Fact Sheets On The European Union Personal Data - 4.2.8

The document discusses personal data protection in the European Union. It outlines that protection of personal data and privacy are fundamental EU rights, and that new data protection rules aim to balance security and human rights. It provides details on the legal basis and objectives of EU data protection, including key achievements like the General Data Protection Regulation and Data Protection Law Enforcement Directive, which strengthen citizens' rights and simplify rules for businesses regarding personal data processing and privacy.

Uploaded by

Isa Phoinix

PERSONAL DATA PROTECTION

Protection of personal data and respect for private life are European fundamental
rights. The European Parliament has always insisted on the need to strike a
balance between enhancing security and safeguarding human rights, including data
protection and privacy. New EU data protection rules strengthening citizens’ rights
and simplifying rules for companies in the digital age took effect in May 2018.
Research prepared for the European Parliament indicates that EU legislation related
to regulating data flows contributes EUR 51.6 billion annually to GDP in the European
Union. Research prepared for the European Parliament’s Committee of Inquiry
to investigate the use of Pegasus and equivalent surveillance spyware (PEGA
Committee) confirms the importance of data protection for defending democracy and
individual freedoms in the EU.

LEGAL BASIS
Article 16 of the Treaty on the Functioning of the European Union (TFEU);
Articles 7 and 8 of the EU Charter of Fundamental Rights.

OBJECTIVES
The Union must ensure that the fundamental right to data protection, which is enshrined
in the EU Charter of Fundamental Rights, is applied in a consistent manner. In the light
of the exponential growth of the volume of data transfers – with the EU, the US and
Canada constituting the biggest share of this growth – the EU’s stance on the protection
of personal data needs to be strengthened in the context of all EU policies.

ACHIEVEMENTS
A. Institutional framework
1. Lisbon Treaty
Before the entry into force of the Lisbon Treaty, legislation concerning data protection
in the area of freedom, security and justice (AFSJ) was divided between the first
pillar (data protection for private and commercial purposes, with the use of the
Community method) and the third pillar (data protection for law enforcement purposes,
at intergovernmental level). As a consequence, the decision-making processes in the
two areas followed different rules. The pillar structure disappeared with the Lisbon
Treaty, which provides a stronger basis for the development of a clearer and more
effective data protection system, while at the same time stipulating new powers for
Parliament, which has become co-legislator. Article 16 of the TFEU provides that
Parliament and the Council lay down rules relating to the protection of individuals with
regard to the processing of personal data by Union institutions, bodies, offices and
agencies, and by the Member States when carrying out activities that fall within the
scope of Union law.

