2011/2025(INI)

Comprehensive approach on personal data protection in the European Union

Procedure completed

2011/2025(INI) Comprehensive approach on personal data protection in the European Union
RoleCommitteeRapporteurShadows
Opinion CULT KELLY Seán (EPP)
Opinion IMCO SALVINI Matteo (EFD)
Opinion ITRE CHICHESTER Giles (ECR)
Opinion JURI CASTEX Françoise (S&D)
Lead LIBE VOSS Axel (EPP)
Lead committee dossier: LIBE/7/05177
Legal Basis RoP 048
Subjects
Links

Activites

  • 2011/07/06 Text adopted by Parliament, single reading
    • T7-0323/2011 summary
    • Results of vote in Parliament
  • 2011/06/22 Committee report tabled for plenary, single reading
  • 2011/06/22 Committee report tabled for plenary, single reading
  • 2011/06/15 Vote in committee, 1st reading/single reading
  • 2011/04/26 Deadline Amendments
  • 2011/03/29 Committee draft report
  • 2011/02/24 Resolution/conclusions adopted by Council
  • #3071
  • 2011/02/24 Council Meeting
  • 2011/02/17 Committee referral announced in Parliament, 1st reading/single reading
  • 2011/01/18 EP officialisation
  • 2011/01/14 Document attached to the procedure
    • N7-0061/2011 summary
    • OJ C 181 22.06.2011, p. 0001
  • 2010/11/04 Non-legislative basic document published
    • COM(2010)0609 summary
  • 2010/11/04 Date
  • 2010/11/04 Non-legislative basic document
    • COM(2010)0609 summary
    • DG Justice, REDING Viviane

Documents

AmendmentsDossier
364 2011/2025(INI) Comprehensive approach on personal data protection in the European Union
2011/03/05 JURI 199 amendments...
source: PE-464.682
2011/03/22 CULT 34 amendments...
source: PE-460.957
2011/03/24 IMCO 74 amendments...
source: PE-462.540
2011/04/14 ITRE 57 amendments...
source: PE-462.771

History

(these mark the time of scraping, not the official date of the change)

2012-02-09
activities added
  • date
    2010-11-04
    docs
    • url
      http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=COMfinal&an_doc=2010&nu_doc=0609
      text
      • PURPOSE: to define an overall approach permitting the modernisation of the Union's legal framework governing personal data protection in response to the challenges posed by globalisation and the rapid development of new technologies.

        BACKGROUND: the 1995 Data Protection Directive enshrines two important ambitions of the European integration process: the protection of fundamental rights and freedoms of individuals and in particular the fundamental right to data protection, and the achievement of the internal market - the free flow of personal data in this case.

        Fifteen years later, this twofold objective is still valid and the principles enshrined in the Directive remain sound. However, rapid technological developments and globalisation have profoundly changed the world around us, and brought new challenges for the protection of personal data. At the same time, ways of collecting personal data have become increasingly elaborated and less easily detectable.

        The Commission launched a review of the current legal framework in May 2009. The findings confirmed that the core principles of the Directive are still valid and that its technologically neutral character should be preserved. However, several issues were identified as being problematic and posing specific challenges. These include:

        • addressing the impact of new technologies;
        • enhancing the internal market dimension of data protection;
        • addressing globalisation and improving international data transfers;
        • providing a stronger institutional arrangement for the effective enforcement of data protection rules;
        • improving the coherence of the data protection legal framework.

        The above challenges require the EU to develop a comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.

        The Lisbon Treaty provided the EU with additional means to achieve this: the EU Charter of Fundamental Rights - with Article 8 recognising an autonomous right to the protection of personal data - has become legally binding, and a new legal basis, Article 16 of the Treaty on the Functioning of the EU (TFEU), has been introduced allowing for the establishment of comprehensive and coherent Union legislation on the protection of individuals with regard to the processing of their personal data

        CONTENT: this communication seeks to lay down the Commission's approach for modernising the EU legal system for the protection of personal data in all areas of the Union's activities, taking account, in particular, of the challenges resulting from globalisation and new technologies.

        1) Strengthening individuals' rights: it is essential that individuals are well and clearly informed, in a transparent way, by data controllers about how and by whom their data are collected and processed, for what reasons, for how long and what their rights are if they want to access, rectify or delete their data. Basic elements of transparency are the requirements that the information must be easily accessible and easy to understand, and that clear and plain language is used. In this context, children deserve specific protection.

