Following a lengthy process spanning over 4 years, two major pieces of EU legislation in the data protection field were adopted in 2016: one known as the GDPR or “the” Regulation, and the other a Directive focused on police and criminal matters. Both form part of the EU Data Protection Reform, aimed at making the EU fit for the digital era.
- Regulation (EU) 2016/679 (GDPR) is a vital step to strengthen EU citizens’ rights in the digital era, but it also aims to facilitate business by simplifying the rules for companies. Once ‘applicable’ it will, to a certain extent, eliminate the current fragmentation and the costly administrative burdens that businesses currently have to bear.
- Directive (EU) 2016/680 (Law Enforcement Directive) deals with police and criminal justice matters. Once implemented at national level it will protect citizens’ right to data protection whenever personal data is used by criminal law enforcement authorities. In particular, it will ensure that the personal data of victims, witnesses and suspects of crime are duly protected whilst it will also facilitate cross-border cooperation in the fight against crime and terrorism.
Why was a Regulation the chosen legal act?
Because EU Regulations unify the requirements applicable across the EU territory and must be complied with by Member States (MS), businesses and citizens alike, whereas a Directive would perpetuate the existing obstacles, i.e. divergences in the implementation of its requirements by national laws. Directives bind only as to the result to be achieved via national legislation and open up alternative routes for MS to obtain those results. The DPD 95/46/EC (which is still in force but will lose validity on 24 May 2018, the day before the GDPR becomes enforceable) created divergent rules in different MS, which the GDPR tries to minimise.
The GDPR has already been ‘in force’ since 24 May 2016, but it will only become ‘applicable’ on 25 May 2018. That may be difficult to understand if you do not deal with EU law on a regular basis, e.g. because you deal with purely national matters not governed in any way by it, or because EU law seems so distant from your daily core tasks that you think it has little or no impact on them. However, as we are witnessing during the Brexit process, EU law is so intertwined with UK law that sometimes it is difficult to tell them apart.
The different dates mean that the GDPR is giving businesses and the EU Commission time to adapt to the new requirements.
To businesses: it gives them time to adapt processes and procedures before non-compliance can be enforced via, e.g., hefty fines of up to 4% of annual worldwide turnover or 10 000 000 EUR, whichever is higher. This means that, if your business falls within the scope of the GDPR, it is better to start complying with it now and not to leave adapting your internal procedures to the last minute, because the risks are too high.
To the EU Commission: it gives it time to issue all the delegated and implementing acts necessary for the GDPR to become fully operational in 2018. It is unlikely, though, that we will see all of those adopted before May 2018, so your legal team must keep an eye on developments in that area.
Obliged entities, i.e. those organisations falling within the GDPR’s scope of application, should pay close attention not only to the content of the GDPR but also to the delegated and implementing acts that the EU Commission will adopt in the coming months, to the case law of the CJEU and to the national supervisory authorities’ websites.
What about national law on Data protection and its relation to the GDPR?
The GDPR is not a “revolution”; it is an “evolution” in the field. The GDPR goes well beyond the obligations and rights established by the DPD 95/46/EC but keeps many of its principles intact. This means that businesses already compliant with the national legislation that implemented the DPD are better positioned to achieve full compliance with the GDPR with less effort.
Let’s take the UK case to illustrate the matter. The DPD was implemented via the Data Protection Act 1998, which has been operating well for almost 20 years. As the GDPR confers alternatives and options upon MS (just like the DPD did), it is not surprising to see a new Bill going through Parliament on the matter. What is important to know is that it is not an implementation of the GDPR but the exercise of the choices the GDPR gives to MS, for instance on restrictions and derogations, or on deciding when parental consent is required for processing the personal data of children under the age of 16, as Member States can reduce this age to 13.
Furthermore, the Data Protection Bill 2017 goes beyond the GDPR, as it also implements the Law Enforcement Directive and covers matters dealt with purely by international law, i.e. Convention 108 of the Council of Europe. As the factsheet produced for its introduction to Parliament expresses, it has a far-reaching effect and is meant to govern the field for years to come. It has not been drafted with Brexit in mind.
Will businesses still have to comply with the GDPR post-Brexit?
Regardless of the form Brexit may take in late March 2019, the GDPR will be enforceable well before that date and, in all likelihood, the UK will not relax the protection of personal data post-Brexit, as doing so would impact negatively on citizens’ rights. Furthermore, as a result of the incorporation of the EU law corpus into UK law, which will take place via the Great Repeal Bill, the content of the GDPR will continue to live on in UK law as national law.
It is difficult to envisage the UK downgrading protection of personal data from April 2019. Hence, investing in a robust data protection system now is all about mitigating risks in the medium/long run.
What and where to look for reliable information and guidance on the GDPR?
Since the GDPR, being a Regulation, does not need implementation per se, you will need to keep up to date with developments at EU level (e.g. the WP29, which deals with practical aspects of the GDPR and other matters) before turning to domestic legislation. And, once you turn to national law, you need to ensure it is compliant with the GDPR itself. It is also vital for you to familiarise yourself with the work of your national supervisory authority, in the UK the Information Commissioner’s Office (ICO), whose website has a wealth of information on the matter.
In the UK Information Commissioner’s own words: “[…] organisations will still have to comply with this regulation and we will still have to look to the GDPR for most legal obligations. However, the GDPR gives Member States limited opportunities to make provisions for how it applies in their country. One element of the DP Bill is the details of these. It is therefore important the GDPR and the Bill are read side by side”.
GDPR interaction with other EU legal acts
- Regulation (EU) No 1215/2012 (Jurisdiction Regulation): Where specific rules on jurisdiction are contained in the GDPR, in particular as regards proceedings seeking a judicial remedy, including compensation, against a controller or processor, the Jurisdiction Regulation gives way to the specific rules of the GDPR.
- Regulation (EU) No 536/2014: For the purpose of consenting to participation in scientific research activities in clinical trials, the GDPR gives way to that legal act.
- Regulation (EC) No 45/2001: the GDPR does not apply to the processing of personal data by the EU institutions, bodies, offices and agencies which is governed by the specific Regulation.
- Directive 2000/31/EC (E-commerce Directive): The GDPR shall be without prejudice to the application of articles 12-15 of the Directive, in particular regarding the liability rules of intermediary service providers.
- Directive 2002/58/EC (E-privacy Directive): The GDPR will apply to all matters concerning the protection of fundamental rights and freedoms vis-à-vis the processing of personal data which are not subject to specific obligations with the same objective in the E-privacy Directive, including the obligations on the controller and the rights of natural persons. In order to clarify the relationship between the GDPR and the Directive, the latter was to be amended (*the Commission has since decided to repeal the Directive and replace it with a Regulation – see here).
Obliged entities should assess at all times the GDPR’s interaction with other pieces of EU law that govern specific matters also covered by it, and apply the correct piece to any given situation, i.e. the GDPR wherever it does not give way to a more specific act.
Article 23 contains the so-called restrictions the GDPR allows in its application and leaves the door open to MS and/or the EU to issue further legislation restricting its scope.
In addition, Chapter IX contains derogations that, alongside the restrictions of Article 23, are likely to give rise to different levels of protection in different MS and so, in some way, maintain divergences.
One pain point for obliged entities is data transfer, which is compounded when the transfer involves non-EU countries. In this regard, attention should be paid to EU Commission Decisions issued under the DPD, such as the Privacy Shield (successor of the Safe Harbour scheme for data transfers between the EU and the US). The current list is found here.