Since 2016, the European General Data Protection Regulation has been one of the most popular topics of discussion, academic and otherwise. While the PIL discussion has mostly focused on the unilateral conflicts rule in Article 3 of the Regulation, which defines its “external” scope of application, some scholars – like Martina Mantovani on this blog – have pointed out that despite providing a unified regime that applies across the Union, the Regulation’s repeated deference of specific questions to the laws of the Member States still requires a certain degree of “internal” coordination. On this aspect of the Regulation, Merlin Gömann has just published an impressive volume of over 800 pages (in German), offering what easily constitutes the most comprehensive treatment of the problem to date.
In essence, Gömann tries to work out how (and by whom) this coordination can (and must) be achieved according to primary EU law. He comes to the conclusion that the respective scopes of the national laws implementing the Regulation cannot be determined by unilateral conflict rules of the Member States but need to be derived from the Regulation itself. Accordingly, the conflict rules contained in many national laws implementing the Regulation are in violation of primary EU law (also explained in some more detail here).
According to the author, the necessary coordination between national laws must instead be achieved by applying Art. 3 GDPR by analogy. Gömann carefully explains the consequences of his proposition on more than 200 pages – including the somewhat surprising fact that national data-protection authorities might be required to apply the substantive data-protection laws of another Member State. And if this weren’t enough of an academic achievement already, Gömann concludes his book by also developing specific propositions on how the GDPR could be reformed in order to provide a proper system of coordination between the residual national laws.