So you thought there was only one GDPR?
Richard Kranendonk
Before the first proposal for a new European privacy law was brought to the EC at the beginning of 2012, the intention was to harmonize privacy laws across the EU. This would be realized by replacing the existing Privacy Directive 95/46/EC with a regulation: a regulation is directly effective, bypassing the need for implementation in national laws.
This is Europe, however, so the reality was 28 member states negotiating for more than 4 years and a record number of 3,999 amendments. The result is that the GDPR gives member states much room for local interpretation, to be laid down in 'implementing legislation'. These laws should have come into effect on the same date as the GDPR itself, May 25, 2018, but not all countries were ready in time: the national implementations of Bulgaria, Czechia, Greece, Portugal, and Slovenia are still in development.
Even at the core of the GDPR, two of the lawful grounds for processing – out of a total of six – can be filled in on a national level: compliance with a legal obligation and the performance of a public task.
Other examples of room for national interpretation of the GDPR include:
- Extra protection for special categories of personal data that increase the risk of discrimination, exclusion or fraud.
- Minimum age of consent for the processing of personal data: it's 13 in Denmark, Sweden, and Belgium, 14 in Cyprus, 15 in France and 16 in the Netherlands.
- Limitation of subject rights under certain circumstances, like national security.
- Deviation for journalistic purposes.
Enforcement of the GDPR will most likely also show different nuances across member states. Each member state is obligated to appoint its own supervisory authority with the power to apply sanctions. But which sanctions will be applied in which situation is largely up to the member states themselves.
The conclusion is that, although there is only one regulation for all EU member states, it's advisable to do local compliance checks when you're entering new markets.
Based on a Dutch article.