Introduction
In this project, a student from Maastricht University conducted a preliminary study on the awareness of the EU General Data Protection Regulation in Limburg. The aim was to find out whether it is already possible to estimate ex ante its impact on companies in the border region. The General Data Protection Regulation,[1] hereafter referred to as GDPR, includes major changes in data processing procedures for public and private organisations within the EU and, due to its broad and extraterritorial scope, may also apply to organisations abroad. The GDPR includes a wide range of changes related to personal data security in the EU. As the regulation comes into force on 25 May 2018, businesses and public authorities need to prepare for the deadline.
Purpose of GDPR
After years of preparation, the EU Parliament approved the GDPR on 14 April 2016 to replace the Data Protection Directive 95/46/EC. As a regulation, the GDPR was designed to harmonise data protection laws across the European Union. However, the GDPR contains a number of open clauses, which give member states leeway regarding the exact implementation of specific provisions of the GDPR. Moreover, the GDPR touches on different national legal systems, which can lead to different legal outcomes in different member states. Therefore, the implementation of the GDPR is not and will not be fully consistent across the EU. The question is whether these discrepancies could create uncertainties for organisations with multiple cross-border activities.
In particular, the study sought to paint a preliminary picture of the potential effects the GDPR has and will have on Dutch businesses in the border region of the Dutch province of Limburg. According to the wording in the GDPR, the regulation focuses on: strengthening the rights of individuals; strengthening the EU internal market; ensuring better enforcement of the rules; streamlining international transfers of personal data and setting global standards for data protection.
Results of the interviews
Perhaps the most striking aspect highlighted by many experts in the field so far is the lack of implementation of the GDPR across all different sectors. At the time of the interviews, companies had less than a year before GDPR became applicable across the EU. One reason why companies did not seem to be in a hurry to make the required changes is that they did not comply with the current legal regime that preceded the GDPR.
Others started creating awareness, meaning they started implementing, leading to longer-term compliance. These were mainly newer companies operating in the online media sector, which are therefore closer to the current debate. When asked about the exceptions that allow different member states to implement the GDPR in different ways, none of the respondents seemed concerned. In fact, respondents indicated that the current directive brings many more exceptions, which does not prevent them from trading across borders.
The preliminary study was also designed to ask companies about their positive expectations and benefits of the regulation. Due to the aforementioned lack of awareness of the interviewed companies, they could not properly self-assess whether the regulation will be beneficial for their business. One aspect brought up was that companies’ cooperation with other companies could have an impact, as enforcement by data protection authorities is still not very thorough. German companies in particular are much more aware of privacy issues and could therefore reject potential business partners in the future if they do not pursue the same level of data protection.
The lack of preparation is cause for concern, as it can be expected that a majority of companies in the region will not comply with the GDPR as the deadline approaches. It was also interesting to note that none of the companies surveyed had contacted the relevant data protection authority. As Member States have some discretion on some specific aspects of the implementation of the GDPR, it was expected that there could be problems in terms of cooperation with cross-border companies. However, none of the respondents claimed to experience any disadvantage. Experts say it could be because they do not yet realise the full effects and comprehensive scope of the regulation. Others mention that many of these exemptions are so specific in nature that only a very small group of companies will have to deal with them.
Conclusions
Many of the companies surveyed are still not taking appropriate measures regarding the obligations of the regulation and are not fully aware of the consequences. They find it difficult to make the necessary arrangements. In particular, this means that they do not have a clear picture of the positive or negative impact of the regulation on their own business when it comes to cross-border business.
This preliminary study has indicated that broader research on the final situation of companies across the Euregio is needed to assess the state of preparation around the deadline. There are indications that this could be particularly relevant for companies doing business with German counterparts. If their German counterparts are already GDPR-compliant, they can expect a similar standard regarding GDPR compliance from potential business partners. If companies in the province of Limburg do not comply with the strict standards of GDPR, others may not want to do business with them. It will be interesting to do a proper analysis of Dutch, German and Belgian companies in the border regions.
The answers from the small number of companies are to some extent alarming: most companies are unlikely to be ready in time for the full implementation date on 25 May 2018. Surprisingly, so far this does not seem to be a concern for the respective companies.
Whether this is because they will not be so affected by the changes or because they will not realise the far-reaching consequences until they face major problems remains to be seen. The preliminary study has shown that further research is needed to also avoid a scenario where too many companies put cross-border businesses at risk.
[1] Regulation (EU) 2016/679
[2] http://europa.eu/rapid/press-release_IP-12-46_en.htm
[3] Companies from different sectors: privacy consultants and experts, automotive industry, transportation companies, marketing companies, healthcare providers, app builders, various tech start-ups, contractors.