        The processing of data must be limited in relation to its specific purposes (principle of data minimisation) and individuals must retain the possibility of an effective control over their own data. In particular, they should be able to give their informed consent to the processing of their data and benefit from the 'right to be forgotten' when these data are no longer needed for legitimate purposes or they wish them to be deleted.

        There is also a need to make the general public, and particularly young people, more aware of the risks related to the processing of personal data and of their rights, as well as to ensure that there are effective provisions on remedies and sanctions.

        2) Enhancing the internal market dimension: the divergences that currently characterise the implementation of European data protection rules run counter to the free flow of data within the Union and increase costs. The Commission recommends:

        • increasing legal certainty and providing a level playing field for data controllers by reducing the administrative burden they have to bear;
        • clarifying the rules on applicable law and Member States' responsibility for the application of data protection rules;
        • encouraging self-regulatory initiatives and exploring EU certification schemes, such as, for example, privacy seals.

        3) Revising the data protection rules in the area of police and judicial cooperation in criminal matters: the Lisbon Treaty introduced a new and comprehensive legal basis for the protection of personal data across Union policies. Against this background, and in view of the EU Charter of Fundamental Rights, the Commission plans to examine the opportunity to:

        extend the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters, including for processing at domestic level;

        introduce specific and harmonised provisions in the new general data protection framework, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses; suspects etc) in the area of police cooperation and judicial cooperation in criminal matters.

        4) Ensure a high level of protection of data transferred outside the EU: this would involve the improvement and streamlining of procedures for international data transfers while guaranteeing an adequate level of protection of these data in the event of their transfer outside the EU or the EEA. The Commission also proposes to clarify its adequacy procedure and better specify the criteria and requirements for assessing the level of data protection in a third country or an international organisation.

        5) A stronger institutional arrangement for better enforcement of data protection rules: the Commission will examine how to i) strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework; ii) improve the cooperation and coordination between Data Protection Authorities; iii) strengthen the role of national data protection supervisors, better coordinating their work via the Article 29 Working Party (which should become a more transparent body).

        The Commission's comprehensive approachwill serve as a basis for further discussions with the other European institutions and other interested parties. For this purpose, the Commission welcomes feedback on the issues raised in this Communication.

        On this basis, the Commission will propose legislation in 2011 aimed at revising the legal framework for data protection. As a second step, the Commission will assess the need to adapt other legal instruments to the new general data protection framework.

      title
      COM(2010)0609
      type
      Non-legislative basic document published
      celexid
      CELEX:52010DC0609:EN
    body
    type
    Non-legislative basic document published
  • body
    EP
    date
    2010-11-04
    type
    Date
  • date
    2010-11-04
    docs
    • url
      http://eur-lex.europa.eu/smartapi/cgi/sga_doc?smartapi!celexplus!prod!DocNumber&lg=EN&type_doc=COMfinal&an_doc=2010&nu_doc=0609
      text
      • PURPOSE: to define an overall approach permitting the modernisation of the Union's legal framework governing personal data protection in response to the challenges posed by globalisation and the rapid development of new technologies.

        BACKGROUND: the 1995 Data Protection Directive enshrines two important ambitions of the European integration process: the protection of fundamental rights and freedoms of individuals and in particular the fundamental right to data protection, and the achievement of the internal market - the free flow of personal data in this case.

        Fifteen years later, this twofold objective is still valid and the principles enshrined in the Directive remain sound. However, rapid technological developments and globalisation have profoundly changed the world around us, and brought new challenges for the protection of personal data. At the same time, ways of collecting personal data have become increasingly elaborated and less easily detectable.

        The Commission launched a review of the current legal framework in May 2009. The findings confirmed that the core principles of the Directive are still valid and that its technologically neutral character should be preserved. However, several issues were identified as being problematic and posing specific challenges. These include:

        • addressing the impact of new technologies;
        • enhancing the internal market dimension of data protection;
        • addressing globalisation and improving international data transfers;
        • providing a stronger institutional arrangement for the effective enforcement of data protection rules;
        • improving the coherence of the data protection legal framework.

        The above challenges require the EU to develop a comprehensive and coherent approach guaranteeing that the fundamental right to data protection for individuals is fully respected within the EU and beyond.

        The Lisbon Treaty provided the EU with additional means to achieve this: the EU Charter of Fundamental Rights - with Article 8 recognising an autonomous right to the protection of personal data - has become legally binding, and a new legal basis, Article 16 of the Treaty on the Functioning of the EU (TFEU), has been introduced allowing for the establishment of comprehensive and coherent Union legislation on the protection of individuals with regard to the processing of their personal data

        CONTENT: this communication seeks to lay down the Commission's approach for modernising the EU legal system for the protection of personal data in all areas of the Union's activities, taking account, in particular, of the challenges resulting from globalisation and new technologies.

