We have all been conditioned to fear the arrival of May 2018. Hell-fire, brimstone and a newly powerful Information Commissioners Office (ICO) will rain administrative fines from the skies. Yet, for those who have summoned the ability to stay awake long enough to brave the final pages of the regulation, article 99 suggests its implementation date is less clear than originally thought.
There was an Article 99?
The final commandment that is article 99 reads:
- - This Regulation shall enter into force on the twentieth day following that of its publication in the Official - Journal of the European Union.
- - It shall apply from 25 May 2018.
One number short of an upside-down mark of the beast, the 99th article suggests that the GDPR has been in force since the twentieth day subsequent to its publication, that being the 17th of May 2016. Yet, its application is not honoured until two years after.
The Optimist and the Pessimist
The optimists amongst us would most likely put this down to an overly keen desire to use legal language in order to say something considerably simple, after all the two-year deadline still applies. Could it be that after ten years of debate the final regulation was a little shorter than expected and it needed some padding out? Bureaucracy is by no means thought of as a stranger in the halls of the various European Union chambers.
The pessimist in me takes less comfort from the definition of a regulation, which on the European Union’s own website, is defined as immediately in force in all EU countries, without needing to be transposed into national law. This suggests that as defined in article 99, the GDPR is already in force, just that the supervisory body (the ICO in the UK) cannot act until two years later, when its application begins. In practice, a breach today could potentially be investigated retrospectively and penalties levied after the May 2018 date we are all familiar with.
It’s in the Small Print
Holy scripture like in its writing, ten people who read the GDRP will likely result in ten different interpretations. The irony seems lost on the pen wielding European Union that a regulation aimed at providing clarity to data subjects regarding data collection and processing activities, reads as ambiguously as any other common set of terms and conditions in existence today. "Do as I say and not as I do" springs to mind.
Returning to the original question of whether the GDPR is in force already, it certainly appears that way according to final article. A cruel joke for those who didn’t read through to the end.
Consequentially the GDPR is suspended in a preliminary state where the eyes are watching but the teeth cannot bite. However, muzzled or not, the eyes do not forget and whether you agree with this blog post or not it would be better to “errm” on the side of caution. Especially when there are examples to be made and fines to be collected.
Famously, it is over when the fat lady sings. It is less clear when it begins.