
Lesson 03 of 25

The EU Institutions That Make and Police Privacy Law

5 min read · CIPP/E

Untangle the Commission, Parliament, the two Councils, and the CJEU—plus the DPAs, EDPB, and EDPS. Stop losing points to the look-alike institutions and know exactly who proposes, adopts, and interprets EU data protection law.

Two clubs, two courts

  • Council of Europe — 46 states, runs the ECHR and the ECtHR
  • European Union — 27 states, runs the GDPR and the CJEU
  • Different membership, different instruments
  • Domain I tests whether you can tell them apart

Before we name the EU institutions, fix one big distinction in your mind, because Domain one tests it. There are two separate European bodies, and they are easy to confuse. The Council of Europe is a wider human-rights organisation of forty-six member states; it created the European Convention on Human Rights and runs the European Court of Human Rights in Strasbourg.

The European Union is a smaller political and economic union of twenty-seven member states; it made the GDPR and is served by the Court of Justice of the European Union in Luxembourg. The Council of Europe is not an EU body. Keep those two clubs and their two courts separate, and several exam questions become easy.

The European Commission

  • The EU's executive — proposes legislation
  • Only body that can initiate EU law (right of initiative)
  • Adopts adequacy decisions for international transfers
  • Acts as guardian of the treaties; enforces EU law

Now the EU institutions. Start with the European Commission, the Union's executive arm. The Commission has the right of initiative, which means it is the institution that proposes new EU legislation.

When the exam asks which European institution is vested with the competence to propose data protection law, the answer is the Commission. The Commission also does something you will meet again in Domain three: it adopts adequacy decisions, the formal findings that a non-EU country offers an adequate level of data protection, which then permits data transfers to that country. And as guardian of the treaties, the Commission can take member states to court for failing to apply EU law.

Parliament and the two Councils

  • European Parliament — directly elected; co-legislator
  • Council of the EU — ministers of member states; co-legislator
  • European Council — heads of state; sets direction, does not legislate
  • Ordinary legislative procedure: Commission proposes, Parliament + Council adopt

The Commission proposes, but two bodies decide. The European Parliament is directly elected by EU citizens and acts as a co-legislator. The Council of the European Union is made up of government ministers from each member state, and it is the other co-legislator.

Under the ordinary legislative procedure, the Commission proposes a law and the Parliament and the Council must both agree on it, which is exactly how the GDPR was adopted in 2016. Be careful with one more name: the European Council, with a capital C and no 'of the EU', is a different body, the summit of heads of state and government. It sets the EU's broad political direction but does not pass legislation.

So we have three easily confused names: the Council of Europe, the Council of the EU, and the European Council. The exam absolutely tests that trio.

The Court of Justice of the EU

  • Interprets EU law; ensures uniform application across states
  • Preliminary references: national courts ask the CJEU
  • Landmark privacy rulings: Google Spain, Schrems I, Schrems II
  • Its judgments bind all member states

The Court of Justice of the European Union, the CJEU, is the EU's supreme court for matters of EU law. Its job is to make sure EU law is interpreted the same way in every member state. Much of its work comes through preliminary references, where a national court pauses a case and asks the CJEU how to read EU law.

The CJEU has shaped data protection profoundly. It gave us the right to be forgotten in Google Spain, case C-131/12. It struck down the Safe Harbor transfer framework in Schrems I, case C-362/14, and then the Privacy Shield in Schrems II, case C-311/18.

We will study those cases later, but for now know that the CJEU's rulings bind every member state and can invalidate even a Commission decision.

The supervisory authorities and EU-level bodies

  • Each member state has a Data Protection Authority (DPA)
  • European Data Protection Board (EDPB) — coordinates the DPAs
  • European Data Protection Supervisor (EDPS) — oversees EU institutions
  • Detail comes in Domain IV; meet the names now

Finally, the data-protection-specific institutions, which we will study in depth in Domain four but should meet now. Every EU member state has its own independent supervisory authority, often called a Data Protection Authority, or DPA, such as France's CNIL or Ireland's Data Protection Commission. Sitting above them is the European Data Protection Board, the EDPB, which brings the national authorities together to ensure the GDPR is applied consistently across the Union.

And separately, the European Data Protection Supervisor, the EDPS, is the independent authority that oversees how the EU's own institutions handle personal data. The two names differ by a single letter, so keep them straight: the EDPB coordinates the member-state regulators, while the EDPS polices the EU's internal bodies.

Recap

  • Commission proposes; Parliament + Council of the EU adopt
  • European Council sets direction; Council of Europe is separate
  • CJEU interprets EU law and shaped privacy through case law
  • Next: the legislative framework from Directive 95/46 to the GDPR

Let's lock it in. The Commission proposes EU law and adopts adequacy decisions. The Parliament and the Council of the EU adopt it together.

The European Council sets political direction but does not legislate, and the Council of Europe is an entirely separate human-rights body. The CJEU interprets EU law and, through cases like Google Spain and the two Schrems judgments, has reshaped privacy. And the EDPB and EDPS are the data-protection regulators we will return to in Domain four.

Next, we trace the actual statutes, from the old Directive 95/46 to the GDPR that replaced it. Go test yourself on the institutions first.

Sources

  • Treaty on European Union and TFEU
  • Charter of Fundamental Rights of the EU
  • European Convention on Human Rights
  • Case law of the Court of Justice of the European Union (CJEU)
  • Statute of the Council of Europe

Test your knowledge

A few CIPP/E questions on this material.

  1. A newspaper receives an erasure request asking it to delete an accurate published article about an ongoing criminal trial of a public figure. How should the right to erasure be applied?

  2. The 2014 CJEU decision in Google Spain (C-131/12) is best known for establishing which principle?

  3. Which condition must be met for the right to data portability to apply?

  4. Following a personal data breach likely to result in a risk to individuals, what is the controller's primary notification obligation under the GDPR?
