Tuesday, December 27, 2016

Eyeing GDPR, EU Member States Updating DP Laws

The EU General Data Protection Regulation comes into force directly and immediately across all member states of the European Union on May 25, 2018, without any need for enabling legislation to be passed by national governments.  It is a Regulation after all, not a Directive, and is designed to establish a single and consistent base DP law across the EU. So what should be made of all the reports by reliable media sources about this or that member state – Germany, France, Spain, the Netherlands – working on new data protection laws to implement the Regulation? The simple answer is that reporters on arcane matters like data protection law can easily choose the wrong words.  But more importantly, what is really going on?  What are these mis-identified “implementing” laws all about?

In general, these new member state laws, which anticipate the GDPR and amend current national data protection legislation, have one or both of the following objectives:
  • to bring certain provisions of the GDPR into effect prior to May 25, 2018; or
  • to legislate in areas not directly addressed by the GDPR but in which the GDPR allows member states a margin of maneuver or derogation to enact supplemental laws.

Examples of member states advancing the effective date of certain GDPR provisions include the Netherlands (which implemented a data breach notification requirement in January) and France (where the Digital Republic Bill enacted in October increased the fines that can be imposed by CNIL to €3 million – still far below the maximum level set by the GDPR – and also introduced the right to data portability).

Examples of member states working on supplemental or complementary legislation include Spain (which is reported to be preparing a draft bill for consultation in February 2017 to harmonize its broad-based Organic Law on Data Protection with the GDPR) and Germany (which is attempting once again to legislate protections specifically directed to the employment context).

Multi-national companies have an easier time dealing with legislative changes in the first category, since these are basically timing issues.  Those in the second category are more troublesome, since they detract from the promise of a single, consistent data protection standard across the EU.  On the bright side, the differences between member states are likely to be far less stark and frustrating than those that have prevailed over the past 20 years.
