Incorporation of the GDPR into the EEA Agreement

Published 13-04-2018
The General Data Protection Regulation (GDPR) (EU) 2016/679 will go into force in the EU on 25 May 2018. A draft Joint Committee Decision (JCD) is under consideration by the EU and the EEA EFTA States with the aim of being incorporated into the EEA Agreement on 1 June. The EFTA Secretariat was interviewed by the legal journal LexisNexis about how the incorporation will be implemented.

Why will the GDPR be incorporated into the EEA Agreement, and what are the main implications of this?

The EEA Agreement brings together the 28 EU Member States and the three EEA EFTA states (Iceland, Liechtenstein and Norway), establishing an internal market governed by the same basic rules regarding free movement of goods, services, persons and capital. In order to ensure homogeneity between these 31 states, EEA-relevant EU acts are continuously incorporated into the EEA Agreement.

In 1995, the EU adopted Directive 95/46/EC (the Data Protection Directive) on the protection of individuals with regard to the processing of personal data and the free movement of such data. The Data Protection Directive recognised that, for the good functioning of the internal market, it was important to remove the barriers to cross-border flows of personal data that existed due to divergent rules in EU Member States. The Data Protection Directive sought to strike a balance between a high level of protection for privacy of individuals and the free movement of personal data within the EU.

In the light of the importance of the Data Protection Directive to the functioning of an internal market, it was considered EEA-relevant and was incorporated into Annex XI of the EEA Agreement in 1999. With the incorporation of the Data Protection Directive into the EEA Agreement and its application, personal data also flows freely within the EEA under the same conditions as within the EU.

As a successor to the Data Protection Directive, the GDPR (Regulation (EU) 2016/679) is relevant to the scope of the EEA Agreement. The primary goal remains the same—to protect the privacy of natural persons and to remove the obstacles to flows of personal data within the EU, which still exist because of divergent legal approaches of the EU Member States. The GDPR has become an important component in the strengthening and functioning of the internal market.

With the incorporation of the GDPR into the EEA Agreement, individuals in the EEA EFTA states and in the EU benefit from the same level of protection. Data controllers and processors established in EEA EFTA states will be subject to the obligations laid down in EU legislation and their compliance will be monitored by the independent data protection authority of each EEA EFTA state.

What needs to be done before the GDPR can be incorporated into the EEA Agreement and come into force?

In order to extend the applicability of the GDPR to the EEA EFTA states, the GDPR needs to be incorporated into the EEA Agreement (for more information about how EU acts become EEA acts, please see a note by Subcommittee V on ‘How EU acts become EEA acts and the need for adaptations’).

This is done by a decision of the EEA Joint Committee, which is responsible for the management of the EEA Agreement. It is the body which is responsible for deciding which secondary EU legislation should be incorporated into the EEA Agreement. The draft Joint Committee decision is initially drafted by the EEA EFTA states and handed over to the European External Action Service (EEAS). The EEAS then processes the draft Joint Committee decision in accordance with Council Regulation (EC) 2894/94 concerning arrangements for implementing the agreement on the EEA. After the adoption of the corresponding EU position, and when the EEA EFTA states and the EU are in agreement, the EEA Joint Committee adopts the Joint Committee decision at its meeting.

In addition to the adoption of an EEA Joint Committee decision incorporating the GDPR into the EEA Agreement, the national Parliaments of the EEA EFTA states need to amend national legislation in accordance with the rules of the GDPR.

Once parliamentary approval has been given by all three national Parliaments (fulfilment of constitutional requirements) and the draft Joint Committee decision has been incorporated into the EEA Agreement, the GDPR becomes applicable throughout the EEA.

Does the EEA plan to have the GDPR incorporated into the EEA Agreement by the time the GDPR applies in the EU?

As regards the timeframe of the incorporation of the GDPR into the EEA Agreement, the EU Member States and the EEA EFTA states aim to incorporate the GDPR into the EEA Agreement before 25 May 2018, for it to become applicable in the EEA at the same time as in the EU.

This article was first published on Lexis®PSL Information Law on 14 March 2018.
