EEA Adoption of the GDPR and Why You Need to Take Action
By Gabrielle Berry, Associate, Advisory, Radius
In quick summary, the GDPR, applicable since May 25, 2018, is an extensive regulation aimed at protecting individual privacy through limitations on how personal data about an individual can be collected, stored, combined, used or transferred. Whether the regulation applies to a business depends not only on where the business is headquartered or has a physical presence, but also on where the people whose data it processes are located. Any organization that offers goods or services to, or monitors the behavior of, individuals in an EEA country is now officially subject to the GDPR.
Under the GDPR, the potential penalties for infringements involving personal data (information relating to an identified or identifiable natural person) are clear-cut and significant, with fines for the most serious infringements of up to 20 million euros or 4 percent of annual worldwide turnover, whichever is higher.
In short, organizations cannot afford to ignore the addition of Iceland, Liechtenstein and Norway to the list of GDPR jurisdictions when developing and maintaining their data-protection-related policies and practices.
Incorporation of Legislation
The GDPR replaces the Data Protection Directive 95/46/EC, which was intended to ensure the free movement of data within the single market while protecting individuals' data privacy. Concerns about new technologies, as well as public desire for a more comprehensive and uniform approach to data protection and privacy, led to the new law. Notably, the GDPR assigns legal liability to the various actors in a processing chain, such as data controllers and data processors, more explicitly than the Directive did.
The Data Protection Directive was recognized as being relevant to the functioning of the EEA, and so was incorporated into Annex XI of the EEA agreement in 1999.
The GDPR, as the successor to the Directive and with many of the same goals, was incorporated within the EEA on the same basis. In addition to this EEA incorporation, the individual governments of the newly covered EFTA states had to amend national legislation to bring it into conformity with GDPR rules.
Some Exceptions to Keep in Mind
Switzerland is the one EFTA member that has not chosen to join the EEA, and so it has not adopted the GDPR through the EEA agreement. To the extent that Swiss businesses process the data of individuals in the EEA, they must nonetheless comply with the regulation like any other non-EEA organization.
Switzerland's updates to its own Data Protection Act (DPA) will likely take effect in 2019. The revised DPA will broadly align Swiss data protection rules with the GDPR. It is important to note that there will likely still be differences between the two regimes, so businesses that collect the data of individuals in Switzerland must keep this in mind.
In a similar vein, Article 23 of the GDPR allows national law to restrict certain data-subject rights and controller obligations in limited areas, often referred to as derogations. These are mostly in the areas of national security, criminal enforcement, monetary and budgetary matters, taxation and public health. Because they are set in national law, they will need to be considered jurisdiction by jurisdiction, including for Iceland, Liechtenstein and Norway.
Implications for Compliance
All multinationals that may collect the personal data of individuals in the three additional EEA countries now covered by the GDPR, namely Iceland, Liechtenstein and Norway, will need to ensure that those countries are accounted for in their data privacy controls, from those related to employee data collection to marketing activities and everything in between.