The General Data Protection Regulation and its Violation of EU Treaties

Mario Rosentau
pp. 36-40

While the EU General Data Protection Regulation, which entered into force on 25 May, is generally good and necessary in its vigorous protection of the fundamental rights of self‑determination and identity of European people, the article identifies a core issue that has gone unnoticed: the GDPR violates EU treaties. It is, at base, a ‘European law’, yet European laws are banned under the TEU and TFEU.

The article examines the background for this conflict. The ambitious plan for ratification of 2003’s draft treaty establishing a constitution for Europe fell at the first hurdle in 2005. The draft Constitution envisaged a legislative innovation: the European law and European framework law, directly applicable in the Member States and superior to them. These legal instruments, envisaged as replacing EU regulations, could readily be cited as a major federalist pillar of the draft. Yet there would be no European laws – they were rejected with the draft constitution in the 2005 referenda, and the current treaties do not foresee any law-like European legislation.

The author outlines the GDPR’s nature as a European law thus: the regulation 1) potentially concerns all residents of Europe, albeit by adding to the rights of individuals and protecting their freedoms; 2) addresses virtually all legal entities and undertakings acting, physically or through a network, in the European judicial area; 3) addresses the Member States and the EU itself; and 4) has cross-border applicability and covers the whole EU. Furthermore, its reach extends to service providers outside the EU if their service targets EU data subjects. The impacts on subjects on whom obligations are imposed are substantial. Hence, the author concludes that the GDPR’s scope, depth, and impacts exceed all the limits that the EU treaties permit for regulations. Furthermore, the treaties do not even know the term ‘general regulation’.

Since the GDPR possesses the characteristics of a ‘European law’ – and even is ‘seamlessly’ positioned in a place reserved by the draft EU Constitution for the ‘European law on data protection’ – while such laws have been rejected, a key issue is highlighted: how deep an EU-level political integration and relinquishment of the individual European nations’ sovereignty do the Member States actually want? For instance, most analyses of the causes of Brexit cite loss of sovereignty of the UK as one of the main factors in the decision. The author concludes that, since the GDPR is with us to stay, amendment of the EU treaties can no longer be avoided. Noble objectives cannot justify infringements of the present ‘European Constitution’ and the constitutions of the Member States.

Keywords: General Data Protection Regulation (GDPR); establishing treaties of the EU (TEU and TFEU); legislative directives and legislative regulations of the EU; fundamental principles of EU’s Constitutional Law; Brexit; sovereignty of the member states of the EU; violation of EU treaties

The EU General Data Protection Regulation (GDPR) entered into force on 25 May, two weeks after Europe Day. Quite a lot has been said about the objectives for it, its requirements, and the steps of preparation both on a practical and on a jurisprudential level.*1 In brief, one can state that the GDPR is generally good and necessary: it will vigorously protect the fundamental rights of self-determination and identity of European people.*2

In all of this data-protection bustle, one rather fundamental issue has gone unnoticed, though: the General Data Protection Regulation violates EU treaties! In other words, in essence it runs counter to the ‘constitutional organisation’ of the EU, formed in line with the establishing treaties. How so? The conflict arises from the interaction of two elements. Firstly, the GDPR is, at base, a ‘European law’. Secondly, European laws are banned by European treaties.

I will begin with the second of these elements. If we are to understand this, we need to go back in time about 15 years.

In February 2002, at the instigation of France, the Convention on the Future of Europe became enforceable, with the aim of developing the constitutional agreement or constitution for the EU. By June 2003, the draft constitution was ready, and in October of the following year it was sent to the EU member states for ratification. Whether regrettably or not, the most ambitious plan to reform the European Union crashed at the hurdle of the very first referenda: on 29 May 2005, 55% of those voting in France cast their vote against the project, and two days later, on 1 June, 61.6% of voters in the Netherlands did the same. Although earlier ‘repeat referenda’ in Denmark and Ireland had proved able to save the treaties of Maastricht and Nice and while some countries, Germany and Austria among them, did attempt to continue the process of creating the EU constitution, the opposition scared the leaders enough for the plan to be dropped.

