An earlier version of this story reported six of the 28 member states had passed GDPR implementation acts, Germany, Belgium, Poland, Austria, Slovenia, and Slovakia. However, it has come to our attention that the number is fewer than that; neither Poland nor Slovenia has done so. Look for a follow-up story in The Privacy Advisor on what’s causing national delays.
The EU's incoming General Data Protection Regulation is, as the name makes clear, a regulation. Unlike an EU directive, it applies across all member states without the need for each country to transpose it into national law.
However, each member state does still need to update its national data protection law in order to align it with the GDPR and to flesh out certain elements of the regulation for that country's domestic context. Unfortunately, only four of the 28 member states (Germany, Belgium, Austria, and Slovakia) have so far passed their GDPR implementation acts. And the GDPR will take effect in a month's time.
So, if a member state hasn't produced its implementation act by May 25, what does that mean for businesses trying to operate there?
"The answer is fairly clear-cut: You have to follow the GDPR," said Gail Crawford, a partner at Latham & Watkins's London office. "The question is whether the regulators in that country will be able to enforce it without new legislation. That's a country-by-country thing.
"With a case that is challenging … ultimately the [Court of Justice of the European Union] would find you have to comply with the GDPR if the national legislation is not clearly up-to-date," she said. "Without implementing legislation, you don't get the details you need to be able to comply easily."
For example, Article 9 of the GDPR gives member states latitude to decide on local exceptions to the ban on the processing of special categories of personal data, such as data about ethnic origin, religious beliefs, health and sexual orientation. Member states can allow the processing of such data in order to enable research or to support employment law or the substantial public interest, but they need to clearly spell out their derogations in their implementing acts.
"We have a client who's looking at operating in that industry in Spain. They've been told that even when the implementing legislation comes in, it won't have all the derogations in it," Crawford said. "New businesses may be deterred from investing in a country if a country hasn't made derogations easy to [follow]."
Indeed, this points to an additional concern with implementing legislation: that it won't do everything it needs to do. Belgium, for example, has passed its legislation, but, like Spain, the derogations themselves won't be spelled out until after the implementation date. The devil is in the detail.
Meanwhile, some countries are very much behind on the implementing-act front, and many are in Eastern Europe. Bulgaria and the Czech Republic are two notable examples — ironically, each is the home turf of a key European Commission player in this regard, respectively Digital Economy Commissioner Mariya Gabriel and Justice Commissioner Věra Jourová.
"Bulgaria has not implemented any local legislation on the GDPR, neither has the Commission [of Personal Data Protection] provided additional guidance," said Anna Rizova, a partner at the Sofia office of Wolf Theiss.
Plamen Angelov, the director of legal affairs at the Bulgarian data protection authority, confirmed that there was no new legislation yet, despite a draft having been submitted in Fall 2017 to the interior and justice ministries to get the ball rolling. "As far as we are aware, the delay has been caused by differing views on the financial impact," he said.
However, Angelov disputed the claim that the CPDP hasn't been providing sufficient guidance. "The Bulgarian DPA has been regularly publishing guidelines and practical advice to all data controllers," he said. "Moreover, we are engaged in very extensive awareness campaign addressing both big business, SMEs and NGOs."
According to Tomáš Mudra, an associate at the Prague law firm UEPA, the Czech legislation was also prepared around September last year but will "very likely" not be ready May 25. The bill only reached the Czech Parliament a couple weeks ago and is set to be debated for the first time in committee today.
"It was an idea to put it in a very quick legislative procedure, but it appears it won't happen," Mudra said. "I'm afraid it's likely to pass about September, October. If it would be before the summer, it would be a great success."
Mudra said he had heard the Bulgarian authorities have not been providing guidance on what to do in the absence of a new implementing act, and, by comparison, the Czech DPA has "invested a significant effort in helping business." However, he said, the local regulator is very cautious about only providing guidance where the DPA itself is entirely sure of what it is saying.
"There are many topics where we got an answer [along the lines of], 'We don't know, we will wait for the European decision, we will discuss it in [the Article 29 Working Party],'" he said.
The Czech situation is, of course, not helped by the fact that the country still does not have a legitimate government, some five months after a general election led to protracted and so far unsuccessful coalition talks. But again, what is the effect of the implementation act delay on businesses?
According to Mudra, the changes to Czech data protection law that are coming in the GDPR implementation bill are not hugely consequential for businesses — they are more dramatic for the public sector. For businesses, the main elements of note will relate to professional secrecy in sectors such as finance and setting the age of processing consent at 15 (out of the 13 to 16 range allowed by the regulation).
However, the Czech lawyer argued, the country's implementation bill is particularly important because of its psychological impact.
"In the way of thinking of businesses, there are a lot of people who still obey a national implementation as some sort of deus ex machina. I believe there is a significant part of Czech business who will still wait for the national implementation, and are not going to make any preparation without Czech legislation," Mudra said. "They are all used to the fact that, yes, something came from the EU, but after that, it has to go through our Parliament. This regulation is not very much understood. The direct effect is not very well understood or accepted by many people. It’s very hard that the bill won't pass in time."
If you want to comment on this post, you need to login.