With no major legislative milestones since the March 2014 EU Parliamentary vote endorsing the LIBE draft of the new Data Protection Legislation, observers from outside the EU might understandably wonder whether the legislative process has derailed somehow.  But it hasn’t – the train has just pulled over to a siding while the summer break passes.  It will build up a new head of steam when the new Parliament holds its first plenary session in mid-September 2014.

To recap the legislative process, the EU Commission, Parliament and Council all need to agree on the final wording of the new Regulation.  The EU Commission put forth a first draft in 2012 and the Parliament proposed a much more pro-individual draft in March 2014.  It’s now the turn of the Council of the European Union (a non-elected group of representatives of the governments of the 28 Member States of the EU) to consider the draft Regulation and propose its version.  Then a “tri-logue” will follow, during which the three branches of the EU government will try to agree upon a final form of the Regulation.

Some of the delay in finalizing the Regulation is inherent in the EU political process.  However, the delay also has political roots, as summarized in part here by an industry association.

The Council has continued to meet while the Parliament is on break, and a small, but important, piece of the Regulation – the rules governing the transfer of personal data outside of the European Economic Area – has effectively been endorsed by the Council (see my summary here).  However, a number of important issues remain open, including the “one stop shop” approach to regulation.

While much work remains to be done, the general consensus at the moment is that the final version of the Regulation will be adopted sometime in 2015 and come into force in 2017.