25th June 2020


by: Admin


Categories: News

Does GDPR Harmonise Data Protection Across Member States?

Does GDPR Harmonise Data Protection Across Member States?

The implementation of consistent data protection across the EU constitutes undoubtedly a worthy cause, that is nevertheless burdened by such seemingly insurmountable difficulties as differences in legal systems, differences in judicial systems and, even, differences in culture among Member States.’[1] This paper seeks to examine these issues and to assess to what extent harmonisation is currently being achieved.

It is important, first, to understand the meaning of the term “harmonisation”. This can be defined as ‘the act of making different people, plans, situations, etc. suitable for each other.’[2] Emphasis should be placed on the wording “suitable for each other”, as opposed to being identical to each other. The General Data Protection Regulation [3] (‘GDPR’), in its final version, never sought to provide uniform or identical rules relating to the protection of personal data throughout EU Member States, given the divergence, permitted within the provisions of the regulation itself, which will be examined later within this paper.


It is important to appreciate the legal effect of an EU regulation, which is that ‘it is a binding legislative act’[4] and ‘it must be applied in its entirety across the EU’. A regulation has direct effect in EU Member States. This needs to be contrasted with directives, which the previous law governing the protection of personal data within the EU was governed by.[5] Directives are a ‘legislative act that sets out the goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.’[6] [7]

The word harmonise is used only five times within the text of the GDPR and then only within the recitals.[8] It is however widely accepted that the purpose of GDPR was to harmonise data protection rights for individuals across all Member States.[9]

The European Commission states that:

The regulation is an essential step to strengthen individuals’ fundamental rights in the digital age and facilitate business by clarifying rules for companies and public bodies in the digital single market. A single law will also do away with the current fragmentation in different national systems and unnecessary administrative burdens…The European Data Protection Board (EDPB) is an independent European body which shall ensure the consistent application of data protection rules throughout the European Union.[10]

Many academic writers and practitioners have questioned whether the GDPR, is actually achieving this ”consistent application.”[11] It is critical to appreciate the extent of the discretion afforded within the regulation, namely that out of ‘65 articles that directly accord rights to data subjects, some 46 percent permit member states to engage in a variation.’[12] Arguably, this was to enable ‘EU institutions to allow some minimal latitude to the states (even though that would create dissonance, rather than harmony). More likely, those EU institutions found it necessary to provide this flexibility in order to get the GDPR enacted in the first place.’[13]

It should be noted that some European Union countries, such as Sweden[14] and Spain,[15] have incorporated the right to privacy within their written constitutions. This can be contrasted with the UK, where there are statutory and common law legal rights to privacy,[16] as opposed to constitutional ones. This is relevant with regards to understanding the legal different baselines which operated nationally within Member States when the GDPR was introduced.

Whilst this question, specifically asks the questions as to “harmonisation” within Member States of the EU, this paper includes current counties subject to this the GDPR, which includes the UK[17] and the members of the European Economic Area.[18]

Divergence Permitted by GDPR

Recital 10 of the GDPR provides the overarching lawful basis enabling Member States, in specified circumstances, to implement derogations from the GDPR, namely:

  • ‘Member States should be allowed to maintain or introduce national provisions to further specify the application of the rules of this Regulation.
  • Member States have several sector-specific laws in areas that need more specific
  • The Regulation also provides a margin of manoeuvre for Member States to specify its rules (for the processing of personal data).
  • The Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is ’[19]

This does in turn mean ‘that countries cannot be as flexible as they think.’[20] In order to gain a flavour of the types of divergence permitted by the GDPR, an illustrative example is provided below.

