Lately there has been a wave of optimism among those looking for legal certainty that the GDPR will be adopted by the UK even after the country leaves the European Union. This wave was prompted by a declaration of the British Secretary of State, Karen Bradley, at the end of October, when she stated before a Committee of the Parliament that “We will be members of the EU in 2018 and therefore it would be expected and quite normal for us to opt into the GDPR and then look later at how best we might be able to help British business with data protection while maintaining high levels of protection for members of the public”. The Information Commissioner of the UK, Elizabeth Denham, welcomed the news. On the other hand, as Amberhawk explained in detail, this will not mean that the UK will automatically be considered as ensuring an adequate level of protection.
The truth is that as long as the UK is still a Member of the EU, it can’t opt in or opt out, for that matter, from regulations (other than the ones subject to the exemptions negotiated by the UK when it entered the Union – but this is not the case for the GDPR). They are “binding in their entirety” and “directly applicable”, according to Article 288 of the Treaty on the Functioning of the EU. So, yes, quite normally, if the UK is still a Member State of the EU on 25 May 2018, then the GDPR will start applying in the UK just as it will be applying in Estonia or France.
The fate of the GDPR after Brexit becomes effective will be as uncertain as the fate of all other EU legislative acts transposed in the UK or directly applicable in the UK. But let’s imagine the GDPR will remain national law after Brexit, in one form or another. If this happens, it is likely that it will take on a life of its own, departing from harmonised application throughout the EU. First and foremost, the GDPR in the UK will not be applied in the light of the Charter of Fundamental Rights of the EU and especially its Article 8 – the right to the protection of personal data. The Charter played an extraordinary role in the strengthening of data protection in the EU after it became binding, in 2009, being invoked by the Court of Justice of the EU in its landmark judgments – Google v Spain, Digital Rights Ireland and Schrems.
The Court held as far back as 2003 that “the provisions of Directive 95/46, in so far as they govern the processing of personal data liable to infringe fundamental freedoms, in particular the right to privacy, must necessarily be interpreted in the light of fundamental rights” (Österreichischer Rundfunk, para 68). This principle was repeated in most of the following cases interpreting Directive 95/46 and other relevant secondary law for this field, perhaps with the most notable results in Digital Rights Ireland and Schrems.
See, for instance:
“As far as concerns the rules relating to the security and protection of data retained by providers of publicly available electronic communications services or of public communications networks, it must be held that Directive 2006/24 does not provide for sufficient safeguards, as required by Article 8 of the Charter, to ensure effective protection of the data retained against the risk of abuse and against any unlawful access and use of that data” (Digital Rights Ireland, para. 66).
“As regards the level of protection of fundamental rights and freedoms that is guaranteed within the European Union, EU legislation involving interference with the fundamental rights guaranteed by Articles 7 and 8 of the Charter must, according to the Court’s settled case-law, lay down clear and precise rules governing the scope and application of a measure and imposing minimum safeguards, so that the persons whose personal data is concerned have sufficient guarantees enabling their data to be effectively protected against the risk of abuse and against any unlawful access and use of that data. The need for such safeguards is all the greater where personal data is subjected to automatic processing and where there is a significant risk of unlawful access to that data” (Schrems, para. 91).
Applying data protection law outside the spectrum of fundamental rights will most likely not ensure sufficient protection to the person. While the UK will still remain under the legal effect of the European Convention on Human Rights and its Article 8 – respect for private life – this is far from equivalent to the specific protection ensured to personal data by Article 8 of the Charter as interpreted and applied by the CJEU.
Not only will the Charter not be binding for the UK post-Brexit, but the Court of Justice of the EU will no longer have jurisdiction on UK territory (unless some sort of spectacular agreement is negotiated for Brexit). Moreover, EU law will not enjoy supremacy over national law, as is the case right now. This means that British data protection law will be able to depart from the European standard (GDPR) to the extent desired by the legislature. For instance, there will be nothing standing in the way of the British legislature adopting permissive exemptions to the rights of the data subject, pursuant to Article 23 GDPR.
