2016-01-30_GDPR_history

 

On 28 January 2016: The 47 countries of the Council of Europe as well as European institutions, agencies and bodies celebrated the 10th annual European Data Protection Day which marks the anniversary of the Council of Europe's Convention 108. The series of events dedicated to this anniversary included a conference co-hosted by the European Parliament and the European Data Protection Supervisor for EU officials on the EU data protection reform.

On 21 December 2015: The European Commission published a fact sheet containing frequently asked questions and answers regarding the European Data Protection Reform Package on basis of agreement the European Parliament and Council have reached recently.

On 18 December 2015: The Permanent Representatives Committee (Coreper) confirmed with an overwhelming majority (only one vote against) the compromise texts agreed by the Council, Parliament and Commission on 15 December. After a legal-linguistic review of the texts, they will be submitted for adoption by the Council and, subsequently, by the Parliament. The General Data Protection Regulation (and the Directive on Data Transfers for Policing and Judicial Purposes) are likely to enter into force in spring 2018.

On 17 December 2015: The European Parliament’s Committee for Civil Liberties, Justice and Home Affairs committee (LIBE) formally adopted the result of the trialogue negotiations on the General Data Protection Regulation (GDPR). With an overwhelming majority (48 in favor, four against, four abstentions) the LIBE committee approved the GDPR text including provisions on clear and affirmative consent, children on social media, right to be forgotten, the right to know when your data has been hacked, plain language and fines of up to 4 percent of firms' total worldwide annual turnover.

On 15 December 2015: A critical milestone has been achieved in the trilogue between the EU Commission, Council and Parliament regarding the European Data Protection Reform: Lead negotiators of the Parliament and the Council which in the past adopted different positions on various topics agreed on a common version of the GDPR and the Directive on Data Transfers for Policing and Judicial Purposes.

On 9 December 2015: While U.S. and EU countries are discussing ways to improve the speed and scope of sharing data in the wake of attacks on Paris, California and a Russian passenger plane, U.S. Attorney General Loretta Lynch warned that the planned European Union data protection law could undermine efforts to thwart terrorist attacks by restricting transatlantic information sharing.

On 12 November 2015: The moving picture “Democracy – Im Rausch der Daten” was released in Germany showing the endurance and hard work of Viviane Reding, Jan-Phillipp Albrecht, Ralf Bendrath and others in making the dream of a revised data protection framework for the European Union come true.

On 9 October 2015: European Data Protection Supervisor Giovanni Butarelli updated his previously published Opinion 03/2015 on the GDPR and highlights trust as a necessary precondition for innovative products and services that rely on the processing of personal data and that the General Data Protection Regulation needs to be a blueprint for an ethical approach.

On 27 August 2015: Politico reported that a broad industry coalition is lobbying the European Union to strike out article 43a of the draft GDPR that could force companies to deny requests for personal data from non-member countries. The EU Parliament had added the so called “anti-FISA” clause to the draft in the wake of Edward Snowden’s surveillance disclosures (the Council had not included the clause in its preferred text for the regulation).

On 27 July 2015: European Data Protection Supervisor Giovanni Buttarelli sent his recommendations (Opinion 3/2015) to the EU co-legislators negotiating the final text of the GDPR and launched a mobile app to compare the latest texts from the Commission, the Parliament and the Council more easily on tablets and smartphones.

On 24 June 2015: The Commission's original proposals for the Data Protection Reform have been scrutinized and amended by law makers in both the Parliament and Council. Now, representatives from the Parliament, Council and Commission met in Brussels and started the so called “trilogue” aiming at finalization of the wording of the GDPR in mutual agreement.

On 15 June 2015: The Council reached a general approach on the GDPR. A general approach represents a political agreement on the basis of which the Council can now begin negotiations with the European Parliament with a view to reaching overall agreement on the GDPR.

On 7 January 2015: Jan-Philipp Albrecht, German Member of the EU Parliament and rapporteur on the GDPR, issued a warning that the GDPR could be delayed until 2016 due to interferences from Germany, France and the UK which were holding up progress for different national reasons. Albrecht warned that failure to agree to the GDPR would encourage and increase snooping of security services on citizens in Europe.

On 10 October 2014: The Council reached a partial general approach on specific aspects of the draft regulation setting out a general EU framework for data protection (namely chapter IV on controller and processor). The partial general approach includes the understanding that a) nothing is agreed until everything is agreed, b) it is without prejudice to any horizontal questions, and c) it does not mandate the presidency to engage in informal trilogues with the European Parliament on the text.

On 12 March 2014: The European Parliament demonstrated strong support for the GDPR by voting in plenary with 621 votes in favor, 10 against and 22 abstentions. Following the European Parliament vote, progress on EU data protection reform which is assumed to ensure more effective control of people over their personal data is considered irreversible.

On 28 January 2014: EU Vice-President Viviane Reding calls for a new data protection compact on European Data Protection Day 2014 in order to rebuild trust in the digital economy in general and transatlantic flows of personal data in particular. Considering the fact that some companies and governments continue to see data protection as an obstacle rather than as a solution to the challenges of the digital age, she demands to move away from the lowest common denominator towards a high level of protection of personal data.

On 21 October 2013: EU Parliament’s Committee on Civil Liberties, Justice and Home Affairs (LIBE) voted to adopt the compromise draft for the GDPR which provides multiple amendments, some of which are significant in comparison to the original draft prepared by the European Commission in January 2012 (e.g., significantly increased sanctions, extended territorial scope, third country data transfers, limits on profiling, Data Protection Officer). The compromise draft was accepted by an overwhelming majority (49 in favor, one against, and three abstentions) of the LIBE Committee which gave a mandate to the Rapporteur Jan-Phillip Albrecht to negotiate the compromise draft with the Council of the EU.

