EU data privacy law is currently undergoing a regime change. The General Data Protection Regulation (“GDPR”), the EU’s new data protection law, has been subject to a great degree of attention on both sides of the Atlantic. Much of this attention focuses on the GDPR’s expanded territorial reach, increased enforcement fines, and new rules in relation to consent. However, there has been surprisingly little attention paid to the interaction between the GDPR and the new laws of EU Member States being created in response to it. This blog seeks to address this issue, and highlight the absence of a choice of law mechanism within the GDPR to address these competing Member State national data protection laws.
The EU operates as a union of 28 independent nations (known as Member States), founded on the basis of a series of Treaties. The Treaties establish a division of powers between the EU and individual Member States which has similarities to U.S. federalism. The EU may only legislate in areas where it has competence conferred by the Treaties, and outside these specified areas, Member States retain exclusive competence to legislate.[i]
In exercising its (limited) legislative competence, the EU has a number of legislative instruments at its disposal; most significantly, Directives and Regulations. Directives can be thought of as pieces of framework legislation, which mandate that Member States put in place certain legislation, as well as the terms of that legislation. However, a Directive is not a directly applicable piece of legislation[ii]–it requires implementation in Member States. Directives also often leave a degree of discretion to Member States in how the law is implemented. Therefore, for every Directive there will be 28 national versions of the law in question, varying according to the discretion of the Member States.
Conversely, a Regulation is directly applicable in its own right, and does not require implementing legislation in Member States. For each Regulation, there is a single piece of legislation which applies across the EU.
Existing data protection law originates in a Directive (the “Data Protection Directive”). Consequently, along with the Data Protection Directive, there are national data protection laws across the EU. To complicate matters further, in many cases the national law implementing the Data Protection Directive was merged with prior national legislation (e.g. the Irish Data Protection Acts 1988 and 2003, French Act No 78-17 on Information Technology, Data Files and Civil Liberties dated 6 January 1978, the German Bundesdatenschutzgesetz). As a result, there is no single EU data protection law. Rather, there is a multitude of national data protection laws, which must be interpreted harmoniously with the Data Protection Directive.
The GDPR, which comes into effect on 25 May 2018, is a Regulation, not a Directive. From its initial proposal, the EU legislature emphasized the importance of having a “single set of rules”, and consequently chose to legislate by Regulation. Theoretically, this should have done away with the problem of competing applicable national data protection laws.
2. The purpose of applicable law rules in EU data protection law
2.1. Determining if and which data protection laws apply
As explained in the previous section, at present there is not a single EU data protection law, but 28 national versions of data protection law derived from a common EU source. For any organizations operating or serving customers in multiple Member States, the existence of multiple national data protection laws under the current regime raises an obvious question – with which of these laws must the organization comply?[iii] Is a company headquartered in Paris, but offering services to customers in Germany and Spain subject to French, German or Spanish data protection law? Or all three?
The Data Protection Directive contains a rule to be used to determine when a Member State’s national law is applicable. Article 4 of the Data Protection Directive adopts a three-stage test, depending on whether the organization has an establishment in a Member State, whether that Member State’s laws apply by virtue of public international law, or whether the organization is using equipment in that Member State.
In practice, determining applicable data protection law has been complex for organizations operating across multiple EU Member States. For such organizations, these complexities lead to two questions in particular:
- Are we subject to EU data protection law?
- To which EU data protection law are we bound?
The first question has led to the Google Spain decision,[iv] which concerned the application of EU data protection law to Google Inc., and a confirmation of extra-territorial application of the GDPR. This is beyond the scope of this blog, though it raises its own interesting issues.
