On 15 June 2015, the Ministers of the Council of the European Union (the "Council") agreed upon a global approach to the European Commission's proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, the "Regulation"). This agreement represents an important step towards the adoption of the Regulation initiated three years ago.
In light of the new challenges brought for the protection of personal data by the digital age, the rules governing data protection within the EU, adopted in 1995, along with the Directive on the protection of individuals with regard to the processing of personal data and on the free movement of such data, appeared to be outdated. Therefore, in 2012, the European Commission proposed a new legal framework for the protection of personal data in the EU, consisting of two legislative proposals: (i) one for the General Data Protection Regulation and (ii) the other, for a Directive of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data (the "Police Directive"). The aim of the latter Regulation proposed by the European Commission is to strengthen data protection rights of individuals and boost Europe's economy in the digital single market.
However, given that the proposal of the European Commission must follow the "ordinary legislative procedure" (co-decision) before taking effect, the text of the Regulation has not been adopted as of date, three years after the proposal was made.
The ordinary legislative procedure
According to Article 294 of the Treaty on the Functioning of the European Union, the European Commission has the exclusive right of legislative initiative. The proposed text must then be adopted jointly by the European Parliament and the Council.
The European Parliament first examines the text and decides whether to adopt (with or without amendments) or to reject the proposal. The Council subsequently takes position on the text and communicates it to the European Parliament. If a consensus is not reached by the two institutions, a second reading takes place. In the event it is not fruitful and a subsequent conciliation committee does not reach an agreement either, a third reading must follow.
An overview of the evolution towards the adoption of the Regulation
On 12 March 2014, the European Parliament strongly endorsed the European Commission's proposal at first reading, with some amendments, and thus, gave its support to the data protection reform. However, the revised version of the text communicated to the Council has raised objections from the latter, regarding some of the provisions. In order for the procedure to move forward, the Council had to reach an agreement on the full text which, in practice, implies political agreements with Member States. On 15 June 2015, over a year after the adoption of the European Commission's proposal by the European Parliament, the Council finally approved a compromise text.
In the end, the three European institutions, namely the European Commission, the European Parliament and the Council, agree on the founding principles of the data protection reform, i.e. (i) a single and comprehensive set of European rules on data protection applicable in all Member States, (ii) reinforced rights to ensure control by individuals over their personal data, including the "right to be forgotten", (iii) same rules for companies based within and outside the EU and (iv) the establishment of a "one-stop shop" mechanism for businesses and citizens.
The Article 29 Working Party also reached a common position regarding core topics (definitions, scope of application, main principles, data subjects' rights, powers of data protection authorities and governance model) which was welcomed by the three European institutions.
Nevertheless, sources of disagreement still persist and will have to be addressed during the final negotiation rounds for the adoption of the Regulation. These relate namely to the functioning of the "one-stop shop" mechanism, the erosion of the purpose limitation principle owing the possibility of incompatible further processing with a "legitimate interest" basis, consent requirements, the fines imposed for breach of data protection law, the reduction of data subjects' rights, the broadening of the so-called "household exemption", data minimization, the pseudonymisation of personal data, the introduction of a risk-based approach, the rights and obligations of data controllers and data processors, amongst others.
In the pipeline
The so-called "trilogue" discussions, which are between the three European institutions, can now begin, with the aim of determining a final version of the Regulation. During the first trilogue meeting held on 24 June 2015, the three institutions established a 'flexible' roadmap for further meetings to discuss step-by-step the text of the Regulation. The objective will be to conclude negotiations by the end of 2015, for the Regulation to enter into force two years later. The next trilogue meeting is expected to take place in July. Nevertheless, as there is no time limit to the trilogue negotiations, it is difficult to set a reliable and definite timetable. It is noteworthy that the adoption of this Regulation has already been postponed several times. In parallel, the other objective is to reach consensus over the Police Directive in October 2015.