Data protection reform

Archived content
The content on this page is provided for reference purposes only. This content has not been altered or updated since 27/09/2016

The data protection reform is a legislative package including:

  • a general data protection regulation
  • a directive on protecting personal data processed for the purpose of criminal law enforcement

On 24 May 2016 the general data protection regulation entered into force. It will apply from 25 May 2018. 

The directive on protecting personal data processed for the purpose of criminal law enforcement entered into force on 5 May 2016. Member states have until 6 May 2018 to translate the directive into national law.

This legislative package updates and modernises the rules of the 1995 data protection directive and the 2008 framework decision on data protection in judicial cooperation in criminal matters and police cooperation. Uniform and up-to-date legislation on data protection is essential to guarantee the fundamental right of individuals to have their personal data protected, to allow for the development of the digital economy and to strengthen the fight against crime and terrorism.

Why do we need it?

In the last few decades, the European Union had adopted several pieces of legislation to protect personal data, the main one being the 1995 Data Protection Directive. However, since the Lisbon Treaty, protection of personal data has become a fundamental right under EU law, recognised by the Treaty on the Functioning of the European Union and the EU Charter of Fundamental Rights. This means that the EU now has a specific legal basis to adopt legislation to protect this fundamental right.

Rapid technological developments in the last two decades have brought new challenges for the protection of personal data. The scale of data sharing and collection has grown exponentially, sometimes taking place on a global level, and individuals are increasingly making personal information publicly available.

The economic and social integration resulting from the functioning of the internal market has also led to a substantial increase in cross-border flows of data. To take full account of all these developments and promote the digital economy, there is a need to ensure a high level of protection of personal data, while at the same time allowing for the free movement of such data.  

In the case of personal data used for law enforcement purposes, there is a growing need for authorities in the member states to process and exchange data as part of the fight against transnational crime and terrorism. In this context, clear and consistent rules on data protection at EU level are fundamental to improving cooperation between those authorities.

General data protection regulation

This regulation sets out the rights of the individual and establishes the obligations of those processing and those responsible for the processing of the data. It also establishes the methods for ensuring compliance as well as the scope of sanctions for those in breach of the rules.

Directive on data protection in law enforcement

This directive aims to protect the right of individuals to the protection of their personal data while guaranteeing a high level of public security. It applies to both cross-border and national processing of data by member states' competent authorities for the purpose of criminal law enforcement.