From Proposal to Law: EU’s New Data Protection Regulations

30. June 2017 | Drooms Global

Data protection is a big talking point in the modern world. Big security breaches have taken place across the globe, and companies and national governments alike have been found collecting data in ways many people are not comfortable with. People are looking for better protection – indeed, over 90% of Europeans want better data protection across the European Union. The EU has answered these calls. Since 2012, it has been working on its EU Data Protection Reform. In 2018, the EU’s General Data Protection Regulation (GDPR) will come into force. Here’s a look at the timeline for the new rules.


Starting the reforms

The EU’s previous legislation in the area of personal data dates back to 1995. The Data Protection Directive 95/46EC came into effect on 24 October that year. It was created to regulate the way personal data was processed.

In 2011, calls to update the framework started gathering strength. On 25 January 2012, the European Commission introduced its initial proposal for the updated data protection regulation. In February that year, a workshop took place to consider the proposal’s implications and to see how the draft version might be improved. Throughout 2012, national governments issued their resolutions and opinions regarding the new plans.

Moving towards a resolution

The EU and its member states spent a few years discussing the draft version. Things started moving again in 2014, with the most important developments taking place as follows:

  • On 12 March 2014, the European Parliament voted in favour of the new data protection laws in the first reading.
  • On 15 June 2015, the Council of the European Union approved the proposal in its first reading.

As soon as the Council of the European Union approved the proposal, the GDPR was able to move on to a process known as ‘the trilogue’. This involves enhanced scrutiny, final changes and the creation of the final version and timeline for the rules.

Progress speeds up

Once the legislation had entered the trilogue process, things started to move along quicker. The next steps in the timeline were:

  • On 24 June 2015, the overall roadmap for the negotiations was established.
  • On 14 July 2015, the territorial scope and the representatives were identified.
  • In September 2015, the group met up to discuss and outline the following aspects of the rules:
    • Data protection principles
    • Data subject rights
    • Controller and processor
  • In October 2015, the meetings continued with the following topics being covered:
    • Independent Supervisory Authorities
    • Cooperation and consistency
    • Remedies, liability and sanctions
  • In November 2015, the discussion turned to:
    • Objectives and material scope
    • Specific regimes
    • Other remaining open issues from previous meetings
  • In December 2015, the final meetings took place, during which the topics discussed included:
    • Implementing and delegated acts
    • Final provision

Overcoming the final hurdles ahead

The meetings resulted in a final draft version of the proposal, which was then put forward to the European Parliament and the European Council. The approval process moved along swiftly:

  • On 15 December 2015, the Parliament and the Council agreed on the text and outlined the timeline for the official signing.
  • On 8 April 2016, the Council of the European Union adopted the new data protection regulation.
  • On 16 April 2016, the European Parliament followed the Council by adopting the regulation.
  • On 4 May 2016, the GDPR was published in the Official Journal of the European Union.

Once the GDPR was published, it triggered a 20-day countdown after which the regulation entered into force. Following this, a two-year  post-adoption period was triggered, after which it will become fully enforceable throughout the European Union.

Therefore, the official date the regulation will begin to apply will be 25 May 2018. EU member states will have to transpose the directive into their national law by 6 May 2018. For information about the changes, the European Commission’s website has plenty of information regarding what the regulation will mean for individuals and businesses.