Less than 100 days to go, and so far only two European countries have adapted their laws to be ready for GDPR – is it time to panic yet?
Although the General Data Protection Regulation builds on the existing Data Protection Directive, and aims to harmonize rules across the European Union, many member states need to change their national laws in order to be compliant.
The European Commission has called on EU governments and data protection authorities to be ready, and on 24 January published new guidance on practical application of the GDPR, issued a special online tool to support SMEs, and pledged €1.7 million to help member states get ready with a further €2 million available to support national authorities in reaching out to businesses. Despite all this, and rising alarm, only Germany and Austria can claim to be “GDPR ready”.
According to president of the French data protection authority (DPA) CNIL, Isabelle Falque-Pierrotin, some national DPAs have expressed concern over the slow progress with GDPR adaptation laws. As retiring chair of the EU Article 29 Data Protection Working Party, an oversight group made up of all the European DPAs, she should know.
After 25 May, the Article 29 working party will become the European Data Protection Board, but national DPAs must be named as the regulator in any new laws in order to take part.
“It seems as if almost no member state has prioritised the regulation,” Dr Lukasz Olejnik, cybersecurity and privacy researcher and consultant, affiliated with Princeton’s Center for Information Technology Policy, told CPO Magazine. “In most countries, GDPR law sparks multiple controversies and heated debates, with many local players participating in this tug of war. Consequently, you can find countries seemingly trying to test the bending properties of GDPR.”
The disorganization worries businesses too. UEAPME secretary general, Véronique Willems, said: “Only two member states have already adopted relevant national legislation and are ready for the implementation. This is very worrying from our point of view. So far only five out of 13 guidelines for application by the Article 29 Working Party are adopted. This does not help to create certitude. This situation at national level can create confusion among SMEs. It is almost surreal to pretend that SMEs can comply with the GDPR by 25 May when today, less than four months away, member states have still not completed the necessary work to prepare the right environment.”
A recent report from the UK’s Department for Digital, Culture, Media and Sport found that only 38% of businesses are even aware of the incoming GDPR legislation, never mind ready to comply.
The big selling point of the GDPR has been that a single, pan-European law for data protection will replace the current inconsistent patchwork of national laws. According to the European Commission, the benefits for companies of dealing with just one law, not 28, are estimated at €2.3 billion per year. But with many member states eyeing possible exemptions, that may not come to pass.
France and Ireland, for example, intend to make public institutions exempt from GDPR fines, and Poland plans “an impressively long list” of carve-outs.
“In effect, GDPR, intended as a coherent constitution of data privacy in the European Union, might end up being fragmented,” explained Olejnik.
“We have exemptions from fines for the state, as in France and Ireland, and exemptions to fines that can be issued for public institutions in Poland. Sometimes with paradoxes when two entities competing on the market are subject to different levels of fines. This can only be topped by further exemption of SMEs with up to 250 employees,” he continued.
“The abundant rumors about the level of compatibility of the Irish Data Protection Bill with the GDPR complement the picture. But you also have the UK with an attempt to ban certain privacy research in their own bill. Then there is France, where public institutions will seemingly have it easier to apply profiling.”
While a fragmented GDPR remains the greatest risk, Olejnik points out that “if member states tune their national implementations on the edge of allowed exemptions, we should expect a steady stream of letters to the European Court of Justice (ECJ). This means a risk of unstable national regulations for years.”
What Poland et al. plan may be technically within the scope of the GDPR. Article 23 allows exemptions to the rules if “important objectives” such as the “economic or financial interest of a member state” apply. However, even that is up for debate, and could end up being for the ECJ to decide.
In efforts to encourage member states to sort out the mess, European Commission Vice President Andrus Ansip and Justice Commissioner Vera Jourová will embark on a GDPR-awareness campaign visiting Croatia, the Czech Republic and Bulgaria among others.
From May 2018 onward, the Commission will monitor how member states apply the new rules and take “appropriate action” as necessary. One year after the regulation enters into force, the Commission will organize an event to take stock of different stakeholders’ experiences, but by then it could be too late.
Poland believes that SMEs (companies with 250 employees or fewer) are so essential to its economic national interest that they should not need to tell people how long their data will be stored for; what their rights are regarding correction or deletion of information; if there has been a data breach; how they may access their data; or the right to complain to the Polish DPA.
Katarzyna Szymielewicz, president of anti-surveillance NGO Panoptykon Foundation, says this is hard to justify and is a “serious breach in the standard that the GDPR provides.”
The Ministry of Digitization initially wanted even more exemptions, but following a complaint by Panoptykon has taken a step back, restoring to SMEs the basic obligations contained in Article 13.
Nonetheless, SMEs would still be free from any obligation to inform customers whether they use automated decision-making (including on the basis of profiling); how long they are going to process the data; how they approach the issue of data security; and whether providing personal data is a statutory requirement or is necessary to conclude a contract.
“It is easy to imagine a dangerous leakage of passwords, about which customers will learn (if at all) only from the media, with no chance for a quick response and securing their account against burglary,” said Szymielewicz.
The privacy activist said it was unclear how the government had arrived at its position. “Because the ministries involved have not explained how the proportionality test was carried out – an analysis showing that the benefits from a public interest perspective outweigh the losses and risks on the part of citizens – the only argument for justification is the objective difficulty of providing the required information when the data is obtained by telephone,” she explained.
But, she continued, it can safely be assumed that the proposed exclusions would cover the majority of companies that process personal data, including a whole range of online stores and companies in the direct marketing industry.
“In their mass, they set the market standard and have an important role to play in disseminating good practices. In this sector, it is not the norm to conclude contracts by phone – the usual channel is the internet, which allows you to carry out information duties in a relatively cheap and simple way. On the other hand, the problem of companies that obtain data via the telephone could be solved by a narrower switch-off, reserved only for such situations,” she concluded.