Skip to content
emma-frances-logan-356717-unsplash Cropped
31 January 2013

The making of the EU’s Data Protection Regulation

As anyone who deals with draft bills knows, those involved need to have a lot of staying power. The proposed European Data Protection Directive is a case in point. Ever since the EU Commission in Brussels tabled its initial draft regulation (Verordnungsentwurf (PDF)) in January 2012, there have been countless public discussions, debates and negotiations, for example as to whether the regulations should apply to an equal extent to public and private data processors or under which circumstances data processors have a “legitimate interest” in saving personal data without the explicit consent of the person concerned. Also: Which penalties should be imposed for violating the rules and for which offences can people be prosecuted in the first place?

It helps to take a look at how the legislation process works on EU level and what stage the reform of the Data Protection Regulation has reached, in order to find one‘s way through this maze of discussions.

The triad of EU institutions involved in the legislative process: the European Commission, European Parliament and the European Council

In legislative procedures of this kind, the European Commission has what is referred to as the power of initiative, with which a legislation process commences. It availed itself of this right at the beginning of 2012 by tabling the aforementioned draft data protection regulation. Regulations are powerful instruments in the EU because they take immediate effect in all Member States – as opposed to directives, which first have to be implemented in the form of national laws. A Data Protection Directive has been in existence since 1995, from the early days of the Internet, in other words.

The Regulation, however, can only be passed when both the Council of the European Union and the EU Parliament have voted in favour. The Council comprises the representatives of all 27 Member States, whereas the EU Parliament is elected by the European citizens. The two committees have a maximum of three attempts (readings) of the regulation. If no consensus is reached, a meeting of the Conciliation Committee is convened.

The Council and the Parliament are currently reviewing the draft bill submitted by the Commission and working on amendments. Feedback can be expected in March. But how do the numerous contributions to the text and all the contrasting opinions evolve to become a Regulation?

Who is working on the text?

The Parliament

There are five Parliamentary panels discussing the Data Protection Regulation, each submitting their relevant arguments. The Civil Liberties, Justice and Home Affairs Committee (LIBE) plays a leading role. It also provides the Rapporteur: Jan Philipp Albrecht of the Green Party (Die Grünen). It is Albrecht’s responsibility to collate the opinions put forward by the participating committees and assemble them as far as possible and in such a way that the report submitted by his committee may serve as a proposal to be put to the vote at the next parliamentary session.

The first draft put forward by Albrecht on 16 January 2013 accordingly attracted a great deal of media interest. But it is still only a draft proposal. Observers point out that some of the statements issued by the other four panels contained opposing views which Albrecht had failed to address. In the end, the individual stances on the question of consent, for example, differed widely. So the next few weeks leading up to the indicative vote of the LIBE Committee scheduled for the end of March are very important. By then it is hoped that a more cohesive text will be available.

The Council

There is just one working group that deals with the Data Protection Regulation in the Council of the European Union, but it consists of representatives from all 27 countries: the Working Party on Information Exchange and Data Protection (DAPIX). The group operates under Ireland’s EU Presidency and is reportedly organising the process in a very determined manner. The Irish Government sees the genesis of a Data Protection Regulation as a precondition for promoting the European online market – one of the goals it has set itself for its term of presidency.

For the time being, meetings take place on desk officer level in order to obtain an insight into the different points of view – although, admittedly, no agreement on individual aspects has so far been forthcoming. The first joint official statement is not likely to be issued by the EU Council until March.

Springtime – time to show one’s colours

We will have to wait until the spring to find out who is forming a coalition with whom on the subject of data protection and whether the EU Parliament and Council will back the same wording for the Regulation. To speed matters up, the two committees want to arrange another meeting to negotiate critical issues in a smaller circle (Trialogue) before the text is read out in Parliament for the first time.

Ultimate clarity in data protection remains improbable

Anyone who thinks that there will be less talk about data protection once the first European Data Protection Regulation has been passed – perhaps in 2014 – is mistaken, however. Because, at the latest when local courts have to rule on the first incidents and problems crop up when it comes to interpreting the norms, they will pass the cases on, and it will be up to the European Court of Justice to provide clarity.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact info@hiig.de.

Uta Meier-Hahn

Former Associated Researcher: The evolving digital society

Sign up for HIIG's Monthly Digest

HIIG-Newsletter-Header

You will receive our latest blog articles once a month in a newsletter.

Explore current HIIG Activities

Research issues in focus

HIIG is currently working on exciting topics. Learn more about our interdisciplinary pioneering work in public discourse.

Further articles

Modern subway station escalators leading to platforms, symbolizing the structured pathways of access rights. In the context of online platforms, such rights enable research but impose narrow constraints, raising questions about academic freedom.

Why access rights to platform data for researchers restrict, not promote, academic freedom

New German and EU digital laws grant researchers access rights to platform data, but narrow definitions of research risk undermining academic freedom.

Three groups of icons representing people have shapes travelling between them and a page in the middle of the image. The page is a simple rectangle with straight lines representing data used for people analytics. The shapes traveling towards the page are irregular and in squiggly bands.

Empowering workers with data

As workplaces become data-driven, can workers use people analytics to advocate for their rights? This article explores how data empowers workers and unions.

A stylised illustration featuring a large "X" in a minimalist font, with a dry branch and faded leaves on one side, and a vibrant blue bird in flight on the other. The image symbolises transition, with the bird representing the former Twitter logo and the "X" symbolising the platform's rebranding and policy changes under Elon Musk.

Two years after the takeover: Four key policy changes of X under Musk

This article outlines four key policy changes of X since Musk’s 2022 takeover, highlighting how the platform's approach to content moderation has evolved.