The age at which a child may consent to processing of their personal data in relation to information society services, is 16,[21] but the GDPR allows for Member States to lower this age to not younger than 13. The UK is a country which has elected to lower the age to 13, and furthermore, in the UK the reference to information society services is taken not to include preventative or counselling services.[22] This aspect, relating to the age of consent of children, has been implemented with a considerable amount of difference between Member States, with a least 10 countries selecting a younger age for consent.[23]

It is important to:

consider the effect of this permitted variation on a commercial entity that wishes to collect personal data from children… Instead of adopting a single set of procedures directed to this collection, it must inform itself about the standard in each member state and adapt its procedures accordingly. In doing so, it must immerse itself in exactly the type of differentiation among members’ state law that harmonization was supposed to eliminate.[24]


Other examples, where it is left to Member States to “modify the GDPR”,[25] include topics such as:

  • definitions;[26]
  • lawfulness of processing, such as in relation to legal obligations and the performance of tasks carried out in the public interest or in the exercise of official authority vested in the controller;[27]
  • restrictions on the obligations and rights regarding data subjects, subject to certain restrictions;[28]
  • where consent may be given by data subjects for the processing of special category personal data;[29]
  • processing of personal data relating to criminal convictions and offences;[30]
  • professional secrecy;[31]
  • imposing restrictions on data subjects’ rights, subject to certain requirements; and[32]
  • for processing carried out for journalistic purposes or the purpose of academic, artistic or literary expression, subject to certain [33]

This is not an exhaustive list, but it does demonstrate the types of fundamental issues which may be subject to Member State law, and thus has the potential, if not likely, effect of reducing harmonisation of data protection legislation throughout the EU.

However, it should be recognised that, Recital 73 of the GDPR states, in relation to restrictions of rights and principles, that:

restrictions concerning specific principles and rights…as well as the communications of a personal data breach to a data subject and certain related obligations of the controllers may be imposed by Union or Member State law, as far as necessary and proportionate in a democratic society to safeguard public security…Those restrictions should be in accordance with the requirements set out in the Charter[34] and in the European Convention for the Protection of Human Rights and Fundamental Freedoms.

This does offer some further level of protection to the privacy of individuals, particularly when taken in conjunction with recital 10, given the limitations it imposes on such restrictions.

Independence of Data Protection Authorities

It is clear that national data protection authorities must be independent,[35] and this was similarly the position prior to the implementation of the GDPR.

One of the most famous cases regarding the independence of data protection authorities is that of Schrems v Data Protection Commissioner.[36] Whilst this case was determined under the previous EU directive,[37] this case decided that ‘supervisory authorities responsible for supervising the processing of personal data must enjoy an independence allowing them to perform their duties free from external influence.’[38] This decision, regarding the independence of data protection authorities, was not the first of its kind (see e.g. European Commission (supported by Data Protection Supervisor) v Federal Republic of Germany).[39]

Given that the independence of data protection authorities is beyond question, it is obvious that the opinions of the interpretation or implementation by a data protection authority in one Member State, may potentially differ from their government, other data protection authorities and/or the EDPB. This in itself has the potential for an inconsistent harmonisation of the GDPR throughout the European Union.

A recent case demonstrating such independence is the decision by the Portuguese Data Protection Authority,[40] where it held that certain provisions of national data protection legislation were incompatible with the GDPR and that it therefore intended to “disregard” such legislation.[41]


Data protection authorities therefore clearly hold a central role in data protection within Member States as they are responsible for monitoring and enforcing the application of the GDPR within their respective jurisdictions.[42] ‘From this point of view, the task of warranting consistent applications of these same provisions falls largely within their hands.’[43]

Data protection authorities are however also legally required to cooperate or conduct joint operations, where appropriate, and provide mutual assistance to each other within the EU,[44] and this will be explained in more detail below.


The European Data Protection Board & Cooperation and Consistency

Chapter 7 of the GDPR deals with ‘cooperation and consistency, and also introduces the EDPB, which was established by the GDPR.

The EDPB is an ‘independent European body, which contributes to the consistent application of data protection rules throughout the European Union and promotes cooperation between the EU’s data protection authorities.’[45] It is tasked with ensuring ‘the consistent application’ of GDPR,[46] which it does in a variety of ways, such as monitoring, advising and issuing guidelines, recommendations and best practices.


