Answer given by Ms Jourová on behalf of the Commission
The EU General Data Protection Regulation (GDPR)(1) essentially updates and modernises the principles already enshrined in the 1995 Data Protection Directive(2). It will apply as of 25 May 2018. The regulation creates new opportunities for business. It enables the free flow of personal data across the Digital Single Market. It will replace a patchwork of 28 data protection regimes with one unified law across the whole EU. The regulation will make it easier for companies to do business across the EU and cut red tape.
Data protection authorities are currently elaborating, within the Article 29 Working Party, guidelines on key topics of the regulation in order to help organisations processing personal data in their compliance efforts.
The obligations incumbent on data controllers, including those operating in the online sector, to respect individuals' rights and choices on the processing of their personal data are not new requirements introduced by the GDPR. They are already enshrined in Article 8(2) of the Charter of Fundamental Rights and further detailed in Directive 95/46/EC and apply to all organisations processing personal data of individuals located in the EU.
On 10 January 2017, the Commission adopted a proposal for a regulation on Privacy and Electronic Communications(3) which extends the application of the right to confidentiality of communications laid down in Article 7 of the Charter of Fundamental Rights to all communication service providers. The proposal aims to update the rules set forth in Directive 2002/58/EC(4), create new possibilities for providers to process communication data, ensure that traditional and Internet-based communication providers are bound by the same rules when it comes to the respect for the confidentiality of communications and hence reinforce trust and security in the Digital Single Market. The proposed Regulation will complement the GDPR as regards electronic communications data that qualify as personal data and seeks to ensure consistency with the GDPR, by repealing some provisions of the directive, such as the security obligations, which are now in the GDPR.
(1) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), OJ L 119, 4.5.2016, p. 1‐88.
(2) Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, OJ L 281, 23.11.1995, p. 31-50.
(3) Proposal for a regulation of the European Parliament and of the Council concerning the respect for private life and the protection of personal data in electronic communications and repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM(2017) 10 final, 10.1.2017.
(4) Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications), OJ L 201, 31.7.2002, p. 37‐47.