Fact Sheets on the European Union - 2024
www.europarl.europa.eu/factsheets/en

2. The strategic guidelines in the area of freedom, security and justice
Following the Tampere and Hague programmes (of October 1999 and November 2004,
respectively), in December 2009 the European Council approved the multiannual
programme regarding the AFSJ for the 2010-2014 period, known as the Stockholm
programme. In its conclusions of June 2014, the European Council defined the strategic
guidelines for legislative and operational planning for the coming years within the AFSJ,
pursuant to Article 68 of the TFEU. One of the key objectives is to better protect personal
data in the EU.
B. Main legislative instruments on data protection
1. EU Charter of Fundamental Rights
Articles 7 and 8 of the EU Charter of Fundamental Rights recognise respect for private
life and protection of personal data as closely related but separate fundamental rights.
2. Council of Europe
a. Convention 108 of 1981
The Council of Europe Convention 108 of 28 January 1981 for the Protection of
Individuals with regard to Automatic Processing of Personal Data was the first legally
binding international instrument adopted in the field of data protection. Its purpose is
to secure, for every individual, respect for their rights and fundamental freedoms, and
in particular their right to privacy, with regard to automatic processing of personal data.
The Protocol amending the Convention seeks to broaden its scope, increase the level
of data protection and improve its effectiveness.
b. European Convention on Human Rights (ECHR)
Article 8 of the Convention of 4 November 1950 for the Protection of Human Rights and
Fundamental Freedoms establishes the right of everyone to respect for their private
and family life, their home and their correspondence.
3. Current EU legislative instruments on data protection
a. General Data Protection Regulation (GDPR)
Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 on the protection of natural persons with regard to the processing of
personal data and on the free movement of such data, and repealing Directive
95/46/EC (General Data Protection Regulation), became applicable in May 2018. The
rules aim to protect all EU citizens from privacy and data breaches in an increasingly
data-driven world, while creating a clearer and more consistent framework for businesses.
The rights enjoyed by citizens include a clear and affirmative consent for their data to
be processed and the right to receive clear and understandable information about it;
the right to be forgotten: a citizen can ask for his/her data to be deleted; the right to
transfer data to another service provider (e.g. when switching from one social network
to another); and the right to know when data has been hacked. The new rules apply to
all companies operating in the EU, even those based outside it. Furthermore, corrective
measures can be imposed, such as warnings and orders, or fines on firms that break
the rules. On 24 June 2020, the European Commission presented a report on the
evaluation and review of the regulation[1].
b. The Data Protection Law Enforcement Directive
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data
by competent authorities for the purposes of the prevention, investigation, detection
or prosecution of criminal offences or the execution of criminal penalties, and on the
free movement of such data, and repealing Council Framework Decision
2008/977/JHA, became applicable in May 2018. The directive protects citizens’ fundamental right
to data protection whenever personal data is used by law enforcement authorities.
It ensures that the personal data of victims, witnesses, and suspects of crime are
duly protected and facilitates cross-border cooperation in the fight against crime and
terrorism. On 25 July 2022, the European Commission published its delayed report
on the application and functioning of the Law Enforcement Directive. It was followed
by an evaluation study commissioned by the Committee on Civil Liberties, Justice and
Home Affairs (LIBE) containing a critical assessment of the implementation of the Law
Enforcement Directive[2].
c. Directive on privacy and electronic communications
Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002
concerning the processing of personal data and the protection of privacy in the
electronic communications sector (directive on privacy and electronic communications)
was modified by Directive 2009/136/EC of 25 November 2009. It raises the delicate
issue of data retention, which was repeatedly brought to the CJEU and led to a series
of rulings, most recently in 2020, declaring that EU law precludes the general and
indiscriminate retention of traffic and location data.
The 2017 proposal for a regulation of the European Parliament and of the Council
concerning the respect for private life and the protection of personal data in
electronic communications and repealing Directive 2002/58/EC (regulation on privacy
and electronic communications) is under prolonged discussions. The European
Parliament’s experts indicated that Parliament should resist the Council’s attempts to
exclude the applicability of European data protection principles[3].

[1] Commission communication of 24 June 2020 entitled ‘Data protection as a pillar of citizens’ empowerment and the EU’s
approach to the digital transition – two years of application of the General Data Protection Regulation’ (SWD(2020)0115).
[2] Vogiatzoglou, P. et al., Assessment of the implementation of the Law Enforcement Directive, European Parliament,
Directorate-General for Internal Policies of the Union, Policy Department for Citizens’ Rights and Constitutional Affairs,
7 December 2022.
[3] Sartor, G. et al., The impact of Pegasus on fundamental rights and democratic processes, European Parliament,
Directorate-General for Internal Policies of the Union, Policy Department for Citizens’ Rights and Constitutional Affairs,
January 2023, pp. 56-57.

