The EU General Data Protection Regulation is on its way...but when?
As a privacy lawyer based in Brussels, I often get asked when the General Data Protection Regulation (the "GDPR") will be adopted. People often look surprised or shocked when I tell them that it could take at least another year. Recently, there have been several announcements stating that the GDPR could be adopted before the end of 2015. While possible, this seems very unlikely due to the complex and lengthy legislative procedure of the European Union. Here's an overview of how it all works…
The law-making procedure in Europe is enshrined in the founding treaties of the European Union called Treaty on European Union and Treaty on the Functioning of the European Union, which were updated by the Lisbon Treaty on 1st December 2009. Essentially, there are three institutions involved in the EU's legislative procedure, whose powers and responsibilities are defined under the EU treaties:
- the European Commission (the Commission"): which represents the interests of the Union as a whole.
- the European Parliament (the Parliament"): which represents the EU’s citizens and is directly elected by them.
- the Council of Ministers of the European Union (the Council"): which represents the governments of the 28 EU Member States. The Presidency of the Council is shared by the Member States on a rotating basis every six months. Currently, the EU presidency is held by Latvia until June 30th and will then will passed on to Luxembourg.
Together, these three institutions produce through the "Ordinary Legislative Procedure" the policies and laws that apply throughout the EU. The main steps of the Ordinary Legislative Procedure are described below.
Step 1: Commission's initial proposal
The Commission submits its legislative proposal simultaneously to the Parliament and the Council. The Commission did so with its proposal for a GDPR on 25th January 2012.
Step 2: 1st reading in the Parliament
The President of the Parliament refers the proposal to a parliamentary committee (in this case, the Civil Liberties, Justice and Home Affairs committee, more commonly referred to as "LIBE committee"), which appoints a rapporteur (Jan Philipp Albrecht from the Group of the Greens/European Free Alliance party) who is responsible for drawing up a draft report containing amendments to the proposed text. The committee votes on this report and any amendments to it tabled by other members. This is usually the moment when all the lobbying in Brussels takes place, which as we know was immensely important for this text (more than 4,000 proposed amendments!). The Parliament then discusses and votes on the legislative proposal in its plenary session on the basis of the committee report and amendments. The result is the Parliament's position, which in the case of the GDPR was adopted on 12th March 2014. The Parliament's 1st reading position is then forwarded to the Council.
Step 3: 1st reading in the Council
The Council can begin preparatory work in parallel with the 1st reading in Parliament, but it may only formally conduct its 1st reading based on the Parliament's position. The Council can either accept the Parliament's position, in which case the legislative act is adopted; or where the Council does not adopt all the Parliament's amendments or wants to introduce its own changes, it adopts a 1st reading position, which is sent to Parliament for a 2nd reading. This is currently where we stand with the GDPR . The Council is expected to adopt its amendments any time soon. However, it is worth noting that there is no time limit for the Council's 1st reading, which explains why this can take a long time, particularly when the EU Member States disagree amongst themselves on some of the proposals (as is the case with the so-called "one-stop-shop" rule). The Commission may also decide at any time during the 1st reading to withdraw or alter its proposal, although this seems unlikely given the attention that the GDPR has drawn in Europe and abroad.
Step 4: 2nd reading in the Parliament
Upon receipt of the Council's 1st reading position, the Parliament has three months (with a possible extension to four) to examine the Council's position. The Council's position goes first to the responsible committee (LIBE committee), which prepares a recommendation for the Parliament's 2nd reading. In this case, the text to be amended is the Council's 1st reading position rather than the Commission's initial proposal.
The outcome of the 2nd reading can be that the Parliament:
- rejects the Council's 1st reading position. This puts an end to the legislative procedure, which can only be re-launched if the Commission makes a new proposal. However, this has only happened once in July 2005 on the software patents directive.
- fails to vote within the time limit and in that case, the text is deemed to have been adopted in accordance with the Council's 1st reading position.
- approves the Council's 1st reading position without any amendments.
- proposes amendments to the Council's 1st reading position.
In principle, 2nd reading amendments in Parliament are admissible only is they seek to (a) wholly or partly restore the Parliament's 1st reading position; (b) reach a compromise between the Parliament and the Council; (c) amend part of the Council's text that was not included in, or differs in content from, the original Commission's proposal; or (d) take account of a new fact or legal situation that has arisen since the 1st reading. However, if European parliamentary elections have taken place since the 1st reading - which is the case here - the President may decide that the restrictions do not apply. In theory, this broadens the scope of amendments that the Parliament could make on the Council's 1st reading of the GDPR .
Law-making behind the scenes
The EU treaties provide for a 2nd reading in the Parliament and Council and, where both institutions fail to agree on a common position, a Conciliation Committee (composed of an equal number of MEPs and Council representatives) is convened with a view to reaching an agreement on a joint text that is finally adopted in a 3rd reading in Parliament.
In recent years, however, the number of laws that have made it all the way to the Conciliation Committee has dropped significantly and, on the contrary, approximately 80% of law are now agreed after the first reading. In fact, most of the law-making now takes place behind the scenes. The so-called "trilogues" are not mentioned anywhere in the EU treaties, but are specifically designed to speed up the legislative procedure.
The way it works is that when the co-legislators are aiming for a 1st reading agreement they will then organise informal meetings that are held behind closed doors and are attended by representatives of the Parliament (rapporteur and, where appropriate, shadow rapporteurs), the Council (chair of the working party and/or Coreper), and the Commission (department responsible for the dossier and the Commission's Secretariat-General). This is aimed at ensuring that the Parliament's amendments adopted in plenary are acceptable to the Council. The Commission typically plays the role of a mediator or facilitator in respect of these compromise texts. However, due to its permanent staff of highly-qualified officials, the Commission is better equipped in terms of resources and expertise than the two other institutions to impose its view during these negotiations.
In conclusion, things will certainly accelerate once the Council adopts its 1st reading position, which is excepted at some point this year following the Justice and Home Affairs Council on 15-16 June. The question remains whether the Council and Parliament will succeed to reach a common position during the trilogues, in which case a swift adoption of the GDPR in 2016 (or possibly even end of 2015) seems possible. Otherwise, the adoption of this text could be pushed to the end of 2016 or 2017 if the legislative procedure continues all the way to the Conciliation Committee, which isn't completely unfounded given the strong divergences around this text. Only time will tell…
This article was first published in the IAPP's Privacy Tracker.