European Data Protection Supervisor
European Data Protection Supervisor

The EU should ensure an area of freedom, security and justice with the rights of individuals at its core

The EU should ensure an area of freedom, security and justice with the rights of individuals at its core


The EU should ensure an area of freedom, security and justice with the rights of individuals at its core

The EDPS today called on the European Council to place the rights of individuals at the core of justice and security policies in the years to come. The intention of the European Council to define strategic guidelines under the current treaties, for further legislative and operational planning in the area of freedom, security and justice is an opportunity to revitalise the EU's approach in these areas and to repair the loss of trust resulting from the revelations about mass surveillance.

Peter Hustinx, EDPS, said: “The European Court of Justice's recent annulment of the data retention directive as an excessive violation of individuals’ rights to personal data protection should serve as a wakeup call to the EU. Policymakers need to apply proper limitations and safeguards in a more informed and systematic manner when launching proposals which have a significant impact on fundamental rights.”

In his Opinion on the future development of the area of freedom, security and justice published today, the EDPS highlights the need for fuller integration of privacy and data protection in the activities of all EU institutions.

The EDPS also recommends that in the new strategic guidelines, the European Council explicitly recognises that EU justice and home affairs laws and operations, including in agreements with third countries and cooperation with the private sector, often require large scale personal data processing. The guidelines should acknowledge that, unless initiatives are built on a robust foundation which respects fundamental rights, they are unlikely to succeed. 

The starting point, however, must be an agreement without further delay of a robust and modernised legal framework for data protection.

The EDPS offers to work with the European legislator to develop a policy toolkit for meeting legitimate justice and home affairs objectives and to safeguard data protection in an efficient and effective way. This will help in shaping the initiatives but also with implementation and consolidation – such as ensuring that individuals are able to obtain redress for illegal data processing, in line with the Commission's call for a justice agenda which facilitates citizens' lives.

Background information

Privacy and data protection are fundamental rights in the EU. Under the Data Protection Regulation (EC) No 45/2001, one of the duties of the EDPS is to advise the European Commission, the European Parliament and the Council on proposals for new legislation and a wide range of other issues that have an impact on data protection. Furthermore, EU institutions and bodies processing personal data presenting specific risks to the rights and freedoms of individuals ('data subjects') are subject to prior-checking by the EDPS. If in the opinion of the EDPS, the notified processing may involve a breach of any provision of the Regulation, he shall make proposals to avoid such a breach.

The area of freedom, security and justice was created to ensure the free movement of persons and to offer a high level of protection to citizens. It covers policy areas that range from the management of the European Union’s external borders to judicial cooperation in civil and criminal matters. It includes asylum and immigration policies, police cooperation, and the fight against crime (terrorism, organised crime, trafficking in human beings, drugs, etc.). The creation of the area of freedom, security and justice is based on the Tampere (1999-04), Hague (2004-09) and Stockholm (2010-14) programmes. It derives from Title V of the Treaty on the Functioning of the European Union, which regulates the “Area of freedom, security and justice”. See Europa website for more.

In December 2013, the European Council announced its intention - for the first time under the current treaties - to define ‘strategic guidelines for further legislative and operational planning in the area of freedom, security and justice (‘post-Stockholm’). Since then the Commission has adopted two communications on the topic, the European Parliament has adopted a resolution, while the Council has continued to hold a series of discussions. The EDPS made a contribution to deliberations on the previous multiannual plan which became known as the Stockholm Programme.

Personal data: any information relating to an identified or identifiable natural (living) person. Examples include names, dates of birth, photographs, e-mail addresses and telephone numbers. Other details such as health data, data used for evaluation purposes and traffic data on the use of telephone, email or internet are also considered personal data.

Privacy: the right of an individual to be left alone and in control of information about him or herself. The right to privacy or respect for private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

EU Data Protection Reform package: on 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals: a general Regulation on data protection (directly applicable in all Member States) and a specific Directive (to be transposed into national laws) on data protection in the area of police and justice. In addition to his opinion of 7 March 2012, the EDPS sent further comments on 15 March 2013. The two proposals have been discussed extensively in the European Parliament (EP) and the Council. The EP voted on the package on 12 March 2014. The outcome of Council discussions will determine the next steps. For more information on the reform, we refer you to a dedicated section on the EDPS website.

Data processing: processing of personal data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction. See EDPS glossary for more information.