*This report updates a report from 2012
Since 2012, the EU has implemented its proposed reform of the existing legislative framework on the protection of personal data and has published another proposal. The 2002 Directive on Privacy and Electronic Communications (ePrivacy Directive) and the General Data Protection Regulation (GDPR), which entered into force May 2016, currently form the two main pillars of the data protection legal framework in the EU. The GDPR replaced and updated the 1995 data protection rules with the goals of strengthening online privacy rights, boosting Europe’s digital economy, and streamlining the implementation of data protection rules in EU Member States. In order to align the rules on electronic communications with technical developments and with the GDPR, the European Commission published a legislative proposal for a regulation on privacy and electronic communications on January 10, 2017. The proposed regulation would repeal and replace the 2002 ePrivacy Directive and take effect in May 2018.
The protection of personal data and the respect for private life are fundamental rights in the European Union (EU). Personal data is defined as “any information relating to an identified or identifiable natural person (data subject).” Since publication of the Law Library of Congress’s 2012 report on online privacy law, the EU has implemented the proposed reform of the existing legislative framework on the protection of personal data discussed in the report and in 2017 published another proposal. The data protection legal framework in the EU currently consists of two main pillars, the Directive on Privacy and Electronic Communications (ePrivacy Directive) and the General Data Protection Regulation (GDPR).
The EU’s first rules for the protection of personal data were adopted in 1995, when the internet was still in its infancy. The 1995 Data Protection Directive set out general rules to safeguard the right to privacy with regard to the processing of personal data and provided for the free movement of such data in the Member States. It stipulated that any processing of personal information required the explicit consent of the person concerned and that advance information about such data processing had to be provided to the data subject. Since then, globalization and technological advancements have brought new challenges for the protection of personal data and required a reform of the EU data protection framework.
In January 2012, the European Commission presented a plan for a comprehensive reform of the EU’s 1995 data protection rules. The goals of the reform were to strengthen online privacy rights, boost Europe’s digital economy, and streamline the implementation of data protection rules in the EU Member States. One of the concerns with the 1995 rules was that they had been implemented in differing ways in the Member States, leading to fragmentation. The reform plan included a policy communication setting out the Commission’s objectives and two legislative proposals—one for a General Data Protection Regulation (GDPR) and one for a Criminal Law Enforcement Data Protection Directive. The GDPR and the Criminal Law Enforcement Data Protection Directive were adopted in April 2016. The GDPR entered into force on May 24, 2016, and will apply directly in the EU Member States beginning May 25, 2018. The Criminal Law Enforcement Data Protection Directive entered into force on May 5, 2016. The deadline for implementation into national law for EU Member States is May 6, 2018.
On January 10, 2017, the European Commission published another legislative proposal that aims to align current rules with technical developments and with the GDPR. The proposed regulation on privacy and electronic communications (ePrivacy Regulation) would repeal the ePrivacy Directive 2002/58/EC and particularize and complement the GDPR, meaning that all matters concerning the processing of personal data not specifically addressed in the proposal would be covered by the GDPR. The proposed regulation would take effect on May 25, 2018.
Other EU legislative instruments on personal data protection included Directive 2006/24/EC on data retention. However, Directive 2006/24/EC was declared invalid by the Court of Justice of the European Union (ECJ) on April 8, 2014, because it violated the right to privacy (article 7), the right to protection of personal data (article 8), and the principle of proportionality (article 52) as codified in the EU Charter. It has not been replaced with new EU legislation. Instead, national data retention laws are applicable, but they are subject to review by the ECJ. The ECJ held that data retention obligations and access to that data are only permissible under EU law if they are strictly necessary. In the Court’s opinion, EU law precludes national legislation that prescribes general and indiscriminate retention of data. The Commission has announced that it will develop guidance as to how national data retention laws can be constructed to comply with the ECJ ruling.
II. Legal Framework
A. General Data Protection Regulation
The GDPR builds upon the 1995 Data Protection Directive and updates and modernizes the principles enshrined in it to deal with the challenges posed by the digital economy. In order to avoid the fragmentation that resulted from the differing implementation and enforcement of the 1995 directive in the EU Member States, the Commission opted for a regulation. The regulation will be directly applicable in the Member States with generally no domestic implementing legislation needed.
1. Material and Territorial Scope
According to section 2 of the GDPR, the regulation applies to the “processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.” “Processing” is defined as “any operation or set of operations which is performed on personal data or on sets of personal data.”
