European Union
Image Source:

This article is written by Shikha Pokhriyal from the School of Law, Delhi Metropolitan Education, GGSIPU. This article talks about the European Union Data Protection Bill 2018 and General Data Protection Regulations (GDPR) and how these bills will help protect people’s personal data.


European Union data protection law aims at protecting the personal data of the citizens from breaches or hacking. The companies often reveal the personal data or the information shared with them, by their customers. European Union recognized the right to protection of personal data as a fundamental right. The General Data Protection Regulations (GDPR) is a piece of legislation that helps regulate and control an individual’s data. Customers share their personal information with companies when they associate with them in some kind of business trade like selling and buying. The customers for smooth functioning of relationship with the companies have the name, address, mobile number, email ids, etc. The companies often share this personal data and leak this information that results in harassing the consumer. 

There is a need for the legal provisions that would frame required guidelines to protect the consumer’s confidential information. European Union took a step towards this issue and introduced the European Union Data Protection Bill in the year 2018. This Bill is the need of the hour as so many cyber-related cases are recorded and in large numbers, people hesitate to file a complaint regarding the issues like hacking and cyber fraud. 

Download Now

General Data Protection Regulations (GDPR)

General Data Protection Regulations is considered as the most difficult and appreciated security law in the whole world. This regulation is drafted by the European Parliament and aims to protect the data of the citizens belonging to the European Union and it imposes obligations on any organizations operating in the world. The main aim to introduce this law was to introduce a universal rule that would apply to every member of the European Nation. The GDPR is applicable when a consumer who belongs to European Union buys goods or services from any seller in the world, that seller is a citizen of the European Union or not will be obligated under the provisions of GDPR.

If any seller or business owners violate the provisions of the GDPR they would be obligated to submit huge fines. The GDPR includes four terms that define the general data protection regulations. Legal terms like personal data, data processing, the data subject, the data controller, and the data processor are used to understand data protection law better. 

Personal data

Personal data is confidential information that helps to identify the person. Pieces of information like name, contact number, email addresses, and any other information that a consumer shares for the requirement to buy goods or services. Location services, web cookies, gender, and political opinions are also considered as personal information. 

Data processing

Data processing includes actions like collecting, recording, organizing or storing, or any other action that is performed on the data of a person. 

Data subject

Consumers or site visitors are considered as data subjects. The personal pieces of information of these people are processed. 

Data controller

A data controller is a natural person or any authority who determines the intention behind processing the data. This person controls how and why the personal data should be processed.

Data processor 

A data processor is the third party who can process the personal data but on behalf of the data controller. The GDPR contains separate rules and regulations for the people belonging to a third party.

Principles of data protection


The data controller is held accountable for the protection of the personal data of the consumers. When the data controller hires the data processor or the third party and gives them access to the personal data, the data controller must ensure that the data processor or the third party is following the provisions of the general data protection regulations. When the data controller delegates the work to the third party that means to the data processor and gives them access to the personal data of the different consumers, and if the data processor uses that information for any illegal purpose then the liability falls upon the data controller.

Lawfulness and transparency

Whatever data is being processed by the data controller, that data should be processed within the ambits of the law and with fair intention.

Data minimization

The data controller should use the personal data as much as it is required of the consumer and should not use the extra information to indulge in illegal activities.

Integrity and confidentiality 

The data controller must confidentially use the data. The data should be processed in such a way that it ensures all the security of personal information is not compromised.


The purpose of using the personal data of the consumer should be legal and limited. The data collector should use the data according to the subject matter.


The data collector should store the data for the required period only and not beyond that unnecessarily. 


The jurisdiction of the General Data Protection Regulations extends to the citizens who are not members of the European Union. The regulations apply to the organizations or individuals established in European Union whether their data processing takes place inside or outside the territory.

For instance: if the United State based business is selling goods and services and also supplying them to the consumers in the European Union, and collecting their data from them for smooth functioning then the provisions of GDPR are applicable.


The data collector before using the personal data of the consumers should always take consent of the data subject that is of the consumers or the people who are viewing the website. For instance, whenever we use a site to watch free movies, the notification pops up asking to accept all the cookies and there are terms or conditions stated by the website that depends upon a person to accept it or reject it.

European Union Data Protection Bill 2018

The European Union and the council passed the European Union Data Protection Bill on 23rd October 2018. This Bill was introduced to ensure the protection of natural persons concerning the processing of personal data by the Union institutions, bodies, offices, and agencies and on the free movement of such data.