2.2. Overlapping national data protection laws
The second question has been equally controversial, and is the subject of ongoing litigation. In particular, litigation has proliferated across the EU on the issue of whether multiple national data protection laws may apply to the same organization. (For example, can a company be subject to French, German and Irish data protection law?) One might argue that such overlap in application is contrary to the spirit of the Directive and EU law more generally. After all, part of the EU’s mission is the removal of trade barriers across Member States, and Directives are tools to do so, by harmonizing different legislative regimes. Indeed, the Data Protection Directive was explicitly adopted with the aim of completing the EU internal market.[v]
The EU’s highest court (the Court of Justice of the European Union, or “CJEU”) has considered a number of cases concerning applicable law issues under the Data Protection Directive, but has not grappled with the issue of overlapping application of national data protection laws directly. Indeed, the CJEU seemed to purposefully avoid the issue in one recent decision.[vi] The latest opinion by the Advocate General (an advisor to the CJEU) suggested that overlapping national legislation may be appropriate in some cases.[vii] Given the highly politicized nature of data protection issues in the EU more generally, it would not be surprising if the CJEU failed to reach a consensus here.
This second question, with its problems of applying multiple data protection laws to the same activity, was meant to be solved by the very nature of the GDPR. Organizations were promised a “single set of rules” by the EU legislature, which was the rationale for selecting to legislate by Regulation. After all, a Regulation is a single legal instrument, applicable across the EU, and therefore, choice of law issues should not arise. There is only a single law to apply; the Regulation itself. However, as we will see, the GDPR is not a traditional Regulation. Consequently, this potential overlap of laws is not solved, but in fact made more vexing, as there is no applicable law or rule under the GDPR to dictate which national laws should apply.
3. GDPR and applicable laws
3.1. GDPR: A Flexible Regulation?
While the GDPR is a Regulation by name, in substance it might be thought of as a hybrid between a Regulation and Directive.
The GDPR was the subject of intensive three-way negotiations between the three EU legislative bodies.[viii] There was significant political pressure to agree by the end of 2015, the stated deadline. On December 18, 2015, it was announced that an agreement had been reached. However, upon review of the final text, it became apparent that agreements had not been reached on a number of issues.
The GDPR leaves several significant issues to be addressed by Member States, envisaging that Member States will incorporate elements of the GDPR into their national legislation,[ix] and some national legislation has already emerged.[x] The number of opportunities for potential divergence—and therefore the role of national law—is significant. European Digital Rights, a European public interest organization, has cited no fewer than 51 areas of potential flexibility for Member States. Moreover, these divergences often concern crucially important issues. Notably, the GDPR leaves to Member States the discretion to vary the age of consent for agreeing to the use of certain online services.[xi] Prof. Daphne Keller has highlighted the significance of leaving the protection of free expression to Member States, in the context of Right to be Forgotten requests.[xii] Consequently, in these areas of divergence, rather than looking to the GDPR, national rules will be dominant.
Therefore, rather than a single set of rules, organizations will now be faced with the rules in the GDPR, and 28 (or 27, after the United Kingdom exits the EU) sets of Member State legislation.
3.2. Determining applicable law under the GDPR
The GDPR is entirely silent on when these Member State laws will apply to a given organization. Jiahong Chen has persuasively suggested that the silence is due to legislators’ assumptions that an agreement would be reached, and therefore problems of applicable law were unanticipated.[xiii] Thus, areas of divergence seem to have been inserted by political necessity, but without the foresight to address problems of overlapping or competing national laws.
By contrast, the GDPR contains extensive and complex rules in order to determine when a national EU data protection authority has the jurisdiction to investigate complaints or impose sanctions, and when multiple data protection authorities may co-operate.[xiv] But these rules govern the competence of data protection authorities, and not choice of law.[xv]
In the absence of explicit rules, organizations operating across Member States are left in a position of considerable uncertainty. While there are uniform EU private choice of law rules in relation to civil and commercial matters,[xvi] as Jiahong Chen has identified, data protection matters do not truly fit within these rules.[xvii]
4. Looking to the future
The EU legislature’s aim to create a single set of rules has not come to fruition. While there is a great deal more convergence on the substance of EU data protection law compared to under the Data Protection Directive, it is by no means a complete harmonization. The practical reality is that national data protection laws will continue to diverge. While a complex co-operation and consistency mechanism has been designed to determine the division of responsibilities between data protection authorities, the GDPR is silent as to when the national data protection legislation will apply. In the absence of any applicable law rule, organizations will face considerable uncertainty as to their legal obligations.
