Data protection from scratch

Directive 95/46 / EC of the European Parliament and of the Council

The Objective of the Directive 95/46/EC was to protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data . In order to meet the Directive’s objective Member States shall neither restrict nor prohibit the free flow of personal data between the Member States for reasons connected with the protection guaranteed under paragraph 1 of Article 1 of the Directive 95/46/EC.

Article 4 of the Directive has assigned three criteria for the application of the Directive under the national law of the Member states:

“(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State… (b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law; (c) the controller is not established on Community territory and, for purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State“.

The first criterion is the so-called establishment criterion which applies to the processing of personal data where the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member States; when the same controller is established on the territory of several Member States.

The second criterion is similar to the provision of Article 3(3) of the GDPR in the case when the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law.

And finally, the third criterion is related to the equipment situated in the Union used by a non-eu established controller for purposes of processing personal data. And this is the case when the controller must designate a representative established in the territory of that Member State . It will be explained later why this criterion had been abandoned in the later data protection laws.


General Data Protection Regulation

The GDPR is Regulation (EU) number 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation. “The new General Data Protection Regulation (‘GDPR’)). GDPR regulates the processing by an individual, a company or an archaeologic of personal data relating to individuals in the EU. It doesn’t apply to the processing of personal data of deceased persons or of legal persons. The rules don’t apply to data processed by an individual for purely personal reasons or for activities carried out in one’s home, provided there is no connection to a professional or commercial activity. When an individual uses personal data outside the personal sphere, for socio-cultural or financial activities, for example, then the data protection law has to be respected.”

The territorial scope of the General Data Protection Regulation is determined by Article 3 of the Regulation and represents a significant evolution of the EU data protection law compared to the framework defined by Directive 95/46/EC.

Like Directive 95/46/EC, the GDPR also has a provision which sets rules about establishment criteria. The GDPR shall apply when the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not.

Unlike Directive 95/46/EC, the GDPR introduces new targeting criteria for application of the GDPR which apply to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union, and the monitoring of their behavior as far as their behavior takes place within the Union . This provision of Article 3 of the GDPR has brought new criterion of the territorial scope of Union data protection laws in comparison to Directive 95/46/EC.

Similarly to Article 3 of the Directive, the GDPR has used the same numeration of the Articles to set up the rules on the application of Regulation to the processing of personal data by a controller not established in the Union, in a place where Member State law applies by virtue of public international law.