The General Data Protection Regulation (GDPR) is applicable since the 25 May of 2018. But it is “not the end of the road, but a beginning of a new chapter”, as the Commissioner Jourová said in her keynote speech at General Data Protection Regulation conference. The purpose of these opening remarks is twofold. On the one hand, it is to give an overview of the normative and substantive nature of the GDPR in order to explain why national adaptations are required. On the other hand, it is to give a first overview of the general approach of these national adaptations. The detailed analysis state by state will be the purpose of the daily working papers of this e-conference. The first global comment that can be made is that the GDPR ensures the worldwide visibility of the European Model of Data protection, but that the readability of this model is still unclear.
I – The visibility of the European Model of Data protection proposed by the GDPR
The noise of the application of the GDPR made both by the Media and the numerous notifications received from search engines, social networks, political parties, banks, associations, digital platforms, etc., illustrates the rising visibility of the GDPR. In these opening remarks it is necessary to recall that the GDPR is the result of five years of discussion at the European level. Adopted in April 2016, the GDPR replaces the former Directive 1995/46 EC that was the first European legal framework on data protection. The GDPR is a monster text of 99 articles. It concretizes the European personal data protection law in fundamental rights in the post Lisbon Treaty legal context. Therefore, the GDPR clearly applies to all processing of personal data of the residents of the EU including in the situation where the data controller or processor are not established in the EU. Nevertheless, the GDPR, like the former directive, has the double ambition “to ensure consistent and high level of protection of individuals and to remove the obstacles to flows of personal data.” The GDPR provides for the visibility of a European model of data protection law based on three main features. Firstly, this European model provides rights in order that individuals remain in control of their data. Therefore, personal data has to be collected fairly, lawfully, and for legitimate, specific and explicit purposes. The collection needs to be based on a freely given, specific, informed and unambiguous consent, or on a legal ground. The GDPR creates a deeper right to information, a right to portability, a right to erasure including a right to be forgotten, a legal framework for profiling and individual automated decisions beyond the former right to access, right to object and right to rectification. Secondly, the European model is based on the regulation of the data protection by the controller and the processor under the control of the Data Protection Authorities (DPAs). The obligations of the data controller and processor have been increased through the principle of accountability. These actors need to comply, to verify that they comply and to document their compliance. In counterparts, the controller and the processor can benefit from the limitation of the prior formalities for their processing. Furthermore, the GDPR creates a new independent European body: the European Data Protection Board (EDPB) which is composed of representatives of the national data protection authorities and the European Data Protection Supervisor (EDPS). The national DPA and EDPB should support the stakeholders towards compliance through, guidelines, certification, promotion of a code of conduct etc. Thirdly, the European Model provides stronger enforcement. The power of the national DPAs are harmonized and its cooperation organized in particular through the mechanism of consistency and the concept of lead DPA. The EDPB will have the possibility to adopt binding decisions, in cases where several EU countries are concerned by the same case. The DPAs will have the power to impose fines on businesses of up to 20 million EUR or 4% of a company’s worldwide turnover. Furthermore, the Member States have to introduce effective remedies including judicial remedies in their national law in case of violation or damage caused by a violation of the GDPR.
II- The current lack of readability of this European Model
The current lack of readability of this European Model is due to several factors, which are interrelated and are mainly due to the General nature of the GDPR.
A- The General Nature of the GDPR
The GDPR is generally considered as a special Regulation among other EU Regulations. This affirmation is based on the existence of the so-called opening clauses, which allow or impose an obligation on Member States to adapt their national legislation in order to implement the rules of the GDPR. Nevertheless, this particularity should not be overestimated, because it can be found in other EU-Regulations. Furthermore, the border between the EU Regulations, which should be complete, and the EU Directives, which always need to be transposed into national Law, are more blurred in reality.
In actuality, it is not the existence of opening clauses but rather the importance of the margin de manoeuvres given to the Member States in the GDPR that could be disturbing. Half of the provisions of the GDPR contain opening clauses. Furthermore, some opening clauses give options to the Member States. The most telling example is the age for the Child’s consent in relation to information society services, which could vary from 16 to 13 years old, according to article 8 GDPR. A quick overview of the national adaptations shows that each option has been used by the Member States. In such a case, the GDPR cannot achieve its purpose of uniform application of the rules at the level of the EU.
Furthermore, the GDPR allows the Member States to specify the application of data protection rules in specific sectors such as the public, employment and social security, and public health sectors, and for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes. Further, conditions and limitations can be introduced for genetic and biometric data. It is hardly conceivable how these kinds of opening clauses could simplify the legal environment for the actors involved.
