Data protection and telecommunications in Europe: Do we need a new European regulation?


In today’s digital environment, the increasingly widespread use of social networking sites and location-based services and the constant collection of data for advertising purposes make the protection of privacy online a fundamental issue.

According to a recent Eurobarometer, 70% of the Europeans are concerned that their personal data may be misused[i]. European citizens place a high value on privacy, explicitly guaranteed by Article 8 of the EU’s Charter of Fundamental Rights. The centerpiece of the present EU data protection framework was adopted 17 years ago, at a time when Internet had not yet revolutionised our everyday life and cybersecurity was not yet an imperative[ii].

The several hackings registered in 2011, affecting Playstation Network[iii] as well as Citigroup[iv] solicited demand for a modernised and strengthened data protection framework. Additionally, lack of uniform transposition in the national legislations resulted in a patchwork of different obligations for enterprises and varying levels of protection.

The European Commission finally proposed a comprehensive reform last 25th January: a Communication and two legislative proposals,  a Regulation setting out a common EU framework for data protection and a Directive on data processed for criminal offences and related judicial activities. The draft reform is aimed to build a single, stronger and more coherent data protection framework, allowing the development of digital economy while guaranteeing a greater control of personal data and a reinforced legal certainty. Yet several points were object of heavy criticism either from national authorities and enterprises.

Key changes include a right to have access to their own data and to erase them (what has been called “a right to be forgotten”) if there are no legitimate grounds for retaining it. Enterprises are called to establish data protection structures with numerous prescribed obligations, while independent national data protection authorities will be allowed to sanction violation of EU data protection rules with fines of up to €1 million or up to 2% of the global annual turnover of a company. This  pushed enterprises like Microsoft Europe to express concern that the regulation might be “too restrictive”[v].

Additionally, companies based outside the EU, but which target their services to EU consumers, will be subject to EU data protection law as well.

The German Minister of the Interior and a Federal Constitutional Court Judge already criticized the choice of a regulation in early December. Since in Germany not only courts but also individual citizens can appeal to the Constitutional Court when they feel their fundamental rights are violated, the new regulatory framework could ironically reduce German citizens’ rights. German courts would no longer decide on the interpretation of data protection law, but would need to present critical cases to the European Court of Justice[vi].French CNIL agreed that national authorities risk to be reduced to play the role of a mailbox, determining a “real regression towards the citizens’rights”[vii].

So, do we really need a new regulation? The fact that 1995 directive failed to impose a common level of protection in all EU member states means that an Internet company cannot operate across the 27-countries under the same regulations. Therefore these enterprises urged EU lawmakers to simplify the existing practice[viii]. Lack of uniformity has to be addressed: despite national authorities  complain that a European regulation would essentially deprive them of control powers, in some member states the existing system does not ensure effective protection. While the  global dimension of data exchange imposes uniformisation of rules also outside of Europe, the fixation of a common level of protection should allow national authorities to continue to play their essential role of inspection, investigation and regulation.

However, as the Commission’s proposals are now to be passed on to the European Parliament and EU Council of Ministers for discussion, they are likely to undergo to a lively debate and some points might be significantly changed.

[i]“Data Protection: Europeans Share Data Online, But Privacy Concerns Remain-New Survey”, European Commission, Brussels, 16 June 2011.

[ii] “Safeguarding Privacy in a Connected World – A European Data Protection Framework for the 21st

[ii]Century” COM(2012) 9 final.

[iii] “PlayStation Outage Caused by Hacking Attack”, in BBC News, 25 April 2011,

[iv]Smith R., “Citigroup Says Hacking Affected 360,000 Cards” in The Wall Street Journal, 26 June 2011

[v] EU Proposed “right to be forgotten” by Internet firms”, BBC News Technology, 23 January 2012 (last visited 03 february 2012)


[vii] “Draft EU Regulation on Data Protection: The Defense of Data Protection Driven Apart From Citizens”,ibidem.

[viii] Pfanner E., “A proposal for EU Wide Data Protection Regulation”, The New York Times, 29 November 2011,

About Author

Rosa Rosanelli

Rosa Rosanelli is contributor at the International Security Observer (ISO). Rosa is a graduate student of the Master 2 Space Law and telecommunications at Paris Sud University. She gained significant experience in the field of juridical, political and strategic aspects of space activities within the framework of a Istituto Affari Internazionali-Finmeccanica scolarship and an Internship at the European Space Policy Institute in Vienna. Her research activities include space for security and defence; European policy; telecommunications regulaton and export control. For the ISO, she is responsible for leading the research group on Defence & Aerospace. Rosa holds a Master in International Relations at Sapienza University of Rome. She speaks Italian, English, French, Russian and German.

Comments are closed.

Get Amazing Articles

Get our articles delivered straight to your inbox. Sign Up Now.
Email address
Secure and Spam free...