October 23, 2019

October 23, 2019

Subscribe to Latest Legal News and Analysis

October 22, 2019

Subscribe to Latest Legal News and Analysis

October 21, 2019

Subscribe to Latest Legal News and Analysis

GDPR is Now EEA Wide!

The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July.  The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as the three out of four EFTA States meaning Iceland, Liechtenstein and Norway(the fourth one being Switzerland). Additionally, on 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force in Iceland.

The EEA Agreement provides for the inclusion of EU legislation in all policy areas of the Single Market. This covers the four freedoms, i.e. the free movement of goods, services, persons and capital, as well as competition and state aid rules, but also the following horizontal policies: consumer protection, company law, environment, social policy, and statistics. In order to be applicable in the EEA any EU Text with EEA relevance (as is the case for GDPR) has to be incorporated into the EEA Agreement by means of Joint Committee Decisions (JCDs) after a review process.

The fact that GDPR now also applies to  Iceland, Liechtenstein and Norway means, amongst other things, that transfers to these countries will be without any additional requirements and that data breaches will have to be notified in these countries as well.

There are still a number of issues to be clarified in this respect. We understand that Iceland, Lichtenstein and Norway should benefit from the one stop shop mechanism and have a seat at the European Data Protection Board (EDPB), but would not have any voting rights. The lack of voting rights may be of concern to these countries. We await a ruling on this issue.

© Copyright 2019 Squire Patton Boggs (US) LLP


About this Author

Stephanie Faber Attorney Squire Patton Boggs Paris
Of Counsel

Stephanie Faber heads the Data Privacy & Cybersecurity Practice and the Intellectual Property & Technology Practice in the Paris office. She specialises in international business law, with more than 20 years of experience. Her legal practice encompasses business transactions and operations, as well regulatory and compliance work.

In relation to the Data Privacy & Cybersecurity Practice, Stephanie advises on:

  • GDPR gap assessment and compliance programs

  • Data breach...

33 1 5383 7400