GDPR Fragmentation May Appear More Significant than Intended

Written by

With the entry into application of the GDPR on May 25, 2018, the EU Member States were expected to have adopted national legislation implementing the regulation. To date, however, only 30% of Member States have effectively passed legislation, which still leaves the legal landscape to be precarious. The GDPR allows for deviations and specifications in several areas, for instance to introduce specific conditions or limitations for the processing of biometric, genetic, or health data; to create specific protection regimes for employee data; or to restrict the rights the GDPR grants to individuals. Businesses that operate in the EU are required to comply with both the legal framework of the GDPR and the (potentially deviating) national legal frameworks of the specific countries where they operate.

The 30% of Member States that met the May 25 deadline include frontrunners Germany, Austria, Slovakia, and Belgium (with legislation passed in 2017), as well as Sweden, Poland, the Netherlands, Denmark, Croatia, and the UK – although this second category of Member States passed legislation just a few days before May 25. However, it is worth noting that the majority of remaining EU Member States find their legislation in an advanced draft stage, with countries such as France and Italy close to adoption. In addition to EU Member States, the GDPR’s scope of application also expands to the EEA EFTA states (Iceland, Liechtenstein, and Norway) upon incorporation of the GDPR into the EEA agreement. These three countries have draft legislation in place but are primarily awaiting finalization of this incorporation process – expected to be complete by July 1, 2018.

Member State deviations from the GDPR may have significant impact on businesses. Key highlights in deviations include:

  • The Dutch Act allows processing of biometric data pertaining to employees for security/authentication purposes, even without employee consent (which proves challenging in the employment context).
  • Both the Austrian and Hungarian supervisory authorities will issue warnings before engaging in effective enforcement action.
  • The German Act further tailors the criteria to determine a business’s data protection officer (DPO) appointment requirement (effectively leading to more businesses being subject to the DPO designation requirement).

Businesses whose corporate focus lies in markets outside the 30% of Member States will have to be more patient to obtain certainty on the complete legal framework applicable to their business. Nevertheless, the expectation is that, save serious misconduct, supervisory authorities will hold off from true enforcement action until legal frameworks are fully established and settled.

*          *          *

This is an extract from a full-length article published in the National Law Journal. To consult the full-length article, please click here. To consult an overview of Member State deviations to the GDPR, please consult the Alston & Bird GDPR Tracker.

Alston & Bird and its Brussels-based EU Privacy Team is closely following DPA action and privacy litigation in the EU Member States. For more information, contact Jan Dhont, Jim Harvey, or David Keating.