GDPR: When is a law a law?


By Elodie Ellingsen, Data Privacy Officer

The UK government website glossary defines a Regulation as “a legislative act of the EU which is directly applicable in Member States without the need for national implementing legislation. [Article 288 TFEU].”

Did you know that under EU law, Regulations become automatically binding and directly applicable on the date they enter into force?

EU Regulations are legal acts, which apply to all EU countries as soon as they enter into force; they do not need to be made into national law to apply. Furthermore, if there is a conflict between a Regulation and an existing national law, the Regulation takes priority over that law.

The date of entry into force is usually the 20th day following publication of the Regulation in the Official Journal of the European Union. While publication means that EU rules have been adopted and published, they are not necessarily mandatory on the date of entry into force. The date when they become mandatory is the date of applicability. In the case of the GDPR, publication in the Official Journal took place on 4 May 2016, and although it came into force on 24th of May 2016, it is not mandatory and applicable until 25th of May 2018 – six months from tomorrow.

The GDPR timeline below shows just how long this process has taken – five years alone to get the Regulation into writing, and so complex that the Article 29 Working Party is still finalising advisory details. In that context, six months is not a long time; don’t wait to ensure you’ve completed your journey to compliance.

GDPR Timeline

24/10/1995 Directive 95/46/EC adopted
22/06/2011 EDPS Opinion on EC Communication ‘A comprehensive approach on personal data protection in EU’
25/01/2012 The proposal for GDPR was released.
25/01/2012 EC proposal to strengthen online privacy rights and digital economy
07/03/2012 EDPS Opinion on EC data protection reform package
23/03/2012 WP29 Opinion on data protection reform proposal
05/10/2012 WP29 update on data protection reform
21/10/2013 European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote.
12/03/2014 EP adopts GDPR.
15/06/2015 The Council reaches a general approach on the GDPR.
27/07/2015 EDPS recommendations on the final text of the GDPR.
05/12/2015 EP, Council and EC reach an agreement on the GDPR.
15/12/2015 Negotiations between European Parliament, Council and Commission resulted in a joint proposal.
17/12/2015 European Parliament’s LIBE committee voted positively on the outcome of the negotiations between the three parties.
02/02/2016 The Article 29 Working Party issues an action plan for the implementation of the GDPR.
08/04/2016 Adoption by the Council of the European Union
14/04/2016 Adoption by the European Parliament
04/05/2016 The regulation will enter into force 20 days after its publication in the Official Journal of the European Union on 4 May 2016. Its provisions will be directly applicable in all member states two years after this date.
24/05/2016 The Regulation enters into force, 20 days after publication in the Official Journal of the EU
10/01/2017 EC proposes two new regulations on privacy and electronic communications and on the data protection rules applicable to EU institutions.
06/05/2018 Data Protection Directive for the police and justice sectors into national legislation applicable from this day.
25/05/2018 The General Data Protection Regulation will apply and be enforced from this day.