Written by: Roxana Lemaire

Just like a fine wine improves with age, so does the GDPR.

January 28 is Data Protection Day, so let’s look back at what started this all: the General Data Protection Regulation, known as GDPR.

How it all started: the Data Protection Directive (1995)

Back when the world of the internet was in its infancy, so was the Data Protection Directive (Directive 95/46/EC). Even in its early days, the Directive was already binding within the EU member states, as it regulated how personal data were to be collected and processed in the European Union. It protected individuals regarding the processing of personal data and the free movement of that data.

Next steps: EDPS’ opinion (2011)

After 16 years of silence, the European Data Protection Supervisor (hereafter EDPS) published an opinion titled “A comprehensive approach on personal data protection in EU” on June 22, 2011. The intention of this Communication was to lay down the Commission’s approach to review the EU legal system for the protection of personal data in all areas of the Union’s activities, particularly considering the challenges from globalisation and new technologies. The goal? Further development of the legal framework on data protection, including data processing by EU institutions and bodies.

From opinion to Proposal (2012)

After the Communication, the ball really started rolling. A year later, in January 2012, the European Commission wrote a proposal to reform the EU’s data protection rules by strengthening online privacy rights and boosting Europe’s digital economy.

Afterwards, on March 7, the EDPS adopts an opinion on the data protection reform package of the Commission. In this opinion, the EDPS questions the relationship between EU and national law, as well as other concerns such as the transfer of data to third countries, administrative sanctions, and restrictions on basic principles and rights.

Two weeks later, March 23, the Article 29 Working Party (hereafter WP29) adopts an Opinion on the data protection reform proposal as well. In the opinion, the WP29 addresses a lack of regulation for collecting and transferring data by private parties or non-law enforcement public authorities, as well as the subsequent use of data by law enforcement authorities.

After a couple of months, on October 5, WP29 provided further input on the data protection reform in an Opinion, to guide the European Parliament and Council on key data protection concepts, such as personal data and consent.

The next milestone: European Parliament adopts GDPR (2014)

Two years after that, on March 12, 2014, we were good on our way to reach a milestone: the European Parliament adopts GDPR. The EP agreed on a heavily amended text that aimed at allowing data subject to exercise their rights and increased the accountability for processors of data. Hereafter, the EP demonstrated strong support for GDPR in a plenary vote with 621 votes in favour, 10 against, and 22 abstentions.

The start of an overall agreement (2015)

A year later, June 15, 2015, the Council reached a general approach on the GDPR. A political agreement was established so negotiations with the European Parliament could start to reach an overall agreement on the new EU data protection rules. The first trilogue was planned for June 24^th.

After the trilogue, the EDPS published its recommendations on July 27^th,  negotiating the final text of the GDPR in a draft of suggestions. The Opinion was an exercise in transparency and accountability so that the legislative form would be a transparent process on one hand. On the other hand, the EDPS addressed the imbalance between innovation in the protection of personal data and its exploitation to ensure effective safeguards in our digitised society. In addition, the EDPS launched a mobile app that compared the Commission’s proposal with the latest texts from the Parliament and the Council.

December 15, 2015 we received an early Christmas gift: the European Council, Parliament, and Commission reached an agreement on the data protection reform. According to the President of the Council, the reform strengthens citizen’s rights while adapting the rules to the digital age for companies and reducing the administrative burden.

An action plan as a base for GDPR (2016)

A new year means new beginnings and actions! In light of the agreement on the data protection reform, the WP29 issued an action plan to implement the GDPR. The action plan consists of guidelines, tools, and procedures to allow the new legal framework to be effective for the first semester of 2018. In the summer of 2016, Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and the free movement of such data was adopted, and repealed Directive 95/46/EC.

Finally, the GDPR enters into force (2016-2018)

May 26, 2016. An important day for all the internet users, and a milestone for the EU. The GDPR enters into force after it was published in the Official Journal of the EU on May 6^th.

However, we all know that improvement is key. On January 10, 2017, the European Commission made a new proposal to improve the existing rules and extend them to all electronic communication providers. The goal was to improve online protection of our private life, as well as opening new opportunities for businesses.

After the first proposal it was time for the Member States to transpose the Data Protection Directive for the police and justice sectors into national legislation, and it was applicable as of May 6^th, 2018. This Directive for the police and justice sectors, known as the Law Enforcement Directive (LED), protects the personal data of individuals involved in criminal proceedings, but it also increases trust and facilitates cooperation by harmonising the protection of personal data by law enforcement in the EU, Member States and Schengen countries.

A couple of days later, a proposal was made for a Regulation of the European Parliament and of the Council on the protection of individuals regarding the processing of personal data by Union institutions, bodies, offices and agencies, as well as on the free movement of that data.

We’ve come a long way, happy Data Protection Day! 

This goes to show that the GDPR has come a long way since it was first proposed in the 1990s. After almost 30 years of continuous development and improvement, the GDPR finally came into effect on May 25, 2018, marking a significant milestone in the history of data protection.

The regulation now aims to give EU citizens more control over their personal data and to unify data protection laws across the EU. It has had a significant impact on businesses and organisations, both in the EU and globally, as they have had to make significant changes to their data protection practices to comply with the new rules.

Overall, the GDPR has played a crucial role in shaping the way we think about and handle personal data, and it will continue to shape the future of data protection for years to come. There is still a lot of work to be done for regulators and data processors alike but one thing’s for sure; the GDPR is here to stay.