This leads to the question, as noted by Julian Wagner and Alexander Benecke (EDPL 2016), whether the GDPR is a new kind of Regulation. The strongest argument in favour of this thesis is that the GDPR itself is labelled as a General Regulation [emphasis added]. Such wording is not part of the Art. 288 TFUE, which only mentioned the existence of Regulations. It is also not a current labelling in the praxis of the regulations.
The General nature of the GDPR could be appreciated both ways. According to the Longman dictionary, “general” means not detailed or relating to whole rather than specific situations. The General nature of the GDPR reflects this double dimension. It includes a vertical dimension of the specification of the set-up of the legal framework at national level. It implies a horizontal dimension. This dimension is the result of the global approach between the GDPR and other European sectorial acts such as the specific directive on data protection in the area of police and justice or the future regulation on the handling of personal data by EU institutions and other EU bodies currently under discussion.
This General nature of GDPR is both an important factor in the visibility of the European model of data protection and a cause of its lack of readability. It brings the issue of coherence of the rules and the difficulties in assessing whether the derogations are not becoming the rules. This requires an analysis of the national uses of these opening clauses in order to identify if there are noticeable differences between Member States. It seems that some Member States have used these margins of manoeuvre less moderately than others have. It will also be interesting to see whether these opening clauses have been used for the benefit of the private sector or the public sector. Therefore, this e-conference will give some indication as to whether the general nature of the GDPR has an impact on the coherence of the European model of data protection.
B- The Complicated Nature of the National Adaptations of the GDPR
As the GDPR is a general regulation, the nature of the national adaptation raises two kinds of questions. The first is a question of terminology. The concept of transposition is usually dedicated to the direction. Both scholars and the European Commission itself have used the term national implementation. Nevertheless, this could create some confusion with the implementing power of the European Commission. Therefore, the phrase national adaptation seems to be more neutral and allows the inclusion of a cultural approach to the national impact of the GDPR, such as the extended the scope of the application of some of its measures.
The second issue is related to drafting difficulties of these national adaptations. It has been stressed by the European Commission, that the “national legislator can therefore neither copy the text of the Regulation when it is not necessary in the light of the criteria provided by the case law, nor interpret it or add additional conditions to the rules directly applicable under the Regulation. If they did, operators throughout the Union would again be faced with fragmentation and would not know which rules they have to obey.”(p. 9) This e-conference will give some insights on whether there are some differences between Member States regarding those drafting obligations.
C- The Current Incomplete Nature of the National Adaptations of the GDPR
Currently, Member States could be classified in two groups:
- Those that have enacted national law in connexion to the GDPR
- Those that are in the process of adopting their national law
Nevertheless, the e-conference will demonstrate that most of the national adaptations are still incomplete.
D- The Current Widespread Legal Uncertainty
The current legal uncertainty is not only due to the lack of national adaptations of the GDPR. The national reports of the e- conference will inform about the existence of concerns regarding the conformity of national adaptations with the GDPR, but also with national constitutional law of the Member States. In those situations, the question of whether the data subject will always be able to directly invoke the GDPR will arise.
Modalities of the e-conference
This e-conference will provide a daily publication of a blog post or Working paper on the national adaptations of the GDPR at 12:30 pm French Time. For this first week, we will start with some of the pioneer States in Data protection Law in Europe:
Tuesday 5 June : The New Federal Data Protection Act – Implementation of the GDPR in Germany, by Dr. jur. Christian L. Geminn is a senior researcher at Kassel University
Wednesday 6 June : Austrian Adaptation of the GDPR, by Leissler Günther, Reisinger Patrizia, Böszörmenyi Janos, attorneys at law, schoenherr attorneys at law in Vienna
Thursday 7 June : The Swedish measures accompanying the GDPR, by Patricia Jonason, Senior Lecturer at the University of Södertörn
Friday 8 June : The French Adaptation of the GDPR, by Olivia Tambou, Senior Lecturer at the University Paris Dauphine
This e-conference is organized by Dr. Olivia Tambou, Associate Professor at the University Paris-Dauphine and Dr Karen McCullagh, Lecturer at the University of East Anglia, with the support of Sam Bourton, PhD candidate and Associate Lecturer in Law at the University of the West of England, UK.
Suggested Citation: Tambou Olivia, Opening Remarks, e-conference on National Adaptations of the GDPR, Blogdroiteuropeen, June 2018, available at https://wp.me/p6OBGR-2Xx