The commission proposed a new legal framework for the protection of personal data in the EU as set out in Communication COM (2012). The proposed new legal framework consists of two legislative proposals. The first proposal filed for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation). And the second proposal submitted for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.
The centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC3, was adopted in 1995 with two objectives in mind: to protect the fundamental right to data protection and to guarantee the free flow of personal data between Member States. It was complemented by Framework Decision 2008/977/JHA as a general instrument at Union level for the protection of personal data in the areas of police co-operation and judicial co-operation in criminal matters. Rapid technological developments have brought new challenges for the protection of personal data. The scale of data sharing and collecting has increased dramatically. Technology allows both private companies and public authorities to make use of personal data on an unprecedented scale in order to pursue their activities. Individuals increasingly make personal information available publicly and globally. Technology has transformed both the economy and social life.
Building trust in the online environment is key to economic development. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe5, and more generally in the Europe 2020 Strategy. Article 16(1) of Treaty on the Functioning of the European Union (TFEU), as introduced by the Lisbon Treaty, establishes the principle that everyone has the right to the protection of personal data concerning him or her. Moreover, with Article 16(2) TFEU, the Lisbon Treaty introduced a specific legal basis for the adoption of rules on the protection of personal data. Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data as a fundamental right.
The European Council invited the Commission to evaluate the functioning of EU instruments on data protection and to present, where necessary, further legislative and non-legislative initiatives. In its resolution on the Stockholm Programme, the European Parliament welcomed a comprehensive data protection scheme in the EU and among others called for the revision of the Framework Decision. The Commission stressed in its Action Plan implementing the Stockholm Programme the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies.
In its Communication on “A comprehensive approach on personal data protection in the European Union”, the Commission concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection. The current framework remains sound as far as its objectives and principles are concerned, but it has not prevented fragmentation in the way personal data protection is implemented across the Union, legal uncertainty and a widespread public perception that there are significant risks associated notably with online activity11. This is why it is time to build a stronger and more coherent data protection framework in the EU, backed by strong enforcement that will allow the digital economy to develop across the internal market, put individuals in control of their own data and reinforce legal and practical certainty for economic operators and public authorities.