GDPR applies to all EU member states, but what is different about the way the General Data Protection Regulation (GDPR) is implemented within the EU member states, is, unlike the 1995 Directive, the GDPR is not a Directive, guidance or best practice, but actual EU wide Regulation. This means that the GDPR is enacted across all of the EU member states, from the same date and in the same way that it was written and issued by the EU. The GDPR did not require adaptation and transposition into member state law, it is member state law.
The reason behind the GDPR
Part of the reason behind the GDPR, was the need to harmonise data protection controls across the EU, as well as bringing the EU’s data protection legislation up to date with the way in which the EU and the world operates, interacts, conducts business and communicates. In today’s world for example, within excess of 2 billion Facebook users alone, it is hard to imagine that when the previous data protection legislation was enacted, in 1995, it is estimated that less than 1% of the population had access to the internet, and that social media sites such as Explorer, Facebook, Ebay and Amazon didn’t even exist!
It is clear that the previous legislation did not adequately, or specifically provide protection for data used and communicated in today’s world, hence the need for the change and GDPR.
So, does it all just impact the EU then? Or does this piece of EU Regulation carry force and impact around the world? Article 3 of the GDPR details the territorial scope of the regulation as being “the processing of personal data in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing takes place in the Union or not”, and “applies to the processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing activities are related to the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the Union or the monitoring of their behaviour as far as their behaviour takes place within the Union”.
So, to clarify, whether the data subject is in the EU, or the processing of data runs in or through the EU, GDPR will apply. However, one might ask oneself, that if a controller or processor is not physically located within the EU, how can they be penalised if they breach? A question I am sure is on the lips of a lot of non EU controllers and processors, given the increased level of fines that can now be made.
In short, the answer is – that such firms can still be penalised, as even though they may be physically located outside of the EU, to operate inside of the EU, or to process the data of an EU citizen, the data controller or processor must still, according to Article 27 of the GDPR, designate a representative who shall act as a contact point for the processer or controller, with for example, the relevant supervisory authority.
Therefore, whilst this is an EU based regulation, the consequences of getting it wrong, could, be impacting the whole of the world, if they wish to trade in, with or through the EU.
With regard to the UK specifically and Brexit, the UK has made it clear that Brexit will not impact on the implementation of the GDPR and that indeed, if the UK wishes to trade with the EU and the world post Brexit, it will have to align itself to the data protection laws under which every other country operates.