The Data Protection Bill included the following provisions:

  • The European Parliament considered the processing of personal data as a fundamental right and therefore a natural person is entitled to get some protection. Under Article 8(1) of the Charter of the Fundamental Rights of the European Union and Article 16 (1) of the Treaty on the Functioning of the European Union (TFEU), ensure that every person is entitled to get the right of protection against the personal data concerning them. The right of protection of personal data of a natural person is also considered a fundamental right under Article 8 of the European Convention of the Treaty on the Functioning of the European Union (TFEU). 
  • The European Data Protection Officer is appointed. The European Parliament specifies that the right to data protection is legally enforceable. To ensure the protection of the natural person, and create the processing of data within the institutions and bodies, an independent body to monitor this issue is appointed. The Data Protection Officer is obligated to monitor and regulate the processing of personal data by the Union institutions and the bodies. This provision does not apply to the bodies and Union institutions processing the personal data that falls outside the ambit of Union law.
  • When the Union Institutions and the bodies process the data of the people, the reason being they are employed there, their data should be protected. This provision does not apply to the person who is dead. This provision is also not applicable to the legal person and especially when the undertakings are established as legal persons.
  • Any information concerning an identified or identifiable natural person shall be liable under the principles of data protection. Information that reveals the true identity of a natural person should be used carefully and reasonably by the data controller.
  • Application of pseudonymization to personal data can reduce the risk concerning the subjects of the data. Pseudonymization of data means replacing or removing the valuable information of a data subject that can act as an identifiable source. Also, it would help the data controllers and processors to complete their data protection obligation.
  • Consent of the data subject is an essential requirement and should be given in a written statement. This means whenever we visit a new website, they ask for consent while stating all the terms and conditions, and if we agree, we have to tick right.

General Provisions

Subject matter and objective: Chapter 1

Chapter 1 of the Data Protection Bill deals with the subject matter and the objective of the Bill.

  • For the protection of natural person data processing, these regulations lay down certain provisions that should be followed by the Union institutions and bodies while using the data.
  • This regulation protects fundamental rights and freedom of natural persons and specifically their right to the protection of personal data
  • To monitor the application of this regulation, the European Data Protection Officer will be appointed to oversee all the data processing by the Union institutions and bodies. 

Important keywords in the Bill: Article 3 

Article 3 of the Data Protection Bill deals with definition following terms:

Operational personal data

Personal data that has been processed by the Union bodies and institutions to carry out to fulfill the objectives.


Processing means taking action on personal data or sets of personal data. Such as collecting, recording, storage or organizing.

Union institutions and bodies

This includes the Union institutions, bodies, offices, and agencies set up by or based on, the Treaties of the European Union(TEU),  or the Euratom Treaty.

Genetic data

Personal data that is related to acquired genetic or inherited features of a natural person helps to provide some special knowledge about that natural person.

Data concerning health

 Personal data consists of the contents regarding physical and mental health. 

The European Union Data protection law will help to reduce the frauds that happen due to information leaks. India also needs legal provisions like this so that cybercrime can be controlled here. In India, cyber crimes are still governed by the Information Technology Act 2000 and have few provisions regarding protecting personal data. Section 43A of the Act deals with the payment of compensation for failure to protect sensitive personal information. The Supreme Court in the year 2017, in the case of Puttuswamy V. Union of India, recognized the right to privacy as the fundamental right and included it under Article 21 of the Indian Constitution. This right to privacy includes the protection of the personal data of an individual. The court said provisions to protect personal data are insufficient, and there is a need to create laws like General Data Protection Regulations. The law that should be introduced to protect the personal information of the people should be fair and transparent.


In a world where whole lives are dependent upon the digital world and internet, the crimes regarding the cyber have increased massively. Cyber frauds, hacking, and using personal information for illegal purposes have affected the lives of millions of people just because they were surfing a website or were shopping. These fun activities turned out to be the most disastrous activities for the people who suffer from cybercrimes. The data protection law will ensure to protect every person of the European Union. To protect the person from frauds and scams that happen due to misuse of personal information, it can only be prevented when a country implements strict punishments on these activities. It is the duty of the companies and the websites to secure the data shared by the consumers or viewers. 


Students of Lawsikho courses regularly produce writing assignments and work on practical exercises as a part of their coursework and develop themselves in real-life practical skills.

LawSikho has created a telegram group for exchanging legal knowledge, referrals, and various opportunities. You can click on this link and join:

Follow us on Instagram and subscribe to our YouTube channel for more amazing legal content.


Please enter your comment!
Please enter your name here