Justice, consumers and gender equality

← Justice, consumers and gender equality

Personal data protection

Overall state of play:

• Commission Proposal - Adopted; 25.01.2012, COM (2012)11
• Legal Act: General Data Protection Regulation (GDPR - Regulation (EU) 2016/679) adopted in 2016, applied as of May 2018; Data Protection Directive for the police and criminal justice sector (Law Enforcement Directive – Directive (EU) 2016/680) adopted in 2016, to be transposed by May 2018.

State of play, main conclusions, outlook

The data protection reform includes the General Data Protection Regulation (GDPR) and the Data Protection Directive for the police and criminal justice sector (Law enforcement Directive).

The GDPR updates and modernises the principles enshrined in the 1995 Data Protection Directive to guarantee data protection rights. It focuses on: reinforcing individuals' rights, strengthening the EU internal market, ensuring stronger enforcement of the rules and streamlining international transfers of personal data.

The GDPR will help the Digital Single Market realise its full potential through:

• One continent, one law: a single, pan-European law for data protection, replacing the earlier inconsistent patchwork of national laws. Companies will deal with one law, not 27.

• One-stop-shop: with a 'one-stop-shop' for businesses companies only have to deal with one single supervisory authority, not 27, making it simpler and cheaper for companies to do business in the EU;

• The same rules for all companies - regardless of where they are established. With the GDPR, companies based outside of Europe have to apply the same rules as companies established inside the EU when they offer goods or services on the EU market. This creates a level playing field;

• Technological neutrality: the GDPR enables innovation to continue to thrive under the new rules.

The Law Enforcement Directive ensures the protection of personal data of individuals involved in criminal proceedings, be it as witnesses, victims, or suspects. It also facilitates a smoother exchange of information between Member States' police and judicial authorities, improving cooperation in the fight against terrorism and other serious crime in Europe. It establishes a comprehensive framework to ensure a high level of data protection whilst taking into account the specific nature of the police and criminal justice field.

The General Data Protection Regulation (GDPR) provided for a two-year transition period and entered into application on 25 May 2018, and the Data Protection Law Enforcement Directive (LED) was to be transposed by 6 May 2018. The 2020 evaluation concluded that the GDPR has successfully met its objectives to strengthen the individual’s right to personal data protection and to guarantee the free flow of personal data within the EU. The first report on the application and functioning of the Law Enforcement Directive was published on 25 July 2022. It found that that the Law Enforcement Directive ensures a harmonised and high level of protection for the rights of individuals, and also provides a coherent legal framework for data processing by criminal law enforcement and judicial authorities. The Commission launched several cases of infringement against several member states for both legal acts.

Estimated savings and benefits

The GDPR establishes a single, pan-European law for data protection meaning that companies can simply deal with one law, not 27. This is due not only to the removal of prior authorisations and notifications to data protection authorities but also to the reduction of costs linked to activities of companies across different Member States.

The Law Enforcement Directive cuts red tape for authorities. It means that police and criminal justice authorities no longer have to apply different sets of data protection rules according to the origin of the personal data, saving time and money. The new rules apply to both domestic processing and cross-border transfers of personal data. Having more harmonised laws in all EU Member States makes it easier for our police forces to work together.

State of Play:

• Adopted, COM (2012)11, 25.01.2012

Which objective(s) does the Commission pursue?

The proposed legal instruments strengthened personal data protection rights and boosted Europe's digital economy.

The proposal for the GDPR provided legal certainty, clarity and consistency, for individuals and business, and strengthened the internal market dimension of the data protection rules through the adoption of a single law for Europe to replace the earlier 28 different national laws. The proposal created a regulatory one-stop-shop for business allowing companies to deal with a single supervisory authority. It removed a number of existing requirements in terms of notifications and prior authorisation.

