Whither EU data protection reform? The current position and outlook | Practical Law

An article on the future of the proposed changes to the EU data protection framework.

Practical Law UK Articles 5-568-8407 (Approx. 8 pages)

by Rosemary Jay, Hunton & Williams LLP
Published on 22 May 2014 | European Union

Introduction

At its plenary session on 12 March 2014, the European Parliament (EP) adopted two draft legislative resolutions on the data protection reform proposals adopted by the European Commission (Commission) in January 2012 (see Legal update, European Parliament vote approves draft data protection regulation). The resolutions were put to it by the Committee on Civil Liberties, Justice and Home Affairs (LIBE Committee). They related to the proposed General Data Protection Regulation (Regulation) and the proposed Data Protection Directive intended to regulate data held for the purposes of policing and associated activities. The resolution on the Regulation was strongly supported with 621 votes in favour, 22 abstentions, and only 10 votes against, while the proposed Directive was supported by a much narrower majority with 371 votes in favour, 30 abstentions, and 276 votes against.
Viviane Reding, the EU Commissioner who heads the directorate responsible for the instruments, promptly hailed the votes as a "strong signal" and an "unequivocal" message in favour of the proposed data protection reform, and as making progress on the reforms "irreversible". Ms Reding is a strong supporter of modernising the data protection framework and has invested significant political capital in bringing the reform package to completion. However, this assessment is based on the prevailing mood and the distribution of seats in the current EP. Given the possibility of a significant move towards a much more Eurosceptic EP following the May 2014 elections, more dispassionate observers may doubt that success in the plenary vote at first reading makes the process of reform "irreversible".
In reality, the outcome of the legislative process on the reform package remains unclear. In this piece we briefly set out the background to the reform proposals, focusing specifically on the Regulation, explain the procedure and the timescale for the legislative process, describe the political context, and explore some of the main areas of tension and the likely outcome.

Background

Since 1995 data protection in the European Union has been subject to law driven by Brussels. The 1995 Data Protection Directive (1995/46/EC) (Directive) sets the general standards for the protection of personal data in the EU and was implemented by national law in all the member states. It is a truism that law chases technology and by the turn of the century there were rumblings that the Directive was failing to keep pace with the changing world. These rumblings grew more and more persistent as social media took hold, mobile apps became commonplace, and surveillance technologies became pervasive. The fact that online services can be offered to EU citizens from outside Europe, and hence outside the reach of its data protection law, has caused significant concern to many EU regulators and politicians.
Within the EU, aspects of the Directive have been implemented and interpreted differently between member states. In addition, there are differences between the administrative procedures imposed by local regulators and differences between enforcement approaches and penalties in different states. As a result, the pattern of data protection regulation across the EU remains variable, presenting problems for those businesses which operate across borders. The possibility of wholesale reform came with the coming into force of the Treaty of Lisbon in December 2009. Under the Treaty, there is a new basis for legislation at EU level in Article 16(2) of the Treaty on the Functioning of the European Union (TFEU).
Between 2009 and 2012 the Commission undertook public consultations, surveys and studies on the possible reform of the data protection regime and in January 2012 published its proposals for reform in the proposed Regulation and Directive (for more information, see Practice note, EU data protection regime proposals: analysis and noter-up).
Since its publication, the Regulation has been proceeding slowly through the legislative framework. The plenary vote is an important milestone but there is still a long way to go before it becomes law.

