GDPR: When is a law a law?
By Elodie Ellingsen, Data Privacy Officer
The UK government website glossary defines a Regulation as “a legislative act of the EU which is directly applicable in Member States without the need for national implementing legislation. [Article 288 TFEU].”
Did you know that under EU law, Regulations become automatically binding and directly applicable on the date they enter into force?
EU Regulations are legal acts, which apply to all EU countries as soon as they enter into force; they do not need to be made into national law to apply. Furthermore, if there is a conflict between a Regulation and an existing national law, the Regulation takes priority over that law.
The date of entry into force is usually the 20th day following publication of the Regulation in the Official Journal of the European Union. While publication means that EU rules have been adopted and published, they are not necessarily mandatory on the date of entry into force. The date when they become mandatory is the date of applicability. In the case of the GDPR, publication in the Official Journal took place on 4 May 2016, and although it came into force on 24th of May 2016, it is not mandatory and applicable until 25th of May 2018 – six months from tomorrow.
The GDPR timeline below shows just how long this process has taken – five years alone to get the Regulation into writing, and so complex that the Article 29 Working Party is still finalising advisory details. In that context, six months is not a long time; don’t wait to ensure you’ve completed your journey to compliance.
GDPR Timeline
24/10/1995 | Directive 95/46/EC adopted |
22/06/2011 | EDPS Opinion on EC Communication ‘A comprehensive approach on personal data protection in EU’ |
25/01/2012 | The proposal for GDPR was released. |
25/01/2012 | EC proposal to strengthen online privacy rights and digital economy |
07/03/2012 | EDPS Opinion on EC data protection reform package |
23/03/2012 | WP29 Opinion on data protection reform proposal |
05/10/2012 | WP29 update on data protection reform |
21/10/2013 | European Parliament Committee on Civil Liberties, Justice and Home Affairs (LIBE) had its orientation vote. |
12/03/2014 | EP adopts GDPR. |
15/06/2015 | The Council reaches a general approach on the GDPR. |
27/07/2015 | EDPS recommendations on the final text of the GDPR. |
05/12/2015 | EP, Council and EC reach an agreement on the GDPR. |
15/12/2015 | Negotiations between European Parliament, Council and Commission resulted in a joint proposal. |
17/12/2015 | European Parliament’s LIBE committee voted positively on the outcome of the negotiations between the three parties. |
02/02/2016 | The Article 29 Working Party issues an action plan for the implementation of the GDPR. |
08/04/2016 | Adoption by the Council of the European Union |
14/04/2016 | Adoption by the European Parliament |
04/05/2016 | The regulation will enter into force 20 days after its publication in the Official Journal of the European Union on 4 May 2016. Its provisions will be directly applicable in all member states two years after this date. |
24/05/2016 | The Regulation enters into force, 20 days after publication in the Official Journal of the EU |
10/01/2017 | EC proposes two new regulations on privacy and electronic communications and on the data protection rules applicable to EU institutions. |
06/05/2018 | Data Protection Directive for the police and justice sectors into national legislation applicable from this day. |
25/05/2018 | The General Data Protection Regulation will apply and be enforced from this day. |