New General Data Protection Regulation—Where Are We Are and Where Might We Be Heading?
© Springer Science+Business Media Dordrecht 2015Deborah Mascalzoni (ed.)Ethics, Law and Governance of BiobankingThe International Library of Ethics, Law and Technology1410.1007/978-94-017-9573-9_7
The New General Data Protection Regulation—Where Are We Are and Where Might We Be Heading?
Uppsala University, Uppsala, Sweden
Jane Reichel (Corresponding author)
The current EU Directive on Data Protection,1 has been described as the most far reaching Data Protection regime in the world (Svantesson 2013). Still, the ongoing work within the EU to enact a new General Data Protection Regulation seems to be heading towards an even stricter regime.2 Medical researchers in biobanking and epidemiology have had quite a fright on behalf of the proposal, especially the amendments suggested by rapporteur Albrecht of the European Parliament’s LIBE Committee in December 2012,3 that to a large extent were accepted by the Committee in a October 20134 and the European Parliament in its first reading of the proposal in March 2014.5 In this short overview, the status of the legislative procedures will be addressed, a comment on the consequences of changing the legal form from a directive to a regulation, as well as a brief description of the content of the General Data Protection Regulation relevant to research on health data.
2 The Legislative Process as It Stands in the Spring 2014
The legislative procedure for enacting the General Data Protection Regulation is the ordinary legislative procedure in Article 289.1 and 294 Treaty of the Functioning of the European Union, TFEU. It is a co-decision procedure where the European Parliament and the Council decide jointly on the adoption of a legal act, upon the initiative of the Commission.6 If the European Parliament and the Council agrees on the same text at the first reading, the proposed act is enacted. In other case, the procedure continues with a second and possibly even a third reading, before which a conciliation committee is convened with members from the Council and the Parliament. The Commission continues to be involved throughout the procedure. First, the any amendments made by the Parliament or the Council must be accepted by the Commission, otherwise the Council can only enact the proposal unanimously, whereas otherwise a qualified majority is sufficient (Article 293.1 TFEU). Secondly, as long as the Council has not acted, the Commission may amend or even withdraw its proposal itself at any stage, if the developments are not in accordance with the interests of the Commission (Article 293.2 TFEU).
The process of enacting the General Data Protection Regulation coincides with the elections to the European Parliament in May 2014, and with the appointment of a new Commission later in the same year. This means that there now is a new European Parliament, which will not necessarily find itself bound by the views of the previous parliament. The position of the European Parliament taken on March 12, 2014, in the first reading, might thus be reassessed in later readings. However, the new Parliament can also decide not to start from scratch, but build on the work already done. The next step in the procedures at this point is the first reading of the Council, expected to be held in the summer of 2014. If the Council does not accept the amendments of the Parliament, negotiations between the Parliament and the Council can start. As mentioned above, the procedures can continue into a second and even a third reading. The ambition of the EU legislators is still said to be to adopt the text before the end of the year 2014,7 but there are no guarantees that this timetable can be upheld. Further, according to the original proposal, the regulation shall apply from two years after it has entered into force (Article 90), allowing the Member States some time to make necessary adjustments to national law.
3 Change of Form: From Directive to Regulation
One of the more notable changes from the current situation is the fact that the proposed piece of legislation takes the form of a regulation and not as today, a directive. A regulation is a coherent form of legislation, which is binding in its entirety and directly applicable in all Member States. Directives are, on the other hand, merely binding as to the result to be achieved, but leaves to the Member States the choice of form and methods (Article 288 TFEU). A directive is thus a legislative form carried out in two steps, one European and one national, normally allowing some room for the Member States to adjust the legislation to national conditions, in form and to larger or lesser extent, in regards to content of the legislative act.