d. Regulation on the processing of personal data by the Union institutions and
bodies
Regulation (EU) 2018/1725 of the European Parliament and of the Council of
23 October 2018 on the protection of natural persons with regard to the processing
of personal data by the Union institutions, bodies, offices and agencies and on the
free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision
No 1247/2002/EC, entered into force on 11 December 2018.
e. Articles on data protection in sector-specific legislative acts
In addition to the main legislative acts on data protection referred to above, specific
provisions on data protection are also set down in sector-specific legislative acts, such
as:
— Article 13 (on the protection of personal data) of Directive (EU) 2016/681 of
the European Parliament and of the Council of 27 April 2016 on the use of
passenger name record (PNR) data for the prevention, detection, investigation and
prosecution of terrorist offences and serious crime;
— Article 6 (on data processing) of Council Directive 2004/82/EC of 29 April 2004 on
the obligation of carriers to communicate passenger data (API);
— on 13 December 2022, the Commission adopted two legislative proposals on the
collection and transfer of API data that will replace the API[4];
— Chapter VI (on data protection safeguards) of Regulation (EU) 2016/794 of the
European Parliament and of the Council of 11 May 2016 on the European Union
Agency for Law Enforcement Cooperation (Europol);
— Chapter VIII (on data protection) of Council Regulation (EU) 2017/1939 of
12 October 2017 implementing enhanced cooperation on the establishment of the
European Public Prosecutor’s Office (‘the EPPO’).
4. The EU’s main international arrangements on data transfers
a. Commercial data transfers: adequacy decisions
Under Article 45 of the GDPR, the Commission has the power to determine whether a
country outside the EU offers an adequate level of data protection, be that on the basis
of its domestic legislation or of the international commitments it has entered into.
While data transfers between the EU and North America have increased exponentially,
with the US dominating private online advertising and surveillance[5], Parliament has
adopted numerous resolutions raising concerns about transatlantic data flows. In
particular, it considered that the EU-US Privacy Shield Decision does not provide
the adequate level of protection required by EU law, while the CJEU has repeatedly
invalidated the European Commission’s adequacy decisions concerning the US (see
its rulings of 2015 on Safe Harbour in Schrems and of 2020 on the EU-US Privacy
Shield in Schrems II).

[4] Vavoula, N. et al., Advance Passenger Information (API) – An analysis of the European Commission’s proposals to reform
the API legal framework, European Parliament, Directorate-General for Internal Policies of the Union, Policy Department for
Citizens’ Rights and Constitutional Affairs, 8 June 2023.
[5] Maciejewski, M., Metaverse, European Parliament, Directorate-General for Internal Policies of the Union, Policy Department
for Citizens’ Rights and Constitutional Affairs, 26 June 2023.

Despite a lack of reform of the data protection regime in the US, the European
Commission reached another agreement with the US and presented a proposal for
yet another EU-US Data Privacy Framework. On a motion from the LIBE Committee,
on 11 May 2023, Parliament adopted a resolution on the adequacy of the protection
afforded by the EU-US Data Privacy Framework, concluding that the EU-US Data
Privacy Framework fails to create essential equivalence in the level of protection and
calling on the Commission to continue negotiations with its US counterparts, but to
refrain from adopting the adequacy finding until all of the recommendations made in
Parliament’s resolution and the European Data Protection Board (EDPB) opinion are
fully implemented.
The Commission adopted its third EU-US Data Privacy Framework on 10 July 2023.
b. EU-US Umbrella Agreement
Under the consent procedure, Parliament was involved in the approval of the
agreement between the US and the EU on the protection of personal information
relating to the prevention, investigation, detection, and prosecution of criminal offences,
also known as the ‘Umbrella Agreement’. The aim of this agreement is to ensure a high
level of protection of personal information transferred in the framework of transatlantic
cooperation for law enforcement purposes, namely in the fight against terrorism and
organised crime.
c. EU-US, EU-Australia and EU-Canada passenger name record (PNR)
agreements
The EU has signed bilateral passenger name record (PNR) agreements with the United
States, Australia and Canada. PNR data includes information provided by passengers
when booking or checking in for flights and data collected by air carriers for their own
commercial purposes. PNR data can be used by law enforcement authorities to fight
serious crime and terrorism.
d. EU-US Terrorist Finance Tracking Programme (TFTP)
The EU has signed a bilateral agreement with the US on the processing and transfer of
financial messaging data from the EU to the US for the purposes of the terrorist finance
tracking programme.
5. Addressing data protection aspects in sector-specific resolutions
Several Parliament resolutions on different policy areas also address personal data
protection in order to ensure consistency with general EU data protection law and the
protection of privacy in those specific sectors.
6. EU data protection supervisory authorities
The European Data Protection Supervisor (EDPS) is an independent supervisory
authority that ensures that the EU institutions and bodies meet their obligations with
regard to data protection. The primary duties of the EDPS are supervision, consultation
and cooperation.

