A brief history of the General Data Protection Regulation

Ernst-Oliver Wilhelm, CIPP/E, CIPM, CIPT, FIP

On 28 January 2016: The 47 countries of the Council of Europe as well as European

institutions, agencies and bodies celebrated the 10th annual European Data Protection Day
which marks the anniversary of the Council of Europe's Convention 108. The series of events
dedicated to this anniversary included a conference co-hosted by the European Parliament
and the European Data Protection Supervisor for EU officials on the EU data protection
reform.

On 21 December 2015: The European Commission published a fact sheet containing

frequently asked questions and answers regarding the European Data Protection Reform
Package on basis of agreement the European Parliament and Council have reached recently.

On 18 December 2015: The Permanent Representatives Committee (Coreper) confirmed with

an overwhelming majority (only one vote against) the compromise texts agreed by the
Council, Parliament and Commission on 15 December. After a legal-linguistic review of the
texts, they will be submitted for adoption by the Council and, subsequently, by the
Parliament. The General Data Protection Regulation (and the Directive on Data Transfers for
Policing and Judicial Purposes) are likely to enter into force in spring 2018.
On 17 December 2015: The European Parliament’s Committee for Civil Liberties, Justice
and Home Affairs committee (LIBE) formally adopted the result of the trialogue negotiations
on the General Data Protection Regulation (GDPR). With an overwhelming majority (48 in
favor, four against, four abstentions) the LIBE committee approved the GDPR text including
provisions on clear and affirmative consent, children on social media, right to be forgotten,
the right to know when your data has been hacked, plain language and fines of up to 4
percent of firms' total worldwide annual turnover.

On 15 December 2015: A critical milestone has been achieved in the trilogue between the EU
Commission, Council and Parliament regarding the European Data Protection Reform: Lead
negotiators of the Parliament and the Council which in the past adopted different positions on
various topics agreed on a common version of the GDPR and the Directive on Data Transfers
for Policing and Judicial Purposes.

On 9 December 2015: While U.S. and EU countries are discussing ways to improve the speed
and scope of sharing data in the wake of attacks on Paris, California and a Russian passenger
plane, U.S. Attorney General Loretta Lynch warned that the planned European Union data
protection law could undermine efforts to thwart terrorist attacks by restricting transatlantic
information sharing.

On 12 November 2015: The moving picture “Democracy – Im Rausch der Daten” was
released in Germany showing the endurance and hard work of Viviane Reding, Jan-Phillipp
Albrecht, Ralf Bendrath and others in making the dream of a revised data protection
framework for the European Union come true.

On 9 October 2015: European Data Protection Supervisor Giovanni Butarelli updated his
previously published Opinion 03/2015 on the GDPR and highlights trust as a necessary
precondition for innovative products and services that rely on the processing of personal data
and that the General Data Protection Regulation needs to be a blueprint for an ethical
approach.

On 27 August 2015: Politico reported that a broad industry coalition is lobbying the European
Union to strike out article 43a of the draft GDPR that could force companies to deny requests
for personal data from non-member countries. The EU Parliament had added the so called
“anti-FISA” clause to the draft in the wake of Edward Snowden’s surveillance disclosures
(the Council had not included the clause in its preferred text for the regulation).
On 27 July 2015: European Data Protection Supervisor Giovanni Buttarelli sent his
recommendations (Opinion 3/2015) to the EU co-legislators negotiating the final text of the
GDPR and launched a mobile app to compare the latest texts from the Commission, the
Parliament and the Council more easily on tablets and smartphones.

On 24 June 2015: The Commission's original proposals for the Data Protection Reform have
been scrutinized and amended by law makers in both the Parliament and Council. Now,
representatives from the Parliament, Council and Commission met in Brussels and started the
so called “trilogue” aiming at finalization of the wording of the GDPR in mutual agreement.

On 15 June 2015: The Council reached a general approach on the GDPR. A general approach
represents a political agreement on the basis of which the Council can now begin negotiations
with the European Parliament with a view to reaching overall agreement on the GDPR.

