This post has been written by Martina Mantovani.
On 4 May 2016, Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation, or GDPR) was published in the Official Journal. It shall apply as of 25 May 2018.
Adopted on the basis of Article 16(2) TFEU, the Regulation is the core element of the Commission’s Data protection reform package, which also includes a Directive for the protection of personal data with regard to the processing by criminal law enforcement authorities.
The new measure aims at modernising the legislative framework for data protection, so as to allow both businesses and citizens to seize the opportunities of the Digital Single Market.
First and foremost, businesses will benefit from a simplified legal landscape, as the detailed and uniform provisions laid down by the GDPR, which are directly applicable throughout the EU, will overcome most of the difficulties experienced with the divergent national implementations of Directive 95/46/EC, and with the rather complex conflict-of-law provision which appeared in Article 4 of the Directive.
Nevertheless, some coordination will still be required between the laws of the various Member States, since the new regime does not entirely rule out the relevance of national provisions. As stated in Recitals 8 and 10, the GDPR ‘provides a margin of manoeuvre for Member States’ to restrict or specify its rules. For example, Member States are allowed to specify or introduce further conditions for the processing depending, inter alia, on the nature of the data concerned (Recital 53 refers, in particular, to genetic, biometric, or health-related data).
Secondly, the new Regulation marks a significant extension of the extraterritorial application of EU data protection law, with the express intent of leveling the playing field between European businesses and non-EU established companies operating in the Single Market. In delimiting the territorial scope of application of the new rules, Article 3 of the GDPR borrows from the case-law of the Court of Justice regarding Article 4 of Directive 96/45/EC. Pursuant to Article 3(1), the Regulation applies to any processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, ‘regardless of whether the processing itself takes place within the Union or not’ (along the lines of the Google Spain case).
Moreover, Article 3(2) refers to the targeting, by non-EU established controllers and processors, of individuals ‘who are in the Union’, for the purposes of offering goods or services to such subjects or monitoring their behaviours. This connecting factor, further specified by Recital 23 in keeping with the findings of the Court of Justice in Weltimmo, is somewhat more specific than the former ‘equipment/means’ criteria set out by the Directive (cf. Opinion 8/2010 of the Working Party on the Protection of Individuals with regard to the processing of personal data, on applicable law).
One of the key innovations brought about by the GDPR is the so-called one-stop-shop mechanism. The idea, in essence, is that where a data controller or processor processes information relating to individuals in more than one Member State, a supervisory authority in one EU Member State should be in charge of controlling the controller’s or processor’s activities, with the assistance and oversight of the corresponding authorities of the other Member States concerned (Article 52). It remains to be seen whether the watered-down version which in the end found its way into the final text of the Regulation will effectively deliver the cutting of red tape promised to businesses.
The other goal of the GDPR is to provide individuals with stronger control over their personal data, so as to restore consumers’ trust in the digital economy. To this end, the new legislative framework updates some of the basic principles set out by Directive 95/46/EC — which are believed to ‘remain sound’ (Recital 9) — and devises some new ones, in order to further buttress the position of data subjects with respect to their own data.