This essay discusses the relationship between technical standards and mandatory security measures under the European data protection legal framework.
The starting point of the discussion is the primary legal source currently governing data protection at EU level, EC Directive 95/46 (hereinafter the “Directive”). It is soon to be replaced by a new legislative instrument, this time in the form of a Regulation (hereinafter the “GDPR”). A specific point of interest of the forthcoming GDPR is that it seems to propose a broader view of security measures and, unlike the Directive, expressly addresses, to some extent, the relevance of standards. The discussion of the GDPR will rest on a text which is still in draft form, reflecting the different positions that the institutions involved in the “trialogue” legal procedure have expressed with specific regard to the desirability of standardizing security measures.