The draft treaty establishing a constitution for Europe*3 envisaged an important innovation – two legal instruments directly applicable in the Member States and superior to them: the European law and European framework law (see CONV 850/03, articles 10, 32, and 33). The legislators of the Member States would have had no say about European laws once these had been adopted by the European Parliament and Council; however, the institution of European framework laws was designed to allow some issues to be delegated to parliaments. Furthermore, now the directives would have been renamed regulations and the current regulations would have been abolished as unnecessary next to European laws.

But there would be no European laws – they were rejected with the draft. If one were to be asked what was federalist in the draft European constitution, among other things the list would undoubtedly feature these very European laws and framework laws.*4

Some words about the current legislative organisation of the EU are necessary at this juncture. The EU ‘constitution’ is made up of two so-called foundational treaties: the Treaty on the European Union (TEU) and the Treaty on the Functioning of the European Union (TFEU).*5 Pursuant to the treaties, the legislative acts of the EU consist of the directives, regulations, and decisions of the European Parliament and the Council (under the TFEU’s Article 288, among other terms). It should be mentioned that acts going by the same name may be adopted by the Parliament or the Council alone as well as by other EU institutions, but without a legislative procedure they are not ‘legislative’.*6

Thus far, legislative directives have been the main shapers of European law.*7 The specific character of a directive as compared to national law is that it is not directly applicable. The EU directives are compulsory for EU member states’ legislators; that is, a similar regulation (it cannot be identical to the directive) needs to be enforced in national law so as to harmonise law and the legal system across Europe. This process is called the implementation of the directive. A directive never enters into force directly: in a Member State, the act to which the rules of the directive are transposed remains the superior and directly applicable law. However, the directive retains its nature as a compulsory source of interpretation of law in cases wherein national laws address the scope of the directive in an incomprehensible, incomplete, or incorrect manner.*8 Directives are intended to harmonise EU law, where the objective for the harmonisation of EU law is to be noble, beneficial, and acceptable, at least as long as conformance with the commonalities and values of Europe as occidental culture and morality is maintained.*9

Regulations are mandatory and directly applicable in all EU member states. In this sense, they are similar to laws. That said, the EU’s mandate to impose European law directly through regulations is significantly more limited relative to the scope for national laws. The constitutions of Member States do not normally dictate which themes or sectors should be regulated by laws and which should not: the right and freedom of the state to legislate is the main attribute of sovereignty under democratic rule of law (restrictions rooted in such important values as human rights are not sector-specific, for the most part). However, in terms of the themes and sectors addressed, the treaties of the EU do stipulate the procedures and legislative acts that should be used to regulate such areas. Legislative regulations may or must be used to regulate around 20–30 themes and sectors. These include, for example, competition rules and other general principles for the economy, the principles for services of general economic interest, principles and restrictions governing publication of or access to EU documents, procedures and conditions for submitting citizens’ initiatives, rules governing the financing of pan-European political parties, and frameworks for the implementation of such elements as common commercial policy. Regulations must be applied also to organise administrative co-operation between EU institutions (e.g., Europol and the Court of Justice) and EU member states. 
Some regulations address very narrow and sector-specific issues (such as the distribution of mobile-communication frequency bands or food safety); others deal with more general procedures for cross-border operations and enforcement issues (e.g., Regulation (EC) No 44/2001, ‘on jurisdiction and the recognition and enforcement of judgments in civil and commercial matters’, and Regulation (EC) No 593/2008, ‘on the law applicable to contractual obligations (Rome I)’).*10 Although several EU regulations have effects on numerous persons, both legal and natural, none has ever affected, in principle, all European citizens, residents, and legal entities – a feature in common with national laws in relation to their subjects. Regulations that are in such restricted use do not infringe the fundamental rights and freedoms of EU citizens and residents or impinge on their legitimate interests. On the contrary, the regulations usually force professional actors to act in a way that protects people’s fundamental rights and freedoms. Likewise, EU regulations in the past have not infringed or violated the sovereignty of Member States, be it ‘shared with the Union’ or ‘kept to themselves’.

