The European Union’s 28 countries’ sluggish adoption of laws implementing the bloc’s new privacy regime could hobble regulators’ enforcement powers.
The EU General Data Protection Regulation, which takes effect May 25, grants privacy regulators the power to levy fines of up to the higher of 20 million euros ($24.5 million) or 4 percent of a company’s global revenues for the most serious privacy breaches.
But before they can act, countries may need to validate or upgrade laws establishing their privacy regulators. Without new laws, companies may be uncertain about the compliance and enforcement risks they face in individual EU countries, privacy attorneys told Bloomberg Law.
“We still have countries that haven’t even published a draft,” Julia Kaufmann, a technology and data privacy partner with Baker McKenzie in Munich, told Bloomberg Law.
If national legislative processes aren’t done before the GDPR takes effect, it could create confusion, Monika Kuschewsky, a data protection partner with Squire Patton Boggs in Brussels, told Bloomberg Law.
“For legal certainty, countries have to repeal their existing laws,” she said.
Only Austria and Germany have finalized their GDPR implementation laws, according to a Baker McKenzie Jan. 19 report. Most of the other EU countries have GDPR legislative efforts underway, but Bulgaria, Greece, Malta, Portugal, and Romania are lagging, with no clear plans for implementing the GDPR, the report said.
The bottom line is that national legislation authorizing privacy offices shouldn’t be an afterthought. Without it, privacy offices could find themselves “not able to exercise” their powers, Gail Crawford, chair of the data privacy committee at Latham & Watkins LLP in London, told Bloomberg Law.
EU countries should “speed up the adoption of national legislation and make sure these measures are in line” with the GDPR, the European Commission, the EU’s executive arm, said in a Jan. 24 statement. EU governments “must ensure complete independence and sufficient resources” for their privacy offices, Justice Commissioner Vera Jourova, the EU’s top data protection official, said in the statement.
Elections could hold up the progress of adopting GDPR-implementation laws in some countries, adding a level of urgency.
For instance, the March 4 general election in Italy might delay passing a GDPR law, so Italian authorities should “speed up and do the necessary work,” Jourova said.
In Hungary, a draft GDPR implementation law was published for consultation in August 2017. The bill could be presented in the Hungarian parliament in February, but it is uncertain if much progress will be made before a scheduled April 8 parliamentary election, Laszlo Pok, a corporate law partner at Szecskay Attorneys at Law in Budapest, told Bloomberg Law.
Parliamentary elections will also take place later in 2018 in Latvia, Luxembourg, Slovenia, and Sweden.
Even if a country hasn’t passed broad legislation to adopt the GDPR, it may be able to pass narrow legislation to authorize its privacy office to use the new EU-wide enforcement authority. Although the GDPR is directly applicable across the EU, countries would typically need a law to say their national privacy office can enforce the law, Kuschewsky said.
Belgium, for example, hasn’t made progress on a national GDPR implementation law but does have a separate law to establish a new Belgian Data Protection Authority to replace its Belgian Privacy Commission. The law, officially published Jan. 10, gave the national privacy regulator broader powers to investigate and sanction privacy violations.
In the Netherlands, a bill sent to Dutch lawmakers in December would clarify that, under the GDPR, the Dutch privacy office can issue fines without having to first issue a cease-and-desist order, as was previously required.
Even if national laws to implement the GDPR aren’t fully in place, the new European Data Protection Board will be, Olivier Rossignol, spokesman for the European Data Protection Supervisor, told Bloomberg BNA. The EDPB will replace the Article 29 Working Party of EU DPAs and will adjudicate in privacy cases involving more than one country. The EDPB will convene for the first time May 25.
To contact the reporter on this story: Stephen Gardner in Brussels at email@example.com
To contact the editor responsible for this story: Donald Aplin at firstname.lastname@example.org
Copyright © 2018 The Bureau of National Affairs, Inc. All Rights Reserved.