On 24 January 2018, the European Commission (EC) published a Communication on the implementation of the General Data Protection Regulation (GDPR), entering into force on 25 May 2018: “Stronger protection, new opportunities”.
The Communication describes the preparatory works by the Commission to help with the implementation of the GDPR and what the Commission plans to help Member States and companies to comply with the new data protection framework.
Most of the work at the EU level has been done by the group of Data Protection Authorities (the so-called Article 29 Working Party). It has been preparing guidelines, on the basis of extensive consultations and workshops with a variety of stakeholders. More work still needs to be done in order to ensure the effective implementation of the new rules.
Although the GDPR is a Regulation and therefore applies “as is” in all Member States, some legislation needs to be adapted to the new obligations set by the GDPR, especially regarding the flexibilities with which the “Regulective” can be implementedat Member States’ discretion, on automated decision making and transfer of personal data to third countries, among other things i. Ironically, while industry demanded harmonisation at the start of the legislative process, it spent most of the decision-making process demanding national flexibilities and exceptions, leading to the opposite outcome to the one it initially asked for. Sometimes, one is left with the impression that lobbyists are working to create work for themselves.
At the moment of publication of this Communication, just four months before the GDPR enters into force, only two out of 28 Member States (Austria and Germany) have finished this legislative preparation. It is also to be clarified how Member States will ensure that national Data Protection Authorities (DPAs) are given the means to fulfill their new functions as prescribed by the GDPR.
Finally, the Communication stresses that the core principles of data protection are not affected by the new Regulation As a result, few changes are needed from organisations, if they already comply with the existing Data Protection Directive. However, the Commission notes that citizens and small and medium-sized companies are not well informed about the provisions of the GDPR. It has launched guidelines on the new rules for business and rights for citizens.
One cannot help but wonder why neither Member States nor companies seem to be prepared for new legislation that has been discussed since the adoption of the Commission’s initial Communication in November 2010 and in the four years of legislative discussion, that were shaped by an unprecedented lobbying campaign by parts of the industry. This ostensible lack of preparedness is also surprising bearing in mind that the Regulation does not change existing core principles that should already be respected by controllers through the transposition (and enforcement) of the Data Protection Directive into national law since 1998.
Communication from the Commission (24.01.2018)
Commission’s GDPR guidelines for citizens and small and medium companies
PROCEED WITH CAUTION: Flexibilities in the General Data Protection Regulation (05.07.2016)
General Data Protection Regulation: Document pool
(Contribution by Anne-Morgane Devriendt, EDRi intern)