28 Jun 2012

Proposal for a regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation)

5853/12 DATAPROTECT 9 JAI 44 MI 58 DRS 9 DAPIX 12 FREMP 7
COMIX 61 CODEC 219

 EXPLANATORY MEMORANDUM

1. CONTEXT OF THE PROPOSAL
This explanatory memorandum presents in further detail the proposed new legal framework
for the protection of personal data in the EU as set out in Communication COM (2012) 9
final1. The proposed new legal framework consists of two legislative proposals:
– a proposal for a Regulation of the European Parliament and of the Council on the
protection of individuals with regard to the processing of personal data and on the free
movement of such data (General Data Protection Regulation), and
– a proposal for a Directive of the European Parliament and of the Council on the protection
of individuals with regard to the processing of personal data by competent authorities for
the purposes of prevention, investigation, detection or prosecution of criminal offences or
the execution of criminal penalties, and the free movement of such data2.
This explanatory memorandum concerns the legislative proposal for a General Data
Protection Regulation.
The centrepiece of existing EU legislation on personal data protection, Directive 95/46/EC3,
was adopted in 1995 with two objectives in mind: to protect the fundamental right to data
protection and to guarantee the free flow of personal data between Member States. It was
complemented by Framework Decision 2008/977/JHA as a general instrument at Union level
for the protection of personal data in the areas of police co-operation and judicial co-operation
in criminal matters4.
Rapid technological developments have brought new challenges for the protection of personal
data. The scale of data sharing and collecting has increased dramatically. Technology allows
both private companies and public authorities to make use of personal data on an
unprecedented scale in order to pursue their activities. Individuals increasingly make personal
information available publicly and globally. Technology has transformed both the economy
and social life.
Building trust in the online environment is key to economic development. Lack of trust makes
consumers hesitate to buy online and adopt new services. This risks slowing down the
development of innovative uses of new technologies. Personal data protection therefore playsa central role in the Digital Agenda for Europe5, and more generally in the Europe 2020
Strategy6.
Article 16(1) of Treaty on the Functioning of the European Union (TFEU), as introduced by
the Lisbon Treaty, establishes the principle that everyone has the right to the protection of
personal data concerning him or her. Moreover, with Article 16(2) TFEU, the Lisbon Treaty
introduced a specific legal basis for the adoption of rules on the protection of personal data.
Article 8 of the Charter of Fundamental Rights of the EU enshrines protection of personal data
as a fundamental right.
The European Council invited the Commission to evaluate the functioning of EU instruments
on data protection and to present, where necessary, further legislative and non-legislative
initiatives7. In its resolution on the Stockholm Programme, the European Parliament8
welcomed a comprehensive data protection scheme in the EU and among others called for the
revision of the Framework Decision. The Commission stressed in its Action Plan
implementing the Stockholm Programme9 the need to ensure that the fundamental right to
personal data protection is consistently applied in the context of all EU policies.
In its Communication on “A comprehensive approach on personal data protection in the
European Union”10, the Commission concluded that the EU needs a more comprehensive and
coherent policy on the fundamental right to personal data protection.
The current framework remains sound as far as its objectives and principles are concerned,
but it has not prevented fragmentation in the way personal data protection is implemented
across the Union, legal uncertainty and a widespread public perception that there are
significant risks associated notably with online activity11. This is why it is time to build a
stronger and more coherent data protection framework in the EU, backed by strong
enforcement that will allow the digital economy to develop across the internal market, put
individuals in control of their own data and reinforce legal and practical certainty for
economic operators and public authorities.


http://www.ipex.eu/IPEXL-WEB/dossier/document/COM20120011.do#dossier-COD20120011