Legislative process

The procedure for the adoption of the Regulation is the ordinary legislative procedure of the Union (Article 294, TFEU). The Parliamentary process is set out in the European Parliament Rules of Procedure.
Following the first reading of a proposal in the EP, the European Council (Council) will normally consider the proposal and adopt its own text, referred to as its "common position". The Rules of Procedure further provide for the Commission to comment on the amendments proposed by the EP and to make alternative proposals. In order to shorten the legislative procedure, the European institutions will often attempt to achieve consensus at this stage in so-called "trilogues" between the EP, the Council and the Commission. This seeks to ensure that the position eventually adopted by the Council is one that the EP is likely to adopt immediately in its second reading without further amendments. If consensus between the three institutions cannot be achieved at this stage, the Council is likely to adopt its own common position, which the EP will normally refer back to the reporting committee for further review and comment. Any additional changes proposed by that committee will then be voted on in second reading. Until that point, the potential for informal agreement between the three bodies continues to exist.
The relatively tight time periods prescribed by the procedural rules can be extended slightly but not indefinitely.
For information about the EU legislative procedure, see EU toolkit, EU legislative procedures.

State of play

As noted earlier, the EP has now completed its first reading, in which it accepted the extensive amendments proposed by the LIBE Committee. This part of the process took over two years from the date that the LIBE Committee was announced as the responsible committee. In the context of the formal legislative procedure, the EP will now be limited to commenting on and reviewing any amendments made by the Council. Until the Council adopts its common position, the EP will not be able to adopt further amendments of its own volition. However, in practice, it is likely that informal trilogues between the three institutions will commence as soon as the Council has agreed its own negotiation position. The proposals are therefore not, as claimed by Commissioner Reding, "irreversible", but are instead liable to continued intense political negotiations. This means that there are ample opportunities yet for the instrument to fall, or for further amendments to be made before it is finally agreed.
The Commission has not yet exercised its right to comment on the EP's amendments. At this stage it appears to be content with the text adopted by the EP in first reading, although there is no entry in the Prelex file (on which the record of the legislative process is maintained) stating the Commission position (agreement, partial agreement and so on). This also leaves open the possibility that the Commission may publish a modified legislative proposal if it considers that necessary to keep the process moving.
At the time of writing, the Council has not concluded its first reading. It should be noted that no mandatory timescales are applicable at this stage of the proceedings. Unlike the EP, which was motivated to conclude the first reading before the recess for the Parliamentary elections in May 2014, the Council has no external pressure to conclude its first reading. Having said that, political pressure does of course exist, particularly in countries like Germany that are traditionally deemed to be privacy-conscious. Nevertheless, the Council has not given any undertakings to adhere to a hard timescale despite some press reports which have interpreted the conclusions reached at its meeting in October 2013 in this way. At the time, the Council concluded that:
"[t]he timely adoption of a strong EU General Data Protection framework […] is essential for the completion of the Digital Single Market by 2015."
However, one could argue that this was not actually a commitment to conclude the data protection package by that date and might be best regarded as a general statement of aspiration rather than an actual deadline. This means that both the timing and the content of the Regulation remain subject to political machinations both at national and EU level with all three EU institutions and several member states interpreting events to suit their own agenda. Although there are various press reports and blogs which suggest that the package will be agreed by 2015 and come into force in 2017, in reality there is no firm timetable in place and the deliberations of the Council continue at the time of writing.

