Book Review: Guide to the General Data Protection Regulation

August 28, 2017

Painstakingly thorough, this
companion guide to the new European data protection law, the General Data
Protection Regulation (GDPR), is a much welcomed, useful, and ultimately frustrating
book. The frustration should in no way be attributed to its editor and main
author Rosemary Jay or its expert contributors, but to the many contradictions,
obfuscations and limitations of the actual legal text the volume has boldly set
out to elucidate. Data protection law veteran Jay does not shy away from this
rather Herculean task. The result is a testament to her deep knowledge of data
protection combined with a practical eye that is invaluable for anyone
attempting to get a firm grasp on this circumlocutory piece of EU legislation.

This pragmatic book does not
delve into the complex normative debates that underpin the European data
protection paradigm. Instead, the Guide to the General Data Protection Regulation
offers a detailed examination of what European Data Protection
Supervisor Giovanni Buttarelli rather optimistically has called the ‘new global
digital golden standard’ of data protection. With 447 pages, the volume is
organised in 21 chapters that progress from a general overview to the GDPR’s
specific articles and recitals. Some of the territory is familiar from Jay’s
previous book, Data Protection Law & Practice, such as Google’s William Malcolm’s
discussion of cross-border
transfers of personal data, albeit now with added insight post the CJEU’s
landmark Schrems decision (Schrems v Data Protection Commissioner (C-362/14)
23 September 2015). Other chapters focus on what is brand new such as the
addition of different processing conditions for research, or the still elusive
one stop shop and consistency mechanisms. Overall, the logical sequence of chapters
offers the patient reader a comprehensive overview of the GDPR and its myriad
of interlocking and circular provisions.

The emphasis is on the differences
between the current Data Protection Directive and the new legislation,
including the novel responsibilities of processors and data protection
officers, the bolstered requirements for documentation and notification, and
new user rights, to mention a few. I suspect these passages will be immensely
useful to legal practitioners, data controllers and processors in identifying
areas where further pan-European and national guidance, or even litigation, may
be anticipated. There is also a brief section on the potential impact of
Brexit, perhaps unnecessarily repeated at the beginning of every chapter and,
where relevant, a cursory analysis of the GDPR’s relation to the new Police and
Criminal Justice Directive.

Guide to the General Data Protection Regulation is a much-needed book as companies and
organisations prepare for the GDPR to take effect. It will be of great
relevance to data controllers, processors and law practitioners both in and
outside the EU, and for those with a special interest in the UK. The style is
informative, and Jay’s chapters in particular should be commended for their
clarity. Yet, through its in-depth examination of the GDPR, the guide cannot
help but demonstrate how many questions regarding interpretation and
implementation remain unanswered. As such, it is difficult to read Jay’s simple
note that ‘The Regulation is not a perfect instrument’ (p. viii) as anything
but a massive understatement.

Jay and her co-authors offer
thoughtful and practice-oriented commentary with surprising restraint where the
legal text offers muddled, vague or contradictory wording. Nevertheless, the
authors’ frustration occasionally seeps into their analysis. For example, in
discussing the timescale requirements in relation to supervisory authorities
(Art. 36(2)), Jay tersely notes that ‘This is something of a problematic
addition’ (p. 189). Elsewhere, vague legal drafting leads her to arrive at
assumptions that are not always apparent, i.e. ‘It appears likely that a commercial organisation’s personal data
processing activities are likely to be deemed “core” where they involve
monetising personal data…’ (p. 198). This
may very well be the case, but Jay does not offer any explanation of why that
is so. However, her and her co-authors’ willingness to read between the lines does
not detract from the solid analysis that consistently runs through all the chapters.
Indeed, it might have been near impossible to make sense of some of the GDPR
provisions, upon a close reading, without this practical approach.

The GDPR has created quite a
stir, especially with its bolstered regime of potential administrative fines of
up to €20 million or 4% of annual global turnover, whichever is higher. This
book is therefore a timely contribution to the literature on European and
global data protection law. Nevertheless, despite the authors’ best efforts,
numerous instances of uncertainty regarding how the GDPR will actually work
haunt the volume throughout. We should therefore look forward to the next
edition of the guide as more of the dust settles in terms of how it will be interpreted
by the forthcoming European Data Protection Board, the national supervisory
authorities, and by the courts. Until then, the Guide to the General Data Protection Regulation will remain one of
the most, if not the most, comprehensive and authoritative texts on the GDPR yet
to be published.

Ann Kristin Glenster is a PhD Candidate at the Faculty of Law, University of
Cambridge.