In general, these new member state laws, which anticipate the GDPR and amend current national data protection legislation, have one or both of the following objectives:
- to bring certain provisions of the GDPR into effect prior to May 25, 2018; or
- to legislate in areas not directly addressed by the GDPR but in which the GDPR allows member states a margin of maneuver or derogation to enact supplemental laws.
Examples of member states working on supplemental or complimentary legislation include Spain (which is reported to be preparing a draft bill for consultation in February 2017 to harmonize its broad-based Organic Law on Data Protection with the GDPR) and Germany (which is attempting once again to legislate protections specifically directed to the employment context).
Multi-national companies have an easer time dealing with legislative changes in the first category, since these are basically timing issues. Those in the second category are more troublesome, since they detract from the promise of a single, consistent data protection standard across the EU. On the bright side, the differences between member states are likely to be far less stark and frustrating than those that have prevailed over the past 20 years.