How the GDPR Will Change the World


Jan Philipp Albrecht*

Time is running. On 24 May 2018 the General Data Protection Regulation of the EU (GDPR) will apply directly to processing activities of personal data which have a link to the European Union’s territory or market. From this day on a breach of its provisions will be punishable by a sanction of up to 4% of the yearly worldwide turnover in case of an enterprise or up to €100 million in all cases. All Data Protection Authorities (DPAs) will have to impose these sanctions and they will be equipped with a wide range of tasks and powers on top. Binding majority decisions by a newly created European Data Protection Board can force any Member State’s DPA to adopt, change or withdraw a certain measure. From 24 May 2018 the fragmented digital market of today and the lack of enforcement in the field of data protection provisions will end. There will be a unified and directly applicable data protection law for the European Union which replaces almost all of the existing Member States’ provisions and which will have to be applied by businesses, individuals, courts and authorities without transposition into national law.

Those who try to create a different perception by denying these facts are putting in danger everyone who has to prepare for this new law in time for 24 May 2018. There are some who say that the GDPR would not create more harmonisation but rather create even more national differences than today. Their main argument is that the GDPR has many provisions where there is a reference to Member States’ laws and that the Regulation would in actual fact be more of a Directive. This view completely ignores the fact that the change from a Directive to a Regulation is in itself a revolutionary change: instead of Member States having to transpose each and every provision to national law with wide discretion, the GDPR now regulates almost all of the questions directly and only leaves exceptional and limited specification powers to Member States, which then always have to justify any divergence from the aim of a fully harmonised legal frame. It is clear that there will be areas where the Member States still preserve their competences, for example regarding media and press laws or national security and defence. And it is natural that the GDPR does not lay out all the possibilities for specific data processing activities in the public sector, for which national law will – as is the case today – provide a legal basis in laws other than genuine data protection laws.

It is paramount to understand how the GDPR will change not only the European data protection laws but nothing less than the whole world as we know it. Already since the agreement between the European Parliament and the Council in December 2015 its impact on the market and business strategies could be seen. Many companies have decided to put compliance with the GDPR as one of their key tasks at management level. Some major players are even changing their strategies in order to become leaders regarding data protection friendly products and services. Privacy, security and data protection made in Europe is an evolving trade mark even though the new unified standard is not even in action. When this happens on 24 May 2018 it will be a significant advantage for those who prepared early. All others will be struggling to compete, as from this moment the data protection principles and rules will not only be consistently enforced across the European market by means of heavy sanctions but will serve as a global gold standard for every new innovation, for consumer trust in digital technologies and for an entry point to the growth opportunities of an emerging digital market.

Regarding the substantial provisions, the GDPR will bring more legal certainty and coherence than today, where 28 different legal systems as well as 28 different judicial and enforcement cultures define the regulatory environment. In times where hardly any company can afford not to be present in the digital sphere and use services of Internet companies from all around the world, this creates massive bureaucracy and legal uncertainty. The change to a single legal framework including a level playing field for all companies on the European market is extremely positive for both businesses and consumers. But this is just the beginning: the replacement of prior notifications to DPAs by a strict application of the accountability principle is reducing unnecessary red tape for companies. The introduction of several provisions for more transparency and simple information policies is paramount in order to give back control to consumers and make their consent meaningful again. New innovative concepts like the right to data portability, standardised privacy icons and data protection by design and default are opening wide opportunities to foster innovation and competition in the direction of data protection and consumer friendly products and services. The risk-based approach applied in important provisions like breach notifications, data protection impact assessments or the appointment of data protection officers brings a reasonable approach for businesses but also effective protection of the fundamental right to data protection in the digital ecosphere of tomorrow.

In order to uphold the EU’s primary law obligation to data protection the Court of Justice of the EU has recently made very clear that there is no way to get around the high level of protection for personal data in the EU. The GDPR therefore is in continuity with the Court’s judgments, in particular regarding the cases Google v Spain on the ‘right to be forgotten’ and Facebook v Ireland on Safe Harbour. The clear decision in favour of the market location principle as well as the strict wording on international data transfers are results of the underlying problems which emerged throughout the growing Internet economy in Silicon Valley and elsewhere over the last decade. The GDPR now sets a standard which is to be taken as a clear statement by the biggest single market in the world. No data controller will be able to ignore this and other governments will be under pressure to raise their data protection standards in order to allow their economies access to the digital single market of the European Union. The effects of this can be seen already today, where some countries (like Japan) discuss introducing similar provisions to those laid down in the GDPR and UK businesses are doing their best to make sure the GDPR applies to its full extent even after Brexit might actually have happened. In the course of the revision of the Council of Europe’s Convention 108 the GDPR will leave its footprint also in neighbouring countries of the EU or even further abroad. In contrast to the horror picture of a digital fortress Europe distributed by US business representations, the GDPR is serving as a starting point for international standards and a trustworthy digital market.

The newly created European Data Protection Board will finally force the DPAs in Europe to get to a consistent interpretation and enforcement of the GDPR across the European Union and its single market. Whenever a concerned DPA has doubts about a measure of the competent lead authority at the main establishment of a controller it can raise the case in the course of the Board’s so-called consistency mechanism. If no agreement is found, the Board can now take a binding decision by majority which needs to be implemented by the lead authority. Redress against Board decisions is possible for individuals against the implementation act in front of the competent national court and for the DPAs in front of the Court of Justice of the EU. This procedure will dramatically improve legal certainty and coherence in the area of data protection law. The Board and the courts will have the task of adjusting the application of the technical, neutral and principle-oriented GDPR to every new development in technology, markets and processing activities. With this new framework the General Data Protection Regulation will serve as a role model for other policy areas where the consequences of globalisation and digitisation require a new regulatory approach in order to effectively safeguard values and standards. It is showing the European Union a way out of its current paralysis, as it shows that it is possible to achieve common action through a democratic process on the basis of high standards for citizens’ and consumers’ rights as well as a competitive and innovative single market.
