GDPR National Derogations: The Next Phase of EU Privacy Compliance
U.S. companies handling the personal data of EU residents should now be familiar with the requirements of the General Data Protection Regulation (GDPR), the new data protection law covering all countries in the EU, which went into effect on May 25, 2018. News about the GDPR has been plentiful, including Outside GC’s own alerts. However, compliance with EU privacy law does not end with this regulation. Other pieces of EU legislation cover privacy matters outside of the GDPR, such as the E-Privacy Directive 2002/58/EC of 2002 (a/k/a the “Cookies Directive”) and the “national derogations” in the laws of individual EU member states, which impose additional responsibilities on U.S. companies that use the personal data of their residents as part of their business activities.

What are the National Derogations?
The national derogations are variations adopted by individual member states of the EU as part of their national legislation implementing the GDPR.

Why are national derogations allowed?
In the case of the GDPR, the answer lies in the subject matter of the GDPR, which takes precedence over its purpose. The GDPR was adopted to replace its predecessor, the EU Privacy Directive 95/46/EC of 1995, and fulfills a two-fold objective: (1) address the myriad technological developments impacting the processing of personal data that have occurred since 1995, and (2) eliminate the need to comply with the 28 national data protection laws that member states passed to implement the Directive. As a regulation, the GDPR automatically and uniformly applies to all EU countries, simplifying the process of doing business in the EU. However, the GDPR is a unique piece of legislation in that it purports to regulate an area of the law – the protection of personal data – which, in the EU, is deemed a fundamental right of individuals, much like the constitutional rights of U.S. citizens.

As a result, the drafting and ultimate adoption of the GDPR represented a political tradeoff between the overall objective of standardizing the law governing the processing of personal data across the EU, and the need of EU member states to protect the fundamental rights of their citizens by weighing in on certain aspects of the GDPR.

The Impact of the National Derogations on Compliance
Article 23 of the GDPR gives member states the right to adopt country-specific derogations in more than 50 areas of the Regulation. This means that even though the GDPR is the law of the EU for most areas of privacy, in more than 50 areas compliance with EU data protection law means complying with both the GDPR and the national derogations, some of which are considerably stricter than the GDPR. As a result, companies processing the personal data of EU residents should identify the countries from which, or about whose residents, they are collecting data, and ensure they are in compliance with any derogations applicable to such data. To date, 14 of the 28 Member States of the EU, and 2 of the 3 EEA countries, have published their national law implementing the GDPR. The remaining member states are at different stages of the legislative process for adopting their own national derogations. Companies doing business across the EU are advised to stay informed about the evolving changes in national privacy laws.

Key GDPR Derogations
Below are examples of how some member states have already approached the above-mentioned derogations:

If you have any questions about the GDPR or any applicable national derogations, we would be happy to assist you. Our team includes U.S.- and EU-trained attorneys experienced with data privacy requirements in the EU and well-versed in the GDPR, the EU-U.S. Privacy Shield self-certification process, and the data privacy laws and regulations of individual EU Member States.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape. Mark Johnson has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm Squire Patton Boggs in Washington, D.C. Lakshmi Sarma Ramani served as the lead global attorney for privacy matters at The Nature Conservancy, where she also managed a wide range of legal and regulatory compliance matters, including cybersecurity, tax, finance, technology, marketing, membership and fundraising. Feel free to reach out directly to Stephan [email protected], Mark [email protected] or Lakshmi [email protected], or request more information by visiting our Contact Us page.
Below are some important areas of the GDPR subject to national derogations at the member state level:
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.