36 JURIDICA INTERNATIONAL 27/2018
Lecturer of Comparative Jurisprudence
University of Tartu
The General Data Protection
Regulation and its Violation
of EU Treaties
The EU General Data Protection Regulation (GDPR) entered into force on 25 May, two weeks after Europe
Day. Quite a lot has been said about the objectives for it, its requirements, and the steps of preparation both
on a practical and on a jurisprudential level.*1 In brief, one can state that the GDPR is generally good and
necessary: it will vigorously protect the fundamental rights of self-determination and identity of European
In all of this data-protection bustle, one rather fundamental issue has gone unnoticed, though: the
General Data Protection Regulation violates EU treaties! In other words, in essence it runs counter
to the ‘constitutional organisation’ of the EU, formed in line with the establishing treaties. How so? The con-
ﬂ ict arises from the interaction of two elements. Firstly, the GDPR is, at base, a ‘European law’. Secondly,
European laws are banned by European treaties.
I will begin with the second of these elements. If we are to understand this, we need to go back in time
about 15 years.
In February 2002, at the instigation of France, the Convention on the Future of Europe became enforce-
able, with the aim of developing the constitutional agreement or constitution for the EU. By June 2003, the
draft constitution was ready, and in October of the following year it was sent to the EU member states for
ratiﬁ cation. Whether regrettably or not, the most ambitious plan to reform the European Union crashed at
the hurdle of the very ﬁ rst referenda: on 29 May 2005, 55% of those voting in France cast their vote against
the project, and two days later, on 1 June, 61.6% of voters in the Netherlands did the same. Although earlier
‘repeat referenda’ in Denmark and Ireland had proved able to save the treaties of Maastricht and Nice and
while some countries, Germany and Austria among them, did attempt to continue the process of creating
the EU constitution, the opposition scared the leaders enough for the plan to be dropped.
The draft treaty establishing a constitution for Europe*3 envisaged an important innovation – two
legal instruments directly applicable in the Member States and superior to them: the European law and
For a lengthier analysis, see, for instance, Paul Voigt, Axel von dem Bussche. The EU General Data Protection Regula-
tion (GDPR): A Practical Guide. Springer . – DOI: https://doi.org/./----; Paul B. Lambert.
Understanding the New European Data Protection Rules. CRC Press – Taylor & Francis Group . – DOI: https://doi.
Incidentally, the UK plans to enforce more or less similar rules in the domestic law after Brexit. See A New Data Protection Bill:
Our Planned Reforms. Statement of Intent of the Department for Digital, Culture, Media & Sport, August , available online
at https://www.gov.uk/government/uploads/system/uploads/attachment_data/ﬁ le//--_DP_Bill_-_State-
ment_of_Intent.pdf (most recently accessed on July )
Draft Treaty Establishing a Constitution for Europe, CONV /, submitted July .