Article 98 GDPR

From GDPRhub
The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.
Article 98 - Review of other Union legal acts on data protection
Gdpricon.png
Chapter 10: Delegated and implementing acts

Legal Text


Article 98 - Review of other Union legal acts on data protection

The Commission shall, if appropriate, submit legislative proposals with a view to amending other Union legal acts on the protection of personal data, in order to ensure uniform and consistent protection of natural persons with regard to processing. This shall in particular concern the rules relating to the protection of natural persons with regard to processing by Union institutions, bodies, offices and agencies and on the free movement of such data.

Relevant Recitals

Recital 17: Adaptation of Regulation (EC) No 45/2001
Regulation (EC) No 45/2001 of the European Parliament and of the Council applies to the processing of personal data by the Union institutions, bodies, offices and agencies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data should be adapted to the principles and rules established in this Regulation and applied in the light of this Regulation. In order to provide a strong and coherent data protection framework in the Union, the necessary adaptations of Regulation (EC) No 45/2001 should follow after the adoption of this Regulation, in order to allow application at the same time as this Regulation.

Recital 173: Relationship to Directive 2002/58/EC
This Regulation should apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective set out in Directive 2002/58/EC of the European Parliament and of the Council, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between this Regulation and Directive 2002/58/EC, that Directive should be amended accordingly. Once this Regulation is adopted, Directive 2002/58/EC should be reviewed in particular in order to ensure consistency with this Regulation.

Commentary

The aim of Article 98 GDPR is to ensure the adaptation of Union Acts relating to data protection in a manner which corresponds with the GDPR's regulatory framework.[1] Given that data protection affects several different sectors, each of which have their own characteristics, questions arise when considering which legal Union Acts this provision extends to. In this regard, the GDPR refers to certain legal instruments that also have to be taken into consideration under Article 98 GDPR.[2] However, beyond Acts explicitly referred to in the GDPR's text, there remains a degree of discrepancy regarding whether other Acts relating to data protection fall within the scope of Article 98 GDPR.

Commentators have argued in favour of a broad reading of the provision, suggesting that the Commission should review all EU legislation which addresses data protection, including more specific acts, such as the Anti-Money Laundering Directive and the Europol Regulation.[3] Noting that a broader reading of Article 98 GDPR is supported by the wording of Article 2(3) GDPR, which provides that:

'For the processing of personal data by the Union institutions, bodies, offices and agencies, Regulation (EC) No 45/2001 applies. Regulation (EC) No 45/2001 and other Union legal acts applicable to such processing of personal data shall be adapted to the principles and rules of this Regulation in accordance with Article 98'.

Decisions

→ You can find all related decisions in Category:Article 98 GDPR

The CJEU has yet to rule on Article 98 GDPR. Nonetheless, the opinion of Attorney General Bobek in Confédération paysanne and Others, has suggested that there exists a wider constitutional duty for Union legislation to be 'technically and socially responsive, and, provided that it is necessary in view of later evolution, to be updated'.[4] The CJEU has not yet explicitly confirmed the existence of this duty; however, it has been alluded to in Agrarproduktion Staebelow.[5]

References

  1. Kühling, Raab, in Kühling, Buchner, DS-GVO BDSG, Article 98 GDPR, margin number 2 (Beck 2020, 3rd edition).
  2. Some examples are: the ePrivacy Directive (Directive 2002/58/EG), which formulates more specific rules for the processing personal data occurring in the context of electronic communications, which supersede the GDPR(see Article 95 GDPR); the e-Commerce Directive (Directive 2000/31/EG), especially in the context of liability and responsibility of hosting, caching and content providers (see Article 2(4) GDPR); the Directive on the Re-use of Public Sector Information (Directive 2003/98/EC amended by Directive 2013/37/EU) regarding documents that are not or only partially accessible for reasons of data protection (see Recital 154 GDPR); the Regulation on Community Statistics on Public Health and Safety at Work (Regulation (EC) No 1338/2008), especially regarding its relevant definitions as well as the interpretation of “public health” for the GDPR (see Recital 54 sentence 3 GDPR); the Directive on Patients' Rights in Cross-Border Healthcare (Directive 2011/24/EU), regarding personal data processed within healthcare services and patients’ access rights to their files (see Recital 35 sentence 2 GDPR); the Regulation on Clinical Trials on Medicinal Products for Human Use (Regulation (EU) No 536/2014), which includes special provisions in cases of consent to participation in clinical trials (see Recital 161 GDPR); and lastly, the Regulation on European Statistics (Regulation (EC) No 223/2009), which provides special rules regarding confidential information which is, at the same time, personal data as well (see Recital 163 GDPR).
  3. Tosoni in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 98 GDPR, p. 1315 (Oxford University Press 2020).
  4. Case C- 528/ 16, Confédération paysanne (AG Opinion), para 139.
  5. Case C-504/ 04, para 40. For a more in-depth discussion on this point, see Tosoni in Kuner et al., The EU General Data Protection Regulation (GDPR), Article 98 GDPR, p. 1315 (Oxford University Press 2020).