The European Commission published a proposal to replace the 1995 Data Protection Directive with a directly applicable EU regulation. This started a multi-year negotiation aimed at creating one set of privacy rules across the EU to support the single market and cross-border digital services.
The European Parliament’s Civil Liberties (LIBE) committee took a key “orientation” vote that helped shape Parliament’s negotiating approach. This step mattered because most detailed bargaining on the GDPR text happened through committee amendments before the full Parliament vote.
The European Parliament adopted its first-reading position on the proposed regulation. This moved the file into the next phase, where Parliament’s position could be negotiated with EU governments in the Council to reach a final compromise text.
EU member-state governments, meeting in the Council, agreed on a “general approach,” which is their shared negotiating position. This was a turning point because it enabled formal trilogue negotiations with the Parliament and Commission to begin in earnest.
The Court of Justice of the EU (CJEU) struck down the EU–US Safe Harbor adequacy decision, increasing pressure to strengthen EU rules on data transfers and oversight. The ruling highlighted concerns about government access to personal data and the role of independent regulators.
Representatives of the European Parliament, the Council, and the Commission reached a political agreement on the GDPR’s final direction. This did not yet make the GDPR law, but it largely settled the contested issues so the text could be finalized for formal adoption.
The Council of the European Union formally adopted the GDPR as part of the final EU legislative steps. This adoption, together with the Parliament’s approval shortly after, completed the law-making process and cleared the way for publication and the transition period.
The European Parliament approved the GDPR, confirming the compromise reached in trilogue. With both co-legislators aligned, the regulation could be signed and published as binding EU law.
The GDPR was published in the Official Journal of the European Union, which is the step that makes the final text official and start the countdown to entry into force. Publication also gave organizations a stable, final legal text to begin detailed compliance planning.
Twenty days after publication, the GDPR entered into force, beginning a two-year period before the rules would fully apply. During this time, organizations prepared for new duties like stronger consent standards and expanded individual rights, and regulators prepared enforcement tools.
After Safe Harbor was invalidated, the European Commission adopted an adequacy decision for the EU–US Privacy Shield framework to support transatlantic commercial data transfers. This mattered for implementation because international transfers were a major practical compliance issue for many businesses.
The Article 29 Working Party (WP29), the EU’s pre-GDPR coordinating body for national data protection authorities, published guidance to help interpret new GDPR concepts. Topics included Data Protection Officers (DPOs) and the “one-stop-shop” system for cross-border cases, supporting more consistent implementation.
The GDPR became fully applicable in all EU member states, shifting from preparation to enforcement. From this date, regulators could use GDPR powers and penalties, and organizations had to follow the regulation’s requirements in day-to-day operations.
With GDPR applicability, the European Data Protection Board (EDPB) was established to promote consistent enforcement across the EU. It replaced WP29 and became central to coordinating national regulators, especially for cross-border cases.
General Data Protection Regulation: Adoption and Implementation (2012-2018)