Last Saturday was the twentieth anniversary of European data protection legislation. On October 24, 1995, Directive 95/46/EC was approved.

It was a turning point for all Member States, both for removing the obstacles to the free flow of personal data and for the level of protection of the rights and freedoms of individuals, but at the end of 1995 the world was a different place. The World Wide Web was in its infancy (the W3C had been founded only one year before), and the undisputedly most efficient company specializing in www-related services and products (Google) was incorporated only four years later.

About three years ago, with a radically changed World Wide Web, the European Commission decided to start over, in order to give citizens back control over their own personal data and to simplify the regulatory environment for business. It proposed a Data Protection Reform Package and, in particular, a General Data Protection Regulation (GDPR). The approval process should conclude at the end of 2015 and will likely allow for formal adoption of the GDPR in early 2016, to be followed by a two-year transitional period.

EU institutions assure us that the GDPR will establish a single set of rules on data protection, valid across Europe, because the current framework, based on Directive 95/46/EC, has not prevented fragmentation in the way personal data protection is implemented across the EU.

EU Institutions have also said that companies will deal with one law, not 28, and that this will save businesses around €2.3 billion a year. The new rules will particularly benefit small and medium-sized enterprises (SMEs), reducing red tape for them.

Now, if all of this is true, I wonder why the text of the GDPR grants so many powers to Member States and their supervisory authorities in executing the GDPR.

First of all, I am worried about Article 21 of the GDPR: it states that a Member State may restrict, by way of a legislative measure, the scope of the obligations and rights provided for, among others, Data Subjects. It specifies “only when such a restriction constitutes a necessary and proportionate measure”, but in order to safeguard interests that are too broad and not as important as the rights of the Data Subject (one of them is, for example, an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters and the protection of market stability and integrity).

The provision of Article 21 of the GDPR is a slavish copy of Article 13 of Directive 95/46/EC, but I do not understand the need to propose it again, especially within a self-executing act such as a regulation that, in theory, does not need a national transposition provided by Member State legislation.

Moreover, the GDPR establishes (Whereas 134) that authorizations by supervisory authorities based on Directive 95/46/EC should remain in force. This means that all decisions adopted by supervisory authorities in twenty years of activity will remain valid, despite their potential conflicts with the GDPR.

Not to mention Directives 2002/58/EC (the ‘ePrivacy Directive’) and 2009/136/EC, which will have to be amended after the GDPR is approved and will still be in force through national legislation.

Are we sure about “one continent, one law”? Yes, but rules must work in practice.

Last July, the European Data Protection Supervisor stated that the principles set down in the Data Protection Reform Package should be applied consistently, dynamically and innovatively, so that they are effective for citizens in practice. The reform needs to be comprehensive, hence the commitment to a package, but, as data processing is likely to fall under separate legal instruments, there must be clarity as to their precise scope and how they work together, with no loopholes for compromising safeguards.