Data Protected – Updated and revised

As the second anniversary of the application of the General Data Protection Regulation approaches, our newly updated Data Protected report suggests it has been largely successful in harmonising data protection rules within the EU even though further uniformity in the interpretation of those rules by regulators would be welcome.

Data Protected goes beyond the borders of the EU and covers 27 other major jurisdictions. This includes new sections for Turkey and Thailand, whose laws follow the structure of the GDPR and demonstrate its importance as an international standard for privacy laws.

The GDPR – Good for individuals, good for business?

When Viviane Reding, the EU Commission's then Vice-President, launched her plans to reform EU data protection laws in 2012 it had the twin aims of increasing individuals’ control over their data and of cutting costs for business. In the accompanying press release she stated it would not only better protect fundamental rights to data protection but that:

The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

While some dispute that the GDPR has made life easier for businesses, some of these aims have been carried through to the final form of the law; a Regulation that applies most rules directly in each EU Member State, supported by a One-Stop-Shop mechanism, so that EU businesses would only have to deal with one supervisory authority.

Has the GDPR helped create a digital single market?

Our Data Protected report was first issued in 2004 and is now in its 12th edition. This edition marks the second anniversary of the application of the GDPR and suggests that the GDPR has been successful in harmonising the data protection laws across the EU:

  • High overall levels of harmonisation: For EU jurisdictions we use grey text to set out the position under the GDPR and black text to show national variations. The amount of black text is limited.
  • National laws passed: All EU Member States, with the exception of Slovenia, have now passed national legislation to help apply and enforce the GDPR in their jurisdictions.
  • Data Protection Officers: Only seven Member States’ national laws contain additional obligations to appoint data protection officers, with some only creating the potential for wider appointment obligations and others only applying this obligation in limited cases. However, some jurisdictions have imposed much broader obligations, such as Germany which requires a data protection officer to be appointed where over 20 employees are involved in processing or the processing is hazardous.

However, this harmonisation is not complete and in some areas the approach of different Member States continues to diverge. For example:

  • Age for online consent: Only nine Member States have kept the age at which children can consent to online services at 16. The other states, perhaps reflecting the realities of raising teenagers, have reduced this age, with eight Member States opting for the minimum age of 13.
  • Employment: Similarly, most Member States have used the permitted derogations in the GDPR to introduce specific laws of varying degrees of complexity regarding the processing of personal data about employees. Given the close link between privacy and employment law, and the fact that many aspects of employment law are not fully harmonised, this is not surprising.
  • Special category of personal data: There is a spectrum of approaches to determining when special category of personal data can be processed. Those approaches range from the extreme of setting out an exclusive list of situations in which this type of data can be processed under national law (such as the UK which specifies 27 different situations including anti-doping in sport and informing elected representatives about prisoners) to other jurisdictions which have comprehensively amended existing national law (such as Poland which has amended 162 national acts) to those that simply rely on existing obligations under national law (such as Estonia).
  • Oddities: Finally, we have the oddities. This includes the UK which, amongst other things, has introduced a new criminal offence of re-identifying de-identified personal data in its national law. Spain has used this as an opportunity to create a new “digital charter of rights” including employees being granted the “right to disconnect” outside the office.

Other structures in the GDPR are also coming under strain. For example, there is increasing pressure by some regulators on the One-Stop-Shop mechanism following the perceived failure by other regulators to enforce the GDPR; particularly against the Big Tech companies.

However, in many respects the GDPR has worked. It has helped foster a digital single market and thus made it easier for businesses wanting to operate on a pan-European EU. Certainly, anyone who has had to navigate the byzantine jigsaw of sectorial federal law and state law in the US, will look back at the (relatively) uniform and comprehensive data protection law in the EU with some relief.

Outside the EU

The influence of the GDPR extends beyond the EU. The latest edition of Data Protected contains new sections looking at data protection laws in Turkey and Thailand. Both have laws that approximate to the GDPR albeit without mirroring it exactly.

Similarly, India is forging ahead with its Personal Data Protection Bill that will bring its law more closely into alignment with the comprehensive provisions of the GDPR. Brazil has already passed such a law, albeit that following the COVID-19 pandemic the effective date for that law is likely to be moved back to January 2021.

This all raises the question about the future direction of data protection laws in the UK post-Brexit. The UK has already passed a series of measures to incorporate the GDPR into its national law. These make little substantive change so when the transitional arrangements with the EU end on 31 December 2020, the UK will still be closely aligned with the EU. Any future changes will need to factor in a range of issues including the need to preserve the EU’s adequacy finding for the UK (if made), the benefits of providing a harmonised data protection framework with the rest of the EU and the GDPR’s status as a de facto global standard for data protection laws.  

The Data Protected Report is available here.

By Tanguy Van Overstraeten and Richard Cumbley