Personal data protection
Protection of personal data and respect for private life are legally enforceable fundamental rights, which cannot be balanced against commercial or political interests. The European Parliament has always insisted on the need to strike a balance between enhancing security and safeguarding human rights, including data protection and privacy. New EU data protection rules strengthening citizens’ rights and simplifying rules for companies in the digital age came into effect in May 2018.
Legal basis
Article 16 of the Treaty on the Functioning of the European Union (TFEU);
Articles 7 and 8 of the EU Charter of Fundamental Rights.
Objectives
The Union must ensure that the fundamental right to data protection, which is enshrined in the EU Charter of Fundamental Rights, is applied consistently. In the light of the exponential growth of the volume of data transfers – with the EU, the US and Canada constituting the biggest share of this growth – the EU’s stance on the protection of personal data needs to be strengthened in the context of all EU policies.
Achievements
A. Institutional framework
1. Lisbon Treaty
Before the entry into force of the Lisbon Treaty, legislation concerning data protection in the area of freedom, security and justice (AFSJ) was divided between the first pillar (data protection for private and commercial purposes, with the use of the Community method) and the third pillar (data protection for law enforcement purposes, at intergovernmental level). As a consequence, the decision-making processes in the two areas followed different rules. The pillar structure disappeared with the Lisbon Treaty, which provides a stronger basis for the development of a clearer and more effective data protection system, while at the same time stipulating new powers for Parliament, which has become co-legislator. Article 16 of the TFEU provides that Parliament and the Council lay down rules relating to the protection of individuals with regard to the processing of personal data by Union institutions, bodies, offices and agencies, and by the Member States when carrying out activities that fall within the scope of Union law.
2. The strategic guidelines in the area of freedom, security and justice
Following the Tampere and Hague programmes (of October 1999 and November 2004, respectively), in December 2009 the European Council approved the multiannual programme regarding the AFSJ for the 2010-2014 period, known as the Stockholm programme. In its conclusions of June 2014, the European Council defined the strategic guidelines for legislative and operational planning for the coming years within the AFSJ, pursuant to Article 68 of the TFEU. One of the key objectives is to better protect personal data in the EU.
B. Main legislative instruments on data protection
1. EU Charter of Fundamental Rights
Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private life and protection of personal data as closely related but separate fundamental rights.
2. Council of Europe
a. Convention 108 of 1981
The Council of Europe Convention 108 of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data was the first legally binding international instrument adopted in the field of data protection. Its purpose is to secure, for every individual, respect for their rights and fundamental freedoms, and in particular their right to privacy, with regard to automatic processing of personal data. The Protocol amending the Convention seeks to broaden its scope, increase the level of data protection and improve its effectiveness.
b. European Convention on Human Rights (ECHR)
Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and Fundamental Freedoms establishes the right of everyone to respect for their private and family life, their home and their correspondence.
3. Current EU legislative instruments on data protection
a. General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), became applicable in May 2018. The rules aim to protect all EU citizens from privacy and data breaches in an increasingly data-driven world, while creating a clearer and more consistent framework for businesses. The rights enjoyed by citizens include the requirement for clear and affirmative consent for their data to be processed and the right to receive clear and understandable information about it; the right to be forgotten: citizens can ask for their data to be deleted; the right to transfer data to another service provider (e.g. when switching from one social network to another); and the right to know when data has been hacked. The new rules apply to all companies operating in the EU, even those based outside it. Furthermore, corrective measures can be imposed, such as warnings and orders, or fines on firms that break the rules.
On 25 July 2024, the European Commission presented its ‘Second Report on the application of the General Data Protection Regulation’. On 16 July 2025, the Commission hosted an Implementation Dialogue in Brussels on the application of the GDPR. This dialogue followed initiatives such as the Commission Omnibus proposal to exempt entities with fewer than 750 employees from the record-keeping obligation under the GDPR.
In 2023, the Commission proposed a new Regulation on GDPR procedural rules, which aims to streamline cooperation between Data Protection Authorities (DPAs) when enforcing the GDPR in cross-border cases. It establishes procedural rules to be followed by DPAs when applying the GDPR in cases that affect individuals in more than one Member State. On 21 October 2025, Parliament approved the new rules to speed up cross-border enforcement of the GDPR, thus clarifying the relevant procedures and rights.
b. The Data Protection Law Enforcement Directive
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA, came into effect in May 2018. The directive protects citizens’ fundamental right to data protection whenever personal data is used by law enforcement authorities. It ensures that the personal data of victims, witnesses and suspects of crime are duly protected and facilitates cross-border cooperation in the fight against crime and terrorism. On 25 July 2022, the European Commission published its delayed report on the application and functioning of the Law Enforcement Directive. This was followed by an evaluation study commissioned by the Committee on Civil Liberties, Justice and Home Affairs (LIBE) containing a critical assessment of the implementation of the Law Enforcement Directive.
c. Directive on privacy and electronic communications
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (directive on privacy and electronic communications) was modified by Directive 2009/136/EC of 25 November 2009. It raises the delicate issue of data retention, which was repeatedly brought before the Court of Justice of the EU (CJEU) and led to a series of rulings, such as its 2020 ruling declaring that EU law precludes the general and indiscriminate retention of traffic and location data.
