General Data Protection Regulation and Its Violation of EU Treaties *
While the GDPR is generally efficient and necessary in its vigorous protection of the fundamental rights of self‑determination and identity of European citizens, the article identifies a core issue that has gone unnoticed: the GDPR violates the EU treaties. It is basically a ‘European law’, yet European laws are banned under the TEU and the TFEU.
The author examines the background of this conflict. The ambitious plan for ratification of the 2003 draft treaty establishing a Constitution for Europe fell at the first hurdle in 2005. The draft Constitution envisaged a legislative innovation: the European law and the European framework law, directly applicable in the Member States and superior to the national laws. Yet, there would be no European laws – these were rejected with the draft Constitution in the 2005 referendum, and the current treaties do not foresee any law-like European legislation.
The GDPR is by nature a European law because it:
- concerns potentially all European residents, albeit by adding to the rights of individuals and protecting their freedoms;
- applies to virtually all undertakings with substantial impacts on them;
- addresses the Member States and the EU itself;
- has cross-border applicability and covers the whole EU;
- is named “general regulation”, although this kind of legislative act is not provided for by the EU treaties.

Hence, the scope, depth, and impact of the GDPR exceed all the limits that the EU treaties permit for regulations.
Since the GDPR possesses certain characteristics of a ‘European law’, this highlights a key issue: if the existence of the GDPR violates the EU treaties, it also violates the Estonian Constitution. The author concludes that since the GDPR is here to stay, amending the EU treaties can no longer be avoided.
* Peer-reviewed article.