The General Data Protection Regulation (GDPR) was incorporated into the EEA Agreement by the EEA Joint Committee in Brussels and entered into force in mid-July. The European Economic Area (EEA) currently includes all EU Member States, including, for the time being, the UK, as well as three of the four EFTA States, namely Iceland, Liechtenstein and Norway (the fourth being Switzerland). Additionally, on 15 July 2018, a new Act on Data Protection and the Processing of Personal Data, No. 90/2018, entered into force in Iceland.
The EEA Agreement provides for the inclusion of EU legislation in all policy areas of the Single Market. This covers the four freedoms, i.e. the free movement of goods, services, persons and capital, as well as competition and state aid rules, but also the following horizontal policies: consumer protection, company law, environment, social policy, and statistics. In order to be applicable in the EEA, any EU text with EEA relevance (as is the case for GDPR) has to be incorporated into the EEA Agreement by means of Joint Committee Decisions (JCDs) after a review process.
The fact that GDPR now also applies to Iceland, Liechtenstein and Norway means, amongst other things, that transfers to these countries will not be subject to any additional requirements and that data breaches will have to be notified in these countries as well.
There are still a number of issues to be clarified in this respect. We understand that Iceland, Liechtenstein and Norway should benefit from the one-stop-shop mechanism and have a seat at the European Data Protection Board (EDPB), but would not have any voting rights. The lack of voting rights may be of concern to these countries. We await a ruling on this issue.