to hold data collectors accountable for the six principles above.
The directive was repealed with effect from 25 May 2018, the date from which the General Data Protection Regulation applies.
General Data Protection Regulation (GDPR)
On 27 April 2016 the European Union adopted one of the best-known regulations on personal data protection worldwide. The text builds on the 1995 DPD and extends its scope in two directions. First, the definition of personal data now expressly covers online identifiers that make up a person's digital identity (pseudonyms, IP addresses, location data). Second, the scope becomes geographical: the Regulation applies as soon as the data subject is in the EU, whatever his or her nationality and wherever the controller or processor is established, provided the processing relates to offering goods or services to that person or to monitoring his or her behaviour. Processors, and not only controllers, now carry direct obligations under the text. For mixed datasets, the GDPR governs the personal-data part, and the dataset as a whole where the personal and non-personal data are inextricably linked.
The text becomes more directly protective by requiring data protection by design and by default, and by demanding valid consent (freely given, specific, informed and unambiguous, expressed by an affirmative act, so pre-ticked boxes and default permissions no longer count) before an actor may collect personal data on that basis. It is also one of the first texts to address the protection of minors online: a child below 16 cannot give valid consent on his or her own to an online service, the consent of a parent or guardian being required instead (Member States may lower this threshold to 13). In addition to strengthened obligations for firms, the GDPR creates new rights for people in the EU.
- Right to notification in case of a breach of one's personal data: when the breach is likely to result in a high risk to the person, the data controller must notify the data subject without undue delay, except in certain situations (e.g. when the data were protected by measures such as encryption that render them unintelligible to an attacker).
- Group action: any person can mandate an association or an organization active in the field of data protection to file a complaint or an appeal and obtain compensation in case of a data breach.
- Right to compensation for material or non-material damage: any person who has suffered such damage because of the breach of the GDPR may obtain compensation from the data controller or processor.
- Right to data portability: any person must be able to receive the data he or she has provided to one platform in a structured, commonly used and machine-readable format and transfer it free of charge to another (social network, etc.).
The right to portability opens the door to the second key principle of European data regulation: the free flow of data.