The above-mentioned thematic and sector-linked precept is, in principle, restrictive and exhaustive, since the structure of the EU (its ‘constitution’) is based on several inter-linked fundamental principles. According to these, the EU shall not impose obligations or restrictions on the Member States and their subjects beyond the frameworks of the treaties. Some of these fundamental principles are that:

a)    competencies are conferred on the Union by the treaties (TEU Article 5(1–2));

b)    all competencies that are not conferred on the Union by the treaties remain with the Member States (TEU Article 4(1) and Article 5(2)), a principle that, for purposes of legal certainty, has been articulated twice in the treaty language; and

c)    the above-mentioned principles are complemented by the principles of subsidiarity (see TEU Article 5 (1) and (3)) and proportionality (viz., eligibility, restraint, and necessity of the relevant measure) (see TEU Article 5 (1) and (4)).

Hence, the first constituent element of conflict between the GDPR and EU treaties that I have posited has been substantiated: European laws are not permitted, since they were rejected in 2005 and the current treaties do not foresee any law-like European legislation.

Now, let us investigate why the GDPR is by nature a (European) law. To this end, let us look at to whom the GDPR is addressed, what the spatial scope of its applicability is, and what impacts (legal consequences especially) it has.

Firstly, the GDPR potentially concerns all residents of Europe, albeit by adding to the rights of individuals and protecting their freedoms. This is good, and any future general regulations of the EU should be allowed only if they follow the same path. Secondly, the GDPR addresses virtually all legal entities and undertakings acting, physically or through a network, in the European judicial area. This includes those having established that they could opt out of the processing of personal data or that other grounds exist for them not needing to fulfil the additional obligations imposed by the general regulation. They can comply with the GDPR by opting out of the processing of personal data. Data processors whose operations are going to necessitate seeking of individuals’ consent to process their personal data will thereby incur significant legal and technical costs. Thirdly, the GDPR addresses the Member States: among other requirements, there is a demand that they interface their data-protection supervisory authorities for integration into a mechanism of single points of contact. Furthermore, the GDPR is addressed to the Union itself: the European Data Protection Board and the office of a European Data Protection Supervisor are to be set up, and additional obligations are imposed on the European Commission and the European Court of Justice.

The GDPR has cross-border applicability and covers the whole Union. Furthermore, its reach extends to service providers outside the EU: if their service targets EU data subjects, they too need to fulfil all the obligations prescribed by the GDPR, with the EU committing to observe their online behaviour.

The GDPR’s impacts on subjects on whom it imposes obligations are substantial. First of all, their fulfilment entails significant financial costs or making other investments – both in the preparatory stages and in the form of ongoing costs. Such investment is not inappropriate per se, but the Union’s competence to impose costs of this nature is debatable. Also, the legal consequences of infringements are significant: taking the form of progressive fines of up to 10 or even 20 million euros or, in the case of an undertaking, 2% or 4% of the total worldwide annual turnover (under Article 83 of the GDPR). The GDPR thereby prescribes liability that is significantly higher than, for instance, the criminal liability of a legal entity for any act under the Estonian Penal Code.

Thus, the scope, depth, and impacts of the GDPR exceed all the limits that the treaties permit regulations to have. On top of this, the treaties do not even know the term ‘general regulation’. Although the designation ‘General Data Protection Regulation’ is ‘hidden’ in brackets in the headings, it is precisely this term that, perhaps intentionally, has entered general use.

Accordingly, the General Data Protection Regulation possesses the characteristics of a ‘European law’ (insofar as the resolution of some issues has been delegated to the legislators of the EU member states, the GDPR fulfils the criteria for being a ‘European framework law’ too, but this does not make a difference). It may be worth noting that this has been acknowledged at least at some levels: former member of the European Parliament Marju Lauristin explicitly stated at a webinar that the GDPR is ‘like a (general) law’.*11 Another interesting fact worth noting is that the draft EU constitution stated that future rules for data protection need to be imposed by means of a European law*12 (CONV 850/03, Article 50(2)) – this provision is almost identical to Article 16 of the TFEU, on which the GDPR is explicitly based (see the first sentence of the preamble). Consequently, the general regulation is ‘seamlessly’ positioned in a place reserved by the draft EU constitution for the ‘European law on data protection’.