To ensure minimal regulatory burden for small and medium companies, the proposal included the following specific provisions and exceptions:

• An exemption for businesses from the obligation to appoint a Data Protection Officer if its core activities does not involve processing of sensitive data on a large scale and does not involve large scale, regular and systematic monitoring of individuals;

• A risk-based approach that requires controllers to comply with specific obligations only when there is a high risk (e.g. the obligation to conduct a Data Protection Impact Assessment);

• Provisions included for Subject Access Request Fees that businesses can request in case of abuse.

The Law Enforcement Directive is the first instrument that takes a comprehensive approach to data protection in the field of law enforcement, including by regulating ‘domestic’ processing. It is therefore a significant development compared with the earlier Framework Decision (which covered only transmission of data between Member States) that it repealed and replaced.

By harmonising the protection of personal data by law enforcement authorities in EU and Schengen countries, it contributes to increased trust and data exchange between authorities for law enforcement purposes, provided such exchange is based on law, while at the same time ensuring that the rights of individuals are effectively protected.

Estimated savings and benefits

The proposal for the GDPR was estimated to reduce overall administrative burden through important reduction of fragmentation in national data protection rules and from the removal of prior authorisations and notifications that were imposing significant compliance costs on economic operators and affecting the free flow of personal data in the EU.

The proposal for the Law Enforcement Directive introduced for the first time rules for the domestic processing of personal data, and similarly to the proposal for the GDPR, aimed to reduce fragmentation in national data protection rules and avoid unnecessary administrative burden for the competent national authorities.

State of Play:

• Adopted 27.04.2016 Regulation (EU) 2016/679
• Date of entry into force: 24.05.2016;
• Date of application: 25.05.2018

Outcome of Legislative Procedure

Some exemptions and specific provisions for small and medium-sized companies proposed by the Commission were changed in first reading by the co-legislators to a general risk-based approach connected to the risks the processing in question has for the rights and freedoms of individuals rather than to the size of the company. This was explained by the argument that a small organisation with just a few employees can control a significant amount of sensitive personal data and vice versa.

However, the fundamentals of the proposal have not been changed in the legislative proposal: the key benefits of the GDPR remain unchanged compared with the initial Commission proposal.

Estimated savings and benefits

Estimations on savings were not updated following amendments in legislative procedure.

State of play:

Regulation (EU) 2016/679 - in application since 25.05.2018
First evaluation report issued by the Commission on 24 June 2020

Implementation reported by Member States

The General Data Protection Regulation (GDPR) provided for a two-year transition period and entered into application on 25 May 2018.