So when I mentioned in the title that the GDPR in the post-Brexit UK will in any case be left without its “heart”, I was referring to its application and interpretation in the light of the Charter of the Fundamental Rights of the EU.
A million dollar question, literally: Can DPAs fine a controller directly on the basis of the GDPR, or do they need to wait for national laws?
by Gabriela Zanfir-Fortuna
The need to discuss the legal effect of the GDPR emerged because some opinions in the privacy bubble hold that it will take at least a couple of years before the GDPR de facto has legal effect at national level, after the moment it becomes applicable in 2018. The main argument for this thesis is that national parliaments of the Member States will need to take action in one way or another, or that national governments will need to issue executive orders to grant new powers to supervisory authorities, including the power to fine.
This post will bring forward some facts emerging from EU primary law and from the case-law of the Court of Justice of the EU (CJEU) that need to be taken into account before talking about such a de facto grace period.
The conclusion is that, just like all EU regulations, the GDPR is directly applicable and has immediate effect from the date it becomes applicable according to its publication in the EU Official Journal (in this case, 25 May 2018), with no other national measures being required to give it effect in the Member States (not even translations at national level). While it is true that it contains provisions that give a margin of appreciation to Member States if they wish to intervene, most of the articles are sufficiently clear, detailed and straightforward to allow direct application, if need be (for instance, if a Member State is late in adjusting and adapting its national data protection law).
1) EU regulations enjoy “direct applicability”: the rule is that they are “immediately applicable” and they don’t need national transposition
First and foremost, it is a fact emerging from the EU treaties that EU Regulations enjoy direct applicability, which means that once they become applicable they do not need to be transposed into national law.
This rule is set out in the second paragraph of Article 288 of the Treaty on the Functioning of the European Union (TFEU), which states that:
By contrast, according to the third paragraph of Article 288 TFEU, directives “shall be binding, as to the result to be achieved, upon each Member State to which it is addressed, but shall leave to the national authorities the choice of form and methods.”
Therefore, as the CJEU explained in settled case-law, “by virtue of the very nature of regulations and of their function in the system of sources of Community law, the provisions of those regulations generally have immediate effect in the national legal systems without it being necessary for the national authorities to adopt measures of application” (see Case C-278/02 Handlbauer, 2004, §25 and Case 93/71 Leonesio, 1972, §5) and in addition they also “operate to confer rights on individuals which the national courts have a duty to protect” (Case C-70/15 Lebek, 2016, §51).
However, the CJEU also ruled that “some of their provisions may nonetheless necessitate, for their implementation, the adoption of measures of application by the Member States” (Case C-278/02 Handlbauer, 2004, §26; C-403/98 Monte Arcosu, 2001, §26). But this is not the case of sufficiently clear and precise provisions, where Member States don’t enjoy any margin of manoeuvre. For instance, the Court found in Handlbauer that “this is not the case as regards Article 3(1) of Regulation No 2988/95 which, by fixing the limitation period for proceedings at four years as from the time when the irregularity is committed, leaves the Member States no discretion nor does it require them to adopt implementation measures” (§27).
Therefore, whenever an EU regulation leaves the Member States no discretion, nor does it require them to adopt implementation measures, the provisions of that regulation are directly and immediately applicable as they are.
2) EU regulations’ direct applicability does not depend on any national measure (not even translation published in national official journals)
The CJEU explained as far back as 1973 that for EU regulations to take effect in national legal systems of Member States there is not even the need to have their texts translated and published in the national official journals.