So what? The issue here is this: how deep an EU-level political integration and relinquishment of the sovereignty of the Member States do the European nations that have joined the Union actually want? For instance, most analyses of the causes of Brexit cite loss of sovereignty of a Member State as one of the factors contributing to the decision. It does not matter whether this loss is perceived rather than real.*13

The contradiction between the GDPR and the treaties can be illustrated via the following thought experiment. Sooner or later, Estonia probably will begin writing its ‘e-state’ (e‑riik) into the Constitution. Let us imagine that, with respect to the e-state, the Estonian legislator would like to stipulate principles for the protection of personal data in the Constitution, while experience of the Estonian e-state indicates that some of the regulations established by the GDPR should be reconsidered or changed. Does the Estonian Parliament have the right to provide for the protection of personal data in the Estonian Constitution otherwise than as provided by the GDPR? By the GDPR’s “logic” it does not. According to the “logic” of the treaties, however, it does. In consequence, the two “logics” – the dogmatic of the GDPR and the treaties – are at odds. Which was to be proved.

This is even more germane because the GDPR is not the end of the matter. There is another EU regulation on the horizon – the so-called ePrivacy Regulation*14 – which will replace an earlier (outdated) directive. If the trend of replacing directives with directly applicable regulations were to continue, such legislation would be ‘stealthily federal’.

The foregoing discussion points to two parallel tendencies that can be observed in the European legislation: regulations replacing directives and such regulations expanding into laws. In this process, the Member States are relinquishing their sovereignty to a greater extent than agreed upon in the treaties. Is that good or bad? Is this a way to better integrate Europe or a hidden path to federalising it? I leave it to everyone to form his or her own opinion. One thing is certain, though: the legislative process of the Union needs to be transparent and based on European treaties.

One solution would be to introduce the term ‘general regulation’ in the treaties. Doing so would make their use – in addition to the specification of possible sectors and themes – subject to the condition that general regulations are to be established solely for the protection of the fundamental rights and freedoms of people (individuals) and of their security. Via an additional condition, it should be made clear that such fundamental rights and freedoms must not be restricted, either directly or indirectly, under the pretext of protective measures of any sort – for instance, in the fight against terrorism. Restricting people’s fundamental rights and freedoms should remain exclusively within the purview of the EU member states.

The GDPR is with us to stay. In principle, two ways of avoiding violation of the treaties existed. One of them was to establish data-protection rules in the form of a directive. True, this would have meant time-consuming and probably arduous implementation of the directive in the laws of the Member States, but it would have been the right way. The second appropriate option would have been to amend the treaties beforehand. With this multiplication of the time, effort, and political will needed, a GDPR-like result would have likely been virtually impossible. However, amendment of the treaties cannot be avoided anymore, because noble objectives cannot justify infringements of the ‘European constitution’ and the constitutions of the Member States. And we all know where roads paved with good intentions lead.



