“Implementing” the GDPR – An update

EU Regulations are directly effective. This means the General Data Protection Regulation will automatically apply to all EU Member States from 25 May 2018. However, national law is still important. We consider why and provide a status update on those laws.

Why do you need national law?

Member States will need national data protection laws for four key reasons:

  • To take advantage of the national derogations within the GDPR. For example, Member States can widen the situations in which a data protection officer must be appointed or clarify when the processing of sensitive personal data is permitted.
  • To set up a regulator to enforce the GDPR and to provide them with appropriate enforcement powers. In most, but not all, cases the existing regulators will take on this task.
  • To create criminal offences under national law.
  • To implement the Law Enforcement Directive, a separate EU law that applies to law enforcement agencies and is not directly effective.

National laws will therefore have a significant influence over the data protection regime in each Member State and must be read alongside the GDPR.

Status update

We have been tracking these national laws through Data Protected, a summary of data protection laws in 53 jurisdictions around the world.

While a small number of Member States have already passed national law to help implement the GDPR, including Germany, Austria and Slovakia, the vast majority of Member States still only have draft legislation. A small number are not even at that stage.

The map below provides an overview of progress so far. There are more details in this table.

Map

Interesting developments

There are a number of interesting issues coming out of these Member State laws. For example:

  • Data protection officers – The majority of Member States have not imposed additional obligations to appoint a data protection officer. However, Finland, Germany, Slovakia and Spain either have imposed or are proposing to impose additional obligations. For example, Germany has retained the current obligation to appoint a data protection officer if at least ten persons are employed or there is hazardous processing.
  • Age of consent – Member States have taken very different approaches to the age at which children can consent to online services. Some, such as the Netherlands or France, have kept the age at 16. Others have taken advantage of the derogations in the GDPR to reduce that age to 13 (such as Ireland and Denmark) or somewhere in between (such as Austria, which has reduced the age to 14).
  • Processing conditions: Sensitive personal data – There are also different approaches to allowing broader use of sensitive personal data and information about criminal offences. In many Member States such as Germany, there are limited additional rights to use this information in the employment context. However, others such as the United Kingdom have introduced laws permitting a number of uses ranging from the publication of legal judgments to the prevention of doping in sports.
  • Criminal offences – Finally, there are large differences in potential criminal liability for breach of data protection laws. In Luxembourg, it will be a criminal offence to obstruct an investigation by the CNPD. The United Kingdom is proposing to introduce three criminal offences including the novel offence of re-identifying individuals from anonymised or pseudonymised data.

Countdown to May 2018

We are expecting most Member States to finalise their national law over the next two months to ensure they are fully prepared for the GDPR. We will keep our Data Protected report updated as these changes are made.