The GDPR stipulates that there is to be a “consistency mechanism”[47] in order to ‘contribute to the consistent application of the Regulation throughout the Union’,[48] and that ‘the supervisory authorities shall cooperate with each other.’[49] However, this only needs to be used, particularly, where ‘a supervisory authority intends to adopt a measure intended to produce legal effects as regards processing operations which substantially affect a significant number of data subjects in several Member States’,[50] albeit that it does not preclude such cooperation in other circumstances.

Article 64 of GDPR provides that data protection authorities can apply to the EDPB to issue an opinion where they are intending to adopt certain measures, namely they:

  • are aiming to adopt a list of the processing operations subject to the requirement for a data protection assessment;[51]
  • have concerns as to whether a code of conduct complies with GDPR;[52]
  • are seeking to detail the requirements for accreditation of a certification body;[53]
  • are seeking to determine standard data protection clauses;[54]
  • are seeking to authorise contractual clauses; and/or[55]
  • are seeking to approve binding corporate [56]

Under Article 65 of the GDPR, the EDPB can offer dispute resolution and/or adopt binding decisions, where there is an objection raised by a data protection authority regarding another data protection authority, the latter of which is acting as the lead data protection authority, where there is a conflict as to which data protection authority is competent to act or where a data protection authority does not follow an opinion issued by the EDPB.

There are, however, exemptions to following these processes, which applies where a data protection authority ‘considers that there is an urgent need to act in order to protect the rights and freedoms of data subjects.’[57]

It has been submitted that the EDPB would:

finally force the DPAs[58] in Europe to get to a consistent interpretation and enforcement of the GDPR across the European Union… Whenever a concerned DPA has doubts about a measure of the competent lead authority at the main establishment of a controller it can raise the case in the course of the Board’s so called consistency mechanism. If no agreement is found, the Board can now take a binding decision by majority which needs to be implemented by the lead authority.[59]

The EDPB achieves this by issuing consistency findings in one of two ways, opinions and binding decisions, the latter of which only occur when there is a dispute between national data protection authorities.[60] As of the date of writing only 50 opinions,[61] and no binding decisions,[62] have been issued.

From the UK’s perspective, it is unlikely that the UK’s Data Protection Authority, the Information Commissioner’s Office, would be able to engage in such a process following the conclusion of the transitional Brexit arrangements, but it currently does so, whilst not formally a member, during the Brexit transitional arrangements.[63]

A recent example of the EDPB’s work in relation to harmonisation relates to the recent COVID-19 pandemic. EDPB issued a statement[64] in relation to the potential use of apps to help mitigate the COVID-19 pandemic.[65] The European Commission subsequently[66] issued Guidance on Apps supporting the fight against the COVID 19 pandemic in relation to data protection,[67] advising that ‘’Data Protection Authorities should be fully involved and consulted in the context of the development of the app and they should keep its deployment under review.’[68] Hungary has recently been criticised in relation to their government ‘seeking to put on hold a series of rights outlined in the GDPR, including rights to access and personal information’[69] as a consequence of the introduction of ‘emergency powers passed as a result of the coronavirus outbreak in the country.’[70] In the UK, the data protection impact assessment relating to the NHD COVID-19 App Pilot,[71] is currently being reviewed by the ICO.[72] It is likely that these are matters which will be interpreted by different data protection authorities within the EU in various ways, but it is encouraging that the EDPB have recently stated that the respect of individuals’ integrity, dignity and the right to data protection, is not only possible, it is essential’,[73] in relation to such COVID- 19 tracing apps.

Current Issues Relating to the Harmonisation of the GDPR


The EDPB have reported, two years after the introduction of the GDPR that they, ‘as regulators, have adopted guidance to clarify the terms of GDPR, as well as consistency option to ensure consistent application of the law throughout the EEA.’[74]

They state that what has become clear to them during the past two years ‘is that the resolution of cross-border cases is time and resource intensive’[75], and that it is therefore ‘of utmost importance that national governments fund their regulators appropriately. The effective application of the powers and tasks attributed by the GDPR to SAs[76] is largely dependent on the recourses available to them.’[77] Finally,

they acknowledge that ‘another challenge are the differences in national administrative procedural laws and practices.’ They conclude that it is ‘too soon to consider revising the GDPR.’[78]

Germany has already vocalized concerns about the future of the GDPR based on failures of other data protection authorities, such as the Irish Data Protection Commission due to, for example, lack of resources and a difference in culture between the two countries in relation to privacy.[79] The German Federal Commissioner for Data Protection and Freedom of Information[80] has proposed that one solution to this might be a ‘streamlined system allowing the transfer of cross- border cases to a European data protection agency if a three-quarter majority of EU member states’ regulators were in favour.’[81]

From the UK’s perspective, and linked to the issue of harmonisation within the EU, in order to continue to enable the transfer of personal data between the UK and the EU, post-Brexit, the simplest way of doing this would be for the UK to obtain an adequacy decision,[82] albeit that this is a lengthy process.[83] The very fact that there are genuine concerns as to whether the UK might be granted such an adequacy decision, due to concerns about privacy,[84] tends to support the fact that the EU has concerns about the UK’s compliance with GDPR.[85] This, in turn, evidences further failures in the compliance with EU data protection legislation here within the UK, and thus harmonisation between relevant European countries.


At the time of writing, almost precisely two years after the introduction of the GDPR, it is acknowledged, not least by the EDPB themselves, that there are problems relating to the harmonisation of the GDPR within the EU [86]. It is unfortunate that the European Commission have not released its two-year review of the GDPR from implementation within the specified legislative timescales,[87] and that this review has now been delayed until June 2020,[88] for reasons which have not been specified. This failure to report within the statutory timescales may, in itself, be of concern and might indicate that there will be a considerable number of topics which require detailed addressing.

It is the writer’s opinion that that the regulation, in its current form, is not, and cannot achieve full “harmonisation”, as per the definition set out at the commencement of this paper. “Harmonisation” requires some form of being ‘suitable for each other’[89]. Whilst the general rules are clearly uniform, the divergences which might have been needed to get the GDPR through the legislative process in the first place, have demonstrably created substantial differences to the rights of individuals and the implementation of the principles, within individual Member States, and thus it fails to provide an equal level of the protection of personal data throughout EU Member States. This is in no small part also due to the varying national laws and opinions regarding the importance of the privacy of individuals.

Unfortunately, the cooperation and consistency measures, contained within GDPR[90] are insufficient to overcome these difficulties, albeit that they do go some way towards meeting the objective of harmonization.

[1] PHADERA II, ‘European And National Legal Challenges When Applying The New General Data Protection Regulations Provisions On Co-Operation’ (Phaedra 2016) <http://www.phaedra- project.eu/wp-content/uploads/PHAEDRA2_D31_final_15092016.pdf> accessed 13 April 2020.


[2] ‘HARMONIZATION | Meaning In The Cambridge English Dictionary’ (Dictionary.cambridge.org, 2020)

<https://dictionary.cambridge.org/dictionary/english/harmonization> accessed 20 May 2020.


[3] Regulation (EU) 2016/679 of the European Parliament and of the Council on 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC


[4] ‘Regulations, Directives And Other Acts | European Union’ (European Union, 2020) <https://europa.eu/european- union/eu-law/legal-acts_en> accessed 22 May 2020.


[5] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data


[6] ‘Regulations, Directives And Other Acts | European Union’ (European Union, 2020) <https://europa.eu/european- union/eu-law/legal-acts_en> accessed 22 May 2020.


[7] Which was achieved in the UK through the Data Protection Act 1998.


[8] Recital 3 relating to the now superseded Directive 95/46/EC, recital 10 relating to harmonised level of data protection despite national scope, recital 53 relating to the processing of sensitive data in the health and social sector, recital 150 relating to administrative fines and recital 152 relating to power of sanction of the Member States.


