The new EU legal regime for data protection that was adopted in 2016 rests on multiple foundations, including the EU Charter of Fundamental Rights, secondary legislation (the main instrument being the EU General Data Protection Regulation 2016/679 or GDPR), Member State law, and relevant judgments of the Court of Justice of the EU. The multi-layered structure of EU data protection law makes it a highly complex system that can sometimes be impenetrable even for specialists. However, the challenges of elucidating such a complicated legal regime are overcome impressively in this new book, which is a major addition to the data protection literature.
The book’s special value lies in its combination of EU law analysis with a series of national reports on the reception of EU law in 25 EU Member States (all minus Latvia and Lithuania) and three third countries (Norway, Switzerland, and the UK). The reports are based on a detailed questionnaire, which allows the authors to adopt a common structure for their contributions while examining the interplay between EU and Member State law. The results of this analysis give food for thought about several important questions for EU law that go beyond data protection, such as whether extensive national implementation is compatible with an EU regulation like the GDPR; the tension between national constitutional orders and EU law; and the interpretation of concepts such as national security.
The General Report (written by Orla Lynskey) examines some of the key features of the new EU data protection regime and analyses them in light of the national reports, while the Institutional Report (written by Anna Buchta and Herke Kranenborg) focuses on the institutional features of the regime at the EU level and the case law of the Court of Justice. These two reports are both excellent, as they evidence a profound knowledge of the topic and are clearly written so as to be accessible also for non-specialists in data protection. The major part of the book consists of the national reports (mostly in English but occasionally in French or German), compiled by experts in their respective legal systems. I am not an expert on the national legal systems examined therein, but these reports seem to have been compiled with meticulous care, and provide an important source of detailed information on Member State law.
Although Professor Rijpma (the editor of the volume) notes in his introduction (p. xiii) that ‘the effects of the EU’s data protection regime are felt well beyond the borders of the European Union’, the book does not deal with the international impact of the new regime (with the exception of a brief discussion of some data transfer issues in the Institutional Report, see pp. 104-105). Examining some of the GDPR’s provisions of particular international relevance (such as Article 3 on territorial scope or Articles 44-50 on international data transfers) and their interpretation in the Member States would have made an excellent book even more valuable. One minor point: ‘NSA’ (meaning national supervisory authority) was perhaps an unfortunate choice of acronym for the national data protection authorities, given the public debate about surveillance of European data by the US National Security Agency (also NSA).
In conclusion, this is an outstanding volume that makes an important contribution to research in EU and national data protection law.
Christopher Kuner is Professor of Law at VUB Brussel, Visiting Professor at Maastricht University, Editor-in-Chief of International Data Privacy Law, and an editor of ‘The EU General Data Protection Regulation (GDPR): A Commentary’ published in 2020 by Oxford University Press.