For privacy professionals who are not familiar with the EU’s legal culture: Even if you think you understand all the ins and outs of the GDPR, you may still run into nasty surprises. The root cause of the problem? Translations!
The EU has 24 official languages. Add Norway and Iceland (EEA-countries) to the mix, and one ends up with 26 different language versions of every European directive or regulation. And all those languages are "official" versions of European law, which apply equally! The English version, although often the version of the law in which it was negotiated, is not the decisive interpretation for linguistic differences between the official texts. After all, the European Union is based on respect for the culture, history and language of each member state. So, one may hope that the unavoidable linguistic differences result in exactly the same legal interpretation of such law. However, more often than not, these differences result in differences in the interpretation of the law and therefore in differences in the way the law is applied in the member states. This does not really pose a problem if one only operates in a single jurisdiction. But it can become really problematic if one does business in multiple member states or has to comply with EU law when established outside the EU.
Which language version to rely on? Taking the time to examine the various language versions of a European law may avoid nasty surprises later on.
Sometimes, a simple translation error causes the problem. Like in the famous Lubella case of 1996, where the European Court of Justice, after review of the various language versions of an agricultural regulation, found that the German version contained a translation mistake (i.e. "sweet cherries" instead of "sour cherries"). Those mistakes are simple and easy to correct. But sometimes the linguistic differences really complicate things.
One example of translation differences in European data protection law came to light when the European Commission conducted its first review of the Data Protection Directive back in 2003. The English version of article 4(1)(c) of Directive 95/46, which determines the applicable law for non-EU controllers, uses the term “equipment (…) situated on the territory of the Member State.” However, as the review showed, most member states used an equivalent of the much broader English term “means.” Not surprisingly, the application of the Directive was read across the EU using the term “means,” except in the U.K. and Ireland. The Commission admitted that the term "equipment" was causing problems, especially for non-European controllers who were using means in, let’s say, Germany or France, but were reading the Directive in English.
Another example concerned the Dutch translation of the ePrivacy Directive 2002/58/EC, where the heading of article 13, which reads “unsolicited communications,” was translated into the Dutch equivalent of “unwanted communications.” A Dutch legislator felt compelled to insert a footnote in the Explanatory Memorandum to Chapter 11 of the Dutch Telecommunications Act, which implements Directive 2002/58, explaining that the Dutch translation of the Directive was wrong.
GDPR
Notwithstanding the fact that the GDPR aims to establish a single set of norms across the EU, Norway, Iceland and Liechtenstein, applying the GDPR uniformly across 31 countries using 26 different languages is a disaster waiting to happen. The opinions of the European Data Protection Board, the successor of the Article 29 Working Party, are an important means to ensure a uniform interpretation of the GDPR, but in the end they are not binding. It’s the task of the national courts and ultimately of the European Court of Justice to decide how a certain rule is to be interpreted. However, in most cases, EU law, even a regulation like the GDPR, is only interpreted by the national courts, since most cases never make it to the European Court of Justice in Luxemburg. So, inevitably, certain differences in interpretation and application of the GDPR will remain a reality between member states.
So, are there any translation errors in the GDPR? I haven’t examined every language version, and I am only able to read so much European languages, but the answer is a resounding yes.
So, are there any translation errors in the GDPR? I haven’t examined every language version, and I am only able to read so much European languages, but the answer is a resounding yes. For example, the Dutch version contains at least two translation errors. In article 10, the English term "offence" has been translated into the Dutch equivalent of the term "criminal fact" (in German: criminal act). This poses a problem, as Dutch law disposes of many minor offences, like simple speeding, using administrative law rather than criminal law. Ergo, on the basis of the Dutch version of the GDPR one could conclude that speeding tickets would not be covered by article 10, quod non. Unfortunately, this translation mistake was not caught by the Directorate Quality of Legislation (DQL) of the Council of the European Union in its so-called Corrigendum of 386 pages to the GDPR published on April 19, 2018. This Corrigendum deals mainly with typos and other clerical errors for all language versions of the GDPR. Earlier, several Member States already requested similar corrigenda for their own language versions.
Another known translation error was found in article 38(3), where the Dutch text required that the DPO reports directly to the “highest manager” instead of to the “highest management level” as required in the English, German and French versions. Dutch company law states that the board acts in unity, where the CEO or President is only the primus inter pares but does not outrank the other members of the board. So, from a company law point of view it would be perfectly fine if the DPO would report to another board member instead of the CEO. Yet, that is not what the Dutch translation required. Ergo, the Dutch and Belgian DPAs could in theory issue a fine if a DPO would report directly to another board member than the CEO. Luckily, this translation error was caught by DQL, allowing Dutch and Belgian companies a little more leeway in setting up the DPO position.
Even the (original) English version contained clerical errors. Most of them were harmless or confusing. But article 37(1), the requirement to appoint a DPO, contained a typo with real legal consequences (“…and personal data relating to criminal convictions…” instead of “or personal data relating to criminal convictions”). This error has also been corrected in the Corrigendum. So, be sure to always consult the most recent version of the GDPR to avoid surprises.
It becomes more difficult if the GDPR uses linguistically different wording for the same rule.
It becomes more difficult if the GDPR uses linguistically different wording for the same rule. One example is the definition of processor in article 4(8). The English and the Hungarian versions use the phrase "on behalf of" the controller. This clearly indicates that the processor is processing the personal data as an agent of the controller and all the processors' actions are attributed to the controller. Therefore, engaging a processor does not need a separate legal basis. As data protection practitioners often say: “The processor acts as a virtual part of the organization of the controller,” operating under their instructions and responsibility/liability. Although I completely agree with this interpretation, what constitutes a processor may differ in other languages. The German version uses a phrase that translates into “by order of the controller.” Although all service providers provide a service ordered by their client, in many cases that order does not make them processors. This makes the correct application of article 4(8), and therefore also the application of article 28 (the data processor agreement) much harder in Germany than it would be in the U.K., Ireland and Hungary. The French version on the other hand uses the equivalent of "for the account of," which suggests money to be transferred. This clearly cannot be the correct way to determine that a party is a processor (although I admit, my French is a bit rusty, so I may be missing something here). And the Dutch version uses a phrase that roughly translates as “for the benefit of the controller.” This may also lead to confusion, as all service providers (hopefully) provide a service for the benefit of their customers, but that wouldn’t necessarily constitute a controller-processor relationship.
The worst thing one could do is to literally translate the words used in the local language into general English instead of using the official English wording. The Babylonian confusion that may be the result of such approach is best illustrated by the Dutch and Italian versions of the GDPR. In the Dutch version the term “controller” is translated into “responsible [party] for the processing.” But in Italian, the phrase “responsible [party] for the processing” refers to the processor.
Recommendations
To avoid surprises, companies that do business in multiple member states or that operate from outside the EU should follow these guidelines:
- Do not solely rely on the English version of the GDPR (except in the U.K. and Ireland). Always consult the applicable language version for the relevant jurisdiction.
- When in doubt, compare the local language version to the (original) English version and, if possible, with the German and French versions, the other major languages in the EU. But any other language would also do the job.
- Read the EDPB opinions preferably in English, as the common position has most likely been reached in English.
- When discussing multiple language versions in a third language (e.g., English), use the official wording of such language version to ensure common understanding.
- Do not use Google Translate or a similar translation service to read a language version you don’t understand. Rather consult a native speaker.
Photo credit: Michał Kosmulski The Tower of Babel — side view via photopin