This update details legislative developments in European Data Protection legislation, namely the entering into force of the following:
- Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”);
- Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA (“Police and Criminal Justice Authorities Directive”); and
- Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (“PNR”) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (“PNR Directive”).
1. GENERAL DATA PROTECTION REGULATION
On 6 April 2016 the Council of the European Union published the final text of the GDPR. The GDPR will enter into force on 24 May 2018, two years after its publication in the Official Journal of the European Union (“OJ”) and it will implement a harmonised data protection regime throughout the EU. The EU institutions agreed the text of the GDPR in December 2015 and this text was then translated and refined for publication in the OJ.
The GDPR will replace Directive 95/46/EC (the current European data protection law), on which the primary Irish data protection legislation, the Data Protection Acts 1988 and 2003, is based. The GDPR contains a number of provisions which will serve to increase accountability of data controllers and processors including expansion of the duties of data controllers and processors; increased reporting obligations; and strengthened individual rights. Please see our “Group Briefing – February 2016 - European General Data Protection Regulation Agreed – Headline Changes” for a more detailed analysis of the changes introduced by the GDPR.
The differences between the texts of the December 2015 GDPR and the final form GDPR as published in the OJ are limited to semantic corrections and clarifications in order to facilitate the efficient implementation of the GDPR in the Member States.
2. POLICE AND CRIMINAL JUSTICE AUTHORITIES DIRECTIVE
After three years of trilogue negotiations between the European Parliament, the Commission and the Council, an agreement was reached in December 2015 on the final text of the Police and Criminal Justice Authorities Directive in relation to data protection in the police and justice sectors. The Police and Criminal Justice Authorities Directive creates a coherent framework for data processing activities performed for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
As Directive 95/46/EC (the current European data protection law) does not apply to the processing of personal data in the course of an activity which falls outside the scope of European Community law, and Framework Decision 2008/977/JHA does not regulate the internal data processing activities of law enforcement, the Police and Criminal Justice Authorities Directive bridges this legislative gap. Member States have a two-year period in which to implement the Police and Criminal Justice Authorities Directive into their national law; Member States must adopt any relevant legislative acts for compliance with the Directive by 6 May 2018.
The Police and Criminal Justice Authorities Directive harmonises the laws of the Member States in respect of the exchange of information between police and judicial authorities, whilst leaving discretion in specific areas (for example, penalties for breach of the Directive) in order to respect the different legal traditions of the Member States. The Directive applies to both cross-border and domestic processing of personal data and it aims to improve cooperation between the Member States in the fight against terrorism and other serious crime across the EU, in that it guarantees that personal data transferred outside the EU by criminal law enforcement authorities will be adequately protected. The key principles of processing personal data only when necessary, proportionate and pursuant to a specific purpose are also reflected in the Directive.
3. PASSENGER NAME RECORD DIRECTIVE
The PNR Directive aims to prevent, detect, investigate and prosecute terrorist offences and serious crimes by regulating the transfer of PNR data from airlines to Member States as well as the processing of PNR data by competent authorities in the Member States. The PNR Directive was adopted by the Council of the European Union on 21 April 2016 and will enter into force on 24 May 2018. Member States will be afforded two years (i.e. until 24 May 2018) to align their national legislation such that it is in compliance with the PNR Directive.
Under the PNR Directive, airlines and air carriers will be required to provide Member States’ authorities with PNR data for flights entering or departing the EU. Member States will also be permitted (but not required) to collect PNR data from intra-EU flights and such collection of data should be notified to the Commission. PNR data may include the name of the passenger, travel dates, travel itinerary, ticket information, contact details of the travel agent through which the flight was booked, means of payment used, seat number and/or baggage information.
Member States will also be required to establish a Passenger Information Unit (“PIU”) to deal with PNR requests under the PNR Directive. Such PIUs are also obliged to appoint a data protection officer. Data collected by the PIU will be stored for six months initially, after which the data will be anonymised. The data will then be stored for a further period of four and a half years.
While Member States’ law enforcement bodies are already using PNR data for law enforcement purposes, the PNR Directive will create a common approach across the EU, including in relation to: the purposes for which PNR data can be processed in the context of law enforcement; the exchange of PNR data between the Member States and with third countries; the storage of PNR data (as detailed above); the transfer of PNR data from the air carriers to the PIUs; and safeguards relating to the protection of privacy and personal data.