The EU General Data Protection Regulation was portrayed as providing regulatory uniformity: The new legal regime would consist of a single set of rules together with enforcement through a “one-stop-shop” mechanism, enhancing legal certainty. The reality, however, appears to be different, and there may be less consistency and regulatory coherence than hoped.

The GDPR still leaves the member states a great degree of legislative freedom by allowing and even requiring national implementing legislation in a number of situations. For instance, member states are free to introduce specific conditions or limitations for the processing of biometric, genetic or health data; to create their own protection regimes for employee data and research and/or statistical data; and to pass local restrictions on the rights the GDPR grants to individuals. In addition, member states are required to establish supervisory authorities and to provide them with the resources required to effectively exercise their investigative and sanctioning powers. Businesses that are active in the EU market will have to comply not only with the GDPR but also with national privacy legislation in the countries where they operate.