Council position

The Council working group on the package has held a significant number of meetings to review the instruments and produced a number of thoughtful papers and suggested amendments. The Council's mantra in this context has been that "nothing is agreed until everything is agreed". The papers and suggested amendments which have been published cannot therefore be said to constitute its last word. They do, however, demonstrate those areas which are of concern and where there has been significant work.
The working group reported to the Council in December 2013. The report of that meeting stated that three main themes were considered by the Council:
  • The extent of the delegated and implementing acts allowed to the Commission under the drafts.
  • The administrative burdens which the new regime would bring.
  • The impact on the public sector.
The "one stop shop" proposal for the regulation of companies which operate in more than one EU country has been one such area. The essence of this concept is that a company which has operations in several member states should have a primary, if not exclusive, relationship with one "lead" regulatory authority rather than having to deal with regulators in each state in which it operates. The nature of such a relationship, the role and powers of the lead regulator and the impact on other regulators have proved to be contentious issues. The Council published a working paper on 14 October 2013 on the role of supervisory authorities and the appropriate allocation of exclusive or shared powers between supervisory authorities. However, there remain very different views between member states. Some are deeply opposed to the principle of regulators being able to deal with problems of non-compliance affecting citizens in other countries. Others are concerned about not being able to take enforcement action where controllers based in other member states process their citizens' personal data. In December 2013, the legal adviser to the Council provided an opinion in which he doubted the legality of the one stop shop proposals under EU fundamental law. This contradicts the advice of the Commission's legal service, which argues that the one stop shop as proposed does meet EU requirements. This argument over the legality of the proposals will increase the difficulty of finding a consensus between the different interest groups on this point.
The position of the public sector under the Regulation remains a further thorny issue, particularly from the German perspective. The fact that a regulation is of general application and lays down mandatory standards for all processing would remove the power to impose specific requirements in some or all parts of the public sector in Germany. It could also remove at least some of the public sector's data processing activities from national judicial oversight. This makes the measure unpopular within Germany, where citizens have traditionally placed great faith in their national courts.
The Council has also expressed its reservations with the extent of the powers reserved to the Commission and with the complexity of the new rules and potential burden on business. The concern regarding the Commission's powers is shared by several other EU players, including the European Data Protection Supervisor, the Article 29 Working Party and the EP. In fact, many of the amendments adopted by the EP in its first reading already address this issue, although it cannot be ruled out that the Council will propose a further tightening of the relevant provisions. The decisions on which delegated and amending acts to accept and reject and how far it is possible to provide more flexibility for the public sector will be determined as part of the working party’s final report.
With regard to the question of complexity and regulatory burden, the Council working group reported that there was a "large consensus" that a more risk-based approach should be followed to reduce the administrative burden and the compliance costs on companies.
Work has continued in the Council working group since January 2014. The most recent meeting of the Justice and Home Affairs Council was held in Brussels on March 3 and 4, 2014. The data protection reform package was on the agenda for ministers. The press release issued after the event (Council: Press release) reported that there had been a policy debate on several aspects of the proposal:
  • Territorial scope, on which there was broad support for the existing provisions.
  • International transfer, on which more technical work is required and alternative models for data transfer will need to be studied in depth.
  • Pseudonymisation as an element of the risk-based approach to regulation, which the working group will continue to address on a technical level.
  • Portability of personal data, which the working group will continue to address on a technical level.
  • Obligations of controllers and processors, which the working group will continue to address on a technical level.
  • Profiling, where there was a difference of view between the majority of delegations which consider that the regulation of profiling should be limited to cases where profiling is used to make decisions having legal effects or which significantly affect individuals, and some delegations that wish to have specific provisions on all profiling. It was agreed that work at a technical level should also continue on this aspect.
Work on the draft Regulation is likely to continue under the incoming Italian presidency from 1 July. However, in reality there remains considerable uncertainty over the likely timescale. Even if the Council achieves a negotiating position on all the outstanding issues over the next two months, both the Parliament and the Commission are to be replaced. The impact of this is considered below.

Snowden, PRISM, NSA and others

In legal terms there is minimal, if any, connection between the data protection reform package and the operations of governments in conducting mass surveillance operations. National security is outside the remit of the European Union. It is a matter for member states. Nevertheless, there has been a political impact on the data protection reform package. There appears to have been an increase in support in the EP for the extension of territorial scope under the Regulation. More generally it has been one of the pieces swirling around in the maelstrom of political complaints and resolutions which have followed the Snowden case, in a similar way to the Safe Harbor arrangements for the transfer of personal data to the US (see Article, The future of the US-EU Safe Harbour).
The overt link made between the Snowden case and the reform package is the imperative to re-build and foster trust in the digital economy. The argument runs that Snowden and associated revelations have undermined trust both in the privacy of communication services and the way that governments collect information about individuals. This lack of trust is pervasive. It segues into other areas. As such it also impacts on the use of digital services. Digital services are important for the growth of the digital economy. Therefore Europe needs stronger data protection laws to bolster trust that users’ data will be treated properly in the digital economy.
The political arguments may have been helpful in taking the legislative reform package through the plenary session of the Parliament, but have had no apparent impact on the work of the Council. Whether the surveillance arguments will influence the new Parliament or Commission remains to be seen.