The territorial scope covers businesses with an EU establishment where personal data is processed “in the context of the activities” of that establishment. It is irrelevant whether the data processing itself takes place in the EU. “Establishment” is broadly defined by the ECJ. It held that the “concept of ‘establishment’ . . . extends to any real and effective activity—even a minimal one—exercised through stable arrangements.” The presence of only one representative can, in some circumstances, suffice.
If the organization has no establishment in the EU, the GDPR applies where the processing activities are related to the offering of goods and services to data subjects located in the EU or where the behavior of EU data subjects is monitored. Monitoring behavior includes, in particular, tracking an EU resident on the internet as well as the potential subsequent use of personal data processing techniques to profile that person—for example to analyze or predict her or his personal preferences, behaviors, and attitudes.
Lastly, the GDPR will apply to organizations without an EU establishment if the law of a Member State applies by virtue of public international law, such as in a Member State’s diplomatic mission or consular post.
2. Principles Relating to Processing of Personal Data
Personal data may only be processed if certain principles are complied with. These principles are
(a) lawfulness, fairness, and transparency;
(b) purpose limitation, meaning personal data may only be collected for specified, explicit, and legitimate purposes and not be further processed in a manner that is incompatible with those purposes;
(c) data minimization, meaning processing of personal data should be adequate, relevant, and limited to what is necessary;
(d) accuracy and keeping data up to date;
(f) storage limitation, meaning that personal data in a form which permits identification of data subjects may not be kept longer than is necessary for the purposes for which the personal data are processed; and
(g) integrity and confidentiality to ensure the appropriate security of the processed personal data.
The controller processing the data is responsible for compliance with the aforementioned principles and has to be able to demonstrate such compliance.
a. Lawfulness in General
Article 6 of the GDPR sets out the conditions under which the data processing is considered lawful. The most common ground is consent given by the data subject. Other grounds include when the data processing is necessary for
- performance of a contract with the data subject or to take steps preparatory to such a contract;
- compliance with a legal obligation;
- protection of the vital interests of a data subject or another person where the data subject is incapable of giving consent;
- performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; or
- legitimate interests pursued by the controller or by a third party.
Consent is only valid if it is freely given, specific, informed, and an unambiguous indication of the data subject’s wishes by which he or she signifies agreement to the processing of personal data relating to him or her. It may be withdrawn at any time. Silence, pre-ticked boxes, or inactivity do not constitute consent. In addition, consent is not valid in the context of a contract including the provision of a service, if the data subject is required to give consent to uses of his or her personal data that are not necessary for the performance of the contract or service. There is a presumption that such consent is not freely given. When the processing has multiple purposes, separate consent must be given to each for all of them to be valid.
When “information society services” are offered directly to children, consent is subject to specific rules. If the child is younger than sixteen years, parental consent is needed for the processing to be lawful. Member States may lower the age to thirteen. Because children are regarded as particularly vulnerable, any information or communication to a child has to be easily understandable in clear and plain language.
c. Fairness and Transparency
In order to ensure fairness and transparency, data controllers must provide data subjects with extensive information, unless they already have this information, at the time the data is obtained. The information includes, among other things, the controller’s identity and contact details, the data protection officer’s contact details, the purposes and the legal basis of the data processing, the “legitimate interests” pursued by the controller or by a third party if this is used as a legal basis, personal data recipients or recipient categories, details of data transfers outside the EU if applicable, the retention period, rights of the data subject to his or her data, and the possibility of submitting a complaint to a supervisory authority.
d. Sensitive Personal Data
In general, processing sensitive personal data is prohibited. Sensitive data includes personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, and data concerning health or a natural person’s sex life or sexual orientation. The processing of photographs is only considered processing of biometric data if it allows the unique identification or authentication of a natural person. As an exception, sensitive data may be processed if the data subject has given explicit consent for one or more specified purposes or if one of the other enumerated grounds allows the processing, including obligations under a collective agreement or under employment, social security, or social protection law. The GDPR allows Member States to maintain or adopt further conditions, including limitations, with regard to the processing of genetic, biometric, or health data.