The European Data Protection Board (EDPB), formerly the Article 29 Working Party,
has the status of an EU body with legal personality and is provided with an independent
secretariat. The EDPB brings together the EU’s national supervisory authorities, the
EDPS and the Commission. The EDPB has extensive powers to determine disputes
between national supervisory authorities and to give advice and guidance on key
concepts of the GDPR and the Data Protection Law Enforcement Directive.

ROLE OF THE EUROPEAN PARLIAMENT


Parliament has played a key role in shaping EU legislation in the field of personal data
protection by making the protection of privacy a political priority. Furthermore, under
the ordinary legislative procedure, it has been working on the data protection reform on
an equal footing with the Council. In 2017, it concluded its work on the last significant
piece in the puzzle, the new regulation on privacy and electronic communications,
and is waiting expectantly for the Council to finally conclude its work in order to start
interinstitutional negotiations.
In numerous resolutions, Parliament has expressed doubts as to the adequacy of
the protection given to EU citizens under the EU-US Safe Harbour Framework and,
subsequently, the EU-US ‘Privacy Shield’. After the Schrems II case led to the
invalidation of European Commission Implementing Decision (EU) 2016/1250 on the
adequacy of the protection provided by the EU-US ‘Privacy Shield’ agreement, on the
basis of concerns that the US Government’s surveillance powers were not limited, as
required by EU law, and that EU citizens did not have effective means of redress,
the European Parliament adopted a resolution in which it deplored the fact that the
Commission had put relations with the US before the interests of EU citizens[6].
Following the tabling of the LIBE Committee’s motion on 11 May 2023, Parliament adopted
a resolution on the adequacy of the protection afforded by the EU-US Data Privacy
Framework, concluding that the EU-US Data Privacy Framework fails to create
essential equivalence in the level of protection and calling on the Commission to
continue negotiations with its US counterparts but to refrain from adopting the adequacy
finding until all the recommendations made in the resolution and the EDPB opinion are
fully implemented. The Commission adopted its decision on the EU-US Data Privacy
Framework on 10 July 2023.
Parliament has established a committee of inquiry to investigate the use of Pegasus
and equivalent surveillance spyware in the EU’s Member States (PEGA). Chaired
by MEP Jeroen Lenaers, the PEGA Committee has thoroughly investigated the
practices of using spyware to investigate opposition members, journalists, lawyers
and civic society activists, as well as how such practices affect democratic processes
and individual rights in the EU. During its inquiry, the PEGA Committee consulted
leading academics, practitioners and authorities in the EU and worldwide. Parliament’s
Policy Department prepared reports for the PEGA missions to Poland, Greece and
Cyprus. The PEGA Committee voted on 8 May 2023 to approve its highly critical
final report with recommendations on the investigation into alleged contraventions
and maladministration in the application of EU law in relation to the use of Pegasus
and equivalent surveillance spyware, and including, among many other points, a
recommendation to set up an EU Tech Lab for research and monitoring of the use
of spyware against EU citizens. Parliament’s recommendation to the Council and the
Commission following the PEGA report was adopted by its plenary on 15 June 2023.
However, the Commission did not provide a timely response to the recommendation
and blocked the pilot project of the EU Tech Lab proposed by MEPs.

[6] European Parliament resolution of 20 May 2021 on the ruling of the CJEU of 16 July 2020 – Data Protection Commissioner v
Facebook Ireland Limited and Maximillian Schrems (‘Schrems II’), Case C-311/18, paragraph 28.

Parliament has commissioned a number of research studies in order to have a scientific
basis for its legislative activities at the forefront of technological developments and data
protection, including a study on the impact of the General Data Protection Regulation
(GDPR) on artificial intelligence, a study on Biometric Recognition and Behavioural
Detection and a study on the Metaverse.
This fact sheet was prepared by the European Parliament’s Policy Department for
Citizens’ Rights and Constitutional Affairs.

Mariusz Maciejewski
11/2023
