The existing directive on personal data protection was enacted almost two decades ago, at the dawn of the digital era. The Commission proposes to replace that directive with a regulation, thereby not only updating the legal framework, but also ending its fragmentation.
Protection of personal data is a human right enshrined in Article 8 of the Charter of Fundamental Rights. The Lisbon Treaty gave the EU the explicit competence to legislate on the protection of individuals with regard to the processing of personal data by EU institutions and other bodies, as well as by the Member States (MS) when acting within the scope of EU law (Art. 16(2) TFEU). Currently, the legal framework comprises a general Data Protection Directive (1995), a Regulation on processing of personal data by the EU institutions and bodies (2000) and a Framework Decision on the protection of personal data in the context of criminal law enforcement (2008). Since the enactment of the Directive there have been significant changes in the practical aspects of processing of personal data. This is due in particular to the proliferation of online technology, an increase in the volume of data collection, and the globalisation of markets.
In its Digital Agenda for Europe (2010), the European Commission (EC) stressed the link between the effective protection of personal data and building consumer confidence in online markets. In its Action Plan implementing the Stockholm Programme (2010), it considered that the fundamental right to data protection must be consistently applied and strengthened. Finally, in a communication that same year, it called for a more coherent and comprehensive EU policy on the issue. The Commission’s approach was backed by an EP resolution in 2011. In January 2012 the Commission tabled its reform package comprising a general data protection regulation and a directive to replace the 2008 Framework Decision. The 2000 Regulation on processing of data by the EU institutions would not be amended. The proposed regulation would strengthen citizens’ rights (e.g. limits to online tracking and profiling, ‘right to be forgotten’, right to data portability, principles of transparency and data minimisation). Transfer of data to a non-EU country would be allowed if the EC has endorsed the level of protection there through an implementing act. In transnational cases a ‘one-stop shop’ mechanism would apply, whereby the supervisory authority of the MS in which the company dealing with personal data has its main establishment would be competent. In Council, some MS expressed a preference for a directive instead of a regulation and, in transnational cases, would prefer a joint decision by authorities from different MS instead of the exclusive competence of a single one.
The package was referred to the Committee on Civil Liberties, Justice and Home Affairs (rapporteur for the regulation: Jan Philipp Albrecht, Greens/EFA, Germany; and, for the directive: Dimitrios Droutsas, S&D, Greece). The report on the regulation recommends, inter alia, broadening its scope to cover cooperation of companies with law enforcement agencies, reducing the number of delegated acts by replacing them with more detailed wording in the Regulation, and clarifying the content of the ‘right to be forgotten’. The EC should endorse non-EU country data protection regimes by delegated, rather than implementing, acts. As regards the ‘one-stop shop’ mechanism, the ‘lead authority’ of the MS in which the company in question has its main establishment should be the single contact point but would have to consult other competent authorities and attempt to reach a consensus. However, it would be exclusively competent to issue legally binding measures directed to the company in question. The report on the Directive likewise puts forward numerous amendments, inter alia to opt for minimum, instead of maximum, harmonisation.