2.3 EU Institutions & Legislative Process

Key Takeaways

  • The European Commission holds the right of legislative initiative and proposes EU laws; the European Parliament and the Council of the EU co-legislate and adopt them.
  • The Court of Justice of the European Union (CJEU) interprets EU law uniformly, including through preliminary rulings requested by national courts under Article 267 TFEU.
  • The European Data Protection Board (EDPB) replaced the Article 29 Working Party on 25 May 2018, issues binding consistency decisions, and is composed of the national supervisory authorities.
  • The European Data Protection Supervisor (EDPS) supervises data processing by the EU institutions themselves and advises EU legislators on privacy matters.
Last updated: June 2026

How EU Privacy Law Is Made and Enforced

Quick Answer: The European Commission proposes legislation; the European Parliament and the Council of the EU adopt it together under the ordinary legislative procedure; the Court of Justice of the EU (CJEU) interprets it. Two specialist bodies matter for data protection: the European Data Protection Board (EDPB) coordinates the national authorities, and the European Data Protection Supervisor (EDPS) polices the EU's own institutions.

Domain I tests these roles because GDPR enforcement, official guidance, and case law all flow through them. The single hardest set of distractors on this topic involves the three confusingly similar "councils": the Council of the EU (legislating ministers), the European Council (heads of state setting strategy), and the Council of Europe (the non-EU human-rights body from Section 2.2). Lock those three down and you will clear most of the institutional questions.

The Legislative Institutions

Three institutions drive the ordinary legislative procedure (formerly "co-decision"):

| Institution | Role | Composition |
| --- | --- | --- |
| European Commission | EU executive; holds the near-exclusive right of initiative: it proposes laws (it proposed the GDPR in 2012) | One Commissioner per member state |
| European Parliament | Co-legislator; democratic scrutiny | Directly elected MEPs |
| Council of the EU | The other co-legislator | Ministers from member-state governments |

Under the ordinary procedure, the Commission's proposal goes to both the Parliament and the Council, which must agree on an identical text (through up to three readings and, in practice, informal "trilogue" negotiations) before it becomes law.

Disambiguate the councils:

  • Council of the EU = legislative body of national ministers (rotating presidency).
  • European Council = heads of state/government setting overall political direction; it does not pass laws.
  • Council of Europe = a separate international organization that runs the ECHR and Convention 108 — not an EU institution at all.

If a stem says a body "proposed" the GDPR, the answer is the Commission; if it says a body "co-adopted" it, the answer pairs the Parliament and the Council of the EU.

The Court of Justice of the European Union (CJEU)

The CJEU, seated in Luxembourg, ensures EU law is interpreted and applied uniformly across all member states. For privacy, its most important tool is the preliminary ruling under Article 267 TFEU: a national court facing a question of EU law may refer it to the CJEU (and a court of last instance generally must refer), whose answer then binds the referring national court and guides all others.

Many landmark privacy rulings reached the CJEU through this route — Google Spain, Schrems I and II, and Digital Rights Ireland (covered in Section 2.5). The court has two broad powers the exam tests:

  • Interpretation — clarifying what a GDPR provision means (binding across the EU).
  • Review/annulment — striking down EU secondary law or Commission decisions (such as an adequacy decision) when they conflict with the Charter.

Worked example: a Spanish data subject cannot "appeal directly to Luxembourg." Individuals litigate in national courts (or complain to their national supervisory authority); only the national court refers the EU-law question upward under Article 267. This is a common distractor: the data subject filing directly with the CJEU is wrong.

The Specialist Data Protection Bodies

The GDPR created and empowered two institutions you must keep distinct:

| Body | Role | Key facts |
| --- | --- | --- |
| EDPB (European Data Protection Board) | Ensures consistent application of the GDPR across member states | Composed of the heads of the national supervisory authorities plus the EDPS; issues guidelines, recommendations, and binding decisions under the consistency mechanism (Art. 65); replaced the Article 29 Working Party on 25 May 2018 |
| EDPS (European Data Protection Supervisor) | Supervises processing by the EU institutions and bodies themselves | Independent authority; also advises EU legislators on privacy; is a member of the EDPB |

The Article 29 Working Party (WP29) was the EDPB's predecessor under the 1995 Directive; its old opinions (e.g., on consent, anonymisation) were largely endorsed by the EDPB and remain influential.

Classic distractor: a stem describes a body that "oversees how the European Commission processes staff data." That is the EDPS (it polices EU institutions), not the EDPB (which coordinates the national regulators supervising ordinary companies). Also distinguish both from a single national authority such as France's CNIL or Ireland's DPC — the lead authority in many Big Tech cases under the one-stop-shop mechanism.

Mapping the bodies to GDPR functions clarifies who does what:

  • The Commission drafts and may adopt implementing/delegated acts and adequacy decisions.
  • The Parliament and the Council co-legislate the GDPR itself.
  • The CJEU interprets and can annul.
  • The EDPB issues guidance and binding consistency decisions and resolves disputes between national authorities.
  • The EDPS supervises the EU's own institutions.
  • The national supervisory authorities investigate, enforce, and impose fines on ordinary controllers.

A scenario naming a fine against a private company points to a national authority (possibly coordinated through the EDPB), never the EDPS or the Commission.

Diagram: The Ordinary Legislative Procedure

The flow from proposal to law moves from the Commission's initiative, through co-decision by the Parliament and Council of the EU, to an adopted Regulation or Directive that the CJEU later interprets and may review against the Charter.

Test Your Knowledge

Which EU body replaced the Article 29 Working Party when the GDPR became applicable in 2018 and issues binding consistency decisions?

Test Your Knowledge

Under Article 267 TFEU, how does a privacy question typically reach the CJEU from a national proceeding?

Test Your Knowledge

Which EU institution holds the right of legislative initiative and formally proposed the GDPR?
