Happy Data Privacy Day!

28 Jan 2022
Cheers to the harmony of the GDPR and the eIDAS Regulation as an indispensable basis for the electronic signature.

 

On 28 January 1981, the European Convention on Data Protection was signed by the then member states of the Council of Europe. With the convention, the signatory states wanted to ensure data protection within the scope of the convention. In view of the increasing cross-border data traffic, a uniform level of data protection was to be established within the signatory states. Since 2007, 28 January has been European Data Privacy Day.

The Convention contains certain elementary data protection principles for the automated processing of personal data that had to be transposed into national law – including the principle of data processing in good faith, the purpose limitation principle, the necessity principle and the data subject's right to information.

 

GDPR as successor across the EU

These principles, agreed at that time, are also included in the General Data Protection Regulation (GDPR), which has formed the common data protection framework in the European Union since 25 May 2018.

As the successor to the Data Protection Directive (Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data), the GDPR applies directly in all EU Member States. The data protection laid down by the Regulation may neither be weakened nor strengthened by national regulations; only opening clauses allow individual member states to regulate certain aspects of data protection nationally.

 

Consistency with the eIDAS Regulation

This is where the harmonisation with the EU's eIDAS Regulation, which governs electronic signatures and trust services, among other things, comes into play. The eIDAS Regulation has been in force since July 1, 2016. Due to its legal nature, it is also directly applicable in all Member States, has general validity and serves to create an EU-wide harmonised legal framework for electronic signatures and trust services. National laws therefore only regulate those areas in which the directly applicable eIDAS Regulation leaves it to the member states to enact national regulations. Here, too, the predecessor was a directive that had to be implemented in national law.

Let's face it: the topics of electronic signatures and data protection are inextricably linked. Especially in times of cloud services, this link is becoming ever closer. The history of data protection regulation in the EU and its harmony with the eIDAS Regulation create a legal basis that puts the electronic signature on a uniform and stable footing for the first time. We are lucky that this basis was already in place when the COVID pandemic broke out and that the electronic signature is, more than ever, an important cornerstone for the business activities of companies and public authorities.

 

Uncertainty with data transfer to the USA

On the other hand, the transfer of personal data to the USA is an uncertain matter. According to the GDPR, this is only permissible if there is an adequate level of protection for the processing of EU citizens' personal data.

With the ruling of the European Court of Justice in the "Schrems II" case, the so-called Privacy Shield ceased to be a legal basis for data transfer to the USA. Now, in a decision dated 22 December 2021, the Data Protection Authority has clarified that the mere adoption, between Google and website operators, of the standard protection clauses drawn up by the EU Commission does not provide a sufficient legal basis for the transfer of data to the USA. This uncertainty will therefore continue for a longer period of time.



Many thanks to lawyer and data protection expert Dr. Irene Binder, LL.M. for this guest article!