Personal data protection

Protection of personal data and respect for private life are European fundamental rights. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. New EU data protection rules strengthening citizens’ rights and simplifying rules for companies in the digital age took effect in May 2018. Research prepared for the European Parliament indicates that EU legislation related to regulating data flows contributes EUR 51.6 billion annually to GDP in the European Union.

Legal basis

Article 16 of the Treaty on the Functioning of the European Union (TFEU);

Articles 7 and 8 of the EU Charter of Fundamental Rights.


The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied in a consistent manner. The EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies, including law enforcement and crime prevention, as well as in international relations, especially in a global society characterised by rapid technological change.


A. Institutional framework

1. Lisbon Treaty

Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, with the use of the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time stipulating new powers for Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of Union law.

2. The strategic guidelines in the area of freedom, security and justice

Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved the multiannual programme regarding the AFSJ for the 2010-2014 period, known as the Stockholm programme. In its conclusions of June 2014, the European Council defined the strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 of the TFEU. One of the key objectives is to better protect personal data in the EU.

B. Main legislative instruments on data protection

1. EU Charter of Fundamental Rights

Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights.

2. Council of Europe

a. Convention 108 of 1981

The Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data was the first legally binding international instrument adopted in the field of data protection. Its purpose is to secure, for every individual, respect for their rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data. The Protocol amending the Convention seeks to broaden its scope, increase the level of data protection and improve its effectiveness.

b. European Convention on Human Rights (ECHR)

Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right of everyone to respect for their private and family life, their home and their correspondence.

3. Current EU legislative instruments on data protection

a. General Data Protection Regulation (GDPR)

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became applicable in May 2018. The rules aim to protect all EU citizens from privacy and data breaches in an increasingly data-driven world, while creating a clearer and more consistent framework for businesses. The rights enjoyed by citizens include a clear and affirmative consent for their data to be processed and the right to receive clear and understandable information about it; the right to be forgotten: a citizen can ask for his/her data to be deleted; the right to transfer data to another service provider (e.g. when switching from one social network to another); and the right to know when data has been hacked. The new rules apply to all companies operating in the EU, even those based outside it. Furthermore, corrective measures can be imposed, such as warnings and orders, or fines on firms that break the rules. On 24 June 2020, the European Commission presented a report on the evaluation and review of the regulation[1].

b. The Data Protection Law Enforcement Directive

Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, became applicable in May 2018. The directive protects citizens’ fundamental right to data protection whenever personal data is used by law enforcement authorities. It ensures that the personal data of victims, witnesses, and suspects of crime are duly protected and facilitates cross-border cooperation in the fight against crime and terrorism. Since 6 May 2022, the European Commission’s report to the European Parliament and to the Council on the evaluation and review of this directive has been overdue.

c. Directive on privacy and electronic communications

Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications) was modified by Directive 2009/136/EC of 25 November 2009. It raises the delicate issue of data retention, which was repeatedly brought to the CJEU and led to a series of rulings, most recently in 2020, declaring that EU law precludes the general and indiscriminate retention of traffic and location data.

The new proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (regulation on privacy and electronic communications) is currently under consideration.

d. Regulation on the processing of personal data by the Union institutions and bodies

Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, entered into force on 11 December 2018.

e. Articles on data protection in sector-specific legislative acts

In addition to the main legislative acts on data protection referred to above, specific provisions on data protection are also set down in sector-specific legislative acts, such as:

  • Article 13 (on the protection of personal data) of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime;
  • Chapter VI (on data protection safeguards) of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol);
  • Chapter VIII (on data protection) of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’).

4. The EU’s main international arrangements on data transfers

a. Commercial data transfers: adequacy decisions

Under Article 45 of the GDPR, the Commission has the power to determine whether a country outside the EU offers an adequate level of data protection, be that on the basis of its domestic legislation or of the international commitments it has entered into.

Parliament has adopted several resolutions raising concerns about transatlantic data flows. In particular, it considered that the EU-US Privacy Shield Decision does not provide the adequate level of protection required by EU law, while the CJEU has repeatedly invalidated the European Commission’s adequacy decisions concerning the US (see its rulings of 2015 on Safe Harbour in Schrems and of 2020 on the EU-US Privacy Shield in Schrems II).

b. EU-US Umbrella Agreement

Under the consent procedure, Parliament was involved in the approval of the agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, also known as the ‘Umbrella Agreement’. The aim of this agreement is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation for law enforcement purposes, namely in the fight against terrorism and organised crime.

c. EU-US, EU-Australia and EU-Canada passenger name record (PNR) agreements

The EU has signed bilateral passenger name record (PNR) agreements with the United States, Australia and Canada. PNR data includes information provided by passengers when booking or checking in for flights and data collected by air carriers for their own commercial purposes. PNR data can be used by law enforcement authorities to fight serious crime and terrorism.

d. EU-US Terrorist Finance Tracking Programme (TFTP)

The EU has signed a bilateral agreement with the US on the processing and transfer of financial messaging data from the EU to the US for the purposes of the terrorist finance tracking programme.

