Title: OVERVIEW OF THE EXISTING PRIVACY AND DATA PROTECTION LEGAL FRAMEWORK

Overview of the existing privacy and data protection legal framework

The right to privacy is considered a core value of a democratic society. It is recognised as a fundamental right in all major international treaties and agreements on human rights and in the constitutions of several countries, either explicitly or implicitly. In Europe, the fundamental right to respect for privacy is recognised, among others, in Article 8 of the European Convention of Human Rights and Fundamental Freedoms (ECHR), which states that everyone has the right to respect for his private and family life, his home and his correspondence.

With the evolution of technology, it became clear that the mere recognition of the right to privacy was not sufficient to safeguard the privacy with regard to the processing of personal data. Basic principles of data protection were developed and spelled out in international legal data-protection texts produced by institutions such as the Organization for Economic Cooperation and Development (OECD), the Council of Europe (Treaty 108), and the European Union (Directive 95/46/EC). The EU has also included the right to private and family life as well as right to protection of personal data in Articles 7 and 8, respectively, of the European Charter of Fundamental Rights. 

Directive 95/46/EC reconciles the need for a free flow of personal data between the Member States with the need for protection of fundamental rights and freedoms of individuals, notably the right to privacy with regard to such data. The challenges for data-protection law in relation to Ambient Intelligence concern mainly the reconciliation of the principles of data-protection law with the concept of AmI. This challenge emerges because important elements of AmI as well as its supporting technologies show that AmI systems need large amounts of personal data and, in most cases, profiles to work with. In order to provide people with customised information (enhanced goods and services), AmI needs to have personal information. The aforementioned data-protection principles are twofold. On the one hand, there exist obligations on those who are responsible for personal data and, on the other hand, certain rights are conferred to the individuals whose data are collected or processed.

Directive 2002/58/EC – commonly referred to as the Directive on privacy and electronic communications or simply the ePrivacy Directive – specifies and complements the principles of the general Directive into specific rules for the electronic-communications sector. Its provisions apply to the processing of personal data in connection with the provision of publicly available electronic communications services in public communication networks in the Community. Whereas Directive 95/46/EC only offers protection to natural persons, the ePrivacy Directive does not only protect rights and fundamental freedoms of natural persons, but also the legitimate interests of legal persons. This directive regulates issues such as confidentiality of communications, the status of traffic data, itemized billing and location based services, and also direct marketing and spam.

The Data Retention Directive applies to providers of publicly available electronic-communications services or of public e-communications networks. The directive aims at harmonising the obligations of these providers with regard to the retention of traffic and location data, as well as the data necessary to identify subscribers or registered users, to ensure that these data are available for law-enforcement purposes. Information to be retained is the information relating to the source and destination of a communication, the date, time, and duration of a communication, its type, the communication device, as well as the data necessary to identify the location of mobile communication equipment. These data shall be retained for a minimum of 6 months and for a maximum of 24 months by the providers. Member States should have implemented the directive into national law by the 15th of September 2007. For data relating to Internet access, Internet telephony and Internet e-mail, the application of the directive can be postponed till the 15th of March 2009.