Changes to the European Parliament and the Commission

Members of the EP are elected every 5 years and 2014 is an election year. The last plenary session of the parliament took place in the week of 14 April which ended the work of this current Parliament. The new Parliament will be elected between 22 and 25 May. After the elections, and following the assignment of the new MEPs to the various committees, the new Parliament will begin its work properly in September after the summer recess. It follows that negotiations between the Council and the EP are not going to commence until it is back in legislative harness in September/October.
It has already become apparent that there are significant differences between the views of the Council and the Parliament, for example over the level of fines, the operation of the one stop shop, and the level of administrative burden the Regulation would entail. There is therefore no doubt that the Council will go into potential trilogues with the other two institutions with a text that differs significantly from both the original Commission proposal and the version adopted by the EP in first reading. If the trilogues fail and the Council adopts a common position that has not been pre-approved by the EP’s negotiators, the options for the Parliament will be to reject all the changes proposed by the Council (in which case the instrument will fail), or propose counter-amendments. Any such amendments will take time to debate, draft and agree.
Any revised amendments must then be put to the Commission which must, in its turn, deliver an opinion on the amendments to the Council and the Parliament. It is likely therefore that, by the time the Parliament is ready to put revised amendments forward, a new Commission will be in place because the term of the current Commission finishes in autumn of 2014.
The future of Commissioner Reding is not clear. She will not be staying in her current position as Luxembourg has put forward a new Commissioner, Mr Jean-Claude Juncker. The task of taking forward the work on the reform package will therefore fall to another Commissioner who may, or may not, share the commitment of Ms Reding or her views on the package. Ms Reding is standing as an MEP and, if she is successful, may find herself arguing for the reform package from within the EP.
Again, there will inevitably be a settling in period for a new Commissioner who may wish to make his/her own mark on the package. This is largely unknown at this stage but there will inevitably be internal discussions within the Commission on the more controversial aspects of the package. It seems reasonable to anticipate this will take a couple of months before the Commission can notify its position to the Council.
In the event that the Council does not agree with the EP's position at first reading (which appears likely), and if no consensus can be reached in the context of the trilogues, both the EP and Council will consider the proposals again at second reading. In the event that they still do not reach consensus at second reading, the instruments would then be considered under the conciliation process.
Instruments rarely fail once they have reached the conciliation procedure and there are only a couple of examples of where this has occurred in practice.

Conclusions

As outlined above, the key areas of disagreement between the EP and the Council are likely to include the "one stop shop" mechanism, regulation of the public sector, the powers reserved to the Commission, and restrictions on profiling. Other key areas of contention may include the instrument chosen for the Regulation (some member states maintain this should be re-cast as a directive), the consistency mechanism, and whether the appointment of data protection officers should be mandatory or optional.
Despite Ms Reding's claims of certainty, the future of the Regulation still appears uncertain. In particular, there is no clear path as to timing. It is also difficult at this stage to gauge the extent of the differences between the EP's position and that of the Council. To date, the Council has published a number of draft notes on various aspects of the Regulation, but these notes do not represent the agreed position of the Council so it is difficult to get an overall sense of where the Council stands and where it will come out on certain issues.
This uncertainty is multiplied by the upcoming changes to the EP and the Commission. The players will not remain the same and, depending on the outcome of the elections, the make-up of the EP may be quite different. This could significantly affect the EP's review of any amendments proposed by the Council.
What is certain is that enormous effort has been expended on the Regulation and politically the stakes are high. It therefore seems unlikely that the instruments will fail entirely and the overall direction of travel can be seen. Whatever the final outcome, the Regulation looks set to mark a game-changing departure from the current Data Protection Directive.
Rosemary Jay is a senior associate at Hunton & Williams LLP.