Personal data protection

Protection of personal data and respect for private life are important fundamental rights. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. The EU data protection reform will strengthen citizens’ rights, giving them better control of their data and ensuring that their privacy continues to be protected in the digital age.

Legal basis

Article 16 of the Treaty on the Functioning of the European Union (TFEU);

Articles 7 and 8 of the EU Charter of Fundamental Rights.


The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied in a consistent manner. The EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies, including law enforcement and crime prevention, as well as in international relations, especially in a global society characterised by rapid technological changes.


a. A new institutional framework

1. Lisbon Treaty

Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, with the use of the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time stipulating new powers for Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union law.

2. The Stockholm programme and the June 2014 European Council

Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved a new multiannual programme regarding the AFSJ for the 2010-2014 period: the Stockholm programme. In its conclusions of June 2014, the European Council defined strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 TFEU. One of the key objectives is to better protect personal data in the EU.

b. Main legislative instruments on data protection

1. EU Charter of Fundamental Rights

Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights. The Charter is integrated into the Lisbon Treaty and is legally binding on the institutions and bodies of the European Union, and on the Member States when implementing EU law.

2. Council of Europe

a. Convention 108 of 1981

Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data is the first legally binding international instrument adopted in the field of data protection. Its purpose is ‘to secure [...] for every individual [...] respect for his rights and fundamental freedoms and in particular his right to privacy, with regard to automatic processing of personal data’.

b. European Convention on Human Rights (ECHR)

Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right to respect for private and family life: ‘Everyone has the right to respect for his private and family life, his home and his correspondence.’

3. Current EU legislative instruments on data protection

As a consequence of the old pillar structure, various legislative instruments are currently in force. These include former first-pillar instruments such as Directive 95/46/EC on data protection, Directive 2002/58/EC on e-privacy (modified in 2009), Directive 2006/24/EC on data retention (declared invalid by the Court of Justice of the European Union on 8 April 2014 owing to its serious interference with private life and data protection), and Regulation (EC) No 45/2001 on processing of personal data by Community institutions and bodies, as well as former third-pillar instruments such as the Council Framework Decision of November 2008 on the protection of personal data processed in the framework of police and criminal justice. A new comprehensive legal framework on data protection at EU level is due to come into force shortly (see below).

a. Data Protection Directive (95/46/EC)

Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data is the central piece of legislation on the protection of personal data in the EU. The directive stipulates general rules on the lawfulness of personal data processing, sets out the rights of data subjects and makes provision for national independent supervisory authorities. The directive stipulates that personal information may only be processed if the person concerned has given his/her explicit consent to, and has been informed in advance of, the data processing.

b. Council Framework Decision 2008/977/JHA

Council Framework Decision 2008/977/JHA of 27 November 2008 on the protection of personal data processed in the framework of police and judicial cooperation in criminal matters regulates data protection under the former third pillar. This is a sector not covered by Directive 95/46/EC, which applies to the processing of personal data under the former first pillar. The Framework Decision only applies to police and judicial data exchanged among Member States, EU authorities and associated systems, and does not cover domestic data.

4. European Data Protection Supervisor and Article 29 Working Party

The European Data Protection Supervisor (EDPS) is an independent supervisory authority which ensures that the EU institutions and bodies meet their obligations with regard to data protection as laid down in the Data Protection Regulation ((EC) No 45/2001). The primary duties of the EDPS are supervision, consultation and cooperation. The Article 29 Working Party is an independent advisory body on data protection and privacy, set up under Article 29 of the Data Protection Directive. It is composed of representatives of the EU national data protection authorities, the EDPS and the Commission. It issues recommendations, opinions and working documents. The Article 29 Working Party will be replaced by the European Data Protection Board under the new General Data Protection Regulation.

5. EU Data Protection Reform

On 25 January 2012, the Commission published a broad legislative package to reform EU legislation on data protection. The proposed reform is aimed at safeguarding personal data across the EU, increasing users’ control of their data and cutting costs for businesses. Technological progress and globalisation have profoundly changed the way data is collected, accessed and used. In addition, the 28 Member States have implemented the 1995 rules in differing ways. A single law will do away with the current fragmentation and costly administrative burdens. This initiative will help reinforce consumer confidence in online services, providing a much-needed boost to growth, jobs and innovation in Europe. The package includes a policy communication on the main political objectives of the reform, a proposal for a general regulation to modernise the principles enshrined in the 1995 Data Protection Directive, and a proposal for a specific directive on the processing of personal data in the area of police and judicial cooperation in criminal matters. In December 2015, Parliament (at committee level) and the Council (at ambassadorial level) reached an agreement on the new data protection rules after almost three years of lengthy negotiations. Once the regulation and the directive have been formally adopted, the official texts will be published in the Official Journal; the new rules will come into force two years later.

