The European Parliament has today adopted a regulation that aims to bring the use of personal data by EU institutions into line with the GDPR.
The EU institutions’ use of personal data is not covered in the scope of the recently adopted EU General Data Protection Regulation (GDPR), and has until now been covered by the older Regulation 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data.
The regulation adopted today aims to replace the older one, ensuring that the EU institutions are accountable to the same data protection standards as the Member States, businesses and citizens.
Rapporteur, Cornelia Ernst, elaborates: “The GDPR is the basis for the most modern and comprehensive data protection legislation in the world. The report adopted today brings the regulation governing the use of personal data by EU institutions into line with the GDPR so that fundamental rights of citizens are effectively protected. In this regulation we have ensured that the standards for data protection that apply to every European citizen should also be adhered to by the EU institutions, including the Council, Parliament and Commission. The report obliges EU institutions to keep records of their data processing activities and to make these publicly accessible.”
“These changes represent an improvement in transparency and freedom of information regarding access to EU documents,” she added.
Notably, the provisions of the report will also apply to European agencies responsible for law enforcement.
They will immediately apply to Eurojust and Frontex, but do not initially apply to Europol and the European Public Prosecutor’s Office (EPPO).
“We would have preferred that Europol and the EPPO were included in the scope of the regulation, but the Council did not agree. However, their exclusion will be reviewed by the Commission by May 2022,” Ernst adds.
Regarding the next steps, it is expected that the Council will also adopt this regulation and it will enter into force shortly.
“Overall, this regulation is a really important achievement in data privacy in the European Union. In order to complete the legislative measures needed to ensure the highest standard of data privacy to European citizens, the Council now needs to move forward on the ePrivacy regulation, which is also related to the GDPR and covers privacy in electronic communication such as messages shared via chat applications,” Ernst concludes.