        1) Strengthening individuals' rights: it is essential that individuals are well and clearly informed, in a transparent way, by data controllers about how and by whom their data are collected and processed, for what reasons, for how long and what their rights are if they want to access, rectify or delete their data. Basic elements of transparency are the requirements that the information must be easily accessible and easy to understand, and that clear and plain language is used. In this context, children deserve specific protection.

        The processing of data must be limited in relation to its specific purposes (principle of data minimisation) and individuals must retain the possibility of an effective control over their own data. In particular, they should be able to give their informed consent to the processing of their data and benefit from the 'right to be forgotten' when these data are no longer needed for legitimate purposes or they wish them to be deleted.

        There is also a need to make the general public, and particularly young people, more aware of the risks related to the processing of personal data and of their rights, as well as to ensure that there are effective provisions on remedies and sanctions.

        2) Enhancing the internal market dimension: the divergences that currently characterise the implementation of European data protection rules run counter to the free flow of data within the Union and increase costs. The Commission recommends:

        • increasing legal certainty and providing a level playing field for data controllers by reducing the administrative burden they have to bear;
        • clarifying the rules on applicable law and Member States' responsibility for the application of data protection rules;
        • encouraging self-regulatory initiatives and exploring EU certification schemes, such as, for example, privacy seals.

        3) Revising the data protection rules in the area of police and judicial cooperation in criminal matters: the Lisbon Treaty introduced a new and comprehensive legal basis for the protection of personal data across Union policies. Against this background, and in view of the EU Charter of Fundamental Rights, the Commission plans to examine the opportunity to:

        extend the application of the general data protection rules to the areas of police and judicial cooperation in criminal matters, including for processing at domestic level;

        introduce specific and harmonised provisions in the new general data protection framework, for example on data protection regarding the processing of genetic data for criminal law purposes or distinguishing the various categories of data subjects (witnesses; suspects etc) in the area of police cooperation and judicial cooperation in criminal matters.

        4) Ensure a high level of protection of data transferred outside the EU: this would involve the improvement and streamlining of procedures for international data transfers while guaranteeing an adequate level of protection of these data in the event of their transfer outside the EU or the EEA. The Commission also proposes to clarify its adequacy procedure and better specify the criteria and requirements for assessing the level of data protection in a third country or an international organisation.

        5) A stronger institutional arrangement for better enforcement of data protection rules: the Commission will examine how to i) strengthen, clarify and harmonise the status and the powers of the national Data Protection Authorities in the new legal framework; ii) improve the cooperation and coordination between Data Protection Authorities; iii) strengthen the role of national data protection supervisors, better coordinating their work via the Article 29 Working Party (which should become a more transparent body).

        The Commission's comprehensive approachwill serve as a basis for further discussions with the other European institutions and other interested parties. For this purpose, the Commission welcomes feedback on the issues raised in this Communication.

        On this basis, the Commission will propose legislation in 2011 aimed at revising the legal framework for data protection. As a second step, the Commission will assess the need to adapt other legal instruments to the new general data protection framework.

      title
      COM(2010)0609
      type
      Non-legislative basic document
      celexid
      CELEX:52010DC0609:EN
    body
    EC
    commission
    • DG
      Justice
      Commissioner
      REDING Viviane
    type
    Non-legislative basic document
  • date
    2011-01-14
    docs
    body
    type
    Document attached to the procedure
  • body
    EP
    date
    2011-01-18
    type
    EP officialisation
  • date
    2011-02-17
    body
    EP
    type
    Committee referral announced in Parliament, 1st reading/single reading
    committees
  • date
    2011-02-24
    text
    • The Council adopted conclusions on the Commission communication "A comprehensive approach on personal data protection in the European Union". It welcomes the Communication and strongly supports the aim outlined in the Communication according to which appropriate protection must be ensured for individuals in all circumstances.

      The Council shares the Commission's view that the notion of a comprehensive approach to data protection does not necessarily exclude specific rules for data protection for police and judicial cooperation in criminal matters within this comprehensive protection scheme. It encourages the Commission to propose a new legal framework taking due account of the specificities of this area. In this context, certain limitations have to be set regarding the rights of individuals in the specific context in a harmonised and balanced way, when necessary and proportionate and taking into account the legitimate goals pursued by law enforcement authorities in combating crime and maintaining public security.

