Study for an impact assessment for the future EU Legal Framework for personal data protection
March – December 2010
The European Union is based on respect for fundamental rights. Article 8 of the Charter of Fundamental Rights of the European Union expressly recognises the fundamental right to the protection of personal data. Personal data encompasses any data relating to a person which can be used to singularly identify them. Such data includes names, addresses, national insurance numbers, fingerprints, and DNA. In today’s Information Society, such data is constantly being processed and transferred from user to user. In order to ensure a high and consistent level of protection within and between all Member States – without impeding the functioning of the internal commercial market of the Union (which depends on the free flow of data) – the EU began introducing legislation in 1995 to harmonise data protection at EU level. However, in light of technological advancements, the evolution of the importance of data in society in general, and the increased ease with which data can now be processed and exchanged, there is a concern that the current legislative framework may be outdated or have become inappropriate.
In 2010, the Data Protection unit of DG Justice commissioned GHK Consulting to carry out a study to inform their future Communication and Impact Assessment on a potential future legislative framework for Data Protection. The study involved, in a first phase, the identification and assessment of current problems associated with existing data protection legislation and the identification of gaps in the legal framework. On this basis, recommendations for actions that would address the identified shortcomings were made. The problem assessment also involved the identification of emerging issues, and an assessment of the extent to which these were covered by existing legislation. In the second phase, policy options were developed taking account of the recommendations made. These were assessed for their social and economic impacts. The impacts of the policy options were compared and the preferred option elaborated.
Currently, the legislative framework comprises one major piece of legislation (Directive 95/46/EC) governing the processing and transferral of data in the area of commerce. Framework Decision 2008/977/JHA regulates the transfer of data relating to crime, law enforcement and justice transferred between Member States or from the EU to third countries. In addition, there is legislation governing the processing of data within the Telecoms industry (Directive 2009/136/EC) and by European Union institutions (Regulation 45/2001).
The study concluded that, while in broad terms the principles underpinning the existing EU legal framework (lawfulness, proportionality and purpose) are still highly relevant, the relevance of the content of the EU legal framework (specifically Directive 95/46/EC) can be questioned in the light of societal changes since its adoption. Moreover, there is insufficient consistency across the existing legislation, which has meant that data is insufficiently protected.
The study made an assessment of five stratified policy options, including the introduction of a regulation, the retention of a Directive with stricter provisions, and a status quo situation. Finally, the ‘preferred option’ comprised the introduction of a regulation which would incorporate all existing legislation, increase harmonisation between Member States and improve the rights of data subjects.