European Data Protection: GDPR and Beyond

One of the ‘third generation’ fundamental rights included in the EU Charter of Fundamental Rights is the right to Data Protection. That says a lot about how Europeans view the protection of their personal data and explains the high standards European authorities adopt regarding collecting and processing data.

Data protection has been on everyone’s minds since last October, when the CJEU struck down the EU-U.S. Safe Harbour agreement for transatlantic transfers of personal data. Negotiators are currently putting the final touches on a new agreement, the so-called Privacy Shield, yet data protection standards have been long debated on both sides of the pond.  In 2012, the European Commission came out with a proposal for the reform of the Data Protection Directive, the aim of which was to update provisions for data protection and convert the law into a Regulation (General Data Protection Regulation - GDPR). Regulations, as opposed to Directives, become immediately enforceable in all EU Member States, ensuring more stability, efficiency and wider consistency across the 28 countries.

What’s going on with data protection in Europe today?

International Data Transfers

In February 2016, after several months of tense negotiations, the EU and the U.S. agreed on a new framework for regulating transatlantic data flows, the so-called Privacy Shield, which replaces the previously invalidated Safe Harbour agreement.

The new agreement was reviewed by the Article 29 Working Party, which includes the EU Data Protection Authorities (DPAs), and they concluded that they required more clarity on a host of issues relating to the Privacy Shield agreement. Privacy officials have asked for more details about the powers of the newly appointed Ombudsperson, assurances on bulk data collection by U.S. intelligence agencies and a review in two years’ time. Justice Commissioner Vera Jourová has stated that the Commission will work to swiftly include the DPAs’ concerns in its final decision.

Missed our latest publications on the topic? Find our infographic here, watch a 2-minute explanatory video  and read more on our blog.


The Council of the European Union (Council) and the European Parliament reached an informal agreement on the General Data Protection Regulation last December. The Council and European Parliament subsequently adopted the package in April 2016.

On 4th May, the Regulation was published in the EU’s official journal and will enter into force from 25th May 2018. This enables businesses and Member States to have a sufficient grace period, during which they will be able to make necessary arrangements for the law to be put in place on a national level – even if some early birds, like France, are calling for a shorter grace period and quicker enforcement.

The GDPR is a very wide-ranging regulation that governs all aspects of EU personal data collection and management by websites and apps. For app developers, on one hand it will simplify compliance, while on the other it will set higher privacy standards. It will also introduce some new concepts, such as the ‘right to be forgotten’, ‘risk-based approach’ and ‘privacy by design’. Amongst others, the a major concern for developers is the regulation’s wide territorial scope, which means that any company, including non-EU companies who offer goods and services to EU citizens or monitor their data, will fall under the regulation and will have to comply with very restrictive data minimisation principles and profiling provisions. Only the data that is deemed ‘necessary’ can be collected and kept, and only for as little time as possible. Furthermore, the possibility of profiling users, and consequently legally monetising their data, will now be perilous.

Additionally, developers will still be required to comply with another piece of legislation, the ePrivacy Directive of 2002, which deals with another range of important issues related to online and internet privacy.  

ePrivacy Directive

The ePrivacy Directive is often commonly referred to as the ‘Cookies Law’. Adopted in 2002 and reviewed in 2009, the directive governs the "processing of personal data in connection with the provision of publicly available electronic communications services in public communications networks" in the EU but it does not apply to content providers that process personal data via those networks.

Many consider the directive to be controversial and believe that an opportunity was missed to repeal the ePrivacy Directive and include all relevant principles in the GDPR instead. In response, the European Commission recently launched a public consultation to kick-start a review of the ePrivacy Directive to ensure that it is fit for the digital age and for the challenges facing European society. With the help of the consultation, which ends on 5 July, and after a thorough review, the Commission will propose any necessary changes to the ePrivacy Directive – which is expected to be announced in December.

You can read and complete the consultation here. The consultation ends on 5 July.

We’ll be following every development closely. Keep checking our Data and Innovation page to remain up to date with all the latest.