The EU General Data Protection Regulation (GDPR) will apply to businesses operating in the EU from 25 May 2018 – in 100 days’ time.
Senior Commissioners Ansip (Digital Single Market) and Jourová (Justice) yesterday announced guidelines and other materials to “facilitate a direct and smooth application of the new data protection rules across the EU [and beyond] as of 25 May.” The guidance comprises a 17-page “communication” plus Q&A, an online tool, and factsheets. The Communication recaps the main innovations and opportunities opened up by the GDPR; takes stock of EU-level preparatory work; and outlines next steps for the Commission, national data protection authorities, and national governments. The Commission is raising the ante by recommending that EU governments now adapt their national legislation to the GDPR rules; data protection authorities apply the rules including through fines; and companies respect the new rules as at 25 May. The Commission itself will monitor the application of the new rules and “take appropriate actions, including proceedings against EU counties which fail to apply the new rules.”
Flavor of the month or more ominous?
We would say the latter and detect a concerted effort by the Commission and national DPAs to enforce quickly after the application date. The Commission will also want to report favorably on its and others’ enforcement efforts when reporting on the GDPR (in 2020).
This latest broadside also addresses the elephant in the room – Brexit. On 9 January, the Commission issued a notice warning all stakeholders processing personal data to consider the “legal repercussions” of Brexit. This note was not well received. The guidelines confirm that, as of the EU withdrawal date and subject to any transitional arrangement, the GDPR rules on transfers outside the EU, i.e. to “third countries,” will apply to the UK.