Role of the European Parliament

Parliament has always insisted on the need to strike a balance between enhancing security and protecting privacy and personal data. It has adopted various resolutions on these sensitive matters, specifically addressing ethno-racial profiling, the Prüm Council Decision on cross-border cooperation in combating terrorism and cross-border crime, the use of body scanners to enhance aviation security, biometrics in passports and common consular instructions, border management, the internet and data mining.

The Lisbon Treaty has introduced more accountability and legitimacy into the AFSJ, thus generalising, with a few exceptions, the Community method, which includes majority voting in the Council and the ordinary legislative procedure (formerly known as co-decision). As regards international agreements, a new procedure (‘consent’) has been introduced. Parliament used these powers in February 2010 when it rejected the provisional application of the Terrorist Finance Tracking Programme (TFTP) agreement (previously known as the SWIFT agreement) on transfers of bank data to the USA for counterterrorism purposes. Following the adoption of Parliament’s resolution of 8 July 2010, the TFTP agreement entered into force in August 2010. In July 2011 the Commission adopted a communication on the main options for establishing a European Terrorist Finance Tracking System (EU TFTS), about which Parliament expressed doubts. In November 2013, the Commission announced its intention not to present at this stage a proposal for an EU TFTS.

Another issue of crucial importance is the Passenger Name Records (PNR) agreement between the EU and the USA on the processing and transfer of PNR data by air carriers to the US Department of Homeland Security. Following the consent given by Parliament, the Council adopted in April 2012 a decision on the conclusion of the new agreement, which replaced the previous EU-US PNR agreement, applied provisionally since 2007.

In February 2011 the Commission tabled a proposal for a directive on the use of PNR data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime (EU PNR). In June 2013, Parliament decided in plenary to refer the matter back to its Committee on Civil Liberties, Justice and Home Affairs (LIBE), which in April 2013 voted against the EU PNR proposal, questioning its proportionality and compliance with fundamental rights. Since then, there has been a stalemate on the EU PNR file. Following the 2015 terrorist attacks in Paris and new concerns over possible threats to the EU’s internal security posed by ‘foreign fighters’, the debate on the EU PNR proposal gained new momentum. In December 2015, Parliament (at committee level) and the Council (at ambassadorial level) reached a compromise solution on this sensitive matter, which will allow, but not oblige, Member States to collect PNR for selected intra-EU flights. Following final approval by Parliament and the Council, the EU PNR directive will have to be transposed into national law within two years.

Parliament will be involved in the approval (under the consent procedure) of a legally binding framework agreement with the USA on the exchange of information and data protection, known as the ‘Umbrella Agreement’. The aim is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation in the fight against terrorism and organised crime. The signing of the Judicial Redress Act by President Obama in February 2016 has paved the way for the signature of the EU-US Umbrella Agreement, which was initialled in September 2015.

In parallel, the Commission is working to put in place the ‘EU-US Privacy Shield’ in order to ensure a high level of data protection for commercial data transfers. The Privacy Shield reflects the requirements set out by the Court of Justice of the EU in its ruling of October 2015, which declared the old ‘Safe Harbour’ framework invalid.

On 12 March 2014, Parliament adopted a resolution on the US NSA surveillance programme, surveillance bodies in various Member States and their impact on EU citizens’ fundamental rights and on transatlantic cooperation in Justice and Home Affairs. This resolution concluded a six-month Parliament inquiry into electronic mass surveillance of EU citizens, following the revelations made in June 2013 concerning alleged spying by the USA and some EU countries. In its resolution, Parliament called for the suspension of the Safe Harbour privacy principles (voluntary data protection standards for non-EU companies transferring EU citizens’ personal data to the USA) and of the Terrorist Finance Tracking Programme.

Parliament has been involved, under the ordinary legislative procedure, in approving the data protection reform (see previous section). The new data protection rules will strengthen citizens’ fundamental rights in the digital age and facilitate business by simplifying rules for companies in the digital single market.

Alessandro Davoli