Personal data protection package

The existing directive on personal data protection was enacted almost two decades ago, at the dawn of the digital era. The Commission proposes to replace that directive with a regulation, thereby not only updating the legal framework, but also ending its fragmentation.


Protection of personal data is a human right enshrined in Article 8 of the Charter of Fundamental Rights. The Lisbon Treaty gave the EU the explicit competence to legislate on the protection of individuals with regard to the processing of personal data by EU institutions and other bodies, as well as by the Member States (MS) when acting within the scope of EU law (Art. 16(2) TFEU). Currently, the legal framework comprises a general Data Protection Directive (1995), a Regulation on processing of personal data by the EU institutions and bodies (2000) and a Framework Decision on the protection of personal data in the context of criminal law enforcement (2008). Since the enactment of the Directive there have been significant changes in the practical aspects of processing of personal data. This is due in particular to the proliferation of online technology, an increase in the volume of data collection, and the globalisation of markets.

European Commission

In its Digital Agenda for Europe (2010), the European Commission (EC) stressed the link between the effective protection of personal data and building consumer confidence in online markets. In its Action Plan implementing the Stockholm Programme (2010), it considered that the fundamental right to data protection must be consistently applied and strengthened. Finally, in a communication that same year, it called for a more coherent and comprehensive EU policy on the issue. The Commission’s approach was backed by an EP resolution in 2011. In January 2012 the Commission tabled its reform package comprising a general data protection regulation and a directive to replace the 2008 Framework Decision. The 2000 Regulation on processing of data by the EU institutions would not be amended. The proposed regulation would strengthen citizens’ rights (e.g. limits to online tracking and profiling, ‘right to be forgotten’, right to data portability, principles of transparency and data minimalisation). Transfer of data to a non-EU country would be allowed if the EC has endorsed the level of protection there through an implementing act. In transnational cases a ‘one-stop shop’ mechanism would apply, whereby the supervisory authority of the MS in which the company dealing with personal data has its main establishment would be competent. In Council, some MS expressed preference for a directive instead of a regulation and, in transnational cases, would prefer joint decision by authorities from different MS instead of exclusive competence of a single one.

European Parliament

The package was referred to the Committee on Civil Liberties, Justice and Home Affairs (rapporteur for the regulation: Jan Philipp Albrecht, Greens/EFA, Germany; and, for the directive: Dimitrios Droutsas, S&D, Greece). The report on the regulation recommends, inter alia, broadening its scope to cover cooperation of companies with law enforcement agencies, reducing the number of delegated acts by replacing them with more detailed wording of the Regulation, and clarifying the content of the ‘right to be forgotten’. The EC should endorse non-EU country data protection regimes by delegated, rather than implementing, acts. As regards the ‘one-stop shop’ mechanism, the ‘lead authority’ of the MS in which the company in question has its main establishment should be the single contact point but would have to consult other competent authorities and attempt to reach a consensus. However, it would be exclusively competent to issue legally binding measures directed to the company in question. The report on the Directive likewise puts forward numerous amendments, inter alia to opt for minimum, instead of maximum, harmonisation.


One thought on “Personal data protection package”

  1. I'm still wondering what Cookies are doing to my life, and Private Dates that I'm working on


    Posted by Portfolio tobieBred | January 21, 2019, 15:38

Disclaimer and Copyright statement

The content of all documents (and articles) contained in this blog is the sole responsibility of the author and any opinions expressed therein do not necessarily represent the official position of the European Parliament. It is addressed to the Members and staff of the EP for their parliamentary work. Reproduction and translation for non-commercial purposes are authorised, provided the source is acknowledged and the European Parliament is given prior notice and sent a copy.

Copyright © European Union, 2014-2019. All rights reserved.