Asked whether the provisions of a Regulation can be “introduced into the legal order of Member States by internal measures reproducing the contents of Community provisions in such a way that the subject-matter is brought under national law”, the Court replied that “the direct application of a Regulation means that its entry into force and its application in favour of or against those subject to it are independent of any measure of reception into national law” (Case 34/73 Variola, 1973, §9 and §10). AG Kokott explained that such measures include “any publicity by the Member States” (Opinion in C-161/06 Skoma-lux, §54) in an Opinion that was substantially upheld by the Court in a judgment stating that the publication of a regulation in the Official Journal of the EU in an official language of a Member State is the only condition to give it effect and direct applicability in that Member State (Judgment in Case C-161/06).
The Court concluded in Variola that “a legislative measure under national law which reproduces the text of a directly applicable rule of Community law cannot in any way affect such direct applicability, or the Court’s jurisdiction under the Treaty” (operative part of the judgment). The Court also explained in Variola that “by virtue of the obligations arising from the Treaty and assumed on ratification, Member States are under a duty not to obstruct the direct applicability inherent in Regulations and other rules of Community law. Strict compliance with this obligation is an indispensable condition of simultaneous and uniform application of Community Regulations throughout the Community” (Case 34/73 Variola, 1973, §10).
3) National authorities could impose administrative penalties directly on the basis of a provision of a Regulation, where necessary
The Court dealt with the question of national authorities imposing administrative fines directly on the basis of the provisions of an EU regulation in Case C-367/09 Belgisch Interventie- en Restitutiebureau on the interpretation of provisions from Regulation 2988/95.
After recalling its case-law on direct applicability of EU regulations (§32), including the exemption that some provisions of a Regulation necessitate for their implementation the adoption of measures of application (§33), the CJEU found that in that specific case national authorities cannot impose fines directly on the basis of Articles 5 and 7 of Regulation 2988/95 because “those provisions merely lay down general rules for supervision and penalties for the purpose of safeguarding the EU’s financial interests (…). In particular, those provisions do not specify which of the penalties listed in Article 5 of Regulation No 2988/95 should be applied in the case of an irregularity detrimental to the EU’s financial interests nor the category of operators on whom such penalties are to be imposed in such cases” (§36).
Therefore, the Court did not question the possibility of a national authority imposing fines directly on the legal basis provided by a regulation. The CJEU went directly to analyse the content of the relevant provision and found that fines could not be imposed because of the general character of that provision, which required additional measures to be adopted both at Member State and at EU level (had the provisions been clearer, the authorities could have directly issued fines on the basis of the regulation).
One look at Article 83 GDPR and one can easily tell that this is not the case of that provision – it is clear who imposes fines, for what, against whom, on what criteria and what is the maximum amount for each category of fines. Neither is it the case of Article 58 on the powers of supervisory authorities. Article 83 GDPR allows Member States some discretion only if they wish to provide specific rules for fining public authorities (paragraph 7) and only if their legal system does not provide for administrative fines – in this case, the states are allowed to apply Article 83 in such a manner that the fine is initiated by the competent supervisory authority and imposed by competent national courts (paragraph 9).
4) Conclusion: beware of the GDPR from day 1
The GDPR, like all EU regulations, is directly applicable and has immediate effect in the legal order of Member States by virtue of its publication in the Official Journal of the EU and the conditions of applicability in time expressed therein, no additional national measures being required to give it effect.
While there are provisions that give Member States a margin of appreciation and a discretion to implement national measures, most of the provisions are sufficiently clear and precise to be applied as they are.
Of course there will be national data protection laws that will specify additional rules to the GDPR, giving effect to that margin of appreciation. But the national laws that will complement an EU regulation, such as the GDPR, are valid only as long as “they do not obstruct its direct applicability and do not conceal its [EU] nature, and if they specify that a discretion granted to them by that regulation is being exercised, provided that they adhere to the parameters laid down under it” (CJEU, Case C‑316/10 Danske Svineproducenter v Justitsministeriet, §41).
As always, here is the fine print (or the caveat) whenever we discuss the interpretation of EU law: only the CJEU has the authority to interpret EU law in a binding manner.
(Note: The author is grateful to Dr. Mihaela Mazilu-Babel, who provided support with preliminary research for this post.)