One primary goal in the EU's enactment of the General Data Protection Regulation was to “harmonize,” or bring into conformity with each other, the data protection laws of the 28 EU member states. Harmonization was also one of the main purposes for enacting the EU Data Protection Directive, which served as the source of EU data protection law prior to the GDPR. The EU decided that one major way to enhance harmonization through the new law was to enact it in the form of a regulation, rather than another directive.

But scrutiny of the resulting regulation suggests that it may well not achieve the desired harmonization.

A directive is an edict handed down by the EU, requiring each member state to enact national legislation containing provisions consistent with the directive (a process called “transposition”). In transposing the directive, each member state incorporated its own bells and whistles. As a result, the “harmonization” imposed by the directive fell well short of what the EU desired. Unlike a directive, a regulation need not and cannot be transposed. The instant the EU enacts it, a regulation is national legislation in each member state; there is no opportunity for member states to depart from it through transposing legislation. The EU’s intention was that by replacing the directive with a regulation, the member states would have no opportunity to introduce those bells and whistles that result from various transpositions. But a funny thing happened on the way to enactment of the regulation that ultimately was ordained.

The member states are not permitted to modify the GDPR. It turns out, however, that in order to defeat the goal of harmonization, they don’t have to.

The GDPR contains within itself the seeds of diversity. It comprises some 99 articles. Of those, 34 are ministerial, dealing, not with substantive rights to be accorded data subjects, but rather with formal matters such as creation and specifics of the European Data Protection Board, or submission of European Commission reports. Of the remaining 65 articles, 30 explicitly permit member states to diverge from the standard set forth in the article (yet others may indirectly permit divergence but, for our purposes here, they are ignored).

In other words, of the 65 articles that directly accord rights to data subjects, some 46 percent expressly permit member states to engage in a variation from the norm. 

In other words, of the 65 articles that directly accord rights to data subjects, some 46 percent expressly permit member states to engage in a variation from the norm. Perhaps this diversity results from a desire on the part of the enacting EU institutions to allow some minimal latitude to the states (even though that would create dissonance, rather than harmony). More likely, those EU institutions found it necessary to provide this flexibility in order to get the GDPR enacted in the first place.

This opportunity for diversity is actually telegraphed in GDPR Recital 10:

Although the member states cannot modify the GDPR, each of them needs national legislation to accompany it for two reasons. First, such legislation is needed for the GDPR to fit appropriately into the member state’s legal framework. National legislation is needed to select among the variations permitted in the GDPR itself. At this writing, only a minority of member states have enacted this implementing legislation – although all 28 were to have it in place by May 25, 2018 – and some others have draft legislation. We do not yet know the degree of diversity that will actually be introduced by selecting variations, but the potential for diversity is great. After all, the fact that a diversion from the norm is included in a particular article suggests that there may have been at least one member state that lobbied for it.

Thus, for example, Article 8 mandates a particular consent regime for treating personal data acquired online from children under the age of 16. It states, however, that each member state “may provide by law for a lower age for those purposes provided that such lower age is not below 13 years.” This optional variance has not gone unnoticed. The Austrian law has chosen under 14 as its standard, and the draft U.K. law has chosen under 13. Consider the effect of this permitted variation on a commercial entity that wishes to collect personal data from children across the EU. Instead of adopting a single set of procedures directed to this collection, it must inform itself about the standard in each member state and adapt its procedures accordingly. In doing so, it must immerse itself in exactly the type of differentiation among member state laws that harmonization was supposed to eliminate.

In doing so, it must immerse itself in exactly the type of differentiation among member state laws that harmonization was supposed to eliminate.

Or consider Article 9. Article 9(1) prohibits the processing of “special category” personal data (“personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and … genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation”). Article 9(2) provides exceptions, the first of which is where the data subject has given explicit consent – unless EU or member state law provide that the prohibition is inalienable. Thus, processing of biometric data for the purpose of uniquely identifying a human might be permitted in some member states, but not in others.

