What progress on the GDPR? The work of the European Commission

This post is also available in: frFrançais (French)

Passed in April 2016, the General Data Protection Regulation has to be applied as of 25 May 2018. The Regulation aims to modernise the European data protection framework in order to take into account technological advances and to reduce juridical differences between the Member States. It replaces the Directive 95/46/EC.

The implementation in each Member State is the next step. The implementation is institutionally supervised and supported particularly by the European Commission and the Article 29 Working Party (Art. 29 WP).

Objectives. The European Commission recalled the objective of the General Data Protection Regulation: ensuring free data flow “in the name of the Single Market”.

Role of the European Commission. The EC moved from a legislative negotiator to an implementer. It works on the implementation of the GDPR in each Member State in order to facilitate the work of national authorities. Each month, the European Commission meets Member States’ representatives as well as NGOs and companies to work on the GDPR and the Directive for Police and Criminal Justice Authorities. The EC engages in dialogue with all stakeholders to ensure an effective legislation and to avoid multiplications and contradictions with the GDPR.

Advancement of the implementation. Today, differences between national legislations are numerous. Moreover, the Member States integrate GDPR provisions in their legal framework at different rhythms.

Opening clauses. They are a cause for concern for companies which fear a multiplication of national requirements. They request a platform presenting different national provisions to provide an overview of each national procedure. The EC reminds that there are certainly opening clauses that have a consequence on the Single Market but they mostly affect the public sector and have little impact on private actors.

Period of implementation. Companies also fear the relatively short time to implement the GDPR, especially small and medium-sized companies which have no legal department. It is necessary to furnish clear guidelines from the start on key points. According to the EC, a balance must be struck between quality guidelines (including a consultation with all actors) and quick availability of information.

ConcernsThe European Parliament adopted an extremely critical resolution on the adequacy of the protection afforded by the EU-US Privacy Shield that is supposed to protect personal data during the transfers to the United States. It is necessary to obtain guarantees from American authorities before May 2018, the date on which the GDPR will enter into force. Otherwise, the CJEU may invalidate one more time the transatlantic agreement, plunging companies into legal uncertainty. The European Commission answered that this issue will be taken into consideration during the annual review with an analysis based on tangible elements.

ConclusionThe legislation is not frozen: it will likely be completed by an additional work on guidelines after the implementation. Moreover, the European Commission and the Member States work on collective redress. In order to continue this implementation, the Commission recalls that it expects reactions from actors in case of risky evolutions.AEDH is pleased to see that the Commission has entered into a dialogue with all the concerned actors for the implementation of the legislation and will be vigilant to make sure that the legislation is as protective as possible for European residents.