“Implementing” the GDPR – An update

EU Regulations are directly effective. This means the General Data Protection Regulation applies automatically in all EU Member States. However, national law is still important. We consider why and provide a status update on those laws.

Why do you need national law?

Member States still need national data protection laws for four key reasons:

  • To take advantage of the national derogations within the GDPR. For example, Member States can widen the situations in which a data protection officer must be appointed or clarify when the processing of sensitive personal data is permitted.
  • To set up a regulator to enforce the GDPR and to provide them with appropriate enforcement powers. In most, but not all, cases the existing regulators will take on this task.
  • To create criminal offences under national law.
  • To implement the Law Enforcement Directive; a separate EU law that applies to law enforcement agencies and is not directly effective.

National laws will therefore have a significant influence over the data protection regime in each Member State and must be read alongside the GDPR.

Status update

We have been tracking these national laws through Data Protected, a summary of data protection laws in 53 jurisdictions around the world.

While many Member States have already passed national law to help implement the GDPR, a number of Member States still only have draft legislation. These include some significant jurisdictions such as Finland, Portugal and Spain.

The map below provides an overview of progress so far.


Interesting developments

There are a number of interesting issues coming out of these Member State laws. For example:

  • Data protection officers – The majority of Member States have not imposed additional obligations to appoint a data protection officer. However, Bulgaria, CyprusFinland, Germany, Slovakia and Spain either have or are proposing to impose additional obligations. For example, Germany has retained the current obligation to appoint a data protection officer if at least ten people are employed or there is hazardous processing.
  • Age of consent – Member States have taken very different approaches to the age at which children can consent to online services. Some, such as the Netherlands or Poland have kept the age at 16. Others have taken advantage of the derogations in the GDPR to reduce that age to 13 (such as the UK and Sweden) or somewhere in between (such as Austria, which has reduced the age to 14).
  • Processing conditions: Sensitive personal data – There are also different approaches to allowing broader use of sensitive personal data and information about criminal offences. In many Member States such as Germany, there are limited additional rights to use this information in the employment context. However, others such as the United Kingdom have introduced laws permitting a number of uses ranging from the publication of legal judgments to the prevention of doping in sports. Similarly, there are very different approaches to the situations under which information about criminal offences can be processed (with some taking a relatively generous approach, such as Austria where processing is permitted under a legitimate interest test).
  • Criminal offences: Finally, there are large differences in potential criminal liability for breach of data protection laws. In Luxembourg, it will be a criminal offence to obstruct an investigation by the CNPD. The United Kingdom is proposing to introduce three criminal offences including the novel offence of re-identifying individuals from anonymised or pseudonymised data. 
Continuing scrutiny

We are expecting those Member States who have not issued implementing law to continue to work to introduce those laws. We will keep our Data Protected report updated as these changes are made.