The EU General Data Protection Regulation (GDPR)
A Commentary
Edited by
CHRISTOPHER KUNER
LEE A. BYGRAVE
CHRISTOPHER DOCKSEY
Assistant Editor
LAURA DRECHSLER
Great Clarendon Street, Oxford, OX2 6DP,
United Kingdom
Oxford University Press is a department of the University of Oxford.
It furthers the University’s objective of excellence in research, scholarship,
and education by publishing worldwide. Oxford is a registered trade mark of
Oxford University Press in the UK and in certain other countries
© Oxford University Press 2020
The moral rights of the authors have been asserted
First Edition published in 2020
Impression: 1
All rights reserved. No part of this publication may be reproduced, stored in
a retrieval system, or transmitted, in any form or by any means, without the
prior permission in writing of Oxford University Press, or as expressly permitted
by law, by licence or under terms agreed with the appropriate reprographics
rights organization. Enquiries concerning reproduction outside the scope of the
above should be sent to the Rights Department, Oxford University Press, at the
address above
You must not circulate this work in any other form
and you must impose this same condition on any acquirer
Crown copyright material is reproduced under Class Licence
Number C01P0000148 with the permission of OPSI
and the Queen’s Printer for Scotland
Published in the United States of America by Oxford University Press
198 Madison Avenue, New York, NY 10016, United States of America
British Library Cataloguing in Publication Data
Data available
Library of Congress Control Number: 2019942848
ISBN 978–0–19–882649–1
Printed and bound by
CPI Group (UK) Ltd, Croydon, CR0 4YY
Links to third party websites are provided by Oxford in good faith and
for information only. Oxford disclaims any responsibility for the materials
contained in any third party website referenced in this work.
Foreword
It is a truism that the law lags behind technology. The British Statute of Anne enacted in
1710, considered to be the world’s first legislation to grant copyright under public law,
appeared over 250 years after Gutenberg introduced the movable type printing press. By
that reckoning, data protection law has reacted with nimble vigour to the digitalisation of
society and the economy. The EU’s General Data Protection Regulation (‘GDPR’) must
be viewed in the context of the worldwide trend to adopt similar laws, a trend inspired by
the EU itself. On the adoption of the GDPR’s predecessor, Directive 95/46/EC, around
30 countries had similar rules, and the bulk of these were within Western Europe; now
there are almost 130, across all continents.
The EU remains, however, wholly unique in one sense—it is the only jurisdiction
whose own constitution, in the form of Article 8 of the Charter of Fundamental Rights
and Article 16 of the Treaty on the Functioning of the European Union, obliges the
adoption of comprehensive rules for the protection of personal data. The GDPR is indeed
comprehensive: its material and territorial scope matches the depth and breadth of
digital technologies’ encroachment (welcome or not) into our lives; updated or brand
new rights and obligations with regards to profiling, automated decision-making, portability,
erasure and other areas take aim at standard practices which potentially harm the
individual; and the powers of independent supervisory authorities are expanded at the
same time as the requirements for them to cooperate and apply the law consistently are
set down in remarkable detail.
This towering new Commentary unfolds, in thoughtful and erudite detail, the context,
significance and interplay of each of the GDPR’s 173 recitals and 99 articles. It will
become indispensable to anyone expected to engage actively with the Regulation and its
counterparts beyond the EU.
By implication the Commentary also illustrates the massive scale of the challenge facing
all of us in the data protection and human rights community. The GDPR is an
extraordinary legislative achievement, and yet it is only one piece of a much bigger puzzle.
Enforcement will be contested and loopholes explored. On the one hand, it has already
had an enormous impact on the perception of privacy by individuals, companies and
governments, and its influence—combined with the Charter—can be seen in the increasingly
positive and expert jurisprudence of the CJEU and national courts. On the other
hand, its limits will inevitably be challenged as machine learning, ubiquitous and covert
surveillance, genetic engineering and other techniques expand against a backdrop of ever
starker global inequalities. These technologies will have a profound impact—one that is
already being felt—on the dignity not only of individuals but also of groups and whole
societies. That is why I expect the next generation will see the GDPR as a staging post,
important but incomplete, in humanity’s endless grappling with what is possible, what is
lawful and what is right—in other words, with the legal and ethical challenges that we are
confronted with in our digitised world.
Nonetheless, the GDPR is an enormous achievement, it is with us now, and it will
provide the legal bedrock for protecting privacy and personal data in many years to come.
This Commentary makes a valuable contribution to promoting understanding of this
extraordinary piece of legislation and to implementing the legal, ethical and social values
of the European Union.
Giovanni Buttarelli
European Data Protection Supervisor
Brussels, February 2019
Editors’ Preface
The General Data Protection Regulation (‘GDPR’) adopted by the European Union
(‘EU’) in May 2016 is a landmark in both data protection law and EU law. European
legislation on data protection has exercised unparalleled influence around the world, and
the GDPR is likely to set the global standard for data protection legislation. The GDPR
also reflects a number of momentous changes to EU law that have occurred in recent
years, such as the enactment of the Treaty of Lisbon and the elevation of the Charter of
Fundamental Rights to primary law.
