The European Legislative Process

The General Data Protection Regulation passed through the Ordinary Legislative Procedure within the relevant Union legislative bodies. As the name suggests, this is the most common form of legislation creation — 89% of all proposals between 2009 and 2014 underwent this process. The following outlines the parties involved, what the regulation went through, and how it became law.

There are three European authorities officially responsible for the legislative process, and two advisory bodies worth noting for their specific relation to data privacy.

European Commission

The European Commission is the EU's executive body. It represents the interests of the European Union as a whole through a total of 28 commissioners, one from each member state, and 23,000 staff members. The body works on the basis of collective decision-making to propose legislation, enforce European law (with the help of the Court of Justice), represent the EU internationally, set objectives, and manage EU policies and the budget.

European Parliament

The European Parliament is the only body whose members are directly elected by the citizens of the EU. Its aim is to preserve democracy and represent the interests of the people. It holds powers over passing legislation, the EU budget, and the President and appointments of the Commission. It is made up of 751 members, elected to five-year terms, with representation based upon the population of each member state.

Council of Ministers of the European Union

The Council represents the governments of each member state. It shares the power of adoption for legislation and the budget with Parliament, and coordinates policy for the individual member states as well as foreign and security policy for the Union. Based on proposals from the Commission, the Council is the authoritative body to conclude and sign off on international agreements.

Article 29 Data Protection Working Party

The Article 29 Working Party is an advisory body set up under the Data Privacy Directive 95/46/EC, composed of representatives of the national data protection authorities (DPAs), the EDPS and the European Commission. Its role is to advise the Commission on general data protection matters and promote the uniform application of the Data Protection Directive across the EU.

European Data Protection Supervisor

The European Data Protection Supervisor is the independent supervisory authority set up in 2014 by the Parliament and Council to advise EU administrations on the processing of personal data, supervise these bodies to ensure compliance, handle complaints and monitor new technologies related to the processing of personal data.

How the procedure works

The process begins with a proposal by the Commission, which is to be adopted, rejected, or amended through a process of co-decision between the Parliament and the Council. The Parliament makes its first reading, accepting or amending the proposal, before passing it to the Council for its own first reading. If the Council adopts the Parliament's position, the legislation is passed; if there are further amendments, all three bodies meet for the Trilogue negotiations. The GDPR was initially proposed by the Commission in January 2012, amended by the Parliament in March 2014, and amended by the Council in June 2015. A political agreement was reached on 15 December 2015, and the regulation became directly binding throughout the EU following the two-year grace period.

The GDPR is a regulation, which is immediately applicable across the Union — rather than a directive, which must be transposed into national law by each individual member state.