Rina Steenkamp - Privacy and technology

My annotated General Data Protection Regulation

[Proposal from the European Commission]

Having regard to the proposal from the European Commission,

January 2012

Explanatory memorandum

1. Context of the proposal

This explanatory memorandum presents in further detail the proposed new legal framework for the protection of personal data in the EU as set out in Communication COM (2012) 9 final [1]. The proposed new legal framework consists of two legislative proposals:

This explanatory memorandum concerns the legislative proposal for a General Data Protection Regulation.

The centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC [3], was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters [4].

Rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life.

Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe [5], and more generally in the Europe 2020 Strategy [6].

Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), as introduced by the Lisbon Treaty, establishes the principle that everyone has the right to the protection of personal data concerning him or her. Moreover, with Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for the adoption of rules on the protection of personal data. Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data as a fundamental right.

The European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives [7]. In its resolution on the Stockholm Programme, the European Parliament [8] welcomed a comprehensive data protection scheme in the EU and among others called for the revision of the Framework Decision. The Commission stressed in its Action Plan implementing the Stockholm Programme [9] the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies.

In its Communication on "A comprehensive approach on personal data protection in the European Union" [10], the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection.

The current framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity [11]. This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.


[Source: January 2012]

Explanatory memorandum

3. Legal elements of the proposal

3.2. Subsidiarity and proportionality

According to the principle of subsidiarity (Article 5(3) TEU), action at Union level shall be taken only if and in so far as the objectives envisaged cannot be achieved sufficiently by Member States, but can rather, by reason of the scale or effects of the proposed action, be better achieved by the Union. In the light of the problems outlined above, the analysis of subsidiarity indicates the necessity of EU-level action on the following grounds:

The principle of proportionality requires that any intervention is targeted and does not go beyond what is necessary to achieve the objectives. This principle has guided the preparation of this proposal from the identification and evaluation of alternative policy options to the drafting of the legislative proposal.

[Source: January 2012]


The proposal from the European Commission

The proposal from the European Commission consists of:

'1. Context of the proposal' and '3.2 Subsidiarity and proportionality' have been reproduced above.

'3.1 Legal basis' can be found under '[Treaty on the functioning of the European Union]'.

'3.3 Summary of fundamental rights issues' can be found under Article 85a.

'3.4. Detailed explanation of the proposal' contains explanations for each article, which I've added to the relevant articles. I intend to do the same with the proposed Regulation itself.

[Source: January 2012]