Cross-border Impact Assessment 2017
Preliminary Research 2: General Data Protection Regulation in Limburg
The entire dossier is available here in Dutch and English.
Ex-ante analysis of the effects of the General Data Protection Regulation in Limburg
Student Project by Martin van Rooij, Maastricht University
In this project, a Maastricht University student did a pre-study on the awareness of the EU General Data Protection Regulation in Limburg. The purpose was to find out whether it is already possible to assess ex ante its effect on enterprises in the border region. The General Data Protection Regulation, hereinafter referred to as GDPR, includes major changes in data handling procedures for public and private organisations within the EU and may also apply to organisations abroad due to its broad and extraterritorial scope. The GDPR encompasses a broad array of changes regarding the security of personal data in the EU. Since the Regulation will enter into force on 25 May 2018, undertakings and public authorities have to prepare for the deadline.
Aim of the GDPR
After years of preparation, the EU Parliament approved the GDPR on 14 April 2016 to replace Data Protection Directive 95/46/EC. As a Regulation, the GDPR was designed to harmonize the data protection laws across the European Union. However, the GDPR includes a number of opening clauses, granting Member States leeway regarding the exact implementation of specific provisions of the GDPR. Further, the GDPR touches upon various national legal regimes, resulting in potentially differing legal outcomes in different Member States. Therefore, the implementation of the GDPR is not, and will not be, entirely consistent throughout the EU. The question is whether these discrepancies can lead to uncertainties for organisations with multiple cross-border activities.
In particular, the research tried to establish a preliminary outlook on possible effects the GDPR has and will have on Dutch business in the border region of the Dutch Province of Limburg. According to the wording in the GDPR, the Regulation focuses on: reinforcing individuals’ rights; strengthening the EU internal market; ensuring stronger enforcement of the rules; streamlining international transfers of personal data; and setting global data protection standards.
Purpose of the GDPR
The main argument for a coherent EU-wide approach to data protection is to untangle and harmonize the different rules and regulations that became apparent throughout the Union. The ideal situation for business in any country is a common approach without administrative burden, as is described in the Commission’s goals: “Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country.” Some of the basic obligations of the Regulation relate inter alia to the nomination of a data protection officer in specific cases, the recognition of binding corporate rules and model clauses as one of the means to transfer personal data from the EU to third countries, and the introduction of a scheme to recognize Codes of Conduct.
The findings are based on interviews with business managers in the region, as well as experts on the GDPR in Limburg. A total of 23 interviews were conducted. However, because of the sensitive information discussed, all interviewees agreed to participate on the condition that their commentary was to be discussed anonymously.
Even though the GDPR is a Regulation and should thus be implemented harmoniously throughout the EU, many provisions allow for national legislators to implement exceptions to the rule, which are contained in so-called opening clauses in the GDPR. Any such difference between countries creates a potential obstacle. The issue of compliance with data protection rules is thus a contentious issue for business and experts alike. The 23 qualitative interviews with company representatives and experts in the field were only a small selection of the numerous companies contacted. Many refused to participate in this research. It is likely that those who did not want to discuss their level of data protection compliance might realize their standards are subpar.
Results from the interviews
Perhaps the most striking aspect that many experts in the field have iterated so far is the lack of implementation of the GDPR throughout all different sectors. At the time of the interviews, businesses had less than a year before the GDPR became applicable throughout the EU. One of the reasons why businesses did not seem to hurry with the required changes is that they did not comply with the current legal regime preceding the GDPR.
Others started to create awareness, meaning that they commenced implementation, leading to compliance in the longer term. These were mainly newer companies that are active in the online media sector and thus are closer to the topical debate. When asked about the exceptions that allow different Member States to implement the GDPR in different ways, none of the respondents seemed to express their concern. In fact, respondents indicated that the current Directive entails many more exceptions, which does not prevent them from trading cross-border.
The pre-study was also meant to ask companies about their positive expectations and the benefits of the Regulation. Due to the abovementioned lack of awareness of the companies interviewed, they were not in a position to carry out a proper self-assessment of whether the Regulation will be beneficial for their business. One aspect that was raised was that the cooperation of companies with other companies might have an influence, since the enforcement of the Data Protection Authorities is still not very thorough. German businesses in particular are much more aware of privacy concerns and might thus reject potential business partners in the future if they do not commit to the same level of data protection.
The lack of preparation is cause for concern, as it can be expected that a majority of the businesses in the region will not comply with the GDPR as the deadline comes closer. It was also interesting to note that none of the companies interviewed had been in contact with the appropriate Data Protection Authority. Since Member States have some freedom regarding some specific aspects of the implementation of the GDPR, it was expected that some issues might arise with respect to cooperating with cross-border business. However, none of the respondents claimed any disadvantage because of it. Experts say it might be because they do not yet realize the full effects and the all-encompassing scope of the Regulation. Others mention that many of these exceptions are so specific in nature that only a very small group of businesses will be affected.
Many of the companies interviewed are still not taking appropriate measures with respect to the obligations of the Regulation and they are not fully aware of the consequences. They find it difficult to make the necessary arrangements. In particular, this means that they do not have a clear picture of the positive or negative effects of the Regulation on their own business when it comes to cross-border business.
This pre-study has indicated that broader research on the final situation of the companies in the entire Euregion is necessary in order to assess the state of preparation around the date of the deadline. There are indications that this could in particular be relevant for companies who do business with German counterparts. If their German counterparts are already GDPR compliant, they might expect a similar standard with regard to GDPR compliance of potential business partners. If businesses in the Province of Limburg do not uphold the strict standards of the GDPR, it is possible others might not wish to conduct business with them. It will be interesting to conduct a proper analysis of Dutch, German and Belgian companies in the border regions.
The answers of the small number of companies are to some extent alarming: most companies will probably not be prepared in time for the full implementation date on 25 May 2018. Surprisingly, this does not seem to be a concern for the respective companies so far.
Whether this is because they will not be affected to such a large degree by the changes or because they will only realize the far-reaching implications once they encounter major problems remains to be seen. The pre-study has shown that further research is necessary to also prevent a scenario where too many companies jeopardize cross-border businesses.
 Regulation (EU) 2016/679
 Companies from different sectors: privacy consultants and experts, automotive industries, transport companies, marketing companies, healthcare providers, app-builders, several tech start-ups, contractors.