Ann Kristin Glenster reviews this companion to the 4th edition of Data Protection Law and Practice, which is edited by Rosemary Jay and which was published in February (Sweet and Maxwell, 2017, £165, 447 pp, index 23 pp, ISBN: 9780414061019).
Painstakingly thorough, this companion guide to the new European data protection law, the General Data Protection Regulation (GDPR), is a much welcomed, useful, and ultimately frustrating book. The frustration should in no way be attributed to its editor and main author Rosemary Jay or its expert contributors, but to the many contradictions, obfuscations and limitations of the actual legal text the volume has boldly set out to elucidate. Data protection law veteran Jay does not shy away from this rather Herculean task. The result is a testament to her deep knowledge of data protection combined with a practical eye that is invaluable for anyone attempting to get a firm grasp on this circumlocutory piece of EU legislation.
This pragmatic book does not delve into the complex normative debates that underpin the European data protection paradigm. Instead, the Guide to the General Data Protection Regulation offers a detailed examination of what European Data Protection Supervisor Giovanni Buttarelli rather optimistically has called the ‘new global digital golden standard’ of data protection. With 447 pages, the volume is organised in 21 chapters that progress from a general overview to the GDPR’s specific articles and recitals. Some of the territory is familiar from Jay’s previous book, Data Protection Law & Practice, such as Google’s William Malcolm’s discussion of cross-border transfers of personal data, albeit now with added insight post the CJEU’s landmark Schrems decision (Schrems v Data Protection Commissioner (C-362/14) 23 September 2015). Other chapters focus on what is brand new, such as the addition of different processing conditions for research, or the still elusive one stop shop and consistency mechanisms. Overall, the logical sequence of chapters offers the patient reader a comprehensive overview of the GDPR and its myriad of interlocking and circular provisions.
The emphasis is on the differences between the current Data Protection Directive and the new legislation, including the novel responsibilities of processors and data protection officers, the bolstered requirements for documentation and notification, and new user rights, to mention a few. I suspect these passages will be immensely useful to legal practitioners, data controllers and processors in identifying areas where further pan-European and national guidance, or even litigation, may be anticipated. There is also a brief section on the potential impact of Brexit, perhaps unnecessarily repeated at the beginning of every chapter and, where relevant, a cursory analysis of the GDPR’s relation to the new Police and Criminal Justice Directive.
Guide to the General Data Protection Regulation is a much-needed book as companies and organisations prepare for the GDPR to take effect. It will be of great relevance to data controllers, processors and law practitioners both in and outside the EU, and for those with a special interest in the UK. The style is informative, and Jay’s chapters in particular should be commended for their clarity. Yet, through its in-depth examination of the GDPR, the guide cannot help but demonstrate how many questions regarding interpretation and implementation remain unanswered. As such, it is difficult to read Jay’s simple note that ‘The Regulation is not a perfect instrument’ (p. viii) as anything but a massive understatement.
Jay and her co-authors offer thoughtful and practice-oriented commentary with surprising restraint where the legal text offers muddled, vague or contradictory wording. Nevertheless, the authors’ frustration occasionally seeps into their analysis. For example, in discussing the timescale requirements in relation to supervisory authorities (Art. 36(2)), Jay tersely notes that ‘This is something of a problematic addition’ (p. 189). Elsewhere, vague legal drafting leads her to arrive at assumptions that are not always apparent, i.e. ‘It appears likely that a commercial organisation’s personal data processing activities are likely to be deemed “core” where they involve monetising personal data…’ (p. 198). This may very well be the case, but Jay does not offer any explanation of why that is so. However, her and her co-authors’ willingness to read between the lines does not detract from the solid analysis that consistently runs through all the chapters. Indeed, it might have been near impossible to make sense of some of the GDPR provisions, upon a close reading, without this practical approach.
The GDPR has created quite a stir, especially with its bolstered regime of potential administrative fines of up to €20 million or 4% of annual global turnover, whichever is higher. This book is therefore a timely contribution to the literature on European and global data protection law. Nevertheless, despite the authors’ best efforts, numerous instances of uncertainty regarding how the GDPR will actually work haunt the volume throughout. We should therefore look forward to the next edition of the guide as more of the dust settles in terms of how it will be interpreted by the forthcoming European Data Protection Board, the national supervisory authorities, and by the courts. Until then, the Guide to the General Data Protection Regulation will remain one of the most, if not the most, comprehensive and authoritative texts on the GDPR yet to be published.
Ann Kristin Glenster is a PhD Candidate at the Faculty of Law, University of Cambridge.