BIG BROTHER WATCH AND OTHERS v. THE UNITED KINGDOM JUDGMENT


contains provisions and requirements pertaining to the processing of
personally identifiable information of data subjects inside the European
Union, and applies to all enterprises, regardless of location, that are doing
business with the European Economic Area. Business processes that handle
personal data must be built with data protection by design and by default,
meaning that personal data must be stored using pseudonymisation or full
anonymisation, and use the highest-possible privacy settings by default, so
that the data is not available publicly without explicit consent, and cannot be
used to identify a subject without additional information stored separately.
No personal data may be processed unless it is done under a lawful basis
specified by the regulation, or if the data controller or processor has
received explicit, opt-in consent from the data’s owner. The data owner has
the right to revoke this permission at any time.
220. A processor of personal data must clearly disclose any data
collection, declare the lawful basis and purpose for data processing, how
long data is being retained, and if it is being shared with any third parties or
outside of the EU. Users have the right to request a portable copy of the data
collected by a processor in a common format, and the right to have their
data erased under certain circumstances. Public authorities, and businesses
whose core activities centre around regular or systematic processing of
personal data, are required to employ a data protection officer (DPO), who
is responsible for managing compliance with the GDPR. Businesses must
report any data breaches within 72 hours if they have an adverse effect on
user privacy.
221. The Privacy and Electronic Communications Directive (Directive
2002/58/EC concerning the processing of personal data and the protection
of privacy in the electronic communications sector), adopted on 12 July
2002, states, in recitals 2 and 11:
“(2) This Directive seeks to respect the fundamental rights and observes the
principles recognised in particular by the Charter of fundamental rights of the
European Union. In particular, this Directive seeks to ensure full respect for the rights
set out in Articles 7 and 8 of that Charter.
(11) Like Directive 95/46/EC, this Directive does not address issues of protection of
fundamental rights and freedoms related to activities which are not governed by
Community law. Therefore it does not alter the existing balance between the
individual’s right to privacy and the possibility for Member States to take the
measures referred to in Article 15(1) of this Directive, necessary for the protection of
public security, defence, State security (including the economic well-being of the
State when the activities relate to State security matters) and the enforcement of
criminal law. Consequently, this Directive does not affect the ability of Member
States to carry out lawful interception of electronic communications, or take other
measures, if necessary for any of these purposes and in accordance with the European

1 As the United Kingdom is leaving the European Union in 2019, it granted royal assent to the Data Protection Act 2018 on 23 May 2018, which contains equivalent regulations and protections.
