News and developments
Privacy, Data Protection & Cybersecurity
19 February 2018
COMMISSION COMMUNICATION – GUIDANCE ON THE DIRECT APPLICATION OF THE GENERAL DATA PROTECTION REGULATION
On 24 January, the European Commission (the “Commission”) issued a Communication containing guidance to facilitate the direct application of the General Data Protection Regulation (“GDPR”) throughout the European Union (the “EU”) as of 25 May 2018 (the “Communication”). At the same time, the Commission published a set of GDPR-related Q&A and an online tool to help companies (with a focus on SMEs), citizens and public administrations understand the new rules.
The Communication aims to lay out (i) the main novelties and opportunities stemming from the GDPR, (ii) the preparatory work undertaken so far at EU level to ensure the application of the Regulation as of 25 May, (iii) what is still to be done at European and national level and (iv) the measures the Commission will adopt in the near future.
From the harmonization of the European data protection legal framework, to the strengthening of individuals’ rights (with a highlight on the right to data portability), to the protection of individuals against personal data breaches, to the aggravated fining regime, to reinforcing data processor accountability, to the new international data transfer mechanisms, there are several novelties brought by the GDPR which are mentioned in the Communication.
The Commission also refers to the Expert Group it has been convening to share expertise in data protection matters and to the ongoing talks with third countries, notably Japan and South Korea, with a view to issuing an adequacy decision (which would allow the free flow of personal data towards said countries), as well as to the several Article 29 Working Party Guidelines being finalized, covering topics such as Consent, Transparency, Binding Corporate Rules (article 47 GDPR), data breach notifications and automated individual decision-making.
The Commission notes that, on the date of this notice, only two Member States (Austria and Germany) had adopted the relevant national laws adapting their legal systems to the GDPR (in the meantime, other Member States have initiated this process). The Commission notes that national legislators have some discretion in this regard, but that national measures may not undermine the direct, simultaneous and uniform application of the GDPR throughout the EU.
The Commission further notes the following:
Finally, the Commission outlines the next steps it will take to guarantee the effective application of the GDPR, through the possible adoption of implementing or delegated acts (notably as regards certification) and the integration of the GDPR into the EEA Agreement, allowing for the free flow of data between the EU, Iceland, Liechtenstein and Norway. Moreover, the Commission notes the enforcement of the GDPR in the United Kingdom until the EU withdrawal date and notes its intention to follow up on the first year of GDPR application in May 2019, during an event which will precede the report to be prepared by the Commission in 2020 on the evaluation and review of the GDPR.
Magda Cocco
Inês Antas de Barros
Sebastião Barros Vale