The 2017 proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (regulation on privacy and electronic communications) was the subject of prolonged discussions. Parliament’s experts indicated that it should resist the Council’s attempts to exclude the applicability of European data protection principles.
In February 2025, the Commission indicated in its ‘2025 Work Programme’ that it would withdraw the proposal for a new ePrivacy Regulation (replacing the current ePrivacy Directive). In July, the Commission approved the withdrawal, which was then published in the Official Journal on 6 October. The current ePrivacy Directive and its national transposition laws remain in force.
d. Regulation on the processing of personal data by Union institutions and bodies
Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, entered into force on 11 December 2018.
e. Articles on data protection in sector-specific legislative acts
In addition to the main legislative acts on data protection referred to above, specific provisions on data protection are also set down in sector-specific legislative acts, such as:
- Article 13 (on the protection of personal data) of Directive (EU) 2016/681 of the European Parliament and of the Council of 27 April 2016 on the use of passenger name record (PNR) data for the prevention, detection, investigation and prosecution of terrorist offences and serious crime;
- Article 4 (on data collection) of Regulation (EU) 2025/12 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for enhancing and facilitating external border checks and of Regulation (EU) 2025/13 of the European Parliament and of the Council of 19 December 2024 on the collection and transfer of advance passenger information for the prevention, detection, investigation and prosecution of terrorist offences and serious crime;
- Chapter VI (on data protection safeguards) of Regulation (EU) 2016/794 of the European Parliament and of the Council of 11 May 2016 on the European Union Agency for Law Enforcement Cooperation (Europol);
- Chapter VIII (on data protection) of Council Regulation (EU) 2017/1939 of 12 October 2017 implementing enhanced cooperation on the establishment of the European Public Prosecutor’s Office (‘the EPPO’);
- Chapter II of Regulation (EU) 2024/1689 of the European Parliament and of the Council of 13 June 2024 laying down harmonised rules on artificial intelligence (Artificial Intelligence Act), which prohibits a number of AI practices involving specific uses of data, while Chapter III imposes the obligation to carry out data protection impact assessments for high-risk AI systems.
4. The EU’s main arrangements on transatlantic data transfers
a. Commercial data transfers: adequacy decisions and the EU-US Data Privacy Framework
Under Article 45 of the GDPR, the Commission has the power to determine whether a country outside the EU offers an adequate level of data protection, whether on the basis of its domestic legislation or of the international commitments it has entered into.
While data transfers between the EU and the United States have increased exponentially, with the United States dominating private online advertising and surveillance, Parliament has adopted numerous resolutions raising concerns about transatlantic data flows. In particular, it considered that the EU-US Privacy Shield Decision does not provide the adequate level of protection required by EU law, while the CJEU has repeatedly invalidated the Commission’s adequacy decisions concerning the US (see its rulings of 2015 on Safe Harbour in Schrems and of 2020 on the EU-US Privacy Shield in Schrems II).
Despite a lack of reform of the data protection regime in the US, the Commission reached another agreement with the US and presented a proposal for yet another EU-US Data Privacy Framework. On a motion from the LIBE Committee, on 11 May 2023 Parliament adopted a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calling on the Commission to continue negotiations with its US counterparts, but to refrain from adopting the adequacy finding until all of the recommendations made in Parliament’s resolution and the European Data Protection Board (EDPB) opinion are fully implemented.
The Commission adopted its third EU-US Data Privacy Framework on 10 July 2023. In its judgment of 3 September 2025, the General Court (Case T-553/23, Latombe v. European Commission) dismissed an action for annulment of the adequacy decision for the EU-US Data Privacy Framework, thus maintaining its validity. The General Court confirmed in its press release ‘that, on the date of adoption of the contested decision, the United States of America ensured an adequate level of protection for personal data transferred from the European Union to organisations in that country’.
b. EU-US Umbrella Agreement
Under the consent procedure, Parliament was involved in the approval of the agreement between the US and the EU on the protection of personal information relating to the prevention, investigation, detection, and prosecution of criminal offences, also known as the ‘Umbrella Agreement’. The aim of this agreement is to ensure a high level of protection of personal information transferred in the framework of transatlantic cooperation for law enforcement purposes, namely in the fight against terrorism and organised crime.
c. EU-US Terrorist Finance Tracking Programme (TFTP)
The EU has signed a bilateral agreement with the US on the processing and transfer of financial messaging data from the EU to the US for the purposes of the terrorist finance tracking programme.
