The European Union’s General Data Protection Regulation has taken effect in three additional European nations.
Norway, Liechtenstein, and Iceland—European Economic Area member states—began compliance with the GDPR July 20. The regulation gives individuals broader online data protection rights. GDPR took effect for the EU’s 28 member states on May 25.
The GDPR replaces the 1995 Data Protection Directive 95/46/EC. GDPR gives EU citizens the right to ask companies what personal data on them is being processed, to ask for erasure of their personal data if they believe it is incorrect, to object to the processing of their personal data, and, among other things, the right to withdraw consent previously given to the processing of their personal data.
Companies can be fined up to 20 million euros, or 4 percent of annual global turnover, for violations of the GDPR.
Compliance with the bloc’s new personal data protections will be monitored by independent data protection authorities in Norway, Liechtenstein, and Iceland, according to the European Free Trade Association.
The inclusion the three nations ensures “homogeneity between these 31 states” and creates an internal market “governed by the same basic rules regarding free movement of goods, services, persons and capital,” the EFTA secretariat said. The internal market makes it easier for the three countries to do business with the EU.
Tourism in Iceland and financial services in Liechtenstein are major industries that could be affected by GDPR’s incorporation in the EEA, Shannon Togawa Mercer, national security and law associate at Stanford’s Hoover Institution, said.
The EEA Joint Committee adopted the incorporation of GDPR into the EEA Agreement on July 6. EU acts that are relevant to the three countries are continuously added to the agreement, according to the EFTA website. GDPR was among 69 such acts the committee added to the agreement earlier this month.