Читать книгу International Data Protection Laws - Amit Luhach - Страница 7

Part I

European Union: General Data Protection Regulation

The Directive was the European Union´s (EU) primary legal instrument on data protection and was effective from 13 December 1995 to 24 May 2018. During this time, the CJEU handed down numerous decisions, which may be valid under the new data protection legislation i.e. GDPR. The Directive, though technologically neutral, was unable to keep pace with the new technological developments. The lack of harmonization among Member States´ data protection laws led to the European Commission´s (EC) review on the legal framework of data protection in 2009 and 2010. This resulted in the publication of the proposal for the GDPR in 2012. After prolonged negotiations between the European Parliament and the Council of EU, the GDPR was finally adopted on 14 April 2016. It provided for a two-year transition period and came into force on 25 May 2018. The purpose of GDPR was to harmonize the protection of personal data in the EU. It is directly applicable to all EU Member States¹, meaning that it automatically applies to each Member State without the need for national implementation legislation. However, certain areas fall outside the EU´s legislative competence but remain in the area of national law such as national security, justice administration, press regulation and labour law. Consequently, the GDPR provides the Member States with certain leeway to makes their own rules. This means that even after following the GDPR, it is still necessary to check the national laws to avoid any pitfalls. The GDPR provides a legal framework with the following main components i.e. in addition to determining core principles and data subject´s rights, it sets new obligations on organizations and regulates data processing agreements between companies; also it provides mechanisms for cross border transfers. Furthermore, it enhances the powers of supervisory authorities, allowing them to impose high fines to efficiently enforce the GDPR. It contains 11 Chapters which includes 99 articles and 173 recitals. The articles contain the operative law and the recitals help in interpreting them. The GDPR is a new law and there are not many cases decided under it. However, the most important decisions include Schrems I and Schrems II² which are discussed in the upcoming chapters. The cases decided on basis of the earlier Directive act as a source for interpreting the provisions of the GDPR – at least where the principles on which the CJEU decisions have been left untouched by the GDPR.