3. Rights of Data Subjects
The GDPR grants data subjects various rights with respect to their data. Among them are the right of information and access, the right to data portability, the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction, and several rights to object to data processing. After a data subject makes a request based on these rights, action must generally be taken without undue delay and, in any event, within one month of receipt of the request.
a. Right of Information and Access
The right of information and access provides the data subject with the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, when that is the case, access to the personal data and supplemental information. The controller must provide a copy of the processed data to the data subject free of charge. If the request is made electronically, the information should be provided in a commonly used electronic form.
b. Right to Data Portability
The right to data portability is broader than the right to receive data in a commonly used electronic form, but it only applies to personal data that the data subject has provided to the controller, that was processed under consent or contract, and that is processed by automated means. It requires the controller to provide information to the data subject in a structured, commonly used, and machine-readable form. The data subject can also require the controller to transmit those data to another controller.
c. Right to Rectification
The right to rectification gives the data subject a right to require the controller to rectify inaccurate personal data concerning him or her and in some cases to complete incomplete information.
d. Right to Be Forgotten
The right to erasure (“right to be forgotten”) provides data subjects with the right to require controllers to erase personal data when certain conditions are met. The provision draws from a May 13, 2014, decision by the ECJ. A data subject may demand erasure if
- the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed;
- the data subject withdraws the consent on which the processing is based and there is no other legal ground for the processing;
- the data subject objects to the processing on the basis of legitimate interests and there are no overriding legitimate grounds for the processing;
- the personal data have been unlawfully processed in breach of the GDPR;
- the personal data must be erased to comply with an EU or Member State legal obligation to which the controller is subject; or
- the personal data have been collected in relation to the offer of information society services directly to a child and consent was given by the child, but he or she was not fully aware of the risks involved by the processing at the time, and later wants to remove such personal data.
If one of these grounds for erasure applies and the controller has made the personal data public, he or she has to take reasonable steps to inform other controllers who are processing the data that the data subject has requested erasure of any links to, or copies or replications of, those personal data. The right to erasure may be restricted if an exemption applies, such as if the processing is necessary to exercise freedom of expression and information.
e. Right to Restriction
Instead of erasure, the data subject may have a right to restriction of processing of personal data. Restriction means that the controller may only store the data but not process it further. A right to restriction exists if
- the accuracy of the personal data is contested by the data subject while the controller verifies it;
- the processing is unlawful and the data subject requests the restriction instead of erasure;
- the controller no longer needs the personal data for processing purposes, but the data subject requires them for the establishment, exercise, or defense of legal claims; or
- the data subject has objected to processing based on legitimate interests pending the verification of whether the controller has overriding legitimate grounds.
f. Rights to Object to Processing
Data subjects have several rights to object to the processing of personal data carried out for specific purposes. They have an absolute right to object at any time where personal data are processed for direct marketing purposes. If the processing is necessary for the performance of a task carried out in the public interest, or if it is necessary for legitimate interests pursued by the controller, the data subject may object to the processing on grounds relating to his or her particular situation. If the processing is done for scientific or historical research purposes or statistical purposes, the data subject has a right to object on grounds relating to his or her particular situation, unless the processing is necessary for the performance of a task carried out in the public interest.
The GDPR states that its provisions will be enforced by an independent national supervisory authority in each Member State. In cases where the processing of personal data takes place in more than one Member State (cross-border processing), the business will be primarily regulated by the supervisory authority in the Member State in which it has its main establishment (the lead supervisory authority). The lead supervisory authority must cooperate with the national supervisory authorities in the other Member States where the business is established, and they may conduct joint operations. The approach adopted in the final version of the regulation is a watered-down version of the initial proposal. The proposal envisaged a “one-stop shop” under which a business conducting cross-border processing would only have to deal with a single supervisory authority to ensure a uniform application. This proposal was not adopted because Member States were opposed to the idea.
In addition, the GDPR creates an independent European Data Protection Board (EDPB) with legal personality. The EDPB is composed of the head of one supervisory authority of each Member State and of the European Data Protection Supervisor. It monitors the application of the GDPR and advises the EU Commission, issues guidelines, recommendations, and best practices on particular issues, and adjudicates disputes arising from supervisory authority decisions.
5. Notification of Data Breach and Penalties
If there is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, the data controller has an obligation to notify the supervisory authority and the data subject without undue delay if the breach is likely to result in a high risk to the rights and freedoms of natural persons. Failure to provide notification of a breach may result in administrative fines. There are two tiers of fines, depending on the nature of the breach. Fines are either up to €10 million (about US$10.9 million), or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, or up to €20 million (about US$23.2 million) or up to 4% of the total worldwide annual turnover, whichever is higher.
