While the GDPR compliance clock is ticking for companies, EU Member States have also been preparing for the implementation of the General Data Protection Regulation (“GDPR”) which will become enforceable on May 25, 2018.
The GDPR will be directly applicable in all EU Member States without the need for implementing national laws. However, apart from the need to establish the supervisory authority, the GDPR provides Member States with the possibility to introduce more specific rules in a number of. This includes the areas of employment, sensitive personal data such as health data and in relation to the role of data protection officers.
Below is a survey of the GDPR guidance by Data Protection Authorities (DPAs) in several key Member States.
Belgium
On August 23, 2017, a draft bill establishing a Data Protection Authority (Wetsontwerp tot oprichting van de Gegevensbeschermingsautoriteit – Projet de loi portant creation d’Autorité de protection de données, “draft DPA”) was introduced. The draft DPA aims to reform the existing Commission for the Protection of Privacy (also known as the Privacy Commission) and covers the data protection authority’s structural organization and competences. In addition to the draft DPA, a second implementing bill covering the GDPR’s data processing principles and conditions is being prepared and will be introduced before the Belgian Parliament in the coming months. Key topics of the draft DPA include the organizational structure of the DPA and the rules regarding infringement proceedings. For additional details, please read our in-depth post on this subject.
Czech Republic
The Czech Ministry of Interior has published a first draft of a new Data Protection Act to in line with the GDPR and replace the current personal data act. The Czech Data Protection Office has been heavily involved in preparing the draft, which in their opinion is not stricter than current regulations in areas where derogations were possible. Once comments from stakeholders have been processed, another draft will be presented to the Czech government that will then, through the usual legislative process, take it to the Czech Parliament. Given the upcoming general election at the end of October 2017, it is highly unlikely that major activity with respect the draft will take place before the year’s end.
France
The French government is currently working on a draft bill modifying the current Data Protection Act, with the aim of submitting it to the French Parliament by December this year. In addition, on February 22, 2017, a report highlighting the changes to be made to the existing French laws was submitted by the Commission on Laws to the French National Assembly (one of the two chambers of Parliament). Key topics of this report covered health data, the age threshold for children and the role and powers of the supervisory authority.
Germany
Germany was the first Member State to implement the GDPR by passing its new Federal Data Protection Act (Datenschutz-Anpassungs- und -Umsetzungsgesetz EU, the “Act”) on June 30, 2017. The Act will replace the former German Data Protection Act (Bundesdatenschutzgesetz or “BDSG”), which has been in force for nearly four decades. The Act includes various additional provisions that need to be followed concerning, for example, the appointment of data protection officers; employee data protection; sensitive personal data; creditworthiness and scoring; the rights of data subjects; the change of the purpose of processing; video surveillance; and fines and sanctions. Further details on this Act may be found in our Client Alert.
Hungary
The Hungarian Government has prepared and published a draft Act implementing the GDPR and EU Directive No. 2016/680/EU on protecting personal data processed for law enforcement purposes into Hungarian law at the end of August. The Act has not yet been submitted to the Hungarian Parliament, but it is expected that it will be accepted before the end of this year. Based on the published draft, the changes to the current Hungarian data protection regime will mostly be limited to those necessary for the implementation of the GDPR. Upon a person’s death, their proxy (and if no proxy had been named, their close relatives) will dispose over rights relating to personal data.
Poland
On September 14, 2017, a draft of the Polish Personal Data Protection Act implementing the GDPR (the “PDPA draft”) was published, as well as a draft act amending numerous sectoral laws. As announced by the Polish Minister for Digitization, the drafts will be subject to numerous public consultations. Key issues covered by the PDPA draft include financial and criminal penalties, rules regarding the infringement proceedings, and proposed changes to the Polish Labor Code. For further details, please see our Client Alert.
Spain
At the end of June, the Spanish Ministry of Justice has published a preliminary draft implementing the GDPR. The draft includes provisions on data transfers and entrenching GDPR principles, such as transparency and data minimization. The draft also includes a description of sanctionable conduct, distinguishing between very serious, serious and minor infractions. Next, the draft bill needs to be approved by the Spanish Council of Ministers and, subsequently, debated in the Spanish Parliament.
Slovak Republic
On September 20, 2017, the Slovak Government introduced a draft bill to the Slovak Parliament implementing the GDPR and EU Directive No. 2016/680/EU on protecting personal data processed for law enforcement purposes. Unlike other Member States, the lengthy draft bill copies the GDPR practically in its entirety. The draft bill, currently being debated in the Slovak Parliament, is expected to be adopted before the end of this year and with entry into force by May 26, 2018.
United Kingdom
The Data Protection Bill (“Bill) was published on September 14, 2017. The Bill will implement the UK government’s manifesto commitments to update data protection laws. The Bill proposes applying national derogations permitted under the GDPR and seeks to keep existing exemptions in relation to a number of specified circumstances, such as processing for the purposes of journalism, national security or crime prevention. The UK Government has further released a policy paper in relation to the exchange of personal data as part of the ongoing Brexit negotiations. The paper sets out a plan to establish an “unprecedented alignment” between data protection laws in order to develop “a UK-EU model for exchanging and protection of personal data that maintains the free flow of personal data between the UK and the EU.”
Conclusion
While one of the fundamental aims of the GDPR is to harmonize the data protection rules throughout the EU, this brief overview shows the different approach that various EU Member States are taking towards GDPR implementation and derogations. Some EU Member States like Germany make more extensive use of the possibility to adopt more specific rules than others, thus resulting in continued jurisdictional fragmentation. The European Commission will be closely monitoring EU Member States so that they do not overstep these derogation powers. Other EU Member States are still in the early stages of the legislative process and may therefore have problems in meeting the deadline of May 25, 2018, when the GDPR becomes enforceable.