Architecture of European Privacy

Liisa Holopainen

February 3, 2017 at 10:30

With all eyes on GDPR, are we missing the bigger picture? A comprehensive privacy project should cover all applicable blocks of the European privacy architecture.

The central building block of European privacy architecture is undoubtedly the GDPR, but it is by no means a stand-alone element. The other blocks of the architecture are of two main types: first, national or union law derogations to GDPR rules; and second, sector specific EU law concerning the processing of personal data.

Member States can pass national laws that will modify the scope of GDPR obligations. Possibly the most significant of these national derogations concerns processing of employee data. This is significant because of its wide relevance: all companies handle employee data.

A comprehensive privacy assessment should identify all sector specific privacy regimes applicable to your line of business. Most commonly applicable of these is the ePrivacy regime (currently established by directive, in future by regulation with a wider scope of application). Other relevant regimes concern, for example, commercial aviation (the PNR Directive), banking (PSD1 and PSD2), and electronic identification (the eIDAS regime).

My point is simply this: when assessing your company’s GDPR compliance, do not forget to look at the bigger picture. A comprehensive privacy project should include identification of all applicable blocks of the European privacy architecture, and GDPR compliance should be consolidated with compliance with other applicable privacy regimes.

Follow this spot for more discussion on the different blocks of European privacy architecture. Next time: the ePrivacy regime.

Related blogs