New strategic steps on privacy and data protection in Europe

The European Union unveiled on 17 February 2021 its “Agenda for a Renewed Multilateralism”, a set of policy proposals aimed at increasing its leadership and influence in key global areas. Among seven relevant and strategic objectives, it has clearly identified the digital space as one of its priorities. The EU plans to establish rules for new digital technologies and will seek to build strategic partnerships to shape the global digital agenda. Following the EU’s leadership in the framework and promotion of data protection with the binding General Data Protection Regulation (GDPR), the EU Commission will particularly engage in the development of normative frameworks for Artificial Intelligence and in the protection of human rights online.

As a clear strategic step, the EU also declared its support for the United Nations Secretary General’s Road Map on Digital Cooperation, unveiled in June 2020. In essence, the UN Road Map identifies eight key areas of the digital space for priority development, such as connectivity and internet for all; access to open source and digital public goods; digital inclusion; digital capacity building and training; digital human rights (in particular data privacy and protection, limitations on surveillance and facial recognition, tools to curb online harassment and violence – mainly against women – and for content governance, a clear approach and rules for artificial intelligence); digital security and trust; and finally global digital cooperation – allowing for effective and inclusive channels for more countries and associations to participate in discussions.

It is relevant to note that Europe has been at the forefront of data privacy and data protection. The jurisprudence of the European Court of Human Rights is consistent in interpreting the European Convention on Human Rights so as to consider the right to data privacy to be contained in one’s “right to respect for his private and family life, his home and his correspondence” (Article 8). In a great step forward, the Charter of Fundamental Rights of the European Union expressly provides for the protection of personal data as a human right (“Everyone has the right to the protection of personal data concerning him or her” – Article 8, 1), provides the underlying principles to protect this right, sets the limits to data processing and adds rights for its due exercise (by establishing the right to access and also the right to rectify one’s own data in Paragraph 2).

The EU’s most recent legal developments in the digital area include final negotiations for a specific Regulation – binding in nature under EU Law, as is the GDPR – concerning privacy in the field of electronic communication services in the Union (the E-privacy Regulation). Its draft was presented on 6 January 2021 by the Portuguese Presidency of the EU after failed attempts in the last two years by other Presidencies and is currently under discussion.

Once the E-privacy Regulation is approved, it will replace the current E-privacy Directive (2002/58/EC), which relies on member state law to be effective and to some extent has not been able to bring uniformity of interpretation and application within the Union. The E-privacy Regulation will provide new and uniform rules for the confidentiality of communications and processing of metadata, for the monitoring and tracking of data using cookies and for device integrity, with an extended scope that complements the existing GDPR. This framework was indeed expected to enter into force in conjunction with the GDPR in 2018, but it has been postponed due to a lack of agreement.

Another relevant recent step taken in Europe for increased personal data protection has been the 2018 modernisation of the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, dated 27 January 1981, as further amended by its Protocol CETS No. 223 – and then rebaptised as Convention 108+. Convention 108 has been regarded as the landmark of data protection legislation in many European countries (with 47 ratifications) and the reference for subsequent European legal instruments, culminating in the GDPR. Its modernised version, Convention 108+, is open for signature and ratification.

Most EU regulations in this field, such as the GDPR, require extraterritorial compliance from those who offer goods or services to European Union residents. Foreign companies and individuals willing to benefit from the European Union market will need to gain practical and professional knowledge of EU rules and will be required to have their practices and processes duly adapted as a consequence. Compliance with such EU rules is also clear evidence of sound practices and respect for personal data and privacy.

We plan to follow the developments of the E-privacy Regulation discussions and report key discussions for its approval, understand the next steps in the debate for a framework of Artificial Intelligence and clarify specific EU initiatives related to the UN’s Road Map on Digital Cooperation.