Preparation of this Commentary has not been easy. Worldwide interest in the GDPR
grew into a near frenzy as 25 May 2018 (its date of application) approached. Our contributors,
all of whom are in great demand as recognised experts in the field of data protection,
understandably had little time for writing their parts of the Commentary until
this interest had calmed down somewhat. In addition, data protection law has become an
exceptionally fast-paced area of the law, with court judgments, guidelines and opinions
of data protection authorities, and scholarly publications being issued at a rate that left us
struggling to keep up. As a result, we had to push the delivery date for this Commentary
further into the future than we had originally hoped. This has, however, had the advantage
of allowing us to take into account legal processes up to 1 August 2019, and thus to
cover a large number of important developments that occurred after the GDPR began to
be applied, including judgments of the Court of Justice of the EU, guidelines and opinions
of the European Data Protection Board, and corrigenda to the text of the GDPR.
The sheer length of the GDPR means that an exhaustive analysis of all the issues it raises
would span many volumes. We have thus tried to strike a balance between providing a full
exposition of the relevant issues and keeping the book to a manageable length. To this end,
we plan to place additional materials and updates online on the Oxford University Press
website, and to update this volume in the future. We considered including the full text of
the GDPR, including the recitals, in an appendix, but decided not to, as this would have
made a long book even longer. The corrected text of the GDPR can be easily found on the
Europa web site of the European Union. We can also assure the reader that all the recitals
of the GDPR are reproduced together with the various articles to which they relate.
We view the creation of an extensively harmonised, pan-European framework for data
protection as one of the GDPR’s most important innovations. The book thus focuses on
the GDPR as an instrument of EU law and does not cover the many Member State laws
that have accompanied its application. However, we do discuss Member State developments
on a selective basis, in order to illustrate how the GDPR has been received in national
legal systems. Similarly, we do not cover in detail other important instruments of
EU data protection law, such as the Law Enforcement Directive, the e-Privacy Directive
and the EU Regulation on Data Processing by the EU Institutions, except when this is
particularly relevant to understanding the GDPR.
Between us, we three editors have written the commentaries on 21 articles of the
GDPR. For the remaining 78 articles, we have been fortunate to assemble an outstanding
team of contributors from different Member States and legal systems across Europe and
from outside the EU. We hope that this gives our Commentary a breadth of outlook
that reflects the pan-European view of data protection that both the EU legislator and
the Court of Justice of the EU have taken. We also believe that it was crucial to include
contributors from different sectors and with a variety of expertise and outlooks. Thus, we
are pleased that our Commentary includes authors from academia, EU institutions, data
protection authorities, national governments, law firms and the private sector.
While there is still a lack of precedent and practice for many provisions of the GDPR,
we believe that readers will be looking for guidance as to what particular provisions mean
and how courts and regulators may interpret them. We have thus encouraged authors to
go beyond mere description of the articles assigned to them and to indicate, where appropriate,
their opinion as to what the best interpretation of a provision might be. We
have also made enormous efforts to review the commentaries carefully for quality and
consistency. We hope that this has resulted in a book which is of consistently high quality
and provides substantial insight into the many questions raised by the GDPR. Because of
the global interest in the GDPR and its international impact, we have also tried to keep
in mind the needs of readers outside of Europe.
A project of such immense scope can only succeed as a team effort, and we could never
have hoped to finish it without the assistance and contributions of many people.
In the first place, we would like to thank our assistant editor, Laura Drechsler. This
book would never have come to fruition without her untiring assistance, particularly in
her meticulous review of all the commentaries. She has been a true partner in this project,
and we owe her our deep gratitude.
Other contributors have also gone far beyond the call of duty. In particular, Hielke
Hijmans and Luca Tosoni have not only written several commentaries but have also provided
invaluable input on a number of difficult legal issues related to some of the other
ones. They were always available to help when needed, and their expertise was crucial in
allowing us to bring this project to a successful conclusion.
We are proud to have assembled such an outstanding group of contributors, and we
would like to express our sincere gratitude to all of them for their hard work and for
giving us the benefit of their expertise. We may not always have been easy in the demands
we made on them, but all have been receptive to our requests and willing to take our
comments into account.
We are deeply saddened by the passing away of Giovanni Buttarelli, who kindly wrote
the preface to this volume, and who left us just a few months before it was published. He
was a visionary, an indefatigable champion for data protection, and a good friend to the
nascent GDPR in which he invested so much. We are much poorer for his loss, but his
work will live on. Si monumentum requiris, circumspice.
Others also played an important role in the success of this Commentary and deserve our
thanks. Joseph Williams performed sterling duty as our language editor. Anna Ciesielska,
Rossana Fol, Bastiaan Suurmond, Valda Beizitere and Pilar Cordoba Fernandez provided
invaluable research assistance. The Brussels office of Wilson Sonsini Goodrich & Rosati
provided both logistical and moral support. Various data protection officials who shall remain
anonymous gave of their time to discuss our questions and provided valuable insights.
We also express our sincere gratitude to Oxford University Press, in particular to our
editor Alex Flach and his colleagues Clare Jones, Emma Taylor, Natalie Patey, Rachel
Mullaly, Gemma Parsons and Ruth Anderson. They have been willing to do everything
possible to make the book a success, and were unfailingly patient every time we explained
why we had to delay it further because of some new development.
Last but not least, we are very grateful to our families for their patience and understanding
in tolerating our obsession with the GDPR, and we apologise for the many
hours that this project took us away from them.
We will be happy if this book makes some small contribution to help the GDPR realise
its potential as the bedrock of the European Union’s system of data protection, and to
promote understanding of it around the world.
Christopher Kuner Lee A. Bygrave Christopher Docksey
Brussels and Oslo, October 2019