The Proposal on the protection of individuals with regards to the processing of personal data and on the free movement of such data (‘General Data Protection Regulation’): Assumptions, Legal Framework and Principles
Negotiations are continuing in Brussels on the Proposal for a Regulation of the European Parliament and of the Council on the Protection of individuals with regard to the processing of personal data and free movement of such data (‘General Data Protection Regulation’).
The outcome of these negotiations will have a significant impact on data protection and privacy in the European Union (EU). It is expected that the negotiations will conclude in June 2015.
The Commission proposal on data protection starts from the basic position that the current EU Data Protection Directive 95/46/EC is not well adapted to data globalization and technological developments like social networks and cloud computing. New rules are required. For this reason the Commission published a proposal for a regulation on 25 January 2012, which extends the scope of the EU Data Protection to any company, wherever based, processing data in relation to EU residents. At the same time it proposes the harmonization of the data protection regulations throughout the EU, thereby making it easier for non-European companies to comply with these regulations.
The European Commission believes that “Building trust in the online environment is key to economic development”. Lack of trust makes consumers hesitate to buy online and adopt new services. This risks slowing down the development of innovative uses of new technologies. Personal data protection therefore plays a central role in the Digital Agenda for Europe and more generally in the Europe 2020 Strategy.
Data protection is considered a fundamental right in EU law.
Article 16(1) of the Treaty on the Functioning of the European Union (TFEU), establishes the principle that everyone has the right to the protection of their personal data concerning. Article 16(2) TFEU introduces a specific legal basis for the adoption of rules on the protection of personal data. Article 8 of the EU Charter of Fundamental Rights enshrines protection of personal data as a fundamental right.
Against this background of fundamental rights, the European Council invited the Commission to evaluate the functioning of existing EU instruments on data protection and to present, where necessary, further legislative and/or non-legislative initiatives. Data protection was included in the Stockholm Programme to ensure an open and secure Europe serving and protecting citizens. The Programme was approved by the European Parliament. Then Commission stressed in its Action Plan implementing the Stockholm Programme the need to ensure that the fundamental right to personal data protection is consistently applied in the context of all EU policies.
Finally the Commission in its Communication on “A comprehensive approach on personal data in the European Union”  concluded that the EU needs a more comprehensive and coherent policy on the fundamental right to personal data protection.
Legal basis and Principles
The legal basis of EU laws is keenly debated in Brussels for two reasons. Firstly the EU does not have competence to act unless there is a clear legal basis in the Lisbon treaty. Secondly, if there are two possible legal bases, the different legal bases give different EU institutions (Council, Parliament and Commission) different rights and competences. The Commission proposed use of Article 16 of the TFEU, which is the new legal basis for the adoption of data protection rules introduced by the Lisbon Treaty.
The next question is whether the form of the law should be a Regulation or a Directive. A Regulation is directly applicable in the Member States. A Directive leaves room for Member States to adapt the law to the national situation.
For data protection, the Commission considered that a Regulation was the most appropriate legal instruments to define the framework for the protection of personal data in the Union. The direct applicability of a Regulation reduces legal fragmentation and provides greater legal certainty by introducing a harmonized set of core rules.
As Commission reaffirmed,  the right to the protection of personal data, enshrined in Article 8 of the EU Charter of Fundamental Right, requires the same level of data protection throughout the Union. The absence of common EU rules would create the risk of different levels protection in the Member States and create restriction on cross-border flows of personal data between Member States with different standards.
Personal data is transferred across national boundaries, both internal and external borders, at rapidly increasing rates. In addition, there are practical challenges to enforcing data protection legislation and a need for co-operation between Member States and their Authorities, which needs to be organized at EU Level to ensure unity of application of Union Law. The EU is also best placed to ensure effectively and consistently the same level of protection for individuals when their personal data are transferred to third countries.
 Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation), Brussels, 25.1.2012, COM(2012) 11 Final.
 European Parliament and Council Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281 of 23.11.1995.
 Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, ‘A Digital Agenda for Europe’, Brussels, 19.5.2010, COM(2010)245 Final.
 Communication from the Commission, ‘EUROPE 2020 – A strategy for smart, sustainable and inclusive growth’, Brussels, 3.3.2010, COM(2010) 2020 Final.
 The Stockholm Programme – An open and secure Europe serving and protecting citizens, OJ C 115, 4.5.2010, p.1.
 Adopted on 25 november 2009
Communication from the Commission to the European Parliament, the Council, the Economic and Social Committee and the Committee of the Regions, ‘Delivering an area of freedom, security and justice for Europe’s citizens – Action Plan Implementing the Stockholm Programme’, Brussels, 20.4.2010, COM(2010)171 Final.
 COM(2010)609 Final
 Article 16 of TFEU reads as follows: “1. Everyone has the right to the protection of personal data concerning them. // 2. The European Parliament and the Council, acting in accordance with the ordinary legislative procedures, shall lay down the rules relating to the protection of individuals with regard to the processing of personal data by Union Institutions, bodies, offices and agencies, and by the Member States when carrying out activities which fall within the scope of Union Law, and the rules relating to the free movement of such data. Compliance with these rules shall be subject to the control of indipendent authorities. // The rules adopted on the basis of this Article shall be without prejudice to the specific rules laid down in Article 39 of the Treaty on European Union”.
 See Digital Agenda; and the Stockholm Programme.
 Article 8 of the EU Charter of Fundamental Right provides that: “Everyone has the right to an effective remedy by the competent national tribunals for acts violating the fundamental rights granted him by the constitution or by law”.