The rules on the GDPR stated that the European Commission would review the progress of EU member states in terms of their integration of the GDPR rules in May 2020. At this stage it is known that only three EU countries have not changed their data protection laws to align with the GDPR; Slovenia, Greece, and Portugal. The Commission has the ability to issue fines to any EU country that does not comply with the GDPR requirement.
On a commercial level, the GDPR can be seen to be implemented across businesses in the countries where it applies, and in fact to businesses who sell to customers based in countries where the GDPR applies. There are still a few websites that have chosen to take the route of banning entry by any user whose IP address shows them to be in an EU country, and a notice will show that states the related business to the website has taken the step due to the data protection issues. Essentially, businesses globally are deciding whether or not their own trade is affected by banning sales or interest from EU countries, or if they are better off aligning to the requirements. Businesses that are based in areas where their own data protection law holds the same level of stringent requirements that the GDPR does, such as in California, have been seen to align faster and facilitate EU trade to continue. There have been over 500 cross-border cases of data protection rights seen since the GDPR was incepted. A report on these cases and other rules enforcement subjects must be compiled by the European Commission for review by May 25th.
The most meaningful change within the GDPR is how it will play out in the UK, with laws being set to be taken into review post Brexit. There are a number of issues relating to Brexit that will have a bearing on the GDPR and its impact, but the UK is set to adhere to all EU standard rules throughout 2020. In that time, they will be considering how their own internal laws will align with the GDPR, as there has been a commitment made by the UK to adhere to the standards created by the GDPR after they pull out of EU regulatory oversight post-Brexit. It remains to be seen how this will affect businesses that trade with UK consumers, and it is a good example of why it has become important.
In a global context, it’s imperative for all jurisdictions to have comparable data protection laws. When there are stipulations made by laws that transcend jurisdictions, such as the GDPR does in relation to non-EU businesses that hold information on residents of EU countries, there is a good reason to ensure on a national level that all data protection laws adhere. This acts to further the ability for consumers and businesses to trade globally, and even for social and news media-related information to be shared. While certain data protection laws can differ from the GDPR, such as the California Consumer Protection Act, the spirit of the laws aligns and that makes going the extra bit further to ensure data protection alignment to the GDPR or other global data laws much easier.
2020 will see the interpretation of data protection requirements that were set out by the GDPR reviewed for enforcement and adherence. This includes on a national level in all EU member states, but also for companies globally that store information of EU residents, even with their knowledge and consent. Businesses globally have been seen to be generally conducive to aligning their practices to the GDPR standard where they have an EU consumer base, but that has been seen to not be the case across the board. Some companies have chosen instead to block access to their sites by an EU resident whose IP address indicates their residence in a GDPR compliant country. It is likely that those companies will align in the future, but that remains to be seen.