Effective implementation: from Principles to Realities
E-VOLUTION OF DATA PROTECTION, 7-8 September 2017, Tartu
ERIC SITBON

Some key principles
1. A Regulation which is directly applicable in all Member States and fully harmonises certain data protection rules
2. A Regulation based on Article 16 TFEU
3. A Regulation covering the private and public sectors but excluding certain activities from its scope
4. A Regulation which seeks to ensure a more effective enforcement of data protection rules
5. A Regulation containing directly applicable rules which will be applied consistently by national Courts with the involvement of the CJEU

Principle 1: a Regulation which is directly applicable in all Member States – Reality? (1)
No transposition. However, in some instances, see Recital 8
The Regulation lays down general rules and principles.
Several provisions of the Regulation may be specified by Member States; however, it does not amount to minimal harmonisation.
Public sector: Articles 6(2)&(3) (more specific provisions to adapt the application of the Regulation)

Principle 1: a Regulation which is directly applicable in all Member States – Reality? (2)
Some examples of powers given to Member States:
Rules on child’s consent (information society services): Article 8(1) by MS law between the age of 13 and 16 years old;
Article 23 on restrictions
Freedom of expression and information: Article 85
Public access to official documents: Article 86
Processing in the context of employment: Article 88
Safeguards and derogations in certain areas (e.g. statistics or research): Article 89

Principle 2: a Regulation based on Article 16 TFEU
What are the implications compared to Directive 95/46/EC based on Article 114 TFEU?
How has the CJEU interpreted Article 16 TFEU and Article 8 of the Charter in recent case law?
Reality on the ground: how will the big players of the digital economy apply the GDPR?

Principle 3: a Regulation covering the private and public sectors but excluding certain activities from its scope
The GDPR has a broad scope but excludes certain activities, some of which are regulated by national law or by other Union acts applying adapted rules
Delineation may prove difficult to implement in some instances

Principle 4: a Regulation which seeks to ensure a more effective enforcement of data protection rules
Harmonised administrative fines but a broad margin of appreciation to calculate the amount of the fines – which actor(s) will ensure a consistent application of those fines?
In addition, exceptions have been introduced in Article 83(7) and (9) (see corresponding Recitals 150 and 151)
The binding decisions of the European Data Protection Board to resolve disputes between national supervisory authorities: a more consistent implementation?

Principle 5: a Regulation containing directly applicable rules which will be applied consistently by national Courts with the involvement of the CJEU
An increased role for national courts?
An increased role for the CJEU through preliminary rulings and direct actions (see Recital 143)?

Recommendations and conclusion
Member States should ‘screen’ their national laws as early as possible to enable a smooth application of the GDPR in May 2018
Supervisory authorities, especially those likely to often be ‘lead authorities’, should be properly staffed and proactive

THANK YOU !