Regulatory framework

This subtopic contains an overview of the EU data protection and cybersecurity regulatory framework. It is aimed at lawyers who need a high level overview of the legal framework and key issues, and who are not specialised in data protection. For in-depth practical guidance on data protection, see the Information Law practice area (subject to subscription).

Data protection

Data protection law in the EEA (the EU plus Iceland, Norway, and Liechtenstein) is intended to ensure information about living individuals (within the definition of ‘personal data’) is used fairly and responsibly.

To help ensure that, data protection laws impose a large number of obligations on those ‘processing’ personal data (and on controllers of such processing) and grant rights to those whose personal data is processed (the ‘data subjects’). In summary, ‘processing’ includes doing almost anything with personal data, including storing, sharing, deleting or using it.

This part of the subtopic primarily addresses EEA data protection law, the General Data Protection Regulation, Regulation (EU) 2016/679 (EU GDPR), that apply to ‘general’ processing of personal data. The regime is referred to as ‘general’ since there are special regimes applicable

To view the latest version of this document and thousands of others like it, sign-in with LexisNexis or register for a free trial.

TAKE A FREE TRIAL

Latest EU Law News

European Commission initiates review of Technology Transfer rules

The European Commission has published findings from its evaluation of Commission Regulation (EU) No 316/2014 (the Technology Transfer Block Exemption Regulation or TTBER) and accompanying Guidelines. The Commission has determined that while the rules have been largely effective, improvements are needed in areas such as market share thresholds, data licensing, and technology pools. The Commission will now launch an impact assessment to explore policy options for revising the rules before their expiration in April 2026. A public consultation is planned for December 2024, allowing stakeholders to provide input on potential changes to ensure the rules remain fit for purpose in the evolving technological landscape.4o

JRC identifies 18 product categories for potential EU ecodesign regulation

The Joint Research Centre (JRC) has published a report assessing various product categories for potential regulation under the new EU Regulation 2024/1781 (the Ecodesign for Sustainable Products Regulation (ESPR)). The JRC has identified 18 product groups, including both final and intermediate products, which show significant potential for reducing environmental impacts and enhancing EU strategic autonomy if regulated under the ESPR. The findings will inform the Commission's first ESPR Working Plan, due for adoption in the first half of 2025. The report also highlights the potential of horizontal requirements on durability, recyclability, and recycled content across multiple product groups.

Questions & unsatisfactory answers—the European Commission publishes guidance on the importer requirements of the EU Methane Regulation

EU Law analysis: Alex Kerr, partner at Baker Botts LLP, examines the European Commission’s Q&A document on the importer requirements of the EU Methane Regulation.

European Payments Council initiates call for interest in VOP scheme services

The European Payments Council (EPC) has issued a call for interest, inviting organisations to express their interest in providing services as routing and/or verification mechanisms (RVM) that comply with the verification of payee (VOP) scheme. The EPC developed the VOP scheme to help payment service providers (PSPs) in the European Union (EU) and the European Economic Area (EEA) comply with new regulatory requirements for payee verification, which will take effect on 5 October 2025. Responses are sought by 20 December 2024.