The challenges of European data protection policy : an analysis of supranational decision-making processes

‘Everyone has the right to the protection of personal data concerning him or her.’ This right of privacy is codified in Article 8 (1) of the Charta of Fundamental Rights of the European Union. A broad definition is given in the second paragraph, stating that personal data can only be used in specified cases and with the agreement of the person concerned or some other legitimate aim. Until the mid 1990s each Member State of the European Union had its own legislation on data protection policy. However, this was considered to be a hindrance for the internal market and its ‘free flow of data’. Thus, in 1995 a first Directive was passed laying down the basic principles of European data protection policy. Subsequently, further legislative acts were passed in order to regulate more specific issues. The circumstances in which data protection policy takes place are changing constantly. In an era of rapid technological advancement, new developments and inventions are becoming increasingly popular. The last decade has seen, by way of example, an exponentially increasing popularity of online shopping and social networking. While facilitating communication and the provision of goods and services, those developments also entail new possibilities for the collection and processing of data. Besides this, a growing fear of terror attacks stimulates the debate about the future of data protection policy. The question discussed in this context is to what extent data protection rights can be restricted to prevent such serious and organized crime as terrorism. This short outline indicates that data protection policy is a topic of steady relevance. In the last two decades the European Union has realized the importance of harmonized European regulations on consumer protection policies – including data protection - for the establishment of the internal market and passed various acts of law. Yet, a view on the decision- making processes reveals that different and to some extent opposing opinions exist on how to regulate the field of data protection policy. This has lead to controversial and protracted debates in the past. Taking into account the contexts in which former decision procedures took place, this paper examines the European Union’s ability to cope with the aforementioned new challenges of the policy field. Thus, the following research question shall be analyzed: What are the possibilities and limits of European decision-making in the field of data protection policy?