Skip to main content
SpringerLink
Log in

Data Protection in the Internet: A European Union Perspective

  • Chapter
  • First Online:
Data Protection in the Internet

Part of the book series: Ius Comparatum - Global Studies in Comparative Law ((GSCL,volume 38))

  • 1120 Accesses

Abstract

A general overview of European Union law concerning data protection in the internet is provided with a view to facilitate comparison with the regulatory framework in other relevant jurisdictions.

The entry into force of the new General Data Protection Regulation has brought about significant changes in EU law. The new Regulation has become a particularly influential piece of legislation regarding internet activities even beyond the EU. It has also triggered an intense debate about the challenges posed by the EU approach to the protection of personal data and its enforcement. Other EU instruments relevant in the field and the case law of the Court of Justice interpreting legislation on data protection law are also discussed.

This chapter has been made in the framework of research project DER-2015-64063-P (MINECO-FEDER).

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Log in via an institution
Chapter
USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
eBook
USD 139.00
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 179.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info
Hardcover Book
USD 179.99
Price excludes VAT (USA)
  • Durable hardcover edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Notes

  1. 1.

    OJ L 119, 4.5.2016, p. 1. For an initial general overview of the GDPR, see De Hert and Papakonstantinou (2016), Härting (2016), Paal and Pauly (2017), and Albrecht and Jotzo (2017).

  2. 2.

    Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ L 281, 23.11.1995, p. 31).

  3. 3.

    The free movement of personal data within the EU granted by GDPR is intended to be complemented by a new Regulation on a framework for the free flow of non-personal, see the Proposal of 13 September 2017 by the Commission at COM(2017) 495 final.

  4. 4.

    See Judgments of the CJEU of 16 July 2015, ClientEarth and PAN Europe v. EFSA, C-615/13 P, EU:C:2015:489, para. 30; and of 9 March 2017, C-398/15, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni, ECLI:EU:C:2017:197, para. 34.

  5. 5.

    Judgment of the CJEU of 6 November 2003, Bodil Lindqvist, C-101/01, ECLI:EU:C:2003:596, para. 47.

  6. 6.

    Judgment of the CJEU of 10 July 2018, Jehovan todistajat, C-25/17, ECLI:EU:C:2018:551, para. 50.

  7. 7.

    OJ L 8, 12.1.2001, p. 1.

  8. 8.

    See, e.g., Judgment of the CJEU of 13 May 2014, rendered in case C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317, para. 66 with further references.

  9. 9.

    Available at http://ec.europa.eu/justice/article-29/documentation/index_en.htm.

  10. 10.

    https://edpb.europa.eu/.

  11. 11.

    See Judgment of the CJEU of 19 October 2016, case C-581/14, Patrick Breyer v. Bundesrepublik Deutschland, ECLI:EU:C:2016:779, establishing that Article 2(a) of Directive 95/46/EC “must be interpreted as meaning that a dynamic IP address registered by an online media services provider when a person accesses a website that the provider makes accessible to the public constitutes personal data within the meaning of that provision, in relation to that provider, where the latter has the legal means which enable it to identify the data subject with additional data which the internet service provider has about that person”. Furthermore, see Judgments of the CJEU of 8 April 2014, Digital Rights Ireland and Seitlinger, Joined Cases C-293/12 and C-594/12, ECLI:EU:C:2014:238, para. 26; and of 21 December 2016, Tele2 Sverige AB and Secretary of State for the Home Department, Joined Cases C-203/15 and C-698/15, ECLI:EU:C:2016:970, para 98. See also Judgment of the ECtHR of 24 April 2018, Benedik v. Slovenia (app. no. 62357/14) regarding dynamic IP addresses.

  12. 12.

    See on this matter González Fuster (2014).

  13. 13.

    Judgment of the CJEU of 29 June 2010, Comisión/Bavarian Lager, C-28/08 P, ECLI:EU:C:2010:378.

  14. 14.

    See Judgments of the ECtHR of 16 February 2000, Amann v. Switzerland, App. no. 27798/95, para. 65; and 4 May 2000, Rotaru v. Romania, App. No. 28341/95, para. 43, available at http://hudoc.echr.coe.int.

  15. 15.

    Kokottand and Sobotta (2013), p. 225.

  16. 16.

    See Judgment of the CJEU of 6 October 2015, C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:6506, para. 38, with further references.

  17. 17.

    See, e.g., Judgments of the CJEU of 24 November 2011, Scarlet Extended SA v. Société belge des auteurs, compositeurs et éditeurs SCRL (SABAM), C-70/10, ECLI:EU:C:2011:771; of 16 February 2012, Belgische Vereniging van Auteurs, Componisten en Uitgevers CVBA (SABAM) v. Netlog NV, C-360/10, ECLI:EU:C:2012:85; and 19 April 2012, Bonnier Audio and Others v. Perfect Communication Sweden AB, C-461/10, ECLI:EU:C:2012:219.

