30 days before the GDPR – not even Member States are ready


If, as an organization, you feel alone in the dark 30 days ahead of the GDPR’s worldwide application, don’t be afraid: you are not.

It is not surprising to read this article, which reminds us that not only organizations but also a majority of Member States are not ready for the GDPR. Private and public organizations around the globe that fall within the scope of the GDPR have invested many resources to prepare for compliance with Regulation 2016/679 (the ‘GDPR’), each with different approaches and priorities. The situation is similar for Member States. They have to organize their national implementation of the GDPR and decide which provisions may be a matter of national importance with regard to their specific culture and their national legal framework.

Nevertheless, not all countries are as good students as Germany, Austria, Belgium and Slovakia, the only four countries to have passed a national law before 25 May 2018. In January 2018, Věra Jourová had already pointed out that, except for two countries (Germany and Austria), 26 countries were unprepared for the GDPR. According to the BakerMckenzie Survey 2018, dated January 2018, 20 countries had either published a draft bill or planned to submit one to their Parliament, while 5 countries (Bulgaria, Greece, Malta, Portugal and Romania) had not demonstrated a strong will to implement the GDPR.

[edit 20.05.2018:] On 18 May 2018, just one week before the GDPR applies, the “EU Observer” reported that ‘eight EU countries would not be ready for the deadline’. According to this article, some countries are, or are expected to be, ready on time (Austria, Germany, France, Croatia, the Netherlands, Sweden and Slovakia), others will be ready between the end of May and June (Spain, Italy, Portugal, Romania and Latvia), while the following are not going to be:

  • Belgium;
  • Bulgaria;
  • Cyprus;
  • the Czech Republic;
  • Greece;
  • Hungary;
  • Lithuania; and
  • Slovenia.

________________________________

The GDPR: a fully harmonized legal framework?

The GDPR is a Regulation, which means that it has binding legal force throughout every EU Member State and enters into force on a set date in all the Member States. In the case of the GDPR, the text was approved by the European Parliament on 14 April 2016 and entered into force on 24 May 2016. The date from which this Regulation applies was set to 25 May 2018, two years later, which is the date that most people remember.

Although the GDPR is a Regulation that applies without the need for Member States to transpose its provisions locally, its content leaves room for Member States to do some tailoring with respect to certain provisions. For a Regulation that aims to create a ‘one-stop-shop’ mechanism for organizations active in more than one EU country, to harmonize privacy in the European Union within a single market for data, and to create identical rules in the EU and beyond, the reality falls somewhat short of the goal and is not as clear as it was meant to be, even though the GDPR does raise the level of privacy protection both inside and outside the EU.

In fact, the GDPR contains many provisions called “opening clauses” (more than 70!) that require or allow Member States to deviate from the Regulation (with stricter, less strict, or more detailed rules) and to adopt exceptions. Some provisions of the GDPR require Member States to adopt local provisions, for example on personal data and freedom of expression, or on penalties; other provisions give Member States the opportunity to supplement or specify the text of the Regulation. These topics mainly relate to:

  • children’s consent;
  • employment data;
  • the notification obligation relating to data breaches;
  • the designation of data protection officers (‘DPO’);
  • (non-) recognition of administrative fines;
  • professional secrecy;
  • scientific, historical or statistical purposes;
  • personal data of deceased persons;
  • special rules for special categories of data;
  • rules for genetic, biometric or health data;
  • national identification numbers/any other identifier of general application;
  • etc.

The opening clauses “run the risk of lowering the level of data protection”, said Christian Gemmin from the University of Kassel in Germany. It is also worth noting that the much-discussed sanction mechanism under the GDPR does not apply equally among Member States, in terms of enforcement, scope and amount.

For example, in the Czech Republic, administrative fines for public authorities may be imposed only up to CZK 10 million (approx. EUR 358,000). Estonia is a similar case: Estonian law does not recognize the concept of administrative fines, so such fines cannot be imposed in the way set out in the GDPR but only through its Data Protection Authority (‘DPA’). In Ireland, public authorities and public bodies will not be liable to administrative fines for breaches of the GDPR, except where they are acting as an ‘undertaking’! In January, only Germany and Austria were fully in compliance with the GDPR.

On this website, you can find a very useful and regularly updated document compiling an overview of the topics that each EU Member State is implementing in its local law.

________________________________

What does this mean, in general, for countries that are not ready?

  1. everyone is late, including companies, a majority of Member States and data protection authorities (DPAs). This is simply a practical reality.
  2. it creates legal uncertainty for organizations processing personal data in those countries and/or targeting consumers in those countries. These organizations cannot fully prepare for the GDPR until the national laws are properly integrated into the national legal framework.
  3. it creates legal uncertainty for data subjects. National proceedings may need adjustments to allow data subjects to exercise their rights and to enable enforcement under the GDPR. If they are not properly adjusted, data subjects will not be able to exercise their rights properly.
  4. it could “slow down the take-off of the harmonious application and the coherent application of the data protection rules throughout the EU” (as explained in this article).
  5. the EU Commission could file a lawsuit against Member States that are unprepared (at this stage, all except Germany, Austria, Belgium and Slovakia) to pressure them on that topic, as Věra Jourová said in January.
  6. without synchronization of their readiness, Member States may undermine the consistency mechanism outlined in Article 63 of the GDPR, and with it the ‘one-stop-shop’, since both require cooperation between Member States to ensure proper application of the Regulation (see an opinion on this here).

________________________________

How to keep track of the changes for each Member State?

Some firms have taken on the time-consuming task of monitoring and compiling the status of GDPR implementation in the national laws of each EU Member State. Here are just a few that I found useful and interesting:

  • Latham and Watkins: they have put together a document and a free tracker available online here, which has the advantage of appearing in a single window. Honestly, this tool is just brilliant.
  • Bird&Bird: they have developed a GDPR tracking page on the developments and status of GDPR implementation in national laws, country by country.
  • ReedSmith: in this article you can find a chart outlining current and pending changes within national laws and a list of legislative progress, country by country.
  • Nymity Inc.: the well-known EU company that helps organizations with privacy tools, software, services and frameworks has developed and offers access to a tracking tool, which does not appear to be free.
  • A nice Irish blog post from Prof. Eoin O’Dell, updated on 25 April 2018, where you will also find the status of the countries and other links.

__

Article by Gabriel Avigdor | Ntic.ch