The EU has been a pioneer in the fields of data protection and online privacy, having first enacted legislation more than 20 years ago. It recently completed a major reform of its data protection framework, which is intended to enhance protections for individuals, provide a single set of harmonized rules for businesses, and simplify procedures for transferring data outside the EU.
Listed below are some of the most important pieces of EU legislation on data protection and privacy currently in force.
The following legislation is no longer in force, but it may be of interest for historical research.
For those unfamiliar with the different types of EU legislation, the following definitions are provided:
The Charter of Fundamental Rights enshrines within a single document the political, social, and economic rights protected by the EU. It applies to both the EU, as an institution, and to its member states when they implement EU law. EU courts are empowered to strike down legislation and official actions that are inconsistent with the Charter.
The full text of the Charter is available for download in PDF format. Relevant provisions of the Charter include Article 7 (respect for private and family life), Article 8 (protection of personal data), and Article 11 (freedom of expression and information).
EU courts are generating a growing body of case law involving privacy and data protection, most notably the judgment in Google Spain SL and Google Inc. v Agencia Española de Protección de Datos (AEPD) and Mario Costeja González, also known as the "right to be forgotten" case.
To search by keyword for EU case law on privacy and data security, use the EUR-Lex database and select "EU Case Law" from the menu at the top of the homepage. Searchable databases of EU case law also are available on Lexis and Westlaw.
EU Data Protection Portal
The European Commission, the executive arm of the EU, maintains this convenient gateway for information about the EU's data protection and privacy law.
This crowd-sourced educational portal, which is not affiliated with the EU, is intended to provide reliable, objective information about the GDPR, its origins, and its impact, including: