Data Protection Reform and the Internet: The Draft Data Protection Regulation

This contribution critically examines the proposal for a new General Data Protection Regulation -- both the original Commission Proposal and the amendments adopted by the Parliament. It focuses on the proposed changes to some key traditional data protection concepts: the territorial scope, consent, purpose limitation principle, and on some novelties introduced by the draft Regulation: the principle of accountability, data portability and the principles of data protection by design and by default.The efforts to reform EU data protection have shown that the very concept of data protection as a right and as a regulatory regime is in crisis. The Commission Proposal seems to accept the bankruptcy of the idea to build data protection law around individual control over what is going on with his/her personal data, while tightening the tools for monitoring and ensuring compliance.The Parliament text turned the idea of the data protection reform around by introducing -- albeit in not too explicit way -- the individual autonomy back into the data protection discussion. It remains to be seen what the consequences of inclusion of the references to the individual autonomous choices would have for interpretation of the Regulation, if those references will make it to the final text. Even more importantly, the Parliament text seems to have made an attempt to divorce itself from the traditional ‘consent versus fair use’ dichotomy that has been used to describe dominant and conflicting approaches to data protection. The Parliament text seems to craft an alternative way for data protection by introducing a risk-based approach to data protection and by differentiating between ‘regular’ personal data and pseudonymous data that receive different degrees of protection.