6. Remedies for Data Subjects
Data subjects have the right to lodge a complaint with their supervisory authority against data processors and controllers if the processing of personal data infringes the GDPR. If there has been an infringement, data subjects have a right to receive compensation for damages from the processor or controller. The GDPR provides that the concept of damages “should be broadly interpreted in the light of the case law of the Court of Justice in a manner which fully reflects the objectives of this Regulation.” Furthermore, the GDPR authorizes not-for-profit bodies, organizations, or associations to lodge complaints on behalf of data subjects with supervisory authorities.
B. The ePrivacy Directive
Currently, rules on privacy and electronic communications are codified in the ePrivacy Directive 2002/58/EC as modified by the Cookies Directive. It was adopted in 2002 and states, among other things, how the principles in the 1995 Data Protection Directive apply to the electronic communications sector. The proposed regulation on electronic privacy mentioned above would repeal and replace the directive.
The aim of the ePrivacy Directive is to ensure an equivalent level of protection of fundamental rights and freedoms (particularly the right to privacy) with respect to personal data processing in the electronic communications sector and to ensure the free movement of such data. The ePrivacy Directive covers processing of personal data by traditional telecom providers in public communications networks in the EU and mandates that Member States protect the confidentiality of the content of electronic communications through national legislation.
With regard to cookies and other identifiers, the ePrivacy Directive requires Member States to ensure that storing or gaining access to information already stored in a subscriber or user’s terminal equipment is only allowed if the subscriber or user concerned has given his or her consent.
Traffic data, defined as “any data processed for the purpose of a conveyance of a communication on an electronic communications network or for the billing thereof,” must be deleted or made anonymous when it is no longer needed. Exceptions are allowed for billing purposes and national security reasons, among others.
Location data, defined as “any data processed in an electronic communications network, indicating the geographic position of the terminal equipment of a user of a publicly available electronic communications service,” may only be processed when they are made anonymous, or with the consent of the users or subscribers to the extent and for the duration necessary for the provision of a value-added service. Value-added services are commonly known as location-based services. The provision is only applicable to electronic communications service providers and not to information society service providers.
Article 13, paragraph 1 of the ePrivacy Directive contains rules with regard to unsolicited direct marketing. It prohibits the use of automated calling machines and the use of fax and email for direct marketing (“spam”) without the prior consent of the subscriber or user. In 2004, the Article 29 Working Party, which was set up under article 29 of the 1995 Data Protection Directive as an independent European advisory body on data protection and privacy, concluded in an opinion that the prohibition applies exclusively to “messages by electronic communications” and not to messages exchanged via information society services.
C. Proposal for an ePrivacy Regulation
The proposed regulation will enter into force after it has been adopted by both the European Parliament and the Council in what was formerly called the “co-decision procedure,” now referred to as the ordinary legislative procedure. Unlike the directive, it will be directly applicable in all EU Member States with no domestic implementing legislation needed. In order to ensure uniform application in all Member States, the proposal provides that the regulation will be enforced by the independent national supervisory authorities already competent to enforce the GDPR.
The proposed ePrivacy Regulation would have a wider scope than the current directive. It would cover providing e-communications services to end-users in the EU, irrespective of whether the end-user is required to pay for the service; the use of such services; and the protection of information related to the terminal equipment of end-users located in the EU. Providers that are located outside the EU would have to appoint a representative in the EU.
In addition to traditional telecom providers and the content of electronic communications, the proposed regulation would extend coverage to internet-based voice and messaging services such as WhatsApp, Facebook Messenger, and Skype. The confidentiality of content and metadata derived from electronic communications would also be protected.
Furthermore, the ePrivacy Regulation would ban unsolicited spam marketing messages and calls received via email, SMS, and automated calling machines, irrespective of the technology used to convey these unsolicited communications. However, the use of email contact details within the context of an existing customer relationship for the offering of similar products or services would be allowed. The email from the marketing company would be required to contain clear information on how to object to such a use. The ePrivacy Regulation would also require marketing companies to either display their phone numbers or use a special code or prefix that indicates a marketing call. In addition, it would require telecom providers to offer end users the means to limit the reception of unwanted calls and to block calls from specific numbers or from anonymous sources free of charge.
