European Commission: Guidance on the direct application of the General Data Protection Regulation

IRIS 2018-4:1/10

Eugénie Coche

Institute for Information Law (IViR), University of Amsterdam

In the light of the General Data Protection Regulation, which will become directly applicable on 25 May 2018 and will replace the Data Protection Directive (95/46/EC) and the Police Directive (2016/680/EU), the EU Commission issued a Communication aimed at guiding all relevant actors in their preparations vis-à-vis this new legal instrument. The Communication first provides an overview of the main legal changes, in terms of rights and obligations, which will be brought about by the Regulation. It then lists the different initiatives that have already been taken at EU level in view of the coming into force of such legislation, followed by recommendations on what should still be done by both the EU and Member States. Lastly, it sets out different measures which the Commission intends to take in the near future.

As opposed to its predecessor, the Regulation will avoid fragmentation within the EU as it will be directly applicable in all EU member states. Moreover, third-country companies which process EU citizens’ personal data will fall within the scope of the Regulation. Other novelties include rules on data protection by design and by default; new rights for individuals, such as the “right to be forgotten” and the right to data portability; and the imposition of sanctions of up to EUR 20 million or 4% of a company’s worldwide annual turnover. Stronger protection will also be given in respect of personal data breaches and, in the light of the new accountability principle, a data protection impact assessment will sometimes be required by controllers or processors. Lastly, the obligations and responsibilities of both processors and controllers are clarified, the enforcement system is given more weight through a review of the data protection authorities’ governance competences, and a higher level of protection is ensured for data transfers outside the EU.

Concerning the preparatory works undertaken so far at EU level, both the Article 29 Working Party (which in May 2018 will become the European Data Protection Board) and the Commission have taken action. The former has mainly issued guidelines in which it interpreted different provisions and aspects of the Regulation in order to create more legal certainty. The Commission has been supporting both member states (by setting up an expert group) and data protection authorities (by encouraging the work of the Article 29 working party. Furthermore, in the light of the updating of Council of Europe Convention 108, the Commission states that it will actively promote the swift adoption of the modernised text of the Convention with a view to the EU becoming a party to it.

The Commission calls on member states to adapt their legislation in order to align it with the Regulation. They should also ensure the independence of their national data protection authorities by providing them with the necessary resources. Lastly, all organisations (especially SMEs) falling within the scope of the Regulation shall review their data policy cycle (so as to clearly indentify which data they hold, for what purpose and on what legal basis), in order to comply with their new obligations under the Regulation.

The Commission itself will, in the coming months, complement its previous efforts by providing stakeholders with a practical online tool consisting of questions and answers; by awarding grants aimed at providing support, training and awareness-raising; by possibly issuing implementing or delegated acts to further support the implementation of the new rules; by integrating the Regulation into the European Economic Area (EEA) Agreement and by clarifying the legal consequences of a withdrawal agreement between the EU and the UK. Lastly, one year after the coming into force of the Regulation, in May 2019, the Commission will report on the Regulation and take action in the event of significant problems.


References


This article has been published in IRIS Legal Observations of the European Audiovisual Observatory.