On May 14 2013: London Economics published the results of an independent survey commissioned by the UK Information Commissioner’s Office to help understand the challenges that the European Commission’s proposed GDPR may present businesses. Of the 506 businesses surveyed, 87 percent of respondents were unable to estimate the likely cost of complying with the requirements of the proposed regulation, and 82 percent of respondents were unable to quantify their current spending on data protection compliance.

On 28 January 2013: EU’s Justice Commissioner and Vice-President Viviane Reding on European Data Protection Day 2013 highlights that we live in a digital world in which personal data has enormous economic value. In this digital world, European businesses need to take advantage of the new computing and information-sharing landscape and European consumers need to be able to navigate safely though the digital age. Thus, a uniform and modern data protection law for the European Union needed to secure trust and generate growth in the digital single market.

On 25 October 2012: The Council took note of the state-of-play on the General Data Protection Regulation. In particular, the choice of legal instrument was raised during the debate: Some delegations expressed their preference for a directive instead of a regulation since it allowed for more flexibility where this was needed. However, some other delegations preferred the choice of a regulation, as proposed by the Commission.

On 5 October 2012: The Article 29 Data Protection Working Party published its Opinion 08/2012 as further input on the data protection reform discussion (WP199), which deals specifically with the definition of personal data, the notion of consent and the proposed delegated acts

On 2 September 2012: The European Parliament published a study entitled “Reforming the Data Protection Package” which was conducted by a Polish law firm and German academics from the European Legal Studies Institute and highlighted improvements as well as relevant shortcomings in the GDPR regarding new technologies and services, the internal market dimension, the rights of the consumer and international data transfers.

On 12 April 2012: German Member of the European Parliament and Committee for Civil Liberties, Justice and Home Affairs (LIBE) Jan Philipp Albrecht was officially appointed as rapporteur of the European Parliament for the General Data Protection Regulation.

On 23 March 2012: The Article 29 Data Protection Working Party published its Opinion 01/2012 as initial input on the data protection reform discussion which welcomes the reinforcement of the position of data subjects, the enhancement the responsibility of controllers and strengthening of the position of supervisory authorities, both nationally and internationally bearing the potential to significantly reduce the existing fragmentation and strengthen data protection across Europe.

On 21 February 2012: EurActiv reported that the United States had been very active in trying to amend the draft legislation to protect the interest of US companies operating in the EU and that as a consequence of this pressure, the text proposed by the Commission was significantly amended, before it even reached the European Parliament and the EU Council for consideration.

On 25 January 2012: The European Commission proposed a comprehensive reform of the EU's 1995 data protection rules to strengthen online privacy rights and boost Europe's digital economy. Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In parallel with the proposal for a General Data Protection Regulation (5853/12), the Commission adopted a Directive on Data Processing for Law Enforcement Purposes (5833/12).

On 17 November 2011: At the opening session of the 35th Privacy Conference of the German Association for Data Protection and Data Security (GDD), Paul Nemitz, Director for Fundamental Rights and Citizenship of the European Commission, announced that the European Commission plans to implement a Regulation that is directly applicable to all EU Member States, to harmonize data protection laws in Europe.

On 22 June 2011: Under the lead of German Member of the European Parliament Axel Voss, the Committee for Civil Liberties, Justice and Home Affairs (LIBE) adopted a proposal on 'A comprehensive approach to personal data protection in the EU' as a reaction to the communication from the Commission on the future of European Data Protection Law. The key topic is the amendment of the existing Data Protection Directive 95/46/EG.

On 4 November 2010: The European Commission sets out strategy on how to protect individuals' data in all policy areas, including law enforcement, while reducing red tape for business and guaranteeing the free circulation of data within the EU. This policy review is meant to be used by the Commission with the results of a public consultation to revise the European Data Protection Directive.

On 1 December 2009: The Article 29 Working Party (WP29) and the Working Party on Police and Justice (WPPJ) released the “Future of Privacy” paper as a response to the invitation for consultation by the European Commission on the new challenges for personal data protection. Main principles of data protection are considered still valid despite the new technologies and globalisation. However, the paper highlights that the level of data protection in the EU can benefit from a better application of the existing data protection principles in practice and modernization of the legal framework.

On 19 May 2009: The European Commission kicked off a conference dedicated to the use and protection of personal data and to examining new challenges for privacy including but not limited to matters of data protection in a globalised world with increased mobility and in the wake of modern communication and information technologies, data exchange by public authorities and private companies and international transfers of personal data in the context of cloud computing.

On 24 October 1995: The European Data Protection Directive (officially: Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data) was created as an essential element of EU privacy and human rights law. The directive came into force on 13 December 1995 and required EU member states to implement the corresponding provisions in national law by 24 October 1998.

On 28 January 1981: The treaty regarding the protection of individuals with regard to automatic processing of personal data was signed as Council of Europe Convention 108 and went into effect on 1 October 1985. All 47 members of the Council of Europe have ratified the treaty, except Turkey.

Note from the Author: For the sake of a clear focus on the GDPR and keeping the history hereof brief indeed I have abstained from adding some elements to this list which one may consider worth to be mentioned but missing here e.g. any trialogue or LIBE meeting as well as any discussion on some partial aspects of the GDPR (e.g. one stop shop, right to be forgotten, role of the DPO). Furthermore, one may notice that for the same reason I have given reference to the Directive on Data Transfers for Policing and Judicial Purposes (though being part of the Data Protection Reform Package like the GDPR) on a selective basis only.