2. Status of Negotiations
As mentioned, both the European Parliament and the Council have to adopt the regulation. Within the European Parliament, the proposal is assigned to the Civil Liberties Committee (LIBE) which issued a draft report on June 21, 2017. More than eight hundred amendments were submitted by the July 2017 deadline. LIBE adopted the report on October 19, 2017, and presented it for a first reading of the plenary of the EU Parliament on October 23, 2017.
Within the Council, the proposal was assigned to the Telecommunications and Information Society working party, which is in the process of discussing the proposal. As several issues still need to be discussed, Member States’ delegations have voiced concerns as to whether the proposed date of May 25, 2018, for the entry into force of the regulation can be achieved.
Prepared by Jenny Gesley
Foreign Law Specialist
 Charter of Fundamental Rights of the European Union (EU Charter) arts. 7, 8, 2012 O.J. (C 326) 391, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012P/TXT&from=EN, archived at http://perma.cc/PJN3-A8MZ; Consolidated Version of the Treaty on the Functioning of the European Union (TFEU) art. 16, para. 1, 2012 O.J. (C 326) 47, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:12012E/TXT&from=EN, archived at http://perma.cc/K69X-SDQ9.
 Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) (GDPR) art. 4 (1), 2016 O.J. (L 119) 1, http://eur-lex. europa eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN, archived at http://perma.cc/UWW3-KFMH. An identifiable natural person is “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” Id.
 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications) (ePrivacy Directive), 2002 O.J. (L 201) 37, http://eur-lex.europa.eu/legal-content /EN/TXT/PDF/?uri=CELEX:32002L0058&from=en, archived at http://perma.cc/LCQ4-LCJR.
 See GDPR, supra note 2.
 Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:31995L0046&from=EN, archived at http://perma.cc/DW3S-KL29.
 Id. art. 1.
 Id. arts. 7, 10.
 European Commission Press Release IP/12/46, Commission Proposes a Comprehensive Reform of Data Protection Rules to Increase Users’ Control of their Data and to Cut Costs for Businesses (Jan. 25, 2012), http://europa.eu/ rapid/press-release_IP-12-46_en.pdf, archived at http://perma.cc/BXE7-682P.
 Communication from the Commission to the European Parliament, the Council, the European Economic and Social Committee of the Regions, Safeguarding Privacy in a Connected World A European Data Protection Framework for the 21st Century, COM (2012) 9 final (Jan. 25, 2012), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52012DC0009&from=en, archived at http://perma.cc/MT7A-X6NG.
 Proposal for a Regulation of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/ ?uri=CELEX:52012PC0011&from=EN, archived at http://perma.cc/76TF-GZQS.
 Proposal for a Directive of the European Parliament and of the Council on the Protection of Individuals with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal Penalties, and the Free Movement of Such Data, COM (2012) 10 final (Jan. 25, 2012), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri= CELEX:52012PC0010&from=EN, archived at http://perma.cc/UZ96-M46T.
 See GDPR, supra note 2.
 Directive 2016/680 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data by Competent Authorities for the Purposes of the Prevention, Investigation, Detection or Prosecution of Criminal Offences or the Execution of Criminal penalties, and on the Free Movement of Such Data, and Repealing Council Framework Decision 2008/977/JHA (Criminal Law Enforcement Data Protection Directive), 2016 O.J. (L 119) 89, http://eur-lex.europa.eu/legal-content/EN/TXT/ PDF/?uri=CELEX:32016L0680&from=EN, archived at http://perma.cc/X8TW-3C9Z.
 GDPR, supra note 2, art. 99.
 Criminal Law Enforcement Data Protection Directive, supra note 14, art. 64.
 Id. art. 63.
 ePrivacy Directive, supra note 3.
 Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications) (ePrivacy Regulation), COM(2017) 10 final (Jan. 10, 2017), http://ec.europa.eu/newsroom/dae/document.cfm?doc_id=41241, archived at http://perma.cc/YX4Q-G2KX.
 Id. art. 29, para. 2.
 Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32006L0024&from=EN, archived at http://perma.cc /AG3E-MEPT.
 Joined Cases C-293/12 and C-594/12, Dig. Rights Ireland Ltd. v. Minister for Communications, Marine and Natural Resources, ECLI:EU:C:2014:238, http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0293&lang 1=en&type=TXT&ancre, archived at http://perma.cc/XZK2-Y7D5. For background information, see Theresa Papademetriou, European Union: ECJ Invalidates Data Retention Directive (Law Library of Congress, June 2014), http://www.loc.gov/ law/help/eu-data-retention-directive/eu-data-retention-directive.pdf, archived at http://perma.cc/B8VM-XTDU.
