February 25

The EU General Data Protection Regulation (GDPR) Commentary

Christopher Kuner, Lee A. Bygrave, Christopher Docksey (EDS. ) and Assistant Editor Laura Drechsler

review by

Christopher F. Mondschein

The 25th of May 2020 marks the two-year anniversary of the entering into force of the EU General Data Protection Regulation 2016/679 (GDPR). The GDPR is undoubtedly a complex piece of legislation and recent years have spawned a great number of materials that aid in the interpretation of its provisions. In this regard, ‘The EU General Data Protection Regulation (GDPR) Commentary’ edited by Christopher Kuner, Lee A. Bygrave, Christopher Docksey, and Assistant Editor Laura Drechsler is a timely and welcome contribution, as it offers an authoritative source of information and an ideal starting point for researching answers to questions surrounding the GDPR.

The book stands at a whopping 1488 pages and was first published by Oxford University Press on 6 March 2020. It is available as a hardcover, e-book, or in a bundle with enhanced features that includes being ‘fully searchable, fully annotatable, organisation of notes and favourites, linking out to referenced websites within the app, direct links to full ECLI cases, user-created links into specific sections of content, and easy section-printing capabilities’.

The commentary follows a per-article structure that covers each of the 99 articles of the GDPR in a separate section. After a preface by the editors and a preface by the late Giovanni Buttarelli, former European Data Protection Supervisor, the commentary devotes 43 pages on the background and evolution of the GDPR. Since part of the GDPR’s complexity can be attributed to the compromise between differing views of legislative actors during the GDPR’s conception, this well-crafted section offers a valuable insight into the genesis of some of the contentious provisions of the GDPR and enlightens readers to the background of these provisions.

For readers familiar with per-article style commentaries, this book will not hold any surprises. The commentary section for each provision of the GDPR follows a consistent approach throughout the book. Each section starts by displaying the article of the GDPR along with the relevant recitals. Next, references to related provisions in other EU data protection legislation are listed as well as the relevant case law. The main text of the commentary opens with an explanation of the policy rationale of the provision, followed by the provision’s legal background and by an analysis of the provision. The segment on the legal background connects the GDPR’s provision to relevant provisions of its predecessor (Directive 95/46/EC), as well as to relevant international data protection instruments and to developments at the national level of EU Member States. The analysis of the provisions follows different structures per article, as is dictated by the varying scope of each provision – here, form follows function. At the end of each section, a curated bibliography is presented to enable readers to engage in further research and to have authoritative sources available at a glance.

The quality and the depth of the analysis is coherent between different articles and even more ‘exotic’ provisions of the GDPR never feel like they were treated with neglect. The body of authors for this commentary encompasses a mix of individuals from the public and private sector and from academia, with contributors from various different national backgrounds. In this regard, the editors have done a great job in matching the expertise of the contributors to the subject matter of specific provisions, which further illustrates the authoritativeness of the commentary.

In sum, the commentary’s structure weaves a tight net of information for readers and helps them to contextualise the GDPR’s provisions by laying out both the genesis and the logic behind each provision.

So far (and to the author’s best knowledge), this commentary is the first fully-fledged English-language, per-article GDPR commentary that is available. Given the GDPR’s extraterritorial scope, the relevance of an authoritative commentary in English cannot be overstated: a high demand for authoritative resources on the GDPR exists not only within the EU/EEA but also outside of the EU/EEA as legal practitioners and academics alike are confronted with the GDPR. This also has to do with the fact that the GDPR is influencing data protection laws in a number of foreign jurisdictions, where the GDPR acts as a model and inspiration for national data protection laws. In this respect, an English language GDPR commentary such as this book will be more widely accessible at an international level than, for example, a German-language GDPR commentary (of which numerous, by now, exist).

This also brings us to the question of the target audience for this book. For academics in search of an authoritative source of interpretation of the GDPR and a resource to provide an ideal starting point for one’s research, the answer to the question whether to buy this book should be a resounding ‘yes’. For novices or students lacking any background in data protection law and/or EU law, the commentary may be a bit much to take in at the beginning. Opting for a more condensed introductory book on the GDPR would be a better start, as the structure and content of the GDPR can be overwhelming for starters. However, if one already has a basic understanding of the field, the commentary will provide a great resource for a deep-dive into the GDPR.

For practitioners, the commentary also presents a valuable source of information. Here, one must be aware that the strength of the commentary lies with its focus on the EU law dimension of the GDPR. The combination of the experience of the authors, the careful curation of the contributions, and the chosen format underline the commentary’s authoritative value on all matters relating to the ‘core’ of the GDPR. Yet, while it references national developments where necessary and feasible, the commentary does not provide a full picture of these national developments. Of course, it must be stressed that the editors never make such a claim. Further, it cannot be expected from a commentary to treat in-depth all data protection issues for each and every sector, every new technological development, etc. in an exhaustive manner. This commentary focuses on the ‘core’ of the GDPR and it does so with authority and depth. For practitioners, two important factors may be the timeliness and relevance of updated information on developments surrounding the GDPR and the available budget (N.B: the OUP website sets the hardback price at £275.00 and the digital bundle including access to the companion website and digital download aat £315.00). In this regard, the commentary will have to compete against the myriad of GDPR-related information systems and compliance platforms that give regular updates on national developments, enforcement actions, and so on.

A last point to mention is that the editors of the commentary state that the book ‘take[s] into account legal processes up to 1 August 2019’. This also brings me to the main point of criticism with the commentary. Data protection law and the GDPR are subject to (arguably, rapid) developments. The dynamism of this field of law can be illustrated by the number of pending cases before the CJEU (for example, landmark cases such as Schrems II, C‑311/18) and the pending guidelines and opinions from the European Data Protection Board (EDPB) and other institutional actors at EU and at the national level. Here, the question is at what point will these new developments affect the authoritativeness of the commentary and what will the cycle of updates be? Again, these are not questions constrained to this commentary in particular but are of a more general nature, however, the particularity of data protection might require somewhat frequent updates.

Regardless of the answer to the question above, I am certain that the commentary will provide much needed guidance to a wide audience of academics, practitioners and students from all around the globe and that it will be one of the standard works in data protection law for years to come.


Christopher F. Mondschein is a Researcher at the European Centre on Privacy and Cybersecurity (ECPC) at the Faculty of Law at Maastricht University


Your privacy is important for us

We use cookies to improve the user experience. Please review privacy preferences.

Accept all Settings

Check our privacy policy and cookies policy.