[9] e.g. ‘Legal Framework’ (European Data Protection Board, 2020) <https://edpb.europa.eu/legal- framework_en> accessed 13 April 2020 and David Bender, ‘GDPR Harmonization: Reality Or Myth?’ (Iapp.org, 2020) <https://iapp.org/news/a/gdpr-harmonization-reality-or-myth/> accessed 13 April 2020.


[10] ‘Data Protection In The EU’ (European Commission – 2020) <https://ec.europa.eu/info/law/law- topic/data- protection/data-protection-eu_en> accessed 13 April 2020.


[11] e.g. David Bender, ‘GDPR Harmonization: Reality Or Myth?’ (Iapp.org, 2020). <https://iapp.org/news/a/gdpr- harmonization-reality-or-myth/> accessed 13 April 2020.


[12] David Bender, ‘GDPR Harmonization: Reality Or Myth?’ (Iapp.org, 2020) <https://iapp.org/news/a/gdpr- harmonization-reality-or-myth/> accessed 13 April 2020


[13] Ibid.


[14] ‘Datainspektionen’ (Datainspektionen.se, 2020) <https://www.datainspektionen.se/other-lang/in-english/about-

privacy/> accessed 22 April 2020.


[15] Article 18 of the Spanish Constitution 1978.


[16] e.g. The Human Rights Act 1998 and the law of confidence.


[17] Currently under the Agreement of the withdrawal of the United Kingdom of Great Britain and Northern Ireland from the European Union and the European Atomic Energy Community 2019/C 384 1/01, and which post Brexit, will be incorporated into UK legislation by virtue of s.3 of the European Union (Withdrawal) Act 2018.


[18] As set out by various EEA agreements, applicable to Iceland, Liechtenstein and Norway.


[19] ‘Harmonisation And Flexibility Within The GDPR’ (Ics.ie, 2020) <https://www.ics.ie/news/harmonisation-and- flexibility-within-the-gdpr> accessed 25 May 2020.


[20] Ibid.


[21] Art. 8 GDPR


[22] Data Protection Act 2018, s.9.


[23] ‘GDPR Tracker – Children Online’ (Bird & Bird, 2020) <https://www.twobirds.com/en/in- focus/general-data-protection-regulation/gdpr-tracker/children> accessed 13 April 2020.


[24] David Bender, ‘GDPR Harmonization: Reality Or Myth?’ (Iapp.org, 2020) <https://iapp.org/news/a/gdpr- harmonization-reality-or-myth/> accessed 13 April 2020.


[25] ‘Will The UK’S Approach To The GDPR Be Harmonised?’ (Hawktalk, 2016)

<https://amberhawk.typepad.com/amberhawk/2016/05/will-the-uks-approach-to-the-gdpr-be- harmonised.html> accessed 13 April 2020.


[26] Such as ‘controllers’ (Article 4(7)), which is defined in s.3 of the Data Protection Act 2018 in the UK, and ‘recipients’ (Article 4(9)), which is defined for the purposes of Parts 3 and 4 of the Data Protection Act in sections 33 and 84 of the Data Protection Act 2018 in the UK.


[27] Art. 6(2) GDPR.


[28] Regarding Articles 5, 12-22 and 34 GDPR.


[29] Art. 9(2)(a) GDPR.


[30] Art. 10 GDPR.


[31] e.g. Articles 9(3) and 14(5)(d) GDPR.


[32] Art. 23 GDPR


[33] Art. 85(2) GDPR.


[34] Charter of Fundamental Rights of the European Union.


[35] Art. 52(1).


[36] Case C-362/14), [2016] 2 W.L.R. 873.


[37] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regards to the processing of personal data and on the free movement of such data – Article 28.


[38] Para 68.


[39] (Case C-518/07) [2010] ECR 1-1885 at para 26.


[40] Deliberation No. 2019-494 of September 3.


