Explanatory memorandum

1. Context of the proposal

This explanatory memorandum presents in further detail the proposed new legal framework for the protection of personal data in the EU as set out in Communication COM (2012) 9 final [1]. The proposed new legal framework consists of two legislative proposals:

• a proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), and
• a proposal for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data [2].

This explanatory memorandum concerns the legislative proposal for a General Data Protection Regulation.

The centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC [3], was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters [4].

Rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life.

Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe [5], and more generally in the Europe 2020 Strategy [6].

Article 16(1) of Treaty on the Functioning of the European Union (TFEU), as introduced by the Lisbon Treaty, establishes the principle that everyone has the right to the protection of personal data concerning him or her. Moreover, with Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for the adoption of rules on the protection of personal data. Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data as a fundamental right.

The European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives [7]. In its resolution on the Stockholm Programme, the European Parliament [8] welcomed a comprehensive data protection scheme in the EU and among others called for the revision of the Framework Decision. The Commission stressed in its Action Plan implementing the Stockholm Programme [9] the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies.

In its Communication on "A comprehensive approach on personal data protection in the European Union" [10], the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection.

The current framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity [11]. This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.

[Notes:]

• 1 "Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st Century" COM(2012) 9 final.
• 2 COM(2012) 10 final.
• 3 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p.31.
• 4 Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters, OJ L 350, 30.12.2008, p. 60 (‘Framework Decision’).
• 5 COM(2010)245 final.
• 6 COM(2010)2020 final.
• 7 "The Stockholm Programme — An open and secure Europe serving and protecting citizens", OJ C 115, 4.5.2010, p.1.
• 8 Resolution of the European Parliament on the on the Communication from the Commission to the European Parliament and the Council – An area of freedom, security and justice serving the citizen – Stockholm programme adopted 25 November 2009 (P7_TA(2009)0090).
• 9 COM(2010)171 final.
• 10 COM(2010)609 final.
• 11 Special Eurobarometer (EB) 359, Data Protection and Electronic Identity in the EU (2011): http://ec.europa.eu/public_opinion/archives/ebs/ebs_359_en.pdf.

[Source: January 2012]

Explanatory memorandum

3. Legal elements of the proposal

3.2. Subsidiarity and proportionality

According to the principle of subsidiarity (Article 5(3) TEU), action at Union level shall be taken only if and in so far as the objectives envisaged cannot be achieved sufficiently by Member States, but can rather, by reason of the scale or effects of the proposed action, be better achieved by the Union. In the light of the problems outlined above, the analysis of subsidiarity indicates the necessity of EU-level action on the following grounds:

• The right to the protection of personal data, enshrined in Article 8 of the Charter of Fundamental Rights, requires the same level of data protection throughout the Union. The absence of common EU rules would create the risk of different levels of protection in the Member States and create restrictions on cross-border flows of personal data between Member States with different standards.
• Personal data are transferred across national boundaries, both internal and external borders, at rapidly increasing rates. In addition, there are practical challenges to enforcing data protection legislation and a need for co-operation between Member States and their authorities, which needs to be organised at EU level to ensure unity of application of Union law. The EU is also best placed to ensure effectively and consistently the same level of protection for individuals when their personal data are transferred to third countries.
• Member States cannot alone reduce the problems in the current situation, particularly those due to the fragmentation in national legislations. Thus, there is a specific need to establish a harmonised and coherent framework allowing for a smooth transfer of personal data across borders within the EU while ensuring effective protection for all individuals across the EU.
• The proposed EU legislative actions will be more effective than similar actions at the level of Member States because of the nature and scale of the problems, which are not confined to the level of one or several Member States.

The principle of proportionality requires that any intervention is targeted and does not go beyond what is necessary to achieve the objectives. This principle has guided the preparation of this proposal from the identification and evaluation of alternative policy options to the drafting of the legislative proposal.

[Source: January 2012]