It is by now no secret that a lot of EU countries won't have implementing acts ready in time for the introduction of the General Data Protection Regulation this week. While this is unlikely to be the end of the world for most companies — the GDPR doesn't need to be transposed into member states' national laws to apply — it does create a level of confusion where the new regulation clashes with still-active national implementations of the old EU Data Protection Directive.
The European Commission is certainly not pleased about the lack of preparedness in some countries, with Justice Commissioner Věra Jourová last week threatening legal action in serious cases. But what is behind these delays? Broadly speaking, the issue is legislative laziness — member states have after all had two years to draw up and pass these laws.
But in some of the countries that are unlikely to pass implementation acts for a long while yet, the problem is exacerbated by elections and the refocusing of efforts that go on around them.
In Slovenia, for example, the first draft of the country's implementing bill was announced back in October last year. "As far as I read it, it was written in too speedy a manner," said Nataša Pirc Musar, the former Slovenian data protection authority and, these days, an attorney. "The public gave a lot of remarks on that draft and the government promised to take time to polish it. The second draft was issued in February, and again there were a lot of remarks by the public, especially from the retail companies, banking and insurance sectors, who were not satisfied."
Then the Slovenian prime minister, Miro Cerar, suddenly resigned in March, bringing forward elections that were already planned for mid-June by a week. Now, in a hurry to pass planned legislation, the justice ministry tried to push through the second draft of the data protection act through an urgent parliamentary procedure — but lawmaker successfully pushed back.
"We are going to have our election in June, and before a government is put together, two months will pass," Musar said. "The soonest the law can go into the regular parliamentary procedure is September or October. I'm pretty sure Slovenia will not have a GDPR implementation act before January or February 2019. Which is bad."
But although this will result in confusion for a while, isn't it better to take time on a law such as this?
"There are pluses and minuses. I am not in favor of speedy procedures, especially when it comes to human rights," Musar said. "But everybody had two years to adjust to the GDPR. We can take some of the shame and blame, but the Slovenian and all the governments of the EU had two years as well. Most of them just didn't do it. This is something which is not fair to the data controllers which have to use the GDPR after 25 May."
The situation in Hungary is arguably worse. With elections having taken place in early April, and the new government only having been officially installed last week, the country doesn't even have a GDPR implementation bill ready yet.
According to Zsolt Tolnai, a Budapest-based data protection lawyer, in the months leading up to the election, Hungarian politicians "didn't really focus on the issues which have no real political value for them."
"That meant all the bills about such regulations as implementing GDPR were postponed until the new parliament. Now [the new parliament] is working, but in the first few weeks it seems that politics has overruled everything and they have focused on some new legislation which has real political value for them and has some direct connection to the winning parties' promises," Tolnai explained.
"I suppose they will resume proper legislation only in June or even after the legislative break in July and August," he added. "My prediction is that the act implementing GDPR in Hungary is going to be issued… within the next six weeks. The ministry of justice has circulated this [draft] maybe since last August, and from last August nothing happened. Several NGOs, companies and government bodies issued comments … but it has not yet been submitted to the parliament."
Why has this taken so long? "I suppose it's just a tradition in Hungary that new legislation is only enacted at the last minute," Tolnai said. "They like living in danger."
The impact of this delay on Hungarian businesses will be limited, Tolnai said, because the existing Hungarian data protection law is already fairly strict and unlikely to conflict much with the GDPR. The only significant problem is that, until the new act is passed, the Hungarian data protection authority does not have a mandate from government to actually enforce the GDPR.
"Until we have the implementation act they cannot do that, it's true," Tolnai said. "But I don't think the authority is ready to go out next Friday and do big examinations [anyway] … It will be even a year until they can get up to full speed. I suppose, if there are a few weeks where they have no real mandate, it is not a real issue."
Italy is another country that won't be ready in time, although it's not as far behind as Hungary and Slovenia. Again, elections are a factor there — held in early March, it is only now that the victors are getting round to forming a coalition.
"Political instability is one of the reasons of the delay, but it does not seem to me that, apart from Germany, other countries have been much faster," noted Giulio Coraggio of DLA Piper's Milan office, who detailed some of the implementation bill's elements in a recent blog post.
If you want to comment on this post, you need to login.