Skip to 0 minutes and 7 secondsAt the core of the European Union data protection regime, for many years, they have been two legal instruments. The first one is the directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, adopted in 1995. And the second one is the Council Framework Decision dealing with data protection within the framework of police and judicial cooperation in criminal matters, adopted in 2008. In 2012, the European Commission prepared and made public the General Protection Reform Package containing two proposals for new legal acts.

Skip to 0 minutes and 45 secondsThis was deemed necessary in order to modernise the outdated legal framework on data protection and strengthen Europe's digital economy and fundamental rights of individuals in the digital age. The first proposal includes the new Police and Criminal Justice Data Protection Directive of the European Parliament and of the Council that replaces the Council Framework Decision from 2008. It concerns the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection, or prosecution of criminal offences, or the execution of criminal penalties and the free movement of such data.

Skip to 1 minute and 28 secondsThe competent authorities in question could be not only public authorities, such as the judicial authorities, the police, and other law enforcement agencies, but also other bodies and entities entrusted by EU Member State law to exercise public authority and public powers for the purposes of this directive. The second proposal is the General Data Protection Regulation of the European Parliament and of the Council, or simply the GDPR, which replaces the Directive from 1995. Its focus is on the protection of individuals with regard to the processing of personal data and on the free movement of such data. This regulation is what we are dealing with in this course.

Skip to 2 minutes and 12 secondsFor the sake of clarity, the main difference between directives and regulations as legal instruments of the European Union needs to be explained. Directives are essentially legislative acts harmonising national laws and establishing certain objectives that must be achieved by EU Member States. Individual countries may decide themselves how they incorporate directives into their national legislation. Regulations are a different type of legislative act. They are binding and directly applicable in their entirety in all EU member states. The General Data Protection Regulation is a regulation that aims to create a more effective and consistent data protection regime in the EU.

Skip to 2 minutes and 54 secondsAfter the new Police and Criminal Justice Data Protection Directive was published in the Official Journal of the European Union on the 4th of May, 2016, it entered into force on the 5th of May of the same year. EU Member States are required to transpose the directive into their national legal orders before the 6th of May, 2018. The General Data Protection Regulation was also published on the 4th of May, 2016, but entered into force on the 24th of May of that year. It will become binding and directly applicable in all EU Member States from the 25th of May 2018 without the need for implementing national legislation.

Skip to 3 minutes and 36 secondsThe General Data Protection Regulation replaces local data protection laws of EU Member States and applies to the processing of personal data by a broad range of actors established within or outside the European Union, for example, pharmacists, companies offering all sorts of goods and services, educational institutions, and many others. Therefore, it is not an exaggeration to say that now it is time to act and to comply with the regulation.

Data protection in the EU

In this video, the origins of the EU data protection regime are explained. The Police and Criminal Justice Data Protection Directive and General Data Protection Regulation are introduced as two crucial legal instruments. The Directive will have to be implemented by the EU Member States before 6 May 2018 and the Regulation will become effective on 25 May 2018.

For many years, at the core of the EU data protection regime one could find the 1995 Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data and the 2008 Council Framework Decision dealing with data protection within the framework of police and judicial cooperation in criminal matters.

A few years ago, the European Commission started making changes to this regime. In 2012, it introduced the data protection reform package. The first proposal of the reform package included the new Police and Criminal Justice Data Protection Directive replacing the Council Framework Decision from 2008. It concerns the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data.

The second proposal was the General Data Protection Regulation or the GDPR replacing the Directive from 1995 that dealt the protection of individuals with regard to the processing of personal data and on the free movement of such data.

Essentially, the GDPR replaces local data protection laws of EU Member States and, from May 2018, is applicable to the processing of personal data by various actors established within or outside the EU. These include businesses, local governments, supermarkets and any other organisations that process personal data. It might also apply to you, so don’t wait and act now!

Share this video:

This video is from the free online course:

Understanding the General Data Protection Regulation

University of Groningen