Article 2 GDPR. Material Scope

 

Authors: Vagelis Papakonstantinou and Paul De Hert

 

  1. This Regulation applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.
  2. This Regulation does not apply to the processing of personal data:
  • (a) in the course of an activity which falls outside the scope of Union law;
  • (b) by the Member States when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
  • (c) by a natural person in the course of a purely personal or household activity;
  • (d) by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
  3. For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98.
  4. This Regulation shall be without prejudice to the application of Directive 2000/31/EC, in particular of the liability rules of intermediary service providers in Articles 12 to 15 of that Directive.

I. Overview and legislative history

1. When is data protection law applicable?

Art. 2 sets the first of the two GDPR applicability criteria. The second one, on territoriality, is introduced in Art. 3. Anyone wondering whether the GDPR is applicable to a particular case should run the GDPR two-step test of applicability: as per this Art. 2, if “personal data” undergo “processing” (according to the definitions of Art. 4 no. 1 and no. 2 respectively), meet the conditions of its para. 1, and escape the exemptions of its paras. 2 and 3, then the material scope criterion is met. If the case under examination does not present any cross-border circumstances (or develops entirely in a third country), then the verification process may stop at this point. Otherwise, the second step of the GDPR applicability test involves examination of the criteria referred to in Art. 3.

Personal data protection legislation does not necessarily apply to all perceived personal data processing, as duly noted by the Art. 29 WP: “the mere fact that a certain situation may be considered as involving ‘the processing of personal data’ in the sense of the definition does not alone determine that this situation is to be subject to the rules of the Directive”, referring to the DPD.[1] In other words, “the scope of the data protection rules should not be overstretched”.[2]

Excessive recourse to the personal data protection provisions whenever personal data are even remotely affected may lead to “excessively burdensome or even absurd consequences”.[3] While public expectations may indeed invoke application of personal data protection legislation each time mere mention of “personal data” is made, a connotation perhaps accentuated by the fact that the differentiation under EU law between the right to privacy and the right to data protection is relatively recent, a fine balance needs to be struck, by SAs and courts alike, while verifying whether the GDPR is applicable in any processing operation under examination. GDPR ubiquity may well work against the data protection purposes: apart from loss of legal certainty, any forced application of legal provisions in cases that they were not originally designed to cover may prove ineffective, arbitrary, and, ultimately, lead to disappointment.

GDPR applicability does not necessarily equate to personal data protection law applicability. Admittedly, according to the EU data protection architecture, the GDPR is the de facto dominating legal instrument in the field. A number of formative and substantial reasons may be used to justify its placement. The GDPR effectuates the Art. 16 TFEU requirement;[4] it requires that EU institutions “adapt” to its principles and rules;[5] the LED copy-pastes its rules;[6] other specialised personal data protection legislation (e.g., the draft ePrivacy Regulation)[7] “complement and particularise” certain of the GDPR provisions; and, being a Regulation, it is directly applicable in Member State law.

However, it is important to note that the GDPR ought not to be perceived as the only personal data protection text, outside of which no personal data protection exists. Large swathes of personal data processing are left outside of its scope, as set in paras. 2(a) and 2(b) of Art. 2, even under combined reading with the respective Art. 2 of the LED. These fields may, or may not, apply their own data protection rules. This, notwithstanding the actual scope of the unequivocal wording of Art. 16 para. 1 TFEU,[8] will largely depend on whether the respective Member State has chosen to – explicitly or through case law – insert in its constitution the right to personal data protection. While a number of EU Member States have indeed chosen to do so, this is by no means the norm.

 

 

[…]

 

 

[1] ‘Opinion 4/2007 on the Concept of Personal Data’ (Art. 29 Data Protection Working Party, 20 June 2007), p.4.

[2] ‘Opinion 4/2007’, p.5.

[3] ‘Opinion 4/2007’.

[4] See also recital 9 of the LED.

[5] See its Art. 2 para. 3.

[6] Although twins, the GDPR is the older one, as denoted not only through their numbering in the Official Journal, but also through the LED’s own wording, and also during law-making work at EU level on each instrument.

[7] ‘Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), COM/2017/010 Final, 2017/03 (COD)’ (European Commission, 2017).

[8] “Everyone has the right to the protection of personal data concerning them”.
