As we all know, the GDPR is all about the harmonisation of data protection across Europe – hence its form as a regulation (directly effective) rather than a directive (domestic implementing legislation needed). Yes, but: the GDPR leaves an awful lot to member states to implement. For example: exemptions to data subjects’ rights, mechanisms for reconciling data protection and freedom of expression, and the machinery of enforcement by supervisory authorities. Until we have domestic implementing legislation, we can’t fully understand how data protection will work after 25 May 2018.
What will domestic legislation look like in the UK? The short answer: no idea. Today is the closing day for submissions for the government’s “Call for views on GDPR derogations”. As Chris reported last month, “this is definitely not a consultation in the traditional sense. Even a cursory read will reveal that DCMS has not provided any hint at all of what it might be proposing to do…”
So the government has not revealed its intentions, and the election purdah period means we are unlikely to get much by way of explanation for a while yet. Are there any insights we can glean from the implementation process in other countries?
Germany is, unsurprisingly, the most advanced member state in this respect. Its Parliament, the Bundestag, passed a new Federal Data Protection Act on 27 April. This followed a process of amendment to the first published draft of the bill. The new Act now needs to be considered by the Federal Council. Here are some notable examples of how Germany has thus far gone about implementing the GDPR:
- Professional duties of confidence: how are transparency duties (see Articles 12-15 GDPR) supposed to be squared with professional duties of confidence (lawyers, doctors, auditors etc)? This is an important practical issue on which data protection law has tended to be unhelpfully opaque. The German Act carves out an exemption to the transparency duties so as to safeguard professional duties of confidence.
- Subject access exemptions: it appears that, where personal data is held only for data storage, backup or data security reasons – without measures in place to prevent any new processing – subject access rights do not apply.
- Right to be forgotten exemptions: this right does not apply if the requested erasure is not possible or would involve disproportionate effort because of the way in which the data has been stored.
- Purpose limitation: the default position under the GDPR is that if you use personal data for a new purpose (i.e. one which differs from the original purpose of the processing) you need to inform data subjects. That duty could create real practical difficulties in many cases. Germany has utilised its discretion to dilute that duty, for example where further processing is on public safety grounds, for the purposes of investigations (including internal investigations) or for purposes relating to civil legal claims.
- Sanctions: the GDPR’s provisions on swingeing financial penalties for data controllers are well known. Germany also proposes to extend certain sanctions to individuals, over and above the liability of the corporate data controller. That includes criminal sanctions, with periods of imprisonment of up to 3 years.
- Data protection officers: the German law requires all organisations with 10 employees or more to appoint DPOs – this is much more stringent than the GDPR.
Is the UK likely to borrow anything from the German approach? We don’t know yet, but chances are that the DCMS will be interested in Germany’s approach to exemptions and carve-outs (see the first three items in the list above, for example).
There are, however, reports that the European Commission objects to some of the proposed German carve-outs, on the grounds that they imperil full implementation of the GDPR. So – even for the Germans, who lead the pack – there may be plenty of work to do in terms of ironing out implementing legislation to ensure it has the Commission’s stamp of approval.
Will the UK manage to secure any such approval by May 2018? Bookies’ odds are not yet available on this most eye-catching of questions. But the clock is ticking.
Robin Hopkins @hopkinsrobin