5. EU data protection supervisory authorities
The European Data Protection Supervisor (EDPS) is an independent supervisory authority that ensures that the EU institutions and bodies meet their obligations with regard to data protection. The primary duties of the EDPS are supervision, consultation and cooperation. The EDPS investigates complaints and advises on policies and legislation that affect privacy. The EDPS also aims to raise awareness of risks and to protect people’s rights and freedoms when their personal data is processed.
The European Data Protection Board (EDPB), formerly the Article 29 Working Party, has the status of an EU body with legal personality and is assisted by an independent secretariat (provided by the EDPS). The EDPB brings together the EU’s national supervisory authorities, the EDPS and the Commission. The EDPB has extensive powers to decide on disputes between national supervisory authorities and to give advice and guidance on key concepts of the GDPR and the Data Protection Law Enforcement Directive.
Role of the European Parliament
Parliament has played a key role in shaping EU legislation in the field of personal data protection by making the protection of privacy a political priority. Furthermore, under the ordinary legislative procedure, it has been working on data protection reform on an equal footing with the Council.
In numerous resolutions, Parliament has expressed doubts as to the adequacy of the protection given to EU citizens under the EU-US Safe Harbour Framework and, subsequently, the EU-US ‘Privacy Shield’. After the Schrems II case led to the invalidation of Commission Implementing Decision (EU) 2016/1250 on the adequacy of the protection provided by the EU-US ‘Privacy Shield’ agreement, on the basis of concerns that the US Government’s surveillance powers were not limited, as required by EU law, and that EU citizens did not have effective means of redress, Parliament adopted a resolution in which it deplored the fact that the Commission had put relations with the United States before the interests of EU citizens.
Following the tabling of the LIBE Committee’s motion, Parliament adopted on 11 May 2023 a resolution on the adequacy of the protection afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data Privacy Framework fails to create essential equivalence in the level of protection and calling on the Commission to continue negotiations with its US counterparts but to refrain from adopting the adequacy finding until all the recommendations made in the resolution and the EDPB opinion are fully implemented. The Commission adopted its decision on the EU-US Data Privacy Framework on 10 July 2023.
Parliament has repeatedly condemned US surveillance practices. In September 2001, it adopted a resolution on the existence of the global ECHELON system for the interception of private and commercial communications. Following Edward Snowden’s revelations, in March 2014, Parliament adopted a resolution on the US NSA surveillance programme and surveillance bodies in various Member States, with a follow-up resolution in October 2015.
Parliament established a committee of inquiry to investigate the use of Pegasus and equivalent surveillance spyware in the EU’s Member States (PEGA). Chaired by MEP Jeroen Lenaers, the PEGA Committee thoroughly investigated the use of spyware to investigate opposition members, journalists, lawyers and civil society activists, as well as how such practices affect democratic processes and individual rights in the EU. During its inquiry, the PEGA Committee consulted leading academics, practitioners and authorities in the EU and worldwide. Parliament’s Policy Department prepared reports for the PEGA missions to Poland, Greece and Cyprus. On 8 May 2023, the PEGA Committee voted to approve its final report (Rapporteur: MEP Sophia in ‘t Veld) on the investigation into alleged contraventions and maladministration in the application of EU law in relation to the use of Pegasus and equivalent surveillance spyware, which includes, among many other points, a recommendation to set up an EU Tech Lab for research and monitoring of the use of spyware against EU citizens. Parliament’s recommendation to the Council and the Commission following the PEGA report was adopted by its plenary on 15 June 2023. However, the Commission did not provide a timely response to the recommendation and blocked the pilot project of the EU Tech Lab proposed by MEPs. In November 2023, Parliament adopted a follow-up resolution on the lack of legislative follow-up by the Commission to the PEGA resolution, and in June 2025 it also held a debate on the state of play and follow-up two years after the PEGA recommendations and on the illegal use of spyware.
On 13 March 2024, Parliament adopted a legislative resolution on the proposal for a regulation on laying down harmonised rules on Artificial Intelligence (AI Act). Regulation (EU) 2024/1689, adopted on 13 June 2024, establishes obligations on AI systems and providers, based on their potential risks and impacts. AI systems considered a clear threat to the fundamental rights of people (including data protection) will be banned. On 1 August 2024, the AI Act entered into force. The majority of rules of the AI Act will start applying on 2 August 2026.
Parliament has commissioned a number of research studies to ensure it has a scientific basis for its legislative activities at the forefront of technological developments and data protection, including a study on the impact of the General Data Protection Regulation (GDPR) on artificial intelligence, a study on Biometric Recognition and Behavioural Detection, a study entitled ‘Advance Passenger Information (API) - An analysis of the European Commission’s proposals to reform the API legal framework’, and a study on Law and ICT.
Parliament will examine and vote on the forthcoming policy initiatives and legislative proposals on data retention, encryption and lawful interception of data, which were announced in the Commission’s ‘Roadmap for effective and lawful access to data for law enforcement’, published on 24 June 2025.
Alessandro Davoli / Mariusz Maciejewski