Author: Domingos Farinho
The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data.
I. Overview
Art. 98 mandates the Comm to review “other Union legal acts on the protection of personal data”. The provision states that the Comm should submit legislative proposals “if appropriate”, which seems to leave the Comm with a degree of discretion in choosing to amend legislation. However, since the GDPR also states that the review must be made to “ensure uniform and consistent protection of natural persons with regard to processing” and specifically mentions personal data processing by EU institutions, this discretion should be scrutinised accordingly, in order to guarantee the desired goal.
The GDPR sets itself as the standard for data protection in the EU and, as such, this provision has the goal of assuring there is coherence and consistency across all the legislative texts that comprise rules regarding the protection of personal data, with the GDPR functioning as the normative reference. Art. 98 also entails that any legislation proposed by the Comm after the adoption of the GDPR should be aligned with it, to pursue the same goal of “uniform and consistent protection” of personal data.
II. Legislative history
The DPD did not have a provision similar to Art. 98. This was to be expected considering that the DPD was the first legal framework on data protection of the EU, regarded as “an internal market related issue”.[1] The DPD was meant as a general framework, allowing for special regimes for specific sectors,[2] but, at the time of its enactment, such special regimes were still to be devised. However, the DPD did include a limited review clause on Art. 33 para. 2,[3] regarding the processing of image and audio, although it was not specified if the appropriate proposals required by such clause were to be aimed solely at reviewing the DPD or could regard the enactment of further legislation.
The ePrivacy Directives of 1997 and 2002, and Regulation (EC) N. 45/2001 on the protection of individuals with regard to the processing of personal data by the Community institutions and bodies and on the free movement of such data (superseded by Regulation 2018/1725) became the only other pieces of EU legislation to refer specifically to data protection in the EU. This explains the explicit references in recitals 17 and 173 of the GDPR requiring review and amendment endeavours. Recital 17 states that Regulation 45/2001 “and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established” in the GDPR. In turn, recital 173 states that the ePrivacy-Directive, once the GDPR is adopted, “should be reviewed in particular in order to ensure consistency with this regulation”.
Since the enactment of the DPD and the entry into force of the GDPR, the EU legislator has also approved legislation that, although not specifically aimed at data protection, foresees specific provisions concerning the protection of personal data (→ mn. 15) and that should thus come under the scope of Art. 98 (→ mn. 7).
[…]
[1]See Art. 29 WP 168, p. 6.
[2]Ibid.
[3]See Tosoni, ‘Art. 98’, in Kuner/Bygrave/Docksey, p. 1314.