 Joined Cases C-203/15, Tele2 Sverige AB v. Post-och telestyrelsen and C-698/15 Secretary of State for the Home Department v. Tom Watson, paras. 75–81, ECLI:EU:C:2016:970, http://eur-lex.europa.eu/legal-content/EN/TXT/? uri=CELEX%3A 62015CJ0203, archived at http://perma.cc/PT73-PD2J.
 Id. at 96.
 Id. at 112.
 Communication from the Commission to the European Parliament, the European Council and the Council. Fourth Progress Report Towards an Effective and Genuine Security Union, COM (2017) 041 final (Jan. 25, 2017), http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52017DC0041&from=EN, archived at http://perma.cc/JTJ4-6P9T.
 TFEU, supra note 1, art. 288, para. 2; GDPR, supra note 2, art. 99. Some provisions nonetheless require for their implementation the adoption of measures of application by the Member States—for example, the appointment of a national regulator and administrative sanctions for a violation of the GDPR. The GDPR also contains “opening clauses” that permit diverging national legislation in certain areas—for example, for the processing of special categories of personal data or in the context of employment.
 GDPR, supra note 2, art. 4(2).
 Id. art. 3, para. 1.
 Case C-230/14, Weltimmo v. Nemzeti Adatvédelmi és Információszabadság Hatóság, paras. 30, 31, ECLI:EU:C:2015:639, http://curia.europa.eu/juris/celex.jsf?celex=62014CJ0230&lang1=en&type=TXT&ancre, archived at http://perma.cc/7HF3-BGJR; GDPR, supra note 2, recital 22.
 GDPR, supra note 2, art. 3, para. 2.
 Id. recital 24.
 Id. art. 3, para. 3; recital 25.
 Id. art. 5, para. 1.
 Id. art. 5, para. 2.
 Id. art. 6, para. 1(a), art. 7.
 Id. art. 6, para. 1(b).
 Id. art. 6, para. 1(c); art. 6, para. 3; recitals 41, 45.
 Id. art. 6, para. 1(d); recital 46.
 Id. art. 6, para. 1(e); art. 6, para. 3; recital 45.
 Id. art. 6, para. 1(f); recitals 47–50.
 Id. art. 7, para. 4; recital 43.
 Id. recital 42.
 Id. art. 4(11).
 Id. art. 7, para. 3.
 Id. recital 32.
 Id. art. 7, para. 4; recital 43.
 Id. recital 32.
 “Information society services” are defined as services normally provided for remuneration, at a distance, by electronic means and at the individual request of a recipient of services. See Directive (EU) 2015/1535 of the European Parliament and of the Council of 9 September 2015 Laying Down a Procedure for the Provision of Information in the Field of Technical Regulations and of Rules on Information Society Services art. 1, para. 1(b), 2015 O.J. (L 241) 1, http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32015L1535&from=EN, archived at http://perma.cc/HS39-U8Z3. Annex I provides an indicative list of services that are not covered by the term.
 GDPR, supra note 2, art. 8.
 Id. art. 12, para. 1; recital 58.
 Id. arts. 12–14.
 Id. art. 13.
 Id. art. 9, para. 1.
 Id. recital 51.
 Id. art. 9, para. 2.
 Id. art. 9, para. 4.
 Id. art. 15.
 Id. art. 20.
 Id. art. 16.
 Id. art. 17.
 Id. art. 18.
 Id. art. 12, para. 3.
 Id. art. 15.
 Id. art. 15, para. 3.
 Id. art. 20.
 Id. art. 16.
 Id. art. 17.
 Case C-131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos, Mario Costeja González, ECLI:EU:C:2014:317, http://curia.europa.eu/juris/celex.jsf?celex=62012CJ0131&lang1= en&type=TXT&ancre, archived at http://perma.cc/TX38-MV8T. For a summary of the case, see Theresa Papademetriou, Court of Justice of the European Union: Decision Upholds Right to Have Personal Data Erased, Global Legal Monitor (May 21, 2014), http://www.loc.gov/law/foreign-news/article/court-of-justice-of-the-european-union-decision-upholds-right-to-have-personal-data-erased/, archived at https://perma.cc/Q36W-JCB9.
 GDPR, supra note 2, art. 17, para. 1; recital 65.
