Sep 26, 2018 12:00:00 AM | Data Transfer Extending the GDPR across the borders of the EU: data protection in the EEA

The European Economic Area (EEA) is the combination of European Union (EU) and European Free Trade Association (EFTA) states, except for Switzerland. The EEA has now incorporated the GDPR into the EEA agreement. This was done by an EEA Joint Committee Decision dated 6^th July 2018, which came into force on 20^th July, 2018. 

The EEA extends the four freedoms of the internal market (free movement of persons, goods, services and capital) from the EU to three of the EFTA states, and therefore they are also subject to the harmonisation of data protection by the GDPR. This blog highlights what this means to the EFTA states, what are the ratio behind and the advantages of the EEA GDPR adoption, and how consistent application of the GDPR is secured.

EEA & GDPR: What this means 

The introduction of the EEA essentially implies that the GDPR, although EU legislation, is also directly applicable to the three EEA EFTA States: Iceland, Norway and Liechtenstein.

Also, the government of Liechtenstein has recently adopted a statement regarding the total revision of its Data Protection Act with effect from 1 January 2019. In the meantime, transitional legislation adopted as an amendment to the existing Data Protection Act is in operation in Liechtenstein.

Iceland and Norway, on the other hand, implemented their national data protection laws on 15^th and 20^th July, 2018 respectively. 

Why it was GDPR adopted across the EEA

The GDPR provides for the harmonisation of personal data protection laws within the EU, aimed at facilitating the unhindered flow of personal data between member states, and thus to further the development of the digital economy across the internal market. From a data management perspective this creates a Europe-wide clarity. Therefore, at its core, the GDPR recognises the scale of the data driven economy, its potential growth in light of technological innovations in this field and aims to facilitate this in a manner that does not disrupt the single market.

Given that the aim of the EEA Agreement is also homogeneity in the single market, the GDPR was a key piece of legislation that needed to be integrated into the EEA Agreement to ensure this homogeneity in the digital economy across the EEA. Relevant EU legislation like the GDPR is incorporated into the EEA Agreement by way of an EEA Joint Committee Decision, which is adopted only after receiving approval from both the EFTA states and the EU by way of specific procedures established in this regard. 

The adoption of the GDPR by the EEA Joint Committee means that the GDPR is now directly applicable to Iceland, Norway and Liechtenstein, and personal data can freely flow between these states and all EU member states. Otherwise, as per the GDPR, the transfer of personal data from EU member states to these states would fall within the paradigm of international data transfer, perhaps prompting the necessity of an adequacy decision. 
Another crucial benefit associated with the integration of GDPR into the EEA Agreement is with regard to the full participation of the EEA states in the ‘one-stop-shop’ mechanism.

This serves to determine a lead data protection authority responsible for monitoring the activities of a data controller or processor operating in more than one state. This provision enables legal certainty for specific data controllers/processors, irrespective of the individual states that they operate in. 

Consistent application of GDPR

The GDPR is still a fairly new piece of legislation and one can expect its interpretation and application to evolve over time. Since the core idea behind the GDPR is homogeneity and legal certainty, its application across all states ought to be consistent. 

The European Data Protection Board ('EDPB') as well as the Court of Justice of the European Union ('CJEU') will presumably play integral roles in assuring this. 

Therefore, it comes as a relief to the EEA states that the composition of the EDPB extends to the EEA states. However, as of now, the EEA states' representatives lack voting power within the EDPB, and are ineligible to chair/deputy chair the EDPB. This implies a lack of concrete authority on the part of the EEA states to contribute to the trajectory of evolution of GDPR. 

This could especially be seen as a disadvantage in the context of binding decisions under Article 65 of the GDPR, where the subject matter involves conflicting views between DPAs of EU member states and that of an EEA state. It remains to be seen if this position changes in the future. 

As far as CJEU decisions are concerned, the EEA Joint Committee is obliged to constantly review the development of case law and act in a manner so as to preserve the homogeneity in the interpretation of the Agreement. It also guarantees a system of cooperation and exchange of information between the CJEU and the EFTA court. 

What about Switzerland?

Notably, Switzerland is not a member of the EEA. Therefore, the GDPR is not directly applicable to Switzerland. However, the Swiss Data Protection Act is set to undergo revisions to be aligned with the GDPR. The final draft of the revised Data Protection Act was published by the Swiss Federal Council on 15th September 2017, and is expected to enter into force later this year, or in early 2019.