No 41: General Data Protection Regulation: Challenges Posed by the Opening Clauses and Conflict of Laws Issues


  • Kristina Yuliyanova Chakarova
Publish Date:
November 4, 2019
Publication Title:
European Union (EU) Law Working Papers
Stanford Law School
Working Paper
  • Kristina Yuliyanova Chakarova, General Data Protection Regulation: Challenges Posed by the Opening Clauses and Conflict of Laws Issues, EU Law Working Papers No. 41, Stanford-Vienna Transatlantic Technology Law Forum (2019).
Related Organization(s):


The General Data Protection Regulation (“GDPR”) established the new data protection framework in the European Union and repealed the previous legal act which regulated that matter – the Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data. However, the aim of the new legal act was not to revolutionise EU data protection law, but rather to eliminate the fragmentation and differences between Member State laws under the previous regime, and thereby to fully harmonise EU data protection law and remove the obstacles to flows of personal data within the Union.

The problem, however, is that the GDPR contains a significant amount of opening clauses, which enable Member States to enact their own legislation by further specifying the requirements of the regulation. In turn, these flexibilities threaten to once again fragment the EU data protection framework. In addition, the removal of the conflict of laws provisions which existed under the previous data protection regime, seems to further exacerbate the problem.

The purpose of this thesis is to answer two main questions. First, whether the amount of the opening clauses in the GDPR indeed undermines its purpose to establish a uniform data protection regime in the Union. Second, given the expected differences in national law due to the opening clauses and the lack of general applicable law rule, how could an eventual conflict of laws issue be resolved under the new data protection regime?

In order to answer these questions, Section II of this thesis starts with an overview of the opening clauses, focusing in detail on the opening clauses which are more important from a practical perspective for the day-to-day business activities of controllers and processors in the private sector. Section III examines the approach of five different Member States to the opening clauses in order to evaluate whether Member States in fact make use of the provided opportunity to enact legislation within the delegated competence, and thereby creating diverging data protection law within the Union. Finally, Section IV examines whether the GDPR provides a solution for establishing the applicable law in case provisions enacted within the opening clauses differ from one Member State to another, and if not what other solutions are there.

The conclusion of the thesis to the first question is not only that there indeed are too many opening clauses, but also that Member States actively legislate within the delegated competences, sometimes even arguably beyond them. This leads to inconsistencies in the data protection regime within the EU and thus undermines the aim of the GDPR to establish a uniform legal framework. As regards the second question, the GDPR does not provide general conflict of laws provisions which further exacerbates the issues caused by the diverging national legislation. However, the law literature provides possible solutions to the issue, such as analogy to the rules for determining lead supervisory authority, relying on general EU conflict of laws rules (e.g., Rome I Regulation), relying on national conflict of laws rules, or deriving applicable law indications from certain opening clauses. It remains to be seen whether further guidance of the European Data Protection Board or case law of the Court of Justice of the European Union would clarify the conflict of laws concerns and address problematic national provisions contrary to the GDPR.