Data protection is a fundamental right which is recognised and protected in various international human rights agreements which in turn outline the importance of equal rights and obligations of data controllers and processors. The said right has been highlighted even more through the enactment of the General Data Protection Regulation (GDPR).
Nevertheless, even though the GDPR has been adopted by the European Union, it does not mean that it shall only apply to the EU Member States. The European Economic Area (EEA) Joint Committee, having regard to the Agreement on the EEA and in particular Article 98 thereof, it has recognised the importance of data protection and the rights surrounding the roles of controllers and processors in the European Economic Area. Thus, GDPR shall not just apply to EU Member States but it shall start to apply also to the European Economic Area.
Indeed the GDPR entered into force in Iceland, Liechtenstein and Norway on 20th July 2018 after the decision to integrate the GDPR into the EEA Agreement was adopted by the EEA Joint Committee on 6th July 2O18. The EEA Joint Committee is responsible for the management of the EEA Agreement. It is worth highlighting what the EEA Agreement actually entails. The said Agreement brings together the 28 EU Member States and the three EEA states whereby an internal market governed by the same basic rules regarding free movement of goods, services, persons and capital is established. Moreover, in order to achieve uniformity between the EU Member States and the EEA, there is a continuous effort to incorporate any EU acts into the EEA Agreement.
The GDPR is the successor of the Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and the free movement of such data which was adopted in 1995. The said Directive was indeed incorporated into Annex XI of the EEA Agreement in 1999. Hence, through the said incorporation, personal data also flowed freely within the EEA under the same conditions found within the EU. After almost 20 years from the said unification, it is the GDPR’s turn to be incorporated in the EEA Agreement. The common ground to incorporate the GDPR remains the same; i.e: to protect the privacy of natural persons and to remove the fragmented legal system with respect to the protection of personal data.
Henceforward, natural persons in the EEA states and in the EU shall all start benefiting from the same level of protection. As a matter of fact, data controllers and data processors that are established in the EEA states shall start to be subject to the same responsibilities that are found in the GDPR and their compliance shall be monitored by the independent data protection authority found in each of the EEA state.