It is important to note that the GDPR leaves some leeway to the European Member States (hereinafter referred to as Member States) to establish further guarantees in their national legislation in specific areas. This inevitably creates a more complex harmonization process, in which controllers and processors also have to check their accountability against both the EU and the national legislation. As legal professionals expect, the national implementations of the GDPR will further help define the specifications of all the derogations that the GDPR allows for. At the same time, these local derogations demand a lot of caution from smaller enterprises that may be established, offer goods or services, or monitor the behaviour of data subjects in more than one Member State, since they need to comply not only with the GDPR but also with each applicable national law. As a consequence, companies may find themselves with limited resources while the legislation has quickly evolved to make data protection a serious duty for any company that stores or processes personal data, even occasionally.
On the other hand, national data protection authorities have become more active in providing organizations with guidance on how to cope with the requirements and obligations arising from both the EU and national laws. The data protection authorities and the European Data Protection Board help transform complex legal documents into more comprehensible and practical tools.
Cyberwatching.eu will help raise awareness of national legislation that may diverge from the harmonized law by providing recommendations to SMEs which specifically mention where a derogation by a Member State is possible and where it is not. However, even though the GDPR provides an updated legal framework to protect personal data, the challenge arises when one considers how this framework is implemented in practice. The GDPR allows for approved certification mechanisms as a way to demonstrate compliance with the data protection rules; however, until such certification mechanisms are approved in accordance with the GDPR, data protection matters still cannot be easily integrated with the cyber security solutions available on the market. This means that there currently seems to be a gap between the legislation and its application when it comes to techniques for ensuring and demonstrating compliance through certification. Furthermore, there seems to be a gap in applying the GDPR to more complex processing operations, such as those involved in the Internet of Things and Artificial Intelligence.
To complicate matters further, the reach of the GDPR extends beyond the borders of the European Union. It is fundamental to mention that the amount and complexity of international legislation on data protection can vary enormously – any country may have new, old or no laws in this field. In consideration of the disparity that may exist internationally, the GDPR requires that transfers of personal data outside the European Union be covered by appropriate safeguards for the protection of that data. One possible way to assess whether a country outside the EU offers an adequate level of protection is to check whether the European Commission has published an adequacy decision for it, which allows controllers and processors to transfer data lawfully.
Furthermore, another crucial element that enlarges the international impact of the GDPR is its extraterritorial scope. More precisely, the GDPR applies to all legal entities that:
Hence, the GDPR also applies to organizations that do not have an establishment in the European Union. This international scope has generated further challenges, for instance in jurisdictional matters concerning the online services of technology companies that violate the applicable law. An example of this uncertainty is the 50 million euro administrative fine issued by the French Data Protection Authority to Google. The Commission Nationale de l'Informatique et des Libertés (CNIL) reasoned that, because Google Ireland Limited was not the controller of Google's processing activities at the time of the investigation, the CNIL itself could issue the fine, rather than deferring to the Irish Data Protection Authority as the "lead supervisory authority".