The General Data Protection Regulation (GDPR) aims to harmonise the data protection laws of the Member States. In fact, since coming into full Regulation, it has a binding effect on the entire European Union and it prevails over national data protection laws.
Still, some room has been left in the GDPR for Member States to set their rules for specific topics, such as the use of national identification numbers. Chapter 9 GDPR contains a list of specific processing activities that Member States can provide national rules for, namely:
- Freedom of expression and information
- Public access to official documents
- Processing of national identification number
- Processing in the context of employment
- Processing for archiving purposes in the public interest, scientific or historical research purposes, statistical purposes
- Secrecy situations
- Existing data protection rules for religious purposes
Modifying Provisions of the GDPR
Member States can modify the provisions of the GDPR that contain ‘opening clauses’ and implement them in their local legislation.
More than 50 provisions of the GDPR contain opening clauses that give Member States a certain degree of flexibility on setting the rules.
For example, Member States can create domestic rules on the requirements for the designation of a data protection officer, the age of consent of children and they can create local rules on the notification obligations.
Therefore, Member States have started enacting legislation, often called ‘Implementation Acts’ that include their specific application of the GDPR.
These Member State specific rules addressing domestic concerns must be formulated in line with the level of protection that the GDPR aims to provide. You might wonder if leaving room for national rules clashes with the direct applicability of the GDPR. However, this mechanism just sets rules for applying the Regulation in specific situations.
For this reason, the National Implementation Acts of the GDPR are seen as a supplement of the GDPR, and different variations of rules can be seen across Member States.
Have all Member States Passed GDPR Implementation Acts?
The GDPR entered into force last month and although time is up, the question arises whether all Member States passed their GDPR Implementation Acts. What will happen if they did not make their data protection laws align with the GDPR?
Germany was the very first state to adapt the changes as it passed the German Data Protection Amendment Act (the GDPAA). Austria, France and other Member States followed up by passing their own legislation.
However, regardless of the warnings of the European Commission, not all the Member States are ready. Some Eastern European Member States such as Bulgaria have not implemented any domestic legislation about the application of the GDPR yet.
So, what does it mean for the data processing activities in Member States that have not enacted any legislation for the application of the GDPR yet?
Without clear and specific rules, it will be more difficult for businesses to operate their processing activities since there is no guidance for application of the GDPR in specific processing activities. It might increase the cost for compliance and the cost of legal services because companies will be subject to making decisions on matters that are unclear, or differ dependent on interpretation. Especially the lack of domestic rules for the consent age of minors and the rules for the use of national identification numbers can have a great impact on the daily operations of businesses.
In conclusion, Member States are given the opportunity to set specific rules for several topics regarding the application of the GDPR into their national privacy legislation with the possibility to modify the articles by taking advantage of the derogations and opening clauses under the GDPR. Some of the Member States have not finished enacting their Implementation Acts yet and this may cause ambiguities for businesses.