European Parliament approves new rules for data protection in the EU

Regulation provides important protections for privacy, but allows some troubling loopholes

Brussels, Belgium — Earlier today, the European Parliament’s Civil Liberties Committee approved the final version of the General Data Protection Regulation (GDPR), a text that has been under development for the past three years.

The GDPR sets an overall positive precedent for data protection standards across the EU, although it allows some loopholes that are cause for concern.

Agreed to on Tuesday by negotiators from the EU parliament and EU member states, the text will replace the previous data protection rules which were devised in 1995 when only 1% of the EU population was online. The Regulation will be subject to approval by the Council of the EU in the next few days, and will then be translated and formally adopted early next year.

“Access Now welcomes the approval of this privacy-enhancing legislation, setting a positive standard for users’ rights to data protection and privacy in the digital age,” said Estelle Massé, Policy Analyst at Access Now. “This Regulation is a very welcome and essential step in ensuring the fundamental rights of European citizens. It solidifies the EU’s leadership in developing user-centric data protection rules”.

Due to its nature, the Regulation provides a (mostly) harmonised and directly applicable set of rules to be uniformly enforced across the EU, which will benefit users and economic players. A new addition in this legislation is the concept of data protection by design and by default,  the aim of which is to promote a privacy-friendly approach to the development of new services. The text includes key provisions ascertaining the minimisation of data use and collection and limitation of purpose, and encompasses a long list of users’ rights. This provides a significant level of privacy protection for users, which is further supported by a data breach notification procedure and measures for data security.

“Despite those gains, the Regulation is not perfect, as some loopholes made their way into the text,” added Massé. “The compromise achieved by the EU institutions in this Regulation lacks ambition in crucial parts of the text and does not provide needed changes from the outdated rules from 1995.”

Among the provisions in the Regulation that could use stricter rules and limitation are the issues of how companies can collect data for their legitimate interests, how the transfer of data will work using new, untested, and potentially unreliable mechanisms, and how member states may be granted exceptions that would limit users’ rights for “national security” or “public security” purposes.

In spite of its shortcomings and unprecedented levels of lobbying, the GDPR has maintained essential data protection standards across the EU. The previous Directive in 1995 helped provide a standard for developing privacy regimes across the world, and we encourage governments outside the EU to adopt the user-centric approach of this Regulation when they create new binding privacy legislation.


Media contact

Estelle Massé

EU Policy Analyst

[email protected]

0032 485 44 54 58