Once the General Data Protection Regulation (GDPR) comes into effect, it will replace the EU Data Protection Directive as well as all national data protection legislation existing under the Directive (subject to certain matters not regulated by the GDPR). Consequently, the national data protection laws of all EEA countries (i.e., the 28 EU member states plus Iceland, Norway and Liechtenstein) will become obsolete.
In our first post on the GDPR, we walked you through the implementation status of the law. In this post, we explain some basic European concepts relevant to EU data protection legislation, namely the difference between the EU and the EEA and the shift from a directive to a regulation.
EEA Versus EU
The European Union (EU) is an economic and political union of currently 28 member states. It operates an internal (or single) market which allows the free movement of goods, capital, services and people between member states. The idea is to create one EU territory without internal borders or other regulatory obstacles to the free movement of goods, capital, services and people.
The EU member states are currently Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK. Next in line for joining the EU are Albania, the former Yugoslav Republic of Macedonia, Montenegro, Serbia and Turkey, all of which have candidate status.
The European Economic Area (EEA) consists of the 28 EU member states plus Iceland, Norway and Liechtenstein. It was established by the 1992 EEA Agreement and essentially allows Iceland, Norway and Liechtenstein to participate in the single market without forming part of the EU. All EU legislation relevant to the single market is incorporated into the EEA Agreement in the form of annexures so that such EU legislation applies throughout the whole EEA.
How Is This Relevant To Data Protection?
Data protection falls within one of the policy areas of the single market. Accordingly, the 1995 EU Data Protection Directive was incorporated into the EEA Agreement in a slightly adapted version resulting in the Directive applying to all 31 EEA countries. Once adopted, the GDPR will also need to be incorporated into the EEA Agreement to apply also in the EEA countries other than the 28 EU Member States.
From Directive To Regulation
Presently, the 1995 EU Data Protection Directive is the legal instrument setting out the data protection principles and obligations to be implemented into national laws by the EEA countries.
A directive is a legislative act which sets out – in a rather abstract form - the general goals to be achieved by all EU/EEA member states through national implementing legislation. As the member states have a great deal of freedom in deciding how to transpose any given directive into national law, there is potential for significant divergences to exist between the relevant national laws, as is the case with the current Data Protection Directive.
In contrast to a directive, a regulation is a binding legislative act at an EU level that is directly applicable in each of the member states without requiring national implementing legislation. Naturally, therefore a regulation guarantees a greater level of harmonisation across the EU.
In the long-term, a single set of European data protection rules will certainly be beneficial from a compliance point of view for multinational businesses as it will eliminate the need to design and implement processes and policies that satisfy various requirements across different European jurisdictions. However, given the wide territorial scope of the GDPR (explained in our next post), it also means that organisations across the globe, currently “safe” from the Directive's reach, will need to reconsider and adapt their data protection practices – a big task if taken seriously.