 Id. art. 17, para. 2; recital 66.
 Id. art. 17, para. 3.
 Id. art. 18, para. 2.
 Id. art. 17, para. 1.
 Id. art. 21; recitals 69, 70.
 Id. art. 21, para. 2.
 Id. art. 6, paras. 1(e), (f).
 Id. art. 21, para. 1.
 Id. art. 21, para. 6.
 Id. arts. 51, 52.
 Id. arts. 56, 60.
 Id. arts. 60–62.
 COM (2012) 11 final, supra note 11, para. 188.8.131.52.; recitals 97, 98; art. 51, para. 2.
 GDPR, supra note 2, arts. 68, 69.
 Id. arts. 65, 70.
 Id. arts. 4(12), 33, 34.
 Id. art. 83, paras. 4 & 5.
 Id. art. 77.
 Id. art. 82.
 Id. recital 146.
 Id. art. 80.
 See Directive 2002/58/EC, supra note 18.
 Directive 2009/136/EC of the European Parliament and of the Council of 25 November 2009 Amending Directive 2002/22/EC on Universal Service and Users’ Rights Relating to Electronic Communications Networks and Services, Directive 2002/58/EC Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector and Regulation (EC) No. 2006/2004 on Cooperation Between National Authorities Responsible for the Enforcement on Consumer Protection Laws (Cookies Directive), 2009 O.J. (L 337) 11, http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2009:337:0011:0036:en:PDF, archived at http://perma.cc/KW92-SUVC.
 ePrivacy Directive, supra note 3, art. 1, para. 2.
 See COM(2017) 10 final, supra note 19.
 ePrivacy Directive, supra note 3, art. 1, para. 1.
 Id. arts. 3, 5.
 Id. art. 5, para. 3.
 Id. art. 2(b).
 Id. art. 6; art. 15, para. 1.
 Id. art. 2(c).
 Id. art. 9, para. 1.
 For a definition of “information society services,” see supra note 50.
 Article 29 Working Party, Opinion 5/2004 on Unsolicited Communications for Marketing Purposes under Article 13 of Directive 2002/58/EC, 11601/EN, WP 90 (Feb. 27, 2004), at 4, http://ec.europa.eu/justice/policies/privacy/ docs/wpdocs/2004/wp90_en.pdf, archived at http://perma.cc/D4TG-PTVG.
 TFEU, supra note 1, arts. 289, 294.
 Id. art. 288, para. 2.
 ePrivacy Regulation, consideration 38, art. 18.
 Id. art. 3, para. 1.
 Id. art. 3, para. 2.
 Id. art. 18.
 Id. art. 4, no. 3a; art. 5.
 Id. recital 22.
 Id. arts. 8, 10.
 Id. art. 16.
 Id. art. 16, para. 2.
 Id. art. 16, para. 3.
 Id. art. 14.
 LIBE, Draft Report on the Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), doc. no. 2017/0003(COD), June 9, 2017, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+COMPARL+PE-606.011+ 01+DOC+PDF+V0//EN&language=EN, archived at http://perma.cc/D4A4-AFL2.
 Jennifer Baker, LIBE Submits More than 800 Amendments to ePrivacy Regulation, iapp (July 20, 2017), https://iapp.org/news/a/libe-submits-more-than-800-amendments-to-eprivacy-regulation/, archived at http://perma.cc/KNR7-BK7J.
 LIBE, Report on the Proposal for a Regulation of the European Parliament and of the Council Concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), doc. no. A8-0324/2017, Oct. 20, 2017, http://www.europarl.europa.eu/sides/getDoc.do?pubRef=-//EP//NONSGML+REPORT+A8-2017-0324+0+DOC+PDF+V0//EN, archived at http://perma.cc/CMN6-LE3T.
 Council of the EU, General Secretariat, Notice of Meeting and Provisional Agenda, doc. no. CM 4609/17, Oct. 19, 2017, http://data.consilium.europa.eu/doc/document/CM-4609-2017-INIT/en/pdf, archived at http://perma.cc/4RL2-2ATA.
 European Parliament, Legislative Train Schedule: Proposal for a Regulation on Privacy and Electronic Communications (last updated Oct. 20, 2017), http://www.europarl.europa.eu/legislative-train/theme-connected-digital-single-market/file-e-privacy-reform, archived at http://perma.cc/4R3G-9STC.
Last Updated: 05/29/2018