BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT
for many years the protection and processing of personal data within the European Union. As the activities of Member States regarding public safety, defence and State security fell outside the scope of Community law, the Directive did not apply to these activities (Article 3(2)).
204. The General Data Protection Regulation, adopted in April 2016, superseded the Data Protection Directive and became enforceable on 25 May 2018. The regulation, which is directly applicable in Member States,[2] contains provisions and requirements pertaining to the processing of personally identifiable information of data subjects inside the European Union, and applies to all enterprises, regardless of location, doing business with the European Economic Area. Business processes that handle personal data must be built with data protection by design and by default, meaning that personal data must be stored using pseudonymisation or full anonymisation, and use the highest-possible privacy settings by default, so that the data are not available publicly without explicit consent, and cannot be used to identify a subject without additional information stored separately. No personal data may be processed unless it is done under a lawful basis specified by the regulation, or if the data controller or processor has received explicit, opt-in consent from the data’s owner. The data owner has the right to revoke this permission at any time.
205. A processor of personal data must clearly disclose any data collection, declare the lawful basis and purpose for data processing, how long data are being retained, and whether they are being shared with any third parties or outside of the European Union. Users have the right to request a portable copy of the data collected by a processor in a common format, and the right to have their data erased under certain circumstances. Public authorities, and businesses whose core activities centre around regular or systematic processing of personal data, are required to employ a data protection officer (DPO), who is responsible for managing compliance with the GDPR. Businesses must report any data breaches within 72 hours if they have an adverse effect on user privacy.
206. The Privacy and Electronic Communications Directive (Directive 2002/58/EC concerning the processing of personal data and the protection of privacy in the electronic communications sector), adopted on 12 July 2002, states, in recitals 2 and 11:
“(2) This Directive seeks to respect the fundamental rights and observes the principles recognised in particular by the Charter of fundamental rights of the European Union. In particular, this Directive seeks to ensure full respect for the rights set out in Articles 7 and 8 of that Charter.
... ... ...
[2] Before the United Kingdom left the European Union, it granted royal assent to the Data Protection Act 2018 on 23 May 2018, which contains equivalent regulations and protections.