  18. 18.

    CJEU Judgment of 1 October 2015 in case C-230/14, Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639 and CJEU Judgment of 5 June 2018 in case C-210/16, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v. Wirtschaftsakademie Schleswig-Holstein GmbH, ECLI:EU:C:2018:388.

  19. 19.

    See, e.g., Article 29 Working Party on Data Protection, Opinion 5/2009 on online social networking, WP 163, adopted on 12 June 2009.

  20. 20.

    Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’) (OJ L 178, 17.7.2000, p. 1).

  21. 21.

    De Miguel Asensio (2015), pp. 218–383.

  22. 22.

    CJEU Judgment of 13 May 2014, case C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317. See Article 29 Working Party on Data Protection, “Guidelines on the Implementation of the CJEU Judgment on “Google Spain and Inc v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González” C-131/12”, 26 November 2014.

  23. 23.

    CJEU Judgment of 9 March 2017, C-398/15, Camera di Commercio, Industria, Artigianato e Agricoltura di Lecce v. Salvatore Manni, ECLI:EU:C:2017:197, paras 55–56.

  24. 24.

    WP 174, adopted on 13 July 2010.

  25. 25.

    WP 232, adopted on 22 September 2015.

  26. 26.

    Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications) (OJ L 201, 31.7.2002, p. 37).

  27. 27.

    COM (2017) 10 final.

  28. 28.

    Commission proposal for a Directive of the European Parliament and of the Council establishing the European Electronic Communications Code (Recast) (COM/2016/0590 final—2016/0288 (COD)).

  29. 29.

    See Judgment of the CJEU of 8 April 2014, Digital Rights Ireland and Seitlinger, Joined Cases C-293/12 and C-594/12, ECLI:EU:C:2014:238, on the invalidity of Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the retention of data generated or processed in connection with the provision of publicly available electronic communications services or of public communications networks and amending Directive 2002/58/EC. Additionally, see Judgment of the CJEU of 21 December 2016, joined cases C-203/15 and C-698/15, Tele2 Sverige AB v. Secretary of State for the Home Department, ECLI:EU:C:2016:970. For instance, the latter considered that the equivalent to Article 11 in the previous version of the ePrivacy Regulation (Art. 15 of Directive 2002/58) read in the light of Articles 7, 8 and 11 and Article 52(1) of the Charter, precluded national legislation which, for the purpose of fighting crime, provides for general and indiscriminate retention of all traffic and location data of all subscribers and registered users relating to all means of electronic communication. Additionally, the Court established that those provisions precluded national legislation governed access of the national authorities to the retained data, where the objective pursued by that access, in the context of fighting crime, is not restricted solely to fighting serious crime, where access is not subject to prior review by a court or an independent administrative authority, and where there is no requirement that the data concerned should be retained within the European Union.

  30. 30.

    See Judgment of the ECtHR of 13 September 2018, Big Brother Watch and Others v. The United Kingdom (Apps. nos. 58170/13, 62322/14 and 24960/15).

  31. 31.

    OJ L 119, 4.5.2016, p. 89.

  32. 32.

    De Miguel Asensio (2017), pp. 78–86. On some concerns raised by the territorial reach of EU Data Protection Law, see Svantesson (2013), pp. 89–111.

  33. 33.

    CJEU Judgment of 1 October 2015 in case C-230/14, Weltimmo s.r.o. v. Nemzeti Adatvédelmi és Információszabadság Hatóság, ECLI:EU:C:2015:639, and CJEU Judgment of 28 July 2016, C-191/15, Verein für Konsumenteninformation v. Amazon EU Sàrl, ECLI:EU:C:2016:612, para. 31, and paras 73–81.

  34. 34.

    CJEU Judgment of 13 May 2014, rendered in case C-131/12, Google Spain SL and Google Inc. v. Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, ECLI:EU:C:2014:317, paras 55 and 56. See also Article 29 Working Party on Data Protection, “Update of Opinion 8/2010 on applicable law in light of the CJEU judgment in Google Spain”, 16 December 2015, Annex II; Kuner (2015), Oro Martínez (2015) and Van Alsenoy and Koekkoek (2015).

  35. 35.

    Judgment of the CJEU of 7 December 2010, Peter Pammer v. Reederei Karl Schlüter GmbH & Co KG (C-585/08) and Hotel Alpenhof GesmbH v. Oliver Heller (C-144/09), ECLI:EU:C:2010:740, paras. 77–78.

  36. 36.

