The handbook ‘The Legal Consistency of Technology Regulation in Europe’, edited by Inge Graef and Bart van der Sloot (Tilburg University), to which the EMR also contributed a chapter, was published in June 2024. By combining fundamental rights, economic law and considerations from more recent legislation in the areas of digital platforms, data and AI, the open access publication provides a comprehensive picture of the current state of technology regulation in the EU. Various authors analyse the risks of regulatory fragmentation and the challenges associated with ensuring legal coherence now and in the future from different perspectives. By addressing issues of fundamental rights protection, free movement of data, consumer protection, competition and innovation, the book provides a comprehensive overview of the current state of the academic and political debate.
In their chapter ‘The Implementation of the GDPR in Member States’ Law and Issues of Coherence and Consistency“, Prof Dr Mark D. Cole, Director of Academic affairs of the EMR, and Christina Etteldorf, Senior Research Scientist at the EMR, examine these questions from the perspective of data protection law. According to the authors, the General Data Protection Regulation (GDPR) was and continues to be a milestone for strong protection of personal data of EU citizens and a prime example of comprehensive legislation that also extends beyond the borders of the EU. However, due to certain characteristics – a broad yet limited scope of application, the inclusion of opening clauses and leeway in the application by the Member States, as well as leeway for the interpretation of legal provisions – there is no complete harmonisation of data protection law in Europe. In order to answer questions about the coherence of the legal framework and possible legal tensions, Cole and Etteldorf analyse these features by illustrating the differences between the Member States and examining the coherence mechanisms provided for by the GDPR.
The contribution concludes with an assessment of the existing differences and their legal and practical implications, with a particular focus on cross-sectoral issues. In particular, the authors come to the conclusion that supposed ‘inconsistencies’ between EU and national law are often due to the fact that data protection law is a cross-cutting issue that may also have to take account of national and sectoral particularities. Questions of possible fragmentation must therefore be considered in a more differentiated way than perhaps in ‘isolated’ areas of law. It should not be understood as negatively connoted fragmentation in the sense of a deficit in legislation or practical implementation if there are good reasons to treat data protection law differently in different areas and/or different Member States – the article cites journalistic data processing and the legal framework for the protection of minors as examples. Rather, it is the question of coherence and consistency that must be asked in data protection law and answered in an endeavour to achieve as uniform a level of protection as possible for the fundamental rights of data subjects. This concerns cross-border, cross-sector and cross-legal framework coherence. While the first two aspects have a solid basis thanks to the harmonising case law of the Court of Justice and, above all, the work and cooperation of the data protection authorities gathered in the European Data Protection Board, the creation of a coherent overall legal framework appears to be a challenge that is urgently needed. The complex web of regulations, particularly for the digital sector, would not work without consistency with the GDPR. This must be clear, unconditional and transparent and may require an expansion of institutional (cooperation) structures. Otherwise, there is a risk that the level of protection aimed for by the GDPR will fall. Then we would be talking about fragmentation – in the negative sense.