[41] ‘CNPD Issued A Deliberation (Deliberation No. 494/2019, Of September 3) Stating That They Will Not Apply Some Of The Rules Of The Portuguese Law Implementing GDPR’ (Garrigues.com, 2019)

<https://www.garrigues.com/en_GB/new/cnpd-issued-deliberation-deliberation-no-4942019- september-3- stating-they-will-not-apply-some> accessed 22 April 2020.


[42] Art. 57(1)(a) GDPR.


[43] PHADERA II, ‘European And National Legal Challenges When Applying The New General Data Protection Regulations Provisions On Co-Operation’ (Phaedra 2016) <http://www.phaedra- project.eu/wp-content/uploads/PHAEDRA2_D31_final_15092016.pdf> accessed 13 April 2020.


[44] Art. 60-62 GDPR.


[45] ‘About EDPB’ (2020) <https://edpb.europa.eu/about-edpb/about-edpb_en> accessed 25 April 2020.


[46] Art. 70 GDPR.


[47] Art. 63 GDPR.


[48] Recital 135 GDPR.


[49] Art. 63 GDPR.


[50] Recital 135.


[51] Art. 64(1)(a) GDPR.


[52] Art. 64(1)(b) GDPR.


[53] Art. 64(1)€ GDPR.


[54] Art. 64(1)(d) GDPR.


[55] Art. 64(1)€ GDPR.


[56] Art. 64(1)(f) GDPR.


[57] Art 66(1) GDPR, subject to certain provisos set out in Art. 66 GDPR.


[58] Data Protection Authorities.


[59] Jan Phillips Albrecht, ‘How The GDPR Will Change The World’ (2016) 2 European Data Protection Law Review

<https://edpl.lexxion.eu/article/edpl/2016/3/4> accessed 22 April 2020. It should also be noted (from the same article that ‘redress against Board decisions is possible for individuals against the implementation act in front of the competent national court and for the DPAs in front of the Court of Justice of the EU. This procedure will dramatically improve legal certainty and coherence in the area of data protection law. The Board and the courts will have the task to adjust the application of the technical, neutral and principle-oriented GDPR to every new development in technology, markets and processing activities.’


[60] Art. 65 and Art. 70(1)(t) GDPR.


[61] Relating to binding corporate rules, accreditation of certification bodies, code of conduct monitoring and processing requirements exempt from data protection impact requirements.

[62] ‘Consistency Findings’ (European Data Protection Board, 2020) <https://edpb.europa.eu/our-work- tools/consistency-findings_en> accessed 13 April 2020.


[63] ‘Information Rights And Brexit Frequently Asked Questions’ (Ico.org.uk, 2020) <https://ico.org.uk/media/for- organisations/documents/brexit/2617110/information-rights-and-brexit- faqs-v2_3.pdf> accessed 22 April 2020.


[64] On the 19th March 2020


[65] ‘Statement By The EDPB Chair On The Processing Of Personal Data In The Context Of COVID-19 Outbreak’ (European Data Protection Board, 2020)

<https://edpb.europa.eu/sites/edpb/files/files/news/edpb_statement_2020_processingpersonaldataan dcovid-19_en.pdf> accessed 22 April 2020.


[66] On the 17th April 2020.


[67] ‘Official Journal C 124I/2020’ (Eur-lex.europa.eu, 2020) <https://eur-lex.europa.eu/legal- content/EN/TXT/HTML/?uri=OJ:C:2020:124I:FULL&from=EN> accessed 22 April 2020.


[68] Ibid at clause 3.10.


[69] ‘EU Data Watchdog ‘Very Worried’ By Hungary’s GDPR Suspension’ (www.euractiv.com, 2020)

<https://www.euractiv.com/section/data-protection/news/eu-data-watchdog-very-worried-by-hungarys- gdpr- suspension/> accessed 25 May 2020.


[70] Ibid.


