EU Countries Drag Heels on Laws to Enforce New Privacy Powers

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

By Stephen Gardner

The European Union’s 28 countries’ sluggish adoption of laws implementing the bloc’s new privacy regime could hobble regulators’ enforcement powers.

The EU General Data Protection Regulation, which takes effect May 25, grants privacy regulators the power to levy fines of up to the higher of 20 million euros ($24.5 million) or 4 percent of a company’s global revenues for the most serious privacy breaches.

But before they can act, countries may need to validate or upgrade laws establishing their privacy regulators. Without new laws, companies may be uncertain about the compliance and enforcement risks they face in individual EU countries, privacy attorneys told Bloomberg Law.“We still have countries that haven’t even published a draft,” Julia Kaufmann, a technology and data privacy partner with Baker McKenzie in Munich, told Bloomberg Law.

If national legislative processes aren’t done before the GDPR takes effect, it could create confusion, Monika Kuschewsky, a data protection partner with Squire Patton Boggs in Brussels, told Bloomberg Law.

“For legal certainty, countries have to repeal their existing laws,” she said.

Only Austria and Germany have finalized their GDPR implementation laws, according to a Baker McKenzie Jan. 19 report. Most of the other EU countries have GDP legislative efforts underway, but Bulgaria, Greece, Malta, Portugal, and Romania are lagging, with no clear plans for implementing the GDPR, the report said.

The bottom line is that national legislation authorizing privacy offices shouldn’t be an afterthought. Without it, privacy offices could find themselves “not able to exercise” their powers, Gail Crawford, chair of the data privacy committee at Latham & Watkins LLP in London, told Bloomberg Law.

European Commission

EU countries should “speed up the adoption of national legislation and make sure these measures are in line” with the GDPR, the European Commission, the EU’s executive arm, said in a Jan. 24 statement. EU governments “must ensure complete independence and sufficient resources” for their privacy offices, Justice Commissioner Vera Jourova, the EU’s top data protection official, said in the statement.

Elections could hold up the progress of adopting GDPR-implementation laws in some countries, adding a level of urgency.

For instance, the March 4 general election in Italy might delay passing a GDPR law, so Italian authorities should “speed up and do the necessary work,” Jourova said.

In Hungary, a draft GDPR implementation law was published for consultation in August 2017. The bill could be presented in the Hungarian parliament in February, but it is uncertain if much progress will be made before a scheduled April 8 parliamentary election, Laszlo Pok, a corporate law partner at Szecskay Attorneys at Law in Budapest, told Bloomberg Law.

Parliamentary elections will also take place later in 2018 in Latvia, Luxembourg, Slovenia, and Sweden.

Regulator Legislation

Even if a country hasn’t passed broad legislation to adopt the GDPR, it may be able to pass narrow legislation to authorize its privacy office to use the new EU-wide enforcement authority. Although the GDPR is directly applicable across the EU, countries would typically need a law to say their national privacy office can enforce the law, Kuschewsky said.

Belgium, for example, hasn’t made progress on a national GDPR implementation law but does have a separate law to establish a new Belgian Data Protection Authority to replace its Belgian Privacy Commission. The law, officially published Jan. 10, gave the national privacy regulator broader powers to investigate and sanction privacy violations.

In the Netherlands, a bill sent to Dutch lawmakers in December would clarify that, under the GDPR, the Dutch privacy office can issue fines without having to first issue a cease-and-desist order, as was previously required.

Even if national laws to implement the GDPR aren’t fully in place, the new European Data Protection Board will be, Olivier Rossignol, spokesman for the European Data Protection Supervisor, told Bloomberg BNA. The EDPB will replace the Article 29 Working Party of EU DPAs and will adjudicate in privacy cases involving more than one country. The EDPB will convene for the first time May 25.

To contact the reporter on this story: Stephen Gardner in Brussels at

To contact the editor responsible for this story: Donald Aplin at

Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.

Request Bloomberg Law: Privacy & Data Security