Fragmentation of the data protection framework
The original aim of the Commission was to create “a comprehensive personal data protection scheme covering all areas of EU competence,” which would “ensure that the fundamental right to data protection is consistently applied”. Instead, however, the current proposals would perpetuate a seriously fragmented system of data protection rules (albeit with greater harmonisation in some areas):
- processing of personal data by private entities would be covered by the new Regulation, except that processing for “exclusively personal or household purposes” would remain fully exempt, and (more importantly) processing of important data such as traffic- and location data by e-communication service providers would continue to be covered by the (divergent) national laws implementing the e-Privacy Directive (Directive 2002/58/EC) (although the processing of other types of geolocation data by other controllers would be subject to the Regulation and not the e-Privacy Directive), and the rules on compulsory suspicionless retention of traffic- and location data would continue to be subject to the (equally divergent) laws implementing the Data Retention Directive (Directive 2006/24/EC);
- processing of personal data by public-law entities in the Member States in relation to matters covered by Union law would be covered by the new Regulation, except that processing by law enforcement agencies would be covered by the national laws implementing (undoubtedly in divergent ways) the proposed new Law Enforcement Data Protection Directive, and that processing by Member States in relation to the Common Foreign and Security Policy would be subject to whatever national laws would apply to that processing (if any);
- processing by EU institutions, bodies, offices and agencies would remain subject not to the new Regulation, but to Regulation (EC) No 45/2001 of 18 December 2000;
- processing by Member States in relation to national security is and remains totally outside the scope of EU law, and thus also of the Regulation (and of the new Directive, or indeed any EU legal rules) (Art. 4(2) TEU); and
- access to communications databases would be governed by national concepts of reasonableness and would result in entirely unpredictable access to databases covering data subjects in multiple jurisdictions.
In our opinion, this continued fragmentation is neither necessary nor desirable. Intellectually and in terms of constitutional/fundamental rights law, there is no reason why all processing of personal data subject to EU law should not be subject to one set of overarching basic rules. Moreover, the Regulation (including the restrictions and exemptions contained within it) is perfectly suitable to that end.