[71] ‘Data Protection Impact Assessment NHS COVID-19 App PILOT LIVE RELEASE Isle Of Wight’ (Faq.covid19.nhs.uk, 2020) https://faq.covid19.nhs.uk/DPIA%20COVID- 19%20App%20PILOT%20LIVE%20RELEASE%20Isle%20of%20Wight%20Version%201.0.pdf accessed 18 May 2020.


[72] ‘Statement In Response To Media Enquiries About The Data Protection Impact Assessment For The NHSX’S Trial Of Contact Tracing App’ (Ico.org.uk, 2020) <https://ico.org.uk/about-the-ico/news- and- events/news-and-blogs/2020/05/dpia-for-the-nhsx-s-trial-of-contact-tracing-app/> accessed 26 May 2020.


[73] Andrea Jelinek, ‘Two Years GDPR: A European Data Protection Culture Built On The Trust Of Individuals’ (Linkedin.com, 2020) <https://www.linkedin.com/pulse/two-years-gdpr-european-data- protection-culture-built-greet- gysen/> accessed 25 May 2020.


[74] Ibid.


[75] Ibid.


[76] Supervisory Authorities, which is to say data protection authorities.


[77] Andrea Jelinek, ‘Two Years GDPR: A European Data Protection Culture Built On The Trust Of Individuals’ (Linkedin.com, 2020) <https://www.linkedin.com/pulse/two-years-gdpr-european-data- protection-culture-built-greet- gysen/> accessed 25 May 2020.


[78] Ibid.


[79] Nicole Kobie, ‘Germany Says GDPR Could Collapse As Ireland Dallies On Big Fines’ (Wired.co.uk, 2020) <https://www.wired.co.uk/article/gdpr-fines-google-facebook> accessed 13 May 2020.


[80] Ulrich Kelber.


[81] The Irish Times, ‘German Regulator Says Irish Data Protection Commission Is Being ‘Overwhelmed’ (2020) <https://www.irishtimes.com/business/financial-services/german-regulator-says-irish-data-protection-commission-is-being-overwhelmed-1.4159494> accessed 13 May 2020.


[82] Article 45 GDPR


[83] Indeed, the shortest time for an adequacy decision was completed in 18 months with Argentina – Neil Ross, ‘Explaining Adequacy; Personal Data Transfers To The EEA Under No Deal’ (Techuk.org, 2020) <https://www.techuk.org/insights/news/item/15910-explaining-adequacy-personal-data-transfers-to-the-eea-under-no-deal> accessed 13 May 2020.


[84] Lewis Lloyd, ‘Stackpath’ (Instituteforgovernment.org.uk, 2020) <https://www.instituteforgovernment.org.uk/explainers/future-relationship-data-adequacy> accessed 22 April 2020.


[85] Including in such areas as the Investigatory Powers Act 2016, the processing of personal data in respect of immigration control and indeed the Data Protection Act 2018 itself. – ‘UK–EU Future Relationship: Data Adequacy’ (The Institute for Government, 2020) <https://www.instituteforgovernment.org.uk/explainers/future-relationship-data-adequacy> accessed 13 May 2020.


[86] Andrea Jelinek, ‘Two Years GDPR: A European Data Protection Culture Built On The Trust Of Individuals’ (Linkedin.com, 2020) <https://www.linkedin.com/pulse/two-years-gdpr-european-data- protection-culture-built-greet- gysen/> accessed 25 May 2020.


[87] Art. 97(1) GDPR – 25.5.20 and every four years thereafter.


[88] ‘European Commission’s GDPR Review Pushed To June’ (Iapp.org, 2020) <https://iapp.org/news/a/commissions- gdpr-review-pushed-to-june/> accessed 27 May 2020.


[89] ‘HARMONIZATION | Meaning In The Cambridge English Dictionary’ (Dictionary.cambridge.org, 2020)

<https://dictionary.cambridge.org/dictionary/english/harmonization> accessed 20 May 2020.


[90] Contained within Chapter 7 GDPR.