Negotiations are continuing in Brussels on the Proposal for a Regulation of the European Parliament and of the Council on the Protection of individuals with regard to the processing of personal data and free movement of such data (‘General Data Protection Regulation’). 23

The outcome of these negotiations will have a significant impact on data protection and privacy in the European Union (EU). It is expected that the negotiations will conclude in June 2015.

The background

The Commission proposal on data protection starts from the basic position that the current EU Data Protection Directive 95/46/EC24 is not well adapted to data globalization and technological developments like social networks and cloud computing. New rules are required. For this reason the Commission published a proposal for a regulation on 25 January 2012, which extends the scope of the EU Data Protection to any company, wherever based, processing data in relation to EU residents. At the same time it proposes the harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.

The European Commission believes that “Building trust in the online environment is key to economic development”. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe 25 and more generally in the Europe 2020 Strategy26.

Data protection is considered a fundamental right in EU law.

Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), establishes the principle that everyone has the right to the protection of their personal data concerning. Article 16(2) TFEU introduces a specific legal basis for the adoption of rules on the protection of personal data. Article 8 of the EU Charter of Fundamental Rights enshrines protection of personal data as a fundamental right.

Against this background of fundamental rights, the European Council invited the Commission to evaluate the functioning of existing EU instruments on data protection and to present, where necessary, further legislative and/or nonlegislative initiatives. 27 Data protection was included in the Stockholm Programme to ensure an open and secure Europe serving and protecting citizens. The Programme was approved by the European Parliament. 28 Then Commission stressed in its Action Plan implementing the Stockholm Programme29 the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies.

Finally the Commission in its Communication on “A comprehensive approach on personal data in the European Union” 30 concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection.

Legal basis and Principles

The legal basis of EU laws is keenly debated in Brussels for two reasons. Firstly the EU does not have competence to act unless there is a clear legal basis in the Lisbon treaty. Secondly, if there are two possible legal bases, the different legal bases give different EU institutions (Council, Parliament and Commission) different rights and competences. The Commission proposed use of Article 16 of the TFEU, 31 which is the new legal basis for the adoption of data protection rules introduced by the Lisbon Treaty.

The next question is whether the form of the law should be a Regulation or a Directive. A Regulation is directly applicable in the Member States. A Directive leaves room for Member States to adapt the law to the national situation.

For data protection, the Commission considered that a Regulation was the most appropriate legal instruments to define the framework for the protection of personal data in the Union. The direct applicability of a Regulation reduces legal fragmentation and provides greater legal certainty by introducing a harmonized set of core rules.

As Commission reaffirmed, 32 the right to the protection of personal data, enshrined in Article 8 of the EU Charter of Fundamental Right, 33 requires the same level of data protection throughout the Union. The absence of common EU rules would create the risk of different levels protection in the Member States and create restriction on cross-border flows of personal data between Member States with different standards.

Personal data is transferred across national boundaries, both internal and external borders, at rapidly increasing rates. In addition, there are practical challenges to enforcing data protection legislation and a need for co-operation between Member States and their Authorities, which needs to be organized at EU Level to ensure unity of application of Union Law. The EU is also best placed to ensure effectively and consistently the same level of protection for individuals when their personal data are transferred to third countries.