Understanding EU data protection policy

Briefing 20-05-2020

The near-ubiquity of data in the lives of ordinary people, along with its exponential growth in generation rate and potential misuse, has made the protection of personal information an increasingly important social, legal and political matter for the EU. In recent years, both awareness of data rights and expectations for EU action in this area have grown considerably. The right to privacy and the right to protection of personal data are both enshrined in the Charter of Fundamental Rights of the EU and the EU Treaties. The entry into force of the Lisbon Treaty in 2009 gave the Charter the same legal value as the Treaties and abolished the pillar structure, providing a stronger basis for a more effective and comprehensive data protection regime in the EU. In 2012, the European Commission launched an ambitious reform to modernise the EU data protection framework. It resulted in the adoption in 2016 of the main EU data protection legislative instrument – the General Data Protection Regulation (GDPR) – and the Law Enforcement Directive. The framework overhaul also included adopting an updated Regulation on Data Processing in the EU Institutions and reforming the ePrivacy Directive, pending in the Council since September 2017. The European Parliament has played a major role in passing these reforms, both as co-legislator and author of own-initiative reports and resolutions seeking to guarantee a high level of data protection to EU citizens. Last but not least, the European Court of Justice has also played an important part in building the EU data protection framework, with several landmark judgments delivered in recent years. In the coming years, potential challenges to the data protection framework include the question of how to adapt the GDPR to emerging technologies such as artificial intelligence, facial recognition technology and the Internet of Things. Potential fragmentation issues include differing Member State interpretations of consent for data processing, while compliance burdens for SMEs and insufficient resources for data protection authorities may present challenges for enforcement. The European Commission is expected to address these issues in its upcoming evaluation of the GDPR.