    On the data protection implications of those practices, see Article 29 Working Party on Data Protection, Opinion 2/2010 on online behavioural advertising, WP 171, adopted on 22 June 2010.

  37. 37.

    See Kuner (2013), pp. 151–154.

  38. 38.

    Judgment of the CJEU of 6 October 2015, C-362/14, Schrems v. Data Protection Commissioner, ECLI:EU:C:2015:6506, paras. 73–74.

  39. 39.

    CJEU Judgment of 25 January 2018, C-498/16, Maximilian Schrems v. Facebook Ireland Limited, ECLI:EU:C:2018:37.

  40. 40.

    Brkan (2015), pp. 257–278; Kohler (2016), pp. 653–675; De Miguel Asensio (2017), pp. 92–106.

References

  • Albrecht JP, Jotzo F (2017) Das neue Datenschutzrecht der EU. Nomos, Baden-Baden

    Google Scholar 

  • Brkan M (2015) Data protection and European private international law: observing a bull in a China shop. Int Data Privacy Law:257–278

    Article  Google Scholar 

  • De Hert P, Papakonstantinou V (2016) The New General Data Protection Regulation: still a sound system for the protection of individuals? Comput Law Secur Rev 32:179–194

    Google Scholar 

  • De Miguel Asensio PA (2015) Derecho Privado de Internet, 5th edn. Civitas Thomson Reuters, Madrid

    Google Scholar 

  • De Miguel Asensio PA (2017) Competencia y Derecho aplicable en el Reglamento General sobre Protección de Datos de la Unión Europea. Revista española de Derecho internacional 69(1):75–108

    Article  Google Scholar 

  • González Fuster G (2014) The emergence of personal data protection as a fundamental right of the EU. Springer, Heidelberg

    Book  Google Scholar 

  • Härting N (2016) Datenschutz-Grund-verordnung. Otto Schmidt, Cologne

    Google Scholar 

  • Kohler C (2016) Conflict of law issues in the 2016 data protection regulation of the European Union. Rivista di Diritto Internazionale Privato e Processuale:653–675

    Google Scholar 

  • Kokottand J, Sobotta C (2013) The distinction between privacy and data protection in the jurisprudence of the CJEU and the ECtHR. Int Data Privacy Law 3(4):222–228

    Article  Google Scholar 

  • Kuner C (2013) Transborder data flows and data privacy law. OUP, Oxford

    Book  Google Scholar 

  • Kuner C (2015) The Court of Justice of the EU Judgment on data protection and internet search engines: current issues and future challenges. In: Hess B, Mariottini CM (eds) Protecting privacy in private international and procedural law and by data protection. Ashgate, Nomos, Baden-Baden, pp 19–44

    Chapter  Google Scholar 

  • Oro Martínez C (2015) The CJEU Judgment in Google Spain: notes on its causes and perspectives on its consequences, protecting privacy in private international and procedural law and by data protection. Ashgate, Nomos, Baden-Baden, pp 45–55

    Google Scholar 

  • Paal BP, Pauly DA (2017) Datenschutz-Grundverordnung. C.H. Beck, Munich

    Google Scholar 

  • Svantesson DJB (2013) Extraterritoriality in data privacy law. Ex Tuto, Copenhagen

    Google Scholar 

  • Van Alsenoy B, Koekkoek M (2015) Internet and jurisdiction after Google Spain: the extraterritorial reach of the ‘right to be delisted’. Int Data Privacy Law 5(2):105–120

    Google Scholar 

Download references

Author information

Authors and Affiliations

  1. Complutense University of Madrid, Madrid, Spain

    Pedro A. de Miguel Asensio

Authors
  1. Pedro A. de Miguel Asensio
    View author publications

    You can also search for this author in PubMed Google Scholar

Corresponding author

Correspondence to Pedro A. de Miguel Asensio .

Editor information

Editors and Affiliations

  1. Law School, University of Lisbon, Lisbon, Portugal

    Dário Moura Vicente  & Sofia de Vasconcelos Casimiro  & 

Rights and permissions

Reprints and permissions

Copyright information

© 2020 Springer Nature Switzerland AG

About this chapter

Check for updates. Verify currency and authenticity via CrossMark

Cite this chapter

de Miguel Asensio, P.A. (2020). Data Protection in the Internet: A European Union Perspective. In: Moura Vicente, D., de Vasconcelos Casimiro, S. (eds) Data Protection in the Internet. Ius Comparatum - Global Studies in Comparative Law, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-28049-9_18

Download citation

  • DOI: https://doi.org/10.1007/978-3-030-28049-9_18

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-030-28048-2

  • Online ISBN: 978-3-030-28049-9

  • eBook Packages: Law and CriminologyLaw and Criminology (R0)

Publish with us

Policies and ethics

Search

Navigation