The General Data Protection Regulation (GDPR) is a legal instrument of importance for the European Economic Area (EEA). Pursuant to Article 7(a) of the Main Agreement on the EEA (EEA Agreement), all EEA-States are obliged to adopt the GDPR domestically. This applies not only to the EU member states but also to the EFTA States Iceland, Lichtenstein and Norway. The following article shows the detailed composition of the EEA (1.), on which basis the GDPR will apply in the EEA (2.) and how the corresponding incorporation procedure is structured (3.).
1. The EEA Agreement
On 2 May 1992, the then Member States of the European Community (EC) and EFTA signed the EEA Association Agreement within the meaning of Article 217 TFEU in the form of a mixed agreement. With the exception of Switzerland, all EFTA member states joined the EEA. Due to the adoption of fundamental freedoms, the EEA has since then formed the largest single market in Europe and the world.
2. Applicability of GDPR in the EU and the EEA
As a regulation within the meaning of Article 288(2) TFEU, all EU Member States are generally, entirely and directly bound by it. The consequence is that, without any further national implementing measure, the GDPR is directly applicable law in the respective EU Member State, i.e. there is no need for a domestic act of transformation or proclamation in compliance with national law. In order to ensure homogeneity, however, it is necessary for the EFTA States Norway, Iceland and Lichtenstein to incorporate the act into the EEA Agreement and to establish the applicability of the GDPR.
3. The incorporation process
The Joint EEA Committee (Articles 92 et seq. of the EEA Agreement) is the governing body for the incorporation of EU secondary law into the EEA. It is composed of EU ambassadors from EFTA countries, representatives of the European Commission and EU Member States. Pursuant to Article 102(1) EEA Agreement, the EEA Joint Committee is informed by the EU of an EEA-Relevant legal act, examines and incorporates it by decision. The procedure for incorporation is divided into five phases and is governed by Article 102 (1) to (6) of the EEA Agreement in conjunction with Regulation (EC) No 2894/94 concerning arrangements for implementing the agreement on the EEA.
The first phase begins with an classified by the EU Commission of whether a possible EU act is also relevant to the EEA. This is done before the legal act is discussed and concretely drafted. The GDPR has been evaluated as EEA-Relevant, thereby the first phase was completed. Subsequently, the EEA States will be given the opportunity to participate at EU level until the start of the second phase. Within the framework of the EU legislative procedure, Member States can send representatives to the EU Commission’s expert groups and send comments from the EFTA states in advance. They have an advisory function, without any decision power. The EFTA States have made use of this right in the legislative process for the GDPR.
Since the GDPR has been adopted by the European Parliament, it is being examined by the EFTA States, that will issue opinions on necessary adjustments and constitutional relevance of the draft (second phase). The opinions will then be submitted to the Joint EEA Committee, which will draw up a draft for implementation and submit it to the European Parliament (third phase). The most important prerequisite for this draft will be that the phrasing and wording should comply as closely as possible with the GDPR standards adopted by EU in order to ensure a coherent application within the EEA.
The European Parliament then gives its opinion. The Joint EEA Committee shall examine it and, if necessary, make appropriate amendments (fourth phase). If none of the parties objects, the final decision may be taken by the Joint EEA Committee (fifth phase). This requires unanimity of the coordinating parties. Therefore, according to the so-called “single voice principle”, both the EU and the EFTA States have at least a theoretical right of veto.
Overall, a rapid implementation procedure and the extension of GDPR to the entire EEA is expected. The fact that the right of veto is actually used by one of the parties involved is extremely unlikely. From the perspective of the EU Member States and the EFTA States Iceland, Lichtenstein and Norway, there is a great interest in the applicability of the GDPR throughout the EEA and the associated continuation of the European Single Information Market.