      Privacy: Council invites the Commission to explore the possibility of including a provision on the 'privacy by design' principle in the new legal framework and to favour privacy-enhancing technologies (PET). It demands that special attention be given to minors.

      The Council expects the special protection of sensitive personal data to remain a core element of the Commission proposal. It invites the Commission to assess the impact of the use of biometric data on individuals. It supports the idea of introducing privacy seals (EU certification schemes) and self-regulatory initiatives.

      Applicable law: the Council feels that the new legal framework should clearly regulate the issue of applicable law within the European Union. As regards cases with an extra-EU dimension, the Council encourages the Commission to find legal solutions that provide adequate safeguards to ensure that data subjects can exercise their data protection rights even if their data are processed outside the European Union.

      Principle of accountability: the Council considers that the concept of accountability should be explored with a view to diminishing the administrative burden on data controllers, for instance by simplifying or tailoring adequate notification requirements. Data breach notification should not, however, become a routine alert for all sorts of security breaches. It should apply only if the risks stemming from the breach can impact negatively on the individual's privacy.

      While recalling that prime responsibility and accountability for the protection of personal data must rest with the data controller (who benefits from the use of such data), there is also a major need to increase the data subject's awareness of the implications of sharing his personal data.

      The Council supports the Commission's aim of enhancing the data controller's responsibility and encourages the Commission to include in its impact assessment an evaluation of the possible appointment of Data Protection Officers.

      Rights of individuals: the Council encourages the Commission: i) to define more precisely the rights of data subjects (such as access, rectification, deletion/blocking) and ii) to explore the introduction of a right to be forgotten, as an innovative legal instrument, insofar as the exercise of such a right is enabled by new technologies.

      The Council is of the opinion that the right of access should, as a rule, be exercised free of charge and that any charge should be without excessive expense.

      Data protection authorities: the Council supports a more harmonised role of data protection authorities. This also holds true for the field of police and judicial cooperation in criminal matters. In this context, the coordination between data protection authorities needs to be improved.

    body
    type
    Resolution/conclusions adopted by Council
  • date
    2011-02-24
    body
    CSL
    type
    Council Meeting
    council
    Justice and Home Affairs (JHA)
    meeting_id
    3071
  • date
    2011-03-29
    docs
    • url
      http://www.europarl.europa.eu/sides/getDoc.do?type=COMPARL&mode=XML&language=EN&reference=PE460.636
      type
      Committee draft report
      title
      PE460.636
    body
    EP
    type
    Committee draft report
  • body
    EP
    date
    2011-04-26
    type
    Deadline Amendments
  • date
    2011-06-15
    text
    • The Committee on Civil Liberties, Justice and Home Affairs adopted the report drafted by Axel VOSS (EPP, DE) on a comprehensive approach on personal data protection in the European Union.

      Members strongly welcome and support the Commission communication entitled 'A comprehensive approach on personal data protection in the European Union' and its focus on strengthening existing arrangements, putting forward new principles and mechanisms and ensuring coherence and high standards of data protection in the new setting offered by the entry into force of the Lisbon Treaty and the now binding Charter of Fundamental Rights.

      Fully engaging with a comprehensive approach: Members emphasise that the standards and principles set out in Directive 95/46/EC represent an ideal starting point and should be further elaborated, extended and enforced, as part of a modern data protection law.

      The report underlines the importance of Article 9 of Directive 95/46/EC, which obliges Member States to provide for exemptions from data protection rules when personal data are used solely for journalistic purposes or the purpose of artistic or literary expression. It calls on the Commission to ensure that these exemptions are maintained and that every effort is made to evaluate the need for developing these exceptions further in the light of any new provisions in order to protect freedom of the press.

      Recognising that technological developments have created new threats to the protection of personal data, Members consider that a thorough evaluation of the current data protection rules is required in order to ensure that (i) the rules still provide a high level of protection, (ii) the rules still strike a fair balance between the right to protection of personal data and the right to freedom of speech and information, and (iii) the rules do not unnecessarily hinder everyday processing of personal data, which is typically harmless.

      Members also consider it imperative to extend the application of the general data protection rules to the areas of police and judicial cooperation.

      The Commission is called upon to ensure that the current revision of EU data protection legislation will provide for:

      • full harmonisation at the highest level providing legal certainty and a uniform high level standard of protection of individuals in all circumstances,
      • further clarification of the rules on applicable law with a view to delivering a uniform degree of protection for individuals irrespective of the geographical location of the data controller, also covering enforcement of data protection rules by authorities or in courts.