*1 For a lengthier analysis, see, for instance, Paul Voigt, Axel von dem Bussche. The EU General Data Protection Regulation (GDPR): A Practical Guide. Springer 2017. – DOI: Link; Paul B. Lambert. Understanding the New European Data Protection Rules. CRC Press – Taylor & Francis Group 2018. – DOI: Link.
*2 Incidentally, the UK plans to enforce more or less similar rules in the domestic law after Brexit. See A New Data Protection Bill: Our Planned Reforms. Statement of Intent of the Department for Digital, Culture, Media & Sport, 7 August 2017, available online at Link (most recently accessed on 2 July 2018).
*3 Draft Treaty Establishing a Constitution for Europe, CONV 850/03, submitted 18 July 2003.
*4 The question about the depth of EU integration, including but not limited to choice of arrangement among a federation, confederation, and ‘third way’, was a focal one among a set of many primary-level and not just technical questions. In my publications, I personally supported the third option – i.e., a new kind of union.
*5 See the consolidated versions of the Treaty on the European Union and the Treaty on the Functioning of the European Union: 2016/C 202/01.
*6 The legislative approach is divided into an ordinary procedure (see the TFEU’s Article 289(1) and Article 294) and a specific procedure (see its Article 289(2)). Under the latter legislative procedure, the Council may adopt directives, regulations, and other legislative acts. In cases foreseen by the treaties, the Council must consult ex ante the European Parliament (under the TFEU’s Article 81(3)) or another EU institution, while the consent of the European Parliament is required in other cases (see Article 86). In certain cases, a specific procedure is required of the Parliament too (addressed in, for example, the TFEU’s Article 223(2)), while some situations require that the Parliament obtain consent from both the Council and the Commission before making a decision (under Article 226).
*7 The general preference for directives over regulations is further confirmed by relatively recent European Commission recommendations to EU regulators: Better Law-making for Better Results, EU Action Plan COM(2015) 215 final.
*8 EC case C-101/01, 6.11.2003, para. 98.
*9 In the jurisprudence of values, morality forms the basis for law. The fundamental standards of morality – that one shall not kill, shall not steal, shall not defraud, etc. – are the primary norms of law. Typically, we do not find such prohibitions in the text of the law. Instead, laws establish secondary norms, the so-called reaction norms that are addressed to officials. For instance, criminal law specifies what officials should do if someone has engaged in deception, thereby causing another’s loss for his own gain.
*10 The difference between directives and regulations is once again striking in connection with Brexit: Upon secession, all EU regulations will cease to apply. To prevent a resultant legal void from obtaining, the UK then must reinstate the content of these regulations in its national legislation – probably by means of the Great Repeal Bill. See Michael Emerson. Which model for Brexit? – N. da Costa Cabral et al. (eds). After Brexit: Consequences for the European Union. Palgrave Macmillan 2017. – DOI: Link.
*11 Webinar of the Institute of Social Studies, University of Tartu, 19 December 2017 (min 4:30-5:45, in Estonian, incl: “An EU regulation is like a [European] general law…”), available online at Link (most recently accessed on 27 July 2018).
*12 In its currently valid form, the Treaty on the Functioning of the European Union prescribes the ‘ordinary legislative procedure’ – i.e., any legislative act for the same purpose (see its Article 16 (2)).
*13 See, for instance, the following pieces in N. da Costa Cabral et al. (eds). After Brexit: Consequences for the European Union. Palgrave Macmillan 2017: Nuno Cunha Rodrigues. Brexit and the future of the EU: Move back or move forward? (pp. 65–82, on pp. 66, 73, 76). – DOI: Link; Pauline Schnapper. Brexit and the risk of European disintegration (pp. 83–99, on pp. 85–87). – DOI: Link; Annette Bongardt, Francisco Torres. A qualitative change in the process of European integration (pp. 101–127, on pp. 112, 114–115, passim). – DOI: Link; Ioanna Ntampoudi. Post‑Brexit models and migration policies: Possible citizenship and welfare implications for EU nationals in the UK (pp. 245–270, on pp. 246, passim). – DOI: Link. Other examples are provided by Andrew Glencross. Why the UK Voted for Brexit: David Cameron’s Great Miscalculation. Palgrave Studies in European Union Politics 2016, pp. 61–70, passim. – DOI: Link; Lee McGowan. Preparing for Brexit: Actors, Negotiations and Consequences. Palgrave Studies in European Union Politics 2018, pp. 8, 12, 20, passim. – DOI: Link; Roger Liddle. The Risk of Brexit: The Politics of a Referendum. Policy Network / Rowman & Littlefield International 2016, pp. 37, 57, 66, 116–118; Giles Merritt. Slippery Slope: Europe’s Troubled Future. Oxford University Press 2016, pp. 11, 14, 164, passim; Paul J.J. Welfens. An Accidental Brexit: New EU and Transatlantic Economic Perspectives. Palgrave Macmillan 2017, pp. 14, 35, 49, 214, 271–272, passim. – DOI: Link.
*14 SWD(2017) 6 final.
