Council of the EU: General Data Protection Regulation becomes applicable

IRIS 2018-6:1/7

Ronan Ó Fathaigh

Institute for Information Law (IViR), University of Amsterdam

On 25 May 2018, the European Union’s General Data Protection Regulation became applicable, with the repeal of the previous Data Protection Directive (95/46/EC) also becoming effective (see IRIS 1998-8/21). The GDPR is now binding in its entirety and directly applicable in all member states. While the GDPR is directly applicable, the date of 25 May 2018 is also the deadline for member states to notify the European Commission of any national legislation adopted pursuant to a number of Chapters and Articles in the GDPR, including Chapter VI on independent supervisory authorities for monitoring the implementation of the GDPR; Article 83(9) on legal remedies in legal systems that do not provide for administrative fines; Article 84 requiring national legislation on penalties applicable to infringements of the GDPR; and Article 88 on data processing in the context of employment. Furthermore, from 25 May 2018, the European Data Protection Board will replace the Article 29 Working Party established under the previous Directive (see, for example, IRIS 2015-2/3).    

The GDPR runs to 88 pages, with 173 Recitals, 11 Chapters, and 99 Articles, with its stated purpose being to lay down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data. The European Commission helpfully published guidance for all relevant actors on the implementation of the GDPR (see IRIS 2018-4/10), highlighting changes introduced under the GDPR, including rules on data protection by design and by default; new rights for individuals, such as the right to be forgotten and the right to data portability; and the imposition of sanctions of up to EUR 20 million or 4% of a company’s worldwide annual turnover. Stronger protection will also be given in respect of personal data breaches and, in the light of the new accountability principle, a data protection impact assessment will sometimes be required by controllers or processors. Lastly, the obligations and responsibilities of both processors and controllers are clarified; the enforcement system is given more weight through a review of the data protection authorities’ governance competences; and a higher level of protection is ensured for data transfers outside the European Union.

Notably, there is a specific provision in the GDPR relating to the media, namely Article 85. It provides that member states shall by law reconcile the right to the protection of personal data pursuant to this Regulation with the right to freedom of expression and information, including processing for journalistic purposes and the purposes of academic, artistic or literary expression. Thus, for processing carried out for journalistic purposes or the purposes of academic, artistic or literary expression, member states shall provide for exemptions or derogations from Chapter II (principles), Chapter III (rights of the data subject), Chapter IV (controller and processor), Chapter V (transfer of personal data to third countries or international organisations), Chapter VI (independent supervisory authorities), Chapter VII (cooperation and consistency) and Chapter IX (specific data processing situations) if they are necessary to reconcile the right to the protection of personal data with the freedom of expression and information. Member states must notify the European Commission of national legislation adopted pursuant to Article 85. Notably, under Recital 153, where such exemptions or derogations differ from one member state to another, the law of the member state to which the controller is subject should apply. In order to take account of the importance of the right to freedom of expression in every democratic society, it is necessary to interpret notions relating to that freedom, such as journalism, broadly.

Finally, in relation to the audiovisual field, it should also be noted that Recital 153 provides that with regard to reconciling the rules governing freedom of expression and information, including journalistic, academic, artistic and/or literary expression, with the right to the protection of personal data, this should apply in particular to the processing of personal data in the audiovisual field and in news archives and press libraries.