Spotlight: New Data Protection Framework for EU Institutions
The European Union has a new legal framework for the protection of personal data processed by Union institutions, bodies, offices and agencies. The underlying Regulation (EU) 2018/1725 was published in the Official Journal of 21 November 2018 (OJ L 295/39). It repeals Regulation (EC) No 45/2001 and Decision No 1247/2002/EC, both of which date back to the pre-Lisbon era and did not cover the processing of personal data by all Union institutions and bodies.
The main aim of the new Regulation is to align the data protection rules for the Union institutions with the General Data Protection Regulation (Regulation (EU) 2016/679), which has been fully applicable since 25 May 2018. Regulation 2018/1725 thus establishes a coherent framework for the institutions while guaranteeing the free flow of personal data within the Union. It also sets out provisions on the European Data Protection Supervisor (EDPS). The EDPS is entitled to monitor the application of the Regulation to all processing operations carried out by a Union institution or body, and is the first port of call for complaints about infringements of an individual’s data protection rights.
The Regulation is divided into 12 chapters, including the following:
- General provisions, including scope and definitions;
- General data protection principles;
- Rights of the data subject;
- Controller and processor, including provisions on security of personal data;
- Transfers of personal data to third countries or international organisations;
- Remedies, liabilities and penalties.
Chapter IX contains specific rules on “the processing of operational personal data by Union bodies, offices and agencies when carrying out activities which fall within the scope of Chapter 4 or Chapter 5 of Title V of Part Three TFEU.” In other words, this concerns activities of Union bodies/offices/agencies (as their main or ancillary tasks) exercised for the purposes of the prevention, detection, investigation, and prosecution of criminal offences. In this event, the tailor-made rules of Chapter IX apply as a lex specialis.
It must be noted, however, that the Regulation does not apply to Europol or to the European Public Prosecutor’s Office until the legal acts establishing Europol and the European Public Prosecutor’s Office (i.e., Regulations No 2016/794 and No 2017/1939) are amended with a view to rendering this chapter (on the processing of operational personal data) applicable to them as adapted. Whether the legal basis of these institutions must be adapted to the Regulation will be assessed in a review process in 2022.
The rules of the Regulation apply from 12 December 2018, with an exception for Eurojust: the Regulation applies to the processing of personal data by Eurojust from 12 December 2019.
Following the adoption, EDPS Giovanni Buttarelli welcomed the new data protection rules for the EU institutions (see the EDPS press release of 11 December 2018). He pointed out:
“The new Regulation, which applies from today, brings the data protection rules for the EU institutions and bodies (EUI) in line with the standards imposed on other organisations and businesses by the General Data Protection Regulation (GDPR). Under the new rules, which we may refer to as the EUI-GDPR, the EDPS remains responsible for ensuring the effective protection of individuals’ fundamental rights and freedoms whenever their personal data is processed by the EU institutions or on their behalf, whether this is to ensure EU markets work better, to evaluate and supervise medicines in the EU or to fight against terrorism and organised crime.”
He added that the EU institutions should lead by example in protecting individuals’ personal data.