On 7 January 2015: Jan-Philipp Albrecht, German Member of the EU Parliament and

rapporteur on the GDPR, issued a warning that the GDPR could be delayed until 2016 due to
interferences from Germany, France and the UK which were holding up progress for different
national reasons. Albrecht warned that failure to agree to the GDPR would encourage and
increase snooping of security services on citizens in Europe.

On 10 October 2014: The Council reached a partial general approach on specific aspects of
the draft regulation setting out a general EU framework for data protection (namely chapter
IV on controller and processor). The partial general approach includes the understanding that
a) nothing is agreed until everything is agreed, b) it is without prejudice to any horizontal
questions, and c) it does not mandate the presidency to engage in informal trilogues with the
European Parliament on the text.

On 12 March 2014: The European Parliament demonstrated strong support for the GDPR by
voting in plenary with 621 votes in favor, 10 against and 22 abstentions. Following the
European Parliament vote, progress on EU data protection reform which is assumed to ensure
more effective control of people over their personal data is considered irreversible.

On 28 January 2014: EU Vice-President Viviane Reding calls for a new data protection
compact on European Data Protection Day 2014 in order to rebuild trust in the digital
economy in general and transatlantic flows of personal data in particular. Considering the fact
that some companies and governments continue to see data protection as an obstacle rather
than as a solution to the challenges of the digital age, she demands to move away from the
lowest common denominator towards a high level of protection of personal data.
On 21 October 2013: EU Parliament’s Committee on Civil Liberties, Justice and Home
Affairs (LIBE) voted to adopt the compromise draft for the GDPR which provides multiple
amendments, some of which are significant in comparison to the original draft prepared by
the European Commission in January 2012 (e.g., significantly increased sanctions, extended
territorial scope, third country data transfers, limits on profiling, Data Protection Officer).
The compromise draft was accepted by an overwhelming majority (49 in favor, one against,
and three abstentions) of the LIBE Committee which gave a mandate to the Rapporteur Jan-
Phillip Albrecht to negotiate the compromise draft with the Council of the EU.

On May 14 2013: London Economics published the results of an independent survey

commissioned by the UK Information Commissioner’s Office to help understand the
challenges that the European Commission’s proposed GDPR may present businesses. Of the
506 businesses surveyed, 87 percent of respondents were unable to estimate the likely cost of
complying with the requirements of the proposed regulation, and 82 percent of respondents
were unable to quantify their current spending on data protection compliance.

On 28 January 2013: EU’s Justice Commissioner and Vice-President Viviane Reding on

European Data Protection Day 2013 highlights that we live in a digital world in which
personal data has enormous economic value. In this digital world, European businesses need
to take advantage of the new computing and information-sharing landscape and European
consumers need to be able to navigate safely though the digital age. Thus, a uniform and
modern data protection law for the European Union needed to secure trust and generate
growth in the digital single market.

On 25 October 2012: The Council took note of the state-of-play on the General Data
Protection Regulation. In particular, the choice of legal instrument was raised during the
debate: Some delegations expressed their preference for a directive instead of a regulation
since it allowed for more flexibility where this was needed. However, some other delegations
preferred the choice of a regulation, as proposed by the Commission.

On 5 October 2012: The Article 29 Data Protection Working Party published its Opinion
08/2012 as further input on the data protection reform discussion (WP199), which deals
specifically with the definition of personal data, the notion of consent and the proposed
delegated acts

On 2 September 2012: The European Parliament published a study entitled “Reforming the
Data Protection Package” which was conducted by a Polish law firm and German academics
from the European Legal Studies Institute and highlighted improvements as well as relevant
shortcomings in the GDPR regarding new technologies and services, the internal market
dimension, the rights of the consumer and international data transfers.

On 12 April 2012: German Member of the European Parliament and Committee for Civil
Liberties, Justice and Home Affairs (LIBE) Jan Philipp Albrecht was officially appointed as
rapporteur of the European Parliament for the General Data Protection Regulation.

