Data protection and privacy regulation impacts both businesses and citizens.
Within Europe, data protection rules stem from every individual’s right to privacy set out in Article 8 of the European Convention on Human Rights:
“ARTICLE 8 – Right to respect for private and family life
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms.”
This right is explicitly referenced in the recitals to both the:
- harmonising 1995 European Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data); and
- 2016 General Data Protection Regulation (Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC).
The 1995 Directive was implemented into UK law by the Data Protection Act 1998, whilst the General Data Protection Regulation will have direct effect from 25 May 2018.
Key regulators are the European Data Protection Supervisor, the ‘Article 29 Working Party’ and, in the UK, the Information Commissioner’s Office.