Direito e Informação na Sociedade em Rede: atas

Personal data protection has frequently been portrayed as a distinctive European legal innovation, its principles being held up as a standard for best data protection practices (Borghi, Ferretti, Karapapa, 2013, p. 109). In 2010, the EU moved a step further with the adoption of the Charter of Fundamental Rights as part of the Treaty of Lisbon, upgrading the right to personal data protection to the status of a fundamental right.
The origins of personal data protection go back to the late 1960s and to the Council of Europe’s Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, of 1981 (Convention 108). The Convention set out principles that remain key to the protection of personal data, and came to shape Directive 95/46/EC, the Data Protection Directive (DPD). These principles, to be observed by data controllers and processors, are, specifically: purpose limitation (i.e. personal data may only be collected for specified, explicit and legitimate purposes and may not be further processed in a way incompatible with those purposes); data minimization (i.e. processing of personal data must be restricted to the minimum amount necessary); proportionality (i.e. personal data must be adequate, relevant and not excessive in relation to the purposes for which they are collected); and control (i.e. supervision of processing must be ensured by member states’ authorities). Also, data subjects are assigned a set of procedural rights enabling them to consent, to have access, and to know what information about them is registered in databases, as well as to rectify the data, and to object to data processing in specific situations. In addition, the DPD prohibits the transfer of personal data to third countries unless the latter provide an adequate level of data protection as determined by the European Commission, or unless one of the enumerated exceptions applies.
Both the Convention and the DPD were designed with the computer systems of large organizations in mind, either public or private, to the extent that they collect, store and process personal data for the purposes of their own activities. The DPD, in particular, was drawn up as part of the legal framing of the common market, meaning that data protection law was mainly targeted towards private companies at a time when these companies were not yet engaged in massive data mining. Besides, although adopted in an age when the Internet was already widely known among the technology community and was starting to make its way into households, the DPD did not express any specific concern regarding the use of the Web, so that it lagged behind technology from the moment of its enactment, even though some extensive interpretation has been made throughout the years in order to accommodate the special features of the online environment [6].
accessed 09.04.2016). The consolidated version is available at <https://www.janalbrecht.eu/fileadmin/material/Dokumente/GDPR_consolidated_LIBE-vote-2015-12-17.pdf> (last accessed 18.03.2016).
[6] In 2003, a decision by the European Court of Justice (ECJ) in the Bodil Lindqvist case helped to clarify the applicability of Directive 95/46/EC to the Internet in the specific circumstances in which someone processes and disseminates sensitive personal data of other people on an Internet page. In this instance, the Court considered that the publication of personal data online made the said information available to a countless number of recipients, thus rendering the personal/household exemption prescribed by Article 3(2) of the DPD not applicable (Warso, 2013, p. 493 ff).