The European Union’s General Data Protection Regulation (“GDPR”) is arguably the most comprehensive – and complex – data privacy regulation in the world. As companies prepare for the GDPR to go into force on May 25, 2018, there continues to be a great deal of confusion regarding the requirements of the GDPR.
To help address that confusion, Bryan Cave is publishing a multi-part series that discusses the questions most frequently asked by clients concerning the GDPR.
Question: What Agencies Are Authorized To Interpret The GDPR?
Answer: The GDPR is intended to apply equally across all European Union member states, and it will come into effect immediately on 25 May 2018 without any need for additional domestic legislation in European Union member states. However, with more than thirty areas where member states are permitted to adopt their own national rules (e.g., because member states have constitutional rules in these areas, or because these issues fall outside the European Union's legislative competence), there will inevitably continue to be differences in data protection across the European Union.
The national data protection authorities or supervisory authorities under the GDPR (“DPAs”) appointed by each European Union member state will be responsible for enforcing the GDPR. They also provide guidance on the interpretation of that law and cast their opinions at an European Union level through what is currently the Article 29 Working Party and which will be renamed the European Data Protection Board. Although their guidance is not legally binding, it is indicative of the enforcement position they are likely to take.