The making of the EU’s Data Protection Regulation

As anyone who deals with draft bills knows, those involved need to have a lot of staying power. The proposed European Data Protection Directive is a case in point. Ever since the EU Commission in Brussels tabled its initial draft regulation (Verordnungsentwurf (PDF)) in January 2012, there have been countless public discussions, debates and negotiations, for example as to whether the regulations should apply to an equal extent to public and private data processors or under which circumstances data processors have a “legitimate interest” in saving personal data without the explicit consent of the person concerned. Also: Which penalties should be imposed for violating the rules and for which offences can people be prosecuted in the first place?

It helps to take a look at how the legislation process works on EU level and what stage the reform of the Data Protection Regulation has reached, in order to find one‘s way through this maze of discussions.

The triad of EU institutions involved in the legislative process: the European Commission, European Parliament and the European Council

In legislative procedures of this kind, the European Commission has what is referred to as the power of initiative, with which a legislation process commences. It availed itself of this right at the beginning of 2012 by tabling the aforementioned draft data protection regulation. Regulations are powerful instruments in the EU because they take immediate effect in all Member States – as opposed to directives, which first have to be implemented in the form of national laws. A Data Protection Directive has been in existence since 1995, from the early days of the Internet, in other words.

The Regulation, however, can only be passed when both the Council of the European Union and the EU Parliament have voted in favour. The Council comprises the representatives of all 27 Member States, whereas the EU Parliament is elected by the European citizens. The two committees have a maximum of three attempts (readings) of the regulation. If no consensus is reached, a meeting of the Conciliation Committee is convened.

The Council and the Parliament are currently reviewing the draft bill submitted by the Commission and working on amendments. Feedback can be expected in March. But how do the numerous contributions to the text and all the contrasting opinions evolve to become a Regulation?

Who is working on the text?

The Parliament

There are five Parliamentary panels discussing the Data Protection Regulation, each submitting their relevant arguments. The Civil Liberties, Justice and Home Affairs Committee (LIBE) plays a leading role. It also provides the Rapporteur: Jan Philipp Albrecht of the Green Party (Die Grünen). It is Albrecht’s responsibility to collate the opinions put forward by the participating committees and assemble them as far as possible and in such a way that the report submitted by his committee may serve as a proposal to be put to the vote at the next parliamentary session.

The first draft put forward by Albrecht on 16 January 2013 accordingly attracted a great deal of media interest. But it is still only a draft proposal. Observers point out that some of the statements issued by the other four panels contained opposing views which Albrecht had failed to address. In the end, the individual stances on the question of consent, for example, differed widely. So the next few weeks leading up to the indicative vote of the LIBE Committee scheduled for the end of March are very important. By then it is hoped that a more cohesive text will be available.

The Council

There is just one working group that deals with the Data Protection Regulation in the Council of the European Union, but it consists of representatives from all 27 countries: the Working Party on Information Exchange and Data Protection (DAPIX). The group operates under Ireland’s EU Presidency and is reportedly organising the process in a very determined manner. The Irish Government sees the genesis of a Data Protection Regulation as a precondition for promoting the European online market – one of the goals it has set itself for its term of presidency.

For the time being, meetings take place on desk officer level in order to obtain an insight into the different points of view – although, admittedly, no agreement on individual aspects has so far been forthcoming. The first joint official statement is not likely to be issued by the EU Council until March.

Springtime – time to show one’s colours

We will have to wait until the spring to find out who is forming a coalition with whom on the subject of data protection and whether the EU Parliament and Council will back the same wording for the Regulation. To speed matters up, the two committees want to arrange another meeting to negotiate critical issues in a smaller circle (Trialogue) before the text is read out in Parliament for the first time.

Ultimate clarity in data protection remains improbable

Anyone who thinks that there will be less talk about data protection once the first European Data Protection Regulation has been passed – perhaps in 2014 – is mistaken, however. Because, at the latest when local courts have to rule on the first incidents and problems crop up when it comes to interpreting the norms, they will pass the cases on, and it will be up to the European Court of Justice to provide clarity.