Recap: the 2018 EU Commission Communication on the application of the GDPR [COM(2018) 42 final]
by Giulio Messori
2018 has finally come. For all the experts – and let me say some other ‘presumed’ experts – in the Data Protection field, this year is the golden goose to catch.
During the last year and a half, we saw a lot of guidelines, checklists, reports, papers and articles coming from both the private side and the public side. On January 24th, the EU Commission published a bunch of new guidelines related to the application of the GDPR in May of this very same year.
In this article, I will try to explain, why – from my point of view – it is a fundamental document. I will not focus on the obvious characteristics of the GDPR (for that there is plenty of material), but rather on what I find more ‘new’ and interesting.
1. EU Commission took a clear picture of the GDPR implementation situation
It did that both for the Member States side (by the way, up to now only 2 States seem to be having adopted the relevant national legislation regarding GDPR), the Data Protection Authorities side (with new budget coming to support DPAs), the stakeholders side (with new guidance and Q/A) and to all actors (by evaluating if there will be the need for new delegated or implementing acts).
2. The Art. 29 WP transition into the European Data Protection Board
The European Commission is monitoring the transition of the Art. 29 Working Party to the new European Data Protection Board. National Guidelines need to be updated, repealed or fine-tuned with those adopted by the Working Party. The Commission also set out this clear table which identifies the next guidelines which will be published from the WP in the following months.
3. GDPR as a ‘source of inspiration’ for other Countries Legislations
We all know the renewed territoriality scope included in art. 3 and its effects on extra-EU companies (only if they are processing EU citizens’ Personal Data).
However, in this document, the Commission is working on ‘exporting’ the same principles and standards contained in the EU Data Protection framework in other countries as well. Reference has been made to the Council of Europe Convention 108, ‘the only legally binding multilateral instrument in this area of personal data protection’, which shall be further modernized. The aim is to create a unique set of high data protection standards and in order to do that, more and more non-EU States should ratify the Convention.
The EU Commission also points to other countries which are currently adopting or updating their existing Data Protection legislation: ‘there are signs that the Regulation serves increasingly as a reference point and a source of inspiration‘.
4. Future Collaborations with other Member States (e.g. Japan)?
The good news is that there is room for future Adequacy Decisions with some other key trading partners, like East and South-East Asia and the Latin America States.The other good news is that, among all, the Commission is working with Japan in order to achieve an adequate level of protection for Data flowing from EU to Japan (and vice-versa). Also, South Korea is involved in the talks for a new adequacy decision.
The point in here is to draft good international data flows mechanisms. We have all seen the debate coming from the EU-US Safe Harbour, then from the EU-US Privacy Shield. And still, nothing is completely functional on that mechanism up to now, as the Art. 29 has pointed out in its First Annual Joint review of November 27th, 2017: ‘[…] in case no remedy is brought to the concerns of the WP29 in the given time frames, the members of WP29 will take appropriate action, including bringing the Privacy Shield Adequacy decision to national courts for them to make a reference to the CJEU for a preliminary ruling’ (cit., WP 255).
New mechanisms with new States should be clear and give transparency to citizens first. We should not repeat what has been mistaken with the United States.
5. Don’t forget future National Rules
As the last point, let’s just not forget that the GDPR allows and empowers the Member States to further legislate on determinate topics regarding special categories of data, such as genetic data, biometric data, and data concerning health. Repeating the text of the GDPR is not allowed, of course. It needs to be something more. It also gives the possibility to ‘specify the application’ of the GDPR data protection rules in other specific fields (see pg. 8 of the Communication for the entire list!).
Conclusion: a question for you
I hope these 5 brief points give you the idea that as we are talking, the EU Privacy framework is steadily growing and evolving. Even outside EU. There is a lot to study and be focused on, but that’s not news.
I would like to conclude with a question for all Privacy professionals. What I am still wondering about is what will happen on May 25th with DPAs. Will they have a ‘blacklist’ and a ‘whitelist’ of companies non-compliant with the GDPR? Will they issue fines immediately or will they be Merciful’? Will they scare the first round of companies in order to let other non-targeted companies understand that the GDPR era has come? I may be having the view from the Italian Perspective, but what is your feeling in your Member State, with your DPA? I would be very glad to hear your opinion.