      Strengthening individuals' rights: the report calls on the Commission to reinforce existing principles and elements such as transparency, data minimisation and purpose limitation, informed, prior and explicit consent, data breach notification and the data subjects' rights, as set out in Directive 95/46/EC, improving their implementation in Member States, particularly as regards the 'global online environment'.

      The report underlines the importance of:

      • improving the means of exercising, and awareness of, the rights of access, of rectification, of erasure and blocking of data, of clarifying in detail and codifying the 'right to be forgotten' and of enabling data portability;
      • enabling individuals to sufficiently control their online data to enable them to use the internet responsibly;
      • including provisions on profiling, while clearly defining the terms 'profile' and 'profiling';
      • enhancing obligations of data controllers with regard to provision of information to data subjects;
      • specifically protecting children and minors - in the light, inter alia, of increased access for children to internet and digital content.

      Strengthening the global dimension of data protection: the committee considers it of utmost importance that data subjects' rights are enforceable. Members highlight the need for proper harmonised enforcement across the EU. They call on the Commission to provide in its legislative proposal for severe and dissuasive sanctions, including criminal sanctions, for misuse and abuse of personal data. The Commission is encouraged to introduce a system of mandatory general personal data breach notifications by extending it to sectors other than the telecommunications sector.

      The report welcomes the possibility of making the appointment of organisation data protection officers mandatory, as the experience of EU Member States which already have data protection officers shows that the concept has proved successful.

      Members see in the concepts of 'privacy by design' and 'privacy by default' a strengthening of data protection, and support examination of possibilities for their concrete application and further development, as well as recognising the need to promote the use of Privacy Enhancing Technologies.

      The committee supports the efforts to further advance self-regulatory initiatives - such as codes of conduct - and the reflection on setting up voluntary EU certification schemes, as complementary steps to legislative measures, while maintaining that the EU data protection regime is based on legislation setting high-level guarantees.

      According to Members, any certification or seal scheme must be of guaranteed integrity and trustworthiness, technology-neutral, globally recognisable and affordable, so as not to create barriers to entry.

    body
    EP
    committees
    type
    Vote in committee, 1st reading/single reading
  • date
    2011-06-22
    docs
    • url
      http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A7-2011-0244&language=EN
      type
      Committee report tabled for plenary, single reading
      title
      A7-0244/2011
    body
    type
    Committee report tabled for plenary, single reading
  • date
    2011-06-22
    docs
    • url
      http://www.europarl.europa.eu/sides/getDoc.do?type=REPORT&mode=XML&reference=A7-2011-0244&language=EN
      type
      Committee report tabled for plenary, single reading
      title
      A7-0244/2011
    body
    EP
    type
    Committee report tabled for plenary, single reading
  • date
    2011-07-06
    docs
    body
    EP
    type
    Text adopted by Parliament, single reading
committees added
  • body
    EP
    responsible
    False
    committee
    CULT
    date
    2010-11-18
    committee_full
    Culture and Education
    rapporteur
    • group
      EPP
      name
      KELLY Seán
  • body
    EP
    responsible
    False
    committee
    IMCO
    date
    2011-02-15
    committee_full
    Internal Market and Consumer Protection
    rapporteur
    • group
      EFD
      name
      SALVINI Matteo
  • body
    EP
    responsible
    False
    committee
    ITRE
    date
    2010-12-01
    committee_full
    Industry, Research and Energy
    rapporteur
    • group
      ECR
      name
      CHICHESTER Giles
  • body
    EP
    responsible
    False
    committee
    JURI
    date
    2011-02-28
    committee_full
    Legal Affairs
    rapporteur
    • group
      S&D
      name
      CASTEX Françoise
  • body
    EP
    responsible
    True
    committee
    LIBE
    date
    2010-12-09
    committee_full
    Civil Liberties, Justice and Home Affairs
    rapporteur
    • group
      EPP
      name
      VOSS Axel
links added
other added
  • body
    EC
    dg
    Justice
    commissioner
    REDING Viviane
procedure added
dossier_of_the_committee
LIBE/7/05177
reference
2011/2025(INI)
title
Comprehensive approach on personal data protection in the European Union
legal_basis
  • Rules of Procedure of the European Parliament EP 048
stage_reached
Procedure completed
subtype
Strategic initiative
type
INI - Own-initiative procedure
subject
  • 1.20.09 Protection of privacy and data protection

code AGPLv3.0+, data ODBLv1.0, site-content CC-By-Sa-3.0
© European Union, 2011 – Source: European Parliament