On 23 March 2012: The Article 29 Data Protection Working Party published its Opinion
01/2012 as initial input on the data protection reform discussion which welcomes the
reinforcement of the position of data subjects, the enhancement the responsibility of
controllers and strengthening of the position of supervisory authorities, both nationally and
internationally bearing the potential to significantly reduce the existing fragmentation and
strengthen data protection across Europe.

On 21 February 2012: EurActiv reported that the United States had been very active in trying
to amend the draft legislation to protect the interest of US companies operating in the EU and
that as a consequence of this pressure, the text proposed by the Commission was significantly
amended, before it even reached the European Parliament and the EU Council for
consideration.

On 25 January 2012: The European Commission proposed a comprehensive reform of the

EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital
economy. Technological progress and globalisation have profoundly changed the way our
data is collected, accessed and used. In parallel with the proposal for a General Data
Protection Regulation (5853/12), the Commission adopted a Directive on Data Processing for
Law Enforcement Purposes (5833/12).

On 17 November 2011: At the opening session of the 35th Privacy Conference of the German
Association for Data Protection and Data Security (GDD), Paul Nemitz, Director for
Fundamental Rights and Citizenship of the European Commission, announced that the
European Commission plans to implement a Regulation that is directly applicable to all EU
Member States, to harmonize data protection laws in Europe.

On 22 June 2011: Under the lead of German Member of the European Parliament Axel Voss,
the Committee for Civil Liberties, Justice and Home Affairs (LIBE) adopted a proposal on 'A
comprehensive approach to personal data protection in the EU' as a reaction to the
communication from the Commission on the future of European Data Protection Law. The
key topic is the amendment of the existing Data Protection Directive 95/46/EG.
On 4 November 2010: The European Commission sets out strategy on how to protect
individuals' data in all policy areas, including law enforcement, while reducing red tape for
business and guaranteeing the free circulation of data within the EU. This policy review is
meant to be used by the Commission with the results of a public consultation to revise the
European Data Protection Directive.

On 1 December 2009: The Article 29 Working Party (WP29) and the Working Party on
Police and Justice (WPPJ) released the “Future of Privacy” paper as a response to the
invitation for consultation by the European Commission on the new challenges for personal
data protection. Main principles of data protection are considered still valid despite the new
technologies and globalisation. However, the paper highlights that the level of data protection
in the EU can benefit from a better application of the existing data protection principles in
practice and modernization of the legal framework.

On 19 May 2009: The European Commission kicked off a conference dedicated to the use
and protection of personal data and to examining new challenges for privacy including but
not limited to matters of data protection in a globalised world with increased mobility and in
the wake of modern communication and information technologies, data exchange by public
authorities and private companies and international transfers of personal data in the context of
cloud computing.

On 24 October 1995: The European Data Protection Directive (officially: Directive 95/46/EC
on the protection of individuals with regard to the processing of personal data and on the free
movement of such data) was created as an essential element of EU privacy and human rights
law. The directive came into force on 13 December 1995 and required EU member states to
implement the corresponding provisions in national law by 24 October 1998.

On 28 January 1981: The treaty regarding the protection of individuals with regard to
automatic processing of personal data was signed as Council of Europe Convention 108 and
went into effect on 1 October 1985. All 47 members of the Council of Europe have ratified
the treaty, except Turkey.

Note from the Author: For the sake of a clear focus on the GDPR and keeping the history
hereof brief indeed I have abstained from adding some elements to this list which one may
consider worth to be mentioned but missing here e.g. any trialogue or LIBE meeting as well
as any discussion on some partial aspects of the GDPR (e.g. one stop shop, right to be
forgotten, role of the DPO). Furthermore, one may notice that for the same reason I have
given reference to the Directive on Data Transfers for Policing and Judicial Purposes
(though being part of the Data Protection Reform Package like the GDPR) on a selective
basis only.