Data Protection and Privacy in 2018: Going beyond the GDPR


Data Protection and Privacy in 2018: Going beyond the GDPR

2018 will be a landmark year for data protection. As co-host of the 2018 International Conference of Data Protection and Privacy Commissioners (ICDPPC) and a key player in the reform and implementation of the new EU data protection framework, the EDPS will remain at the forefront of the global dialogue on data protection and privacy in the digital age, the European Data Protection Supervisor (EDPS) said today, as he presented his 2017 Annual Report to the European Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE).

Giovanni Buttarelli, EDPS, said:In the EDPS Strategy 2015-2019, we set out three goals and an action plan to help the EU lead by example in the global dialogue on data protection and privacy in the digital age. As our 2017 Annual Report shows, we are well on the way to achieving our aim. In October this year, Brussels will play host to the 40th International Conference of Data Protection and Privacy Commissioners. This is a unique opportunity to showcase the leading role played by the EU in this area. Through focusing on the topic of Digital Ethics, we will explore effective, international and interdisciplinary responses to the challenges we face in the digital age. Today, I am therefore proud to announce not only the publication of our 2017 Annual Report, but also the launch of our 2018 International Conference website.”  

The EU leads the way in its approach to data protection and privacy in the digital age. For many around the world, the new the General Data Protection Regulation (GDPR), which will apply to all companies and organisations operating within the EU from 25 May 2018, is seen as a gold standard. Yet while technology continues to develop at a rapid pace, the new EU data protection framework remains incomplete. Revised data protection rules for the EU institutions and bodies and new rules on ePrivacy are still urgently needed.

Wojciech Wiewiórowski, Assistant EDPS, said:The EDPS has been working hard to prepare for the new EU data protection framework. We are cooperating closely with our partners from the EU’s national data protection authorities, through the Article 29 Working Party, to prepare guidance on the GDPR and to ensure that the new European Data Protection Board (EDPB), for which the EDPS will provide the secretariat, will be operational from May 2018. As the supervisory authority for the EU institutions, we have dedicated much time and effort to ensuring that they are fully prepared for the new rules, regardless of when they come into force, and we continue to act as a committed partner in the legislative process, providing advice and support where appropriate.”

In 2017, the EDPS published advice on a range of different EU policy proposals with an impact on data protection and privacy, including those on the revised rules for the EU institutions and on ePrivacy. He also contributed to ongoing discussions on the Privacy Shield and on the free flow of data in trade agreements, which will remain on the EU and EDPS agenda throughout 2018. With the fight against terrorism still a pressing concern for the EU, the EDPS continues to advocate the need to find a balance between security and privacy in the processing of personal data by law enforcement authorities. As the new data protection supervisor for Europol, the EU’s police authority, he is determined to ensure that the EU sets an example in achieving this balance.


The rules for data protection in the EU institutions, as well as the duties of the European Data Protection Supervisor (EDPS), are set out in Regulation (EC) No 45/2001. The EDPS is a relatively new but increasingly influential independent supervisory authority with responsibility for monitoring the processing of personal data by the EU institutions and bodies, advising on policies and legislation that affect privacy and cooperating with similar authorities to ensure consistent data protection.

Giovanni Buttarelli (EDPS) and Wojciech Wiewiórowski (Assistant EDPS) are the members of the institution, appointed by a joint decision of the European Parliament and the Council. Assigned for a five year term, they took office on 4 December 2014.

Key figures for 2017:

  • 33 decisions issued on complaints relating to the processing of personal data by EU institutions
  • 58 prior check Opinions issued (83% relating to administrative procedures proposed by EU institutions)
  • 8 inspections
  • 3 visits to EU institutions
  • 11 Opinions issued on legislative proposals
  • 6 Formal Comments issued on legislative proposals
  • 2 papers issued relating to legislative proposals


EDPS Strategy 2015-2019: Unveiled on 2 March 2015, the EDPS Strategy 2015-2019 summarises the major data protection and privacy challenges over the coming years; three strategic objectives and ten accompanying actions for meeting those challenges; and how to deliver the strategy through effective resource management, clear communication and evaluation of our performance.

Privacy: the right of an individual to be left alone and in control of information about his or herself. The right to privacy or private life is enshrined in the Universal Declaration of Human Rights (Article 12), the European Convention of Human Rights (Article 8) and the European Charter of Fundamental Rights (Article 7). The Charter also contains an explicit right to the protection of personal data (Article 8).

Privacy Shield: In October 2015, the Court of Justice of the European Union ruled that the Safe Harbour framework was invalid because it did not provide a sufficient level of data protection for personal data transferred by companies from the EU to the US, as required by EU law. In February 2016, the EU-US Privacy Shield was announced by the European Commission and the US Department of Commerce as a replacement for Safe Harbour.

The EU-US Umbrella Agreement covers data transfers across the Atlantic for law enforcement purposes while the EU-US Privacy Shield covers data exchange for commercial purposes.

EU Data Protection Reform package:
On 25 January 2012, the European Commission adopted its reform package, comprising two legislative proposals:

  • a general Regulation on data protection, which was adopted on 24 May 2016, applicable as of 25 May 2018; and
  • a specific Directive on data protection in the area of police and justice, adopted on 5 May 2016, applicable as of 6 May 2018.

The official texts of the Regulation and the Directive are now recognised as law across the European Union (EU). Member States were given two years to ensure that they are fully implementable in their countries by May 2018.

The revision of Regulation 45/2001, which addresses data protection in the EU institutions and bodies, is currently underway, while new rules on ePrivacy are also planned.

Available languages: English