The Right to Protection of Personal Data. Incapable of Autonomous Standing in the Basic EU Constituting Documents

Abstract

Over the past few years an overhaul of the European data protection edifice has been under way. Practically all basic data protection regulating documents in effect until today have either already been replaced or are in the process of being thoroughly amended. This is probably a development that was long overdue, given that all of them have an age of several decades while none of them has been released taking the internet into account. The OECD is the first international organisation that issued any data protection regulations at all: it did so in 1980, and its Guidelines remained unchanged until 2013, when their amendment process was completed. The Council of Europe released its own data protection regulations, formulated in Convention 108, only a few weeks after the OECD; they too remained in effect unchanged over the decades that passed, admittedly complemented by rich secondary legislation, and are now in the process of being amended. However, most of the data protection work undoubtedly takes place within the EU which chose to dominate the international field since it became involved in it, through the EU Data Protection Directive in 1994. The Directive set the EU and international, through its “adequacy” criterion, data protection standard. However, it remained hopelessly outdated, because it was released before the advent of the Internet (although the Court of Justice through its recent Google Spain case showed that there is still some life left in it). The European Commission seized the opportunity presented by the Treaty of Lisbon, and its Article 16 TFEU, and took upon itself the herculean task of reconstructing the whole EU data protection edifice, both from an architectural and from a substantive law point of view