5. Addressing data protection aspects in sector-specific resolutions

Several Parliament resolutions on different policy areas also address personal data protection in order to ensure consistency with general EU data protection law and the protection of privacy in those specific sectors.

6. EU data protection supervisory authorities

The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies meet their obligations with regard to data protection. The primary duties of the EDPS are supervision, consultation and cooperation.

The European Data Protection Board (EDPB), formerly the Article 29 Working Party, has the status of an EU body with legal personality and is provided with an independent secretariat. The EDPB brings together the EU’s national supervisory authorities, the EDPS and the Commission. The EDPB has extensive powers to determine disputes between national supervisory authorities and to give advice and guidance on key concepts of the GDPR and the Data Protection Law Enforcement Directive.

Role of the European Parliament

Parliament has played a key role in shaping EU legislation in the field of personal data protection by making the protection of privacy a political priority. Furthermore, under the ordinary legislative procedure, it has been working on the data protection reform on an equal footing with the Council. In 2017, it concluded its work on the last significant piece in the puzzle, the new regulation on privacy and electronic communications, and is waiting expectantly for the Council to finally conclude its work in order to start interinstitutional negotiations.

Parliament has been closely supervising international arrangements on data transfers. Whether via the consent procedure or own-initiative reports, it has made sure to get its voice heard. Moreover, before voting on the EU-Canada PNR Agreement, it decided to seek an opinion from the CJEU, as provided for under Article 218(1) of the TFEU, in a resolution of 25 November 2014. In that ensuing opinion, issued on 26 July 2017, the Court found that the PNR agreement could not be concluded in its current form because several of its provisions were incompatible with the fundamental right to the protection of personal data.

In numerous resolutions, Parliament has expressed doubts as to the adequacy of the protection given to EU citizens under the EU-US Safe Harbour Framework and, subsequently, the EU-US ‘Privacy Shield’. After the Schrems II case led to the invalidation of European Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US ‘Privacy Shield’ agreement, on the basis of concerns that the US Government’s surveillance powers were not limited, as required by EU law, and that EU citizens did not have effective means of redress, the European Parliament adopted a resolution in which it deplored the fact that the Commission had put relations with the US before the interests of EU citizens, and that the Commission had thereby left the task of defending EU law to individual citizens. It pointed out that any future adequacy decision by the Commission should not rely on a system of self-certification, as had been the case with both Safe Harbour and the Privacy Shield. Parliament called on the Commission to fully involve the EDPB in the assessment of compliance and enforcement of any new adequacy decision in relation to the US[2]. Parliament has also commissioned research that has pointed to the complicated landscape of operators trading personal data transferred to the US[3] and the reforms that need to be introduced in the US federal system in order to restore confidence in transatlantic data transfers[4].

Parliament is now focusing on monitoring how EU data protection legislation is implemented, on the data protection aspects of the Commission’s proposals on the Digital Services Act, the Artificial Intelligence Act, the Data Governance Act and on other upcoming Commission proposals that may have an impact on data protection.

Parliament has commissioned a number of research studies in order to have a scientific basis for its legislative activities, including a study on the impact of algorithms for online content filtering or moderation – Upload filters, a study on the impact of the General Data Protection Regulation (GDPR) on artificial intelligence and a study on Biometric Recognition and Behavioural Detection.


[1]Commission communication of 24 June 2020 entitled ‘Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition – two years of application of the General Data Protection Regulation’(SWD(2020)0115).
[3]Sartor, G., et al., Regulating targeted and behavioural advertising in digital services: how to ensure users’ informed consent, a study commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the Committee on Legal Affairs, 30 August 2021.
[4]Brown, I. et al., Exchanges of Personal Data After the Schrems II Judgment, a study commissioned by the European Parliament’s Policy Department for Citizens’ Rights and Constitutional Affairs at the request of the Committee on Civil Liberties, Justice and Home Affairs, 8 July 2021.

Udo Bux / Mariusz Maciejewski