Written by Daniel Felz and Privacy & Data Security Team
On February 7, 2017, the Spanish Ministry of Justice launched a public consultation as a preliminary step before the drafting of a new bill implementing the General Data Protection Regulation (“GDPR”). The press release clarifies that although the GDPR has direct effect in the European Member States, its implementation into Spanish law is not a straightforward exercise because (i) the obligations in existing data protection legislation need to be maintained or amended (as the case may be), and (ii) other sector specific laws containing provisions on data protection need to be updated. A draft bill is currently in the making with respect to both the general data protection framework and the sector specific laws; however, the draft bill has not been released yet.
Against this background, the questions which are submitted to public consultation appear to be quite open. Interested parties in the public or private sectors and civil society may provide comments on the GDPR process or content by the end of the month.
This open-ended approach (although implemented under tight deadlines) is slightly different from the process in other European countries:
- In June 2016, the French data protection authority (“CNIL”) launched a public consultation on the GDPR. More specifically, the CNIL invited public and private organizations to join a forum on its website to provide comments or raise questions or concerns regarding the new provisions in the GDPR on (i) the DPO’s role, (ii) data portability, (iii) privacy seals and certifications, and (iv) the new triggers for data protection impact assessments. 225 organizations participated in the public consultation and the outcome was integrated into recent guidance from the Consortium of European Data Protection Authorities.
- In Germany, the Interior Ministry has been drafting a proposed Data Protection Amendments and Implementation Law (Datenschutz-Anpassungs- und Umsetzungsgesetz – or “DSAnpUG”) approximately since the GDPR was passed. The DSAnpUG implements the GDPR as well as the EU Law Enforcement Information Sharing Directive 2016/860. In late November 2016, the Interior Ministry circulated a draft of the proposed DSAnpUG, and provided a two-week period in which the German states and any other interested parties could provide written comment. After public consultation ended, the German Cabinet of Ministers approved the draft DSAnpUG for introduction into the legislature. At present, several committees of the Upper House of Parliament (Bundesrat) are debating the draft, and a full vote of the Upper House is scheduled for March 8, 2017.
The press release on the Spanish consultation is available (in Spanish) here; the CNIL’s report on the French public consultation is available (in French) here; the draft of the German DSAnpG, as introduced to the legislature by the German Federal Cabinet, is available (in German) here.
Alston & Bird is closely monitoring the implementation of the GDPR in various EU countries and is advising companies with operations in the above countries on how to comply with the GDPR requirements. For more information, contact Jan Dhont, Jim Harvey, or David Keating.