With just over three months left before full application (and enforceability) of the GDPR, all things GDPR are hot topics for companies, Member States, legal professionals and citizens alike, and EU information on the matter is even more valuable. This note provides an overview of the current state of play and is solely based on official EU information.
In late January 2018 the EU Commission published guidance on the new data protection rules, i.e. the GDPR. It also launched an online tool aimed at helping SMEs and citizens in general prepare for the application of the GDPR. The guidance takes the form of a Communication from the Commission to the European Parliament and the Council and provides an overview of the spectrum of past, current and upcoming activities in the field at EU and international levels. For instance, it covers the opportunities opened up by the new data protection legislation, including the modernisation of the Council of Europe Convention 108 – the only legally binding multilateral instrument in the area of personal data protection; work towards adopting new adequacy decisions; the measures that the Commission intends to adopt in the coming months, etc. It also includes information on the impact that Brexit will have on the application of the GDPR in the UK (in line with a document on the matter published on 9 January 2018).
One of the main conclusions drawn from the Communication is that preparations are progressing at various speeds across the EU. As of late January, only two Member States – Austria and Germany – had already adopted the relevant national legislation. The Commission calls on Member States to speed up the adoption of national legislation and make sure the measures are in line with the GDPR by May, as it intends to enforce the GDPR, by all means allowed under EU law (e.g. infringement procedures), as soon as it becomes applicable.
In terms of further guidance, the Commission summarises the work of the Article 29 Working Party and provides information on adopted and upcoming working documents/guidance (profiling, data breach, transparency, consent, binding corporate rules for processors and controllers, etc).
As regards delegated and implementing acts, the Communication only mentions that in 2018-2019 the Commission will assess the need to make use of its power to adopt such acts.
Integration of the GDPR into the EEA agreement
The Commission will work with the EFTA States (Iceland, Liechtenstein and Norway) in the European Economic Area (EEA) with a view to integrating the GDPR into the EEA agreement. Once the integration is in force, personal data will be able to flow freely between EU and EEA countries in the same way as they do between EU Member States.
Brexit impact on the application of GDPR in the UK
In the context of the negotiations of the UK-EU withdrawal agreement (Article 50 TEU), the Commission will aim to ensure that the provisions of EU law on personal data protection applicable on the day preceding the withdrawal date continue to apply to personal data in the UK processed before the withdrawal date. From the withdrawal date, and subject to any transitional arrangement that may be contained in the withdrawal agreement, the rules for transfers of personal data to third countries will apply to the UK. An adequacy decision – such as those existing in favour of Argentina or Canada – may be adopted if the UK so wishes.
Please note the above bears no relation to the EU Withdrawal Bill that will, if adopted in its current text, internalise into UK law all existing EU legislation at the time of the withdrawal. One of the Bill’s aims is to avoid the vacuum that the loss of validity of EU law from the withdrawal date will create as a result of the repeal of the ECA 1972. Further, the Data Protection Bill, which contains provisions giving effect to certain provisions of the GDPR alongside other purely national rules applicable in the field, will continue to apply as national legislation beyond the withdrawal date until it is amended or repealed.
Related upcoming legislation
EU institutions: Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC. Undergoing codecision procedure (2007/0002/COD).
The prospective Regulation aims to align, as far as possible, the data protection rules for EU institutions, bodies, offices and agencies with the data protection rules of the GDPR in order to provide a strong and coherent data protection framework in the EU. Whenever the provisions of the proposal are based on the same concept as the provisions of the GDPR, both should be interpreted homogeneously, in particular because the scheme of the proposal should be understood as the equivalent of the scheme of the GDPR. It also incorporates the relevant rules laid down in the future e-Privacy Regulation with regard to the protection of terminal equipment of end-users.