The EU data protection reform and the (forgotten) use of criminal sanctions

Abstract

The proposed data protection regulation2 includes mention of the use of criminal and administrative sanctions. Both were possible in EU data protection law but, after the reform, the use of administrative sanctions will become mandatory. With regard to criminal sanctions to address data protection wrongs, nothing changes: member states can choose to create them or not. Why is the new EU, with its enhanced post-Lisbon powers, so timid and '1995-ish' with regard to criminal law? How is it possible that, to reform a set of rules created by a directive, a regulation is chosen with the aim of harmonising just about everything in EU data protection law, but not the chapter on sanctions and enforcement? This contribution lists some explanatory factors and reflects on future regulatory choices in member states.