Until May 2018, the Commission actively prepared the entry into application of the GDPR, notably by issuing a Guidance (Communication) on 24 January 2018 and information materials aimed at helping stakeholders to adjust to the new regulatory environment. The Commission also set up an informal group of Member States’ experts to support the effective and uniform application of the GDPR and the Law Enforcement Directive. The Commission carried out an awareness-raising campaign targeting in particular individuals and small and medium-sized companies. After May 2018, the Commission started monitoring the implementation of the GDPR by the Member States. Several waves of EU grants were allocated in 2016-2020 to a number of national data protection authorities to support them in reaching out to citizens and small and medium-sized companies under the Rights, Equality and Citizenship framework program. This support will continue under the Citizens, Equality, Rights and Values (CERV) funding program in 2021-2027. In parallel, the Commission has actively contributed to the work of the European Data Protection Board composed of the national data protection authorities and the European Data Protection Supervisor, the enforcers of data protection rules, which issued guidelines on key aspects of the new data protection legislative framework. The Commission issued in September 2018 specific Guidance on the application of data protection rules in the electoral context as part of the electoral package and in April 2020 Guidance on apps supporting the fight against the Covid-19 pandemic in relation to data protection. To help European businesses comply with GDPR requirements, the Commission adopted in June 2021 two sets of modernised standard contractual clauses: one for use between controllers and processors in the EU/EEA and a one for transfers of personal data to third countries. To mark the first anniversary of the entry into application of the GDPR, the Commission organised in June 2019 a stock taking event entitled “One Year of GDPR Application: taking stock in the EU and beyond”. It subsequently issued on 24 July 2019 a Communication “Data protection rules as a trust-enabler in the EU and beyond – taking stock”. This work fed into the first evaluation of the GDPR issued by the Commission on 24 June 2020, entitled “Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition - two years of application of the General Data Protection Regulation”. For these evaluations, the Commission collected feedback from different stakeholders, including through a dedicated multi-stakeholder group composed of experts from industry, civil society, practitioners and academics. The 2020 evaluation concluded that the GDPR has successfully met its objectives to strengthen the individual’s right to personal data protection and to guarantee the free flow of personal data within the EU. To meet the full potential of the GDPR, the focus should be on creating a harmonised approach to and a European common culture of data protection, and on fostering a more efficient and coherent handling of cross-border cases. In 2020, the Commission launched an infringement procedure on the application of the GDPR against Poland as part of a procedure covering several other topics in relation to the Polish law on the judiciary. In 2021, the Commission decided to refer Poland to the Court of Justice of the European Union regarding that law. In 2021, the Commission launched infringement procedures on the application of the GDPR against Belgium (concerning the lack of independence of the Belgian supervisory authority) as well as against Hungary as part of an infringement procedure covering several topics in relation tothe Hungarian law on stricter measures against pedophile offenders and amending certain laws to protect children. In 2022, the Commission decided to refer Hungary to the Court of Justice of the European Union regarding that law. Furthermore, in 2022, the Commission launched infringement procedures against Finland and Sweden for failing to fulfil their obligations under the GDPR, in conjunction of the Charter of Fundamental Rights regarding the data subjects’ right to an effective judicial remedy in cases of inaction of the data protection supervisory authority. In addition, in 2022, the Commission launched an infringement procedure against Slovenia for failing to fulfil its notification obligations under the GDPR, and for not making it possible for its data protection supervisory authority to use all the corrective powers under the GDPR.

The Data Protection Law Enforcement Directive (LED) was to be transposed by 6 May 2018. The Commission worked with Member States prior to the transposition date to foster consistency, and started monitoring the transposition immediately afterwards. The Commission issued in July 2018 Letters of Formal Notice to 19 Member States for non-communication of the national legislation transposing the Directive. Reasoned Opinions were issued to nine Member States in January 2019. In July 2019, the Commission took Greece and Spain to Court for non-notification (Greece has subsequently adopted its national data protection legislation) and sent a Letter of Formal Notice to Germany for lack of transposition in several Länder. In May 2020, a Reasoned Opinion was issued to Germany and an additional Reasoned Opinion to Slovenia for partial transposition. Slovenia has subsequently completed the transposition of the Directive. On 25 February 2021, the Court of Justice ordered Spain to pay the Commission a lump sum of EUR 15 million and, should the infringement established have persisted up to the date of delivery of its judgment, as from that date and until the infringement established has been brought to an end, a daily penalty payment of EUR 89 000. Spain has subsequently transposed the Directive. On 24 June 2020, the Commission issued a Communication entitled “Way forward on aligning the former third pillar acquis with data protection rules”, thereby fulfilling the obligation under Article 62(6) of the Directive. In April and May 2022, the Commission launched infringement procedures against Germany after detecting a gap in the transposition of the LED in relation to the activities of Germany’s federal police and because several of its national laws transposing the LED failed to provide effective corrective powers to data protection authorities at federal and Länder level. It also launched infringement procedures against Greece as well as against Finland and Sweden (as part of the same above-mentioned infringement procedures against these two Member States under the GDPR) on the grounds that their national transposing laws are not in conformity with the LED.

The first report on the application and functioning of the LED was published on 25 July 2022. It found that that the LED ensures a harmonised and high level of protection for the rights of individuals, and also provides a coherent legal framework for data processing by criminal law enforcement and judicial authorities. The report also noted that the LED offers a flexible toolbox for international data transfers. The report contains a list of actions for the Commission, Member States, the European Data Protection Board and data protection supervisory authorities to realise the full potential of the LED. It concluded that it is too early to consider revising the provisions of the LED.