National legislatures might seek to add some clarity by including some guidance within the national legislation currently being adopted. Nevertheless, it is ultimately a question of EU law, and certainty can only come from a decision of the CJEU. Such a decision could be a long time coming, leaving organizations in an undesirable limbo.
[i] See Article 5, Treaty on the European Union. However, the EU’s powers are drafted very broadly, and have expanded over time. By contrast, areas outside EU competence are not specified. In combination, this has led to a very broad view of the EU powers (which some have referred to as ‘competence creep’). See Stephen Weatherill, Competence Creep and Competence Control, 23 YEARBOOK OF EUROPEAN LAW 1 (2004).
[ii] Directives may, however, have “direct effect”, being recognized by national courts even in the absence of national legislation. This can be complicated, and is beyond the scope of this blog.
[iii] This issue can be further complicated with the addition of the enquiry as to whether the organization is acting as a controller or a processor. For the purposes of this blog, and for simplicity, the reader may assume that “organizations” referred to are classified as data controllers within the meaning of the Data Protection Directive or GDPR.
[iv] Case C‑131/12, Google Spain SL, Google Inc. v. Agencia Española de Protección de Datos (AEPD), Mario Costeja González.
[v] The Data Protection Directive was adopted on the basis of the EU legislative competence under Article 114 of the Treaty on the Functioning of the European Union (formerly Article 95 of the Treaty of the Economic Community). Article 114 permits the EU legislature to adopt harmonizing legislation in order to establish or ensure the functioning of the EU single market.
[vi] See Case C-191/15, Verein für Konsumenteninformation v. Amazon, where the Advocate General expressly addressed the issue of overlapping national laws in his opinion, but the CJEU avoided the issue in its judgment.
[vii] Case C-210/16, Opinion of Advocate General Bot, Unabhängiges Landeszentrum für Datenschutz Schleswig-Holstein v Wirtschaftsakademie Schleswig-Holstein GmbH, in the presence of Facebook Ireland Ltd, Vertreter des Bundesinteresses beim Bundesverwaltungsgericht, ¶ 95-99.
[ix] Recital 8 of the GDPR provides “Where this Regulation provides for specifications or restrictions of its rules by Member State law, Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of this Regulation into their national law.”
[x] Prof. Eoin O’Dell of Trinity College Dublin, Ireland, has usefully gathered the most up to date information on the progress of these national legislative measures on his website – http://www.cearta.ie/2017/07/what-is-the-current-status-of-gdpr-incorporation-in-the-eus-28-member-states/ [last accessed, Oct. 19, 2017].
[xi] Article 8 of the GDPR.
[xii] Daphne Keller, The “Right to be Forgotten” and National Laws under the GDPR, THE CENTER FOR INTERNET AND SOCIETY, http://cyberlaw.stanford.edu/blog/2017/04/%E2%80%9Cright-be-forgotten%E2%80%9D-and-national-laws-under-gdpr [last visited Oct. 20, 2017].
[xiii] Jiahong Chen, How the best-laid plans go awry: the (unsolved) issues of applicable law in the General Data Protection Regulation, 6(4) International Data Privacy Law 310, 312 (2016).
[xiv] Chapter VI, and VII, GDPR.
[xv] Interestingly, as an exception from the lead regulator principle under the GDPR, another data protection authority might intervene on local cases (see Recital 127, and Article 56(2) of the GDPR). Issues arising under national data protection laws might well come to be understood as such local cases, to be regulated by the national data protection authority, regardless of the main establishment of the organization.
[xvi] Rome I Regulation (Regulation (EC) No 593/on the law applicable to contractual obligations (Rome I)) OJ L177/6; and Rome II Regulation (Regulation (EC) No 864/2007 on the law applicable to non-contractual obligations (Rome II)) OJ L199/40.
[xvii] Jiahong Chen, How the best-laid plans go awry: the (unsolved) issues of applicable law in the General Data Protection Regulation, 6(4) International Data Privacy Law 310, 317 (2016).