Again, a challenge to harmonization. 

There is a second basis for diversity to creep into the GDPR: the possibility of differing interpretations of its provisions. Such a possibility always exists with legislation, but may be more prominent when the interpreters are different member states with differing outlooks and perhaps goals. This basis for diversity has already manifested itself with regard to one of the most basic concepts: jurisdiction. Article 3(1) provides that the GDPR applies to processing in the context of the activities of an establishment in the EU, regardless of whether the processing takes place in the EU. Article 3(2) asserts jurisdiction over a company that offers goods or services to, or monitors the behavior of, persons in the EU.

Lokke Moerel notes that implementing legislation in the various member states interprets Article 3 differently. The Netherlands draft legislation provides that the GDPR applies to processing in the context of an establishment in The Netherlands. That draft applies the offering/monitoring provision only when the controller is established outside the EU and the processing is related to offering to, or monitoring behavior, in The Netherlands. Moerel contends that this approach is correct.

As an example of what Moerel views as overly broad, she discusses the German implementation law. That law applies to processing in the context of the activities of an establishment in Germany (which she contends is correct), or if the entity is not established in the EU (also correct) but offers to or monitors individuals in the EU (which she says is incorrect). The German law also applies if processing takes place in Germany. Moerel states that this is incorrect, as the location of processing is irrelevant.

Moerel concludes: “Given the substantial obligations of companies under the GDPR, there is no greater uncertainty than not knowing whether the GDPR applies and which national implementation laws apply.” Even on the critical issue of whether the GDPR applies to any particular processing activity, the GDPR has given rise to what might charitably be called diversity – and less charitably might be called confusion, ambiguity, and outright contradiction.

Even on the critical issue of whether the GDPR applies to any particular processing activity, the GDPR has given rise to what might charitably be called diversity – and less charitably might be called confusion, ambiguity, and outright contradiction.

A recent op-ed argues that the U.S. should not follow the EU’s lead in data protection. The rationale offered is that the GDPR is “staggeringly complex,” “intentionally ambiguous,” and many who are subject to it find it “incomprehensible.” All of this, of course, is grist for differing interpretations. This does not even take into account the differences introduced by translation of the GDPR into multiple languages. Citing numerous examples, Jeroen Terstegge writes, “Notwithstanding the fact that the GDPR aims to establish a single set of norms across the EU, Norway, Iceland and Liechtenstein, applying the GDPR uniformly across 31 countries using 26 different languages is a disaster waiting to happen.”

The EU admitted that the directive failed to bring about sufficient harmonization. The EU then concluded that a major reason for this failure was the necessity to transpose the directive into member state legislation. In promulgating the GDPR, the idea was to replace the transposition regime with one where member state discretion was minimized. What the EU actually accomplished was to replace a transposition opportunity for diversity with other diversity options that were built right into the GDPR. Presumably, some of this was necessary to secure the approvals necessary to get the GDPR enacted into law. The result is that fully 46 percent of the substantive GDPR articles directly and expressly offer diversity options. On top of that, there will be differing interpretations of the GDPR, including on the crucial issue of jurisdiction, and errors introduced by translation into multiple languages, all leading to a further lack of uniformity. Surely a toxic mix, especially given the draconian penalties that may result from a company’s conduct deemed non-compliant.

If this is harmonization, one wonders what diversity would look like.     

Companies that have been contemplating a single data protection law with which they could comply EU-wide and be done with it, must rethink their game plans. Instead of focusing solely on the GDPR, they must instead identify the particular member states in which they will do business and inform themselves as to the national legislation and interpretations thereof in each of those jurisdictions. Regardless of what the GDPR norm is, these companies must then establish policies and procedures to comply with the data protection laws in each of those pertinent member states.

Oh, and by the way, that’s exactly what these companies had to do under the directive, before the GDPR became effective. Plus ça change, plus c'est la même chose.

photo credit: Yukiko Matsuoka European Union via photopin (license)