Skip to content


Making sense of our connected world


Making sense of our connected world

emma-frances-logan-356717-unsplash Cropped

The making of the EU’s Data Protection Regulation

31 January 2013

As anyone who deals with draft bills knows, those involved need to have a lot of staying power. The proposed European Data Protection Directive is a case in point. Ever since the EU Commission in Brussels tabled its initial draft regulation (Verordnungsentwurf (PDF)) in January 2012, there have been countless public discussions, debates and negotiations, for example as to whether the regulations should apply to an equal extent to public and private data processors or under which circumstances data processors have a “legitimate interest” in saving personal data without the explicit consent of the person concerned. Also: Which penalties should be imposed for violating the rules and for which offences can people be prosecuted in the first place?

It helps to take a look at how the legislation process works on EU level and what stage the reform of the Data Protection Regulation has reached, in order to find one‘s way through this maze of discussions.

The triad of EU institutions involved in the legislative process: the European Commission, European Parliament and the European Council

In legislative procedures of this kind, the European Commission has what is referred to as the power of initiative, with which a legislation process commences. It availed itself of this right at the beginning of 2012 by tabling the aforementioned draft data protection regulation. Regulations are powerful instruments in the EU because they take immediate effect in all Member States – as opposed to directives, which first have to be implemented in the form of national laws. A Data Protection Directive has been in existence since 1995, from the early days of the Internet, in other words.

The Regulation, however, can only be passed when both the Council of the European Union and the EU Parliament have voted in favour. The Council comprises the representatives of all 27 Member States, whereas the EU Parliament is elected by the European citizens. The two committees have a maximum of three attempts (readings) of the regulation. If no consensus is reached, a meeting of the Conciliation Committee is convened.

The Council and the Parliament are currently reviewing the draft bill submitted by the Commission and working on amendments. Feedback can be expected in March. But how do the numerous contributions to the text and all the contrasting opinions evolve to become a Regulation?

Who is working on the text?

The Parliament

There are five Parliamentary panels discussing the Data Protection Regulation, each submitting their relevant arguments. The Civil Liberties, Justice and Home Affairs Committee (LIBE) plays a leading role. It also provides the Rapporteur: Jan Philipp Albrecht of the Green Party (Die Grünen). It is Albrecht’s responsibility to collate the opinions put forward by the participating committees and assemble them as far as possible and in such a way that the report submitted by his committee may serve as a proposal to be put to the vote at the next parliamentary session.

The first draft put forward by Albrecht on 16 January 2013 accordingly attracted a great deal of media interest. But it is still only a draft proposal. Observers point out that some of the statements issued by the other four panels contained opposing views which Albrecht had failed to address. In the end, the individual stances on the question of consent, for example, differed widely. So the next few weeks leading up to the indicative vote of the LIBE Committee scheduled for the end of March are very important. By then it is hoped that a more cohesive text will be available.

The Council

There is just one working group that deals with the Data Protection Regulation in the Council of the European Union, but it consists of representatives from all 27 countries: the Working Party on Information Exchange and Data Protection (DAPIX). The group operates under Ireland’s EU Presidency and is reportedly organising the process in a very determined manner. The Irish Government sees the genesis of a Data Protection Regulation as a precondition for promoting the European online market – one of the goals it has set itself for its term of presidency.

For the time being, meetings take place on desk officer level in order to obtain an insight into the different points of view – although, admittedly, no agreement on individual aspects has so far been forthcoming. The first joint official statement is not likely to be issued by the EU Council until March.

Springtime – time to show one’s colours

We will have to wait until the spring to find out who is forming a coalition with whom on the subject of data protection and whether the EU Parliament and Council will back the same wording for the Regulation. To speed matters up, the two committees want to arrange another meeting to negotiate critical issues in a smaller circle (Trialogue) before the text is read out in Parliament for the first time.

Ultimate clarity in data protection remains improbable

Anyone who thinks that there will be less talk about data protection once the first European Data Protection Regulation has been passed – perhaps in 2014 – is mistaken, however. Because, at the latest when local courts have to rule on the first incidents and problems crop up when it comes to interpreting the norms, they will pass the cases on, and it will be up to the European Court of Justice to provide clarity.

This post represents the view of the author and does not necessarily represent the view of the institute itself. For more information about the topics of these articles and associated research projects, please contact

Uta Meier-Hahn

Former Associated Researcher: The evolving digital society

Sign up for HIIG's Monthly Digest

and receive our latest blog articles.

Our Journals

Future Events

Further articles

Call for Participation: Be part of it and give young committed people a voice!

Am Dialogtag: Stärkung für junges und digitales Engagement erhalten junge Menschen die Möglichkeit, sich über alltägliche Herausforderungen und Forderungen in Bezug auf ihr freiwilliges Engagement auszutauschen. Dabei treten sie mit…

Man with a lot of post its on his face

Working from Home but Never Alone: Why People Analytics Have to Be Designed with the Employee in Mind

Remote working challenges management, employees and works councils alike. People analytics could offer support, but only if the software is designed with the employees’ well-being and privacy in mind.

We need to talk about data – New report reframes the debate around data sovereignty

The dueling slogans: “free flow of data” and “data sovereignty” actually prevent seriously addressing the complex challenges of cross-border data flows. A report, released this week by the Internet &...