GDPR National Derogations: The Next Phase of EU Privacy Compliance
U.S. companies handling the personal data of EU residents should now be familiar with the requirements of the General Data Protection Regulation (GDPR), the data protection law covering all countries in the EU, which went into effect on May 25, 2018. News about the GDPR has been plentiful, including Outside GC’s own alerts. However, compliance with EU privacy laws does not end with this regulation. Other EU legislation covers privacy matters outside of the GDPR, such as the E-Privacy Directive 2002/58/EC of 2002 (a/k/a the “Cookies Directive”), and the “national derogations” in individual EU member state laws impose additional responsibilities on U.S. companies that use the personal data of those states’ residents as part of their business activities.
What are the National Derogations?
The national derogations are variations adopted by individual EU member states as part of their national legislation implementing the GDPR. Why are national derogations allowed? In the case of the GDPR, the answer lies in its subject matter, which in the end took precedence over its harmonizing purpose.
The GDPR was adopted to replace its predecessor, the EU Data Protection Directive 95/46/EC of 1995, and fulfills a two-fold objective: (1) address the myriad technological developments impacting the processing of personal data that have occurred since 1995, and (2) eliminate the need to comply with the 28 separate national data protection laws that member states had passed to implement the Directive. As a regulation, the GDPR applies automatically and uniformly to all EU countries, simplifying the process of doing business in the EU.
However, the GDPR is a unique piece of legislation in that it regulates an area of the law – the protection of personal data – which, in the EU, is deemed a fundamental right of individuals, much like the constitutional rights of U.S. citizens. As a result, the drafting and ultimate adoption of the GDPR represented a political tradeoff between the overall objective of standardizing the law governing the processing of personal data across the EU and the insistence of EU member states on protecting the fundamental rights of their citizens by weighing in on certain aspects of the GDPR.
The Impact of the National Derogations on Compliance
Article 23 of the GDPR, together with numerous “opening clauses” elsewhere in the Regulation, gives member states the right to adopt country-specific derogations in more than 50 areas of the Regulation. This means that even though the GDPR is the law of the EU for most areas of privacy, in those 50-plus areas compliance with EU data protection law means complying with both the GDPR and the applicable national derogations, some of which are considerably stricter than the GDPR itself.
As a result, companies processing the personal data of EU residents should identify the countries from which, or about whose residents, they are collecting data, and ensure they comply with any derogations applicable to that data. To date, 14 of the 28 Member States of the EU, and 2 of the 3 EEA countries, have published their national law implementing the GDPR.
The remaining member states are at different stages of the legislative process for adopting their own national derogations. Companies doing business across the EU are advised to stay informed about the evolving changes in national privacy laws.
Key GDPR Derogations
Below are some important areas of the GDPR subject to national derogations at the member state level:
- Article 9: Processing Special Categories of Data: Generally, processing sensitive data (e.g., data relating to health, religion, race) is prohibited. Member states may implement exceptions to this prohibition, and may also introduce further conditions or limitations on the processing of genetic, biometric or health data.
- Article 17: The Right to be Forgotten: Data subjects have the right to have their personal data erased. Member states may impose exceptions under which organizations do not have to erase such data.
- Article 22: Automated Decision-making & Profiling: Data subjects have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on them. Member states may authorize specific uses of such decision-making by law, so long as suitable safeguards for data subject rights are in place.
- Article 32: Security of Processing: Member states may impose additional security requirements on organizations processing certain categories of data.
- Article 35: Data Protection Impact Assessments (“DPIA”): Organizations must assess, before undertaking it, any processing likely to result in a high risk to individuals. Member states, through their supervisory authorities, publish lists of processing operations for which an assessment is required and may impose additional requirements.
- Article 37: Data Protection Officers (“DPO”): In certain circumstances an organization must formally appoint someone to ensure compliant privacy practices. Member states may require a DPO in additional cases where they believe one is necessary.
- Article 58: Powers: The GDPR grants investigative and corrective powers to the supervisory authorities of each member state. The member state may expand on these powers or impose procedures for these authorities.
- Article 83: Conditions for imposing fines: The GDPR sets out violations that may result in fines. Member states may expand on the list of violations and decide whether, and to what extent, fines apply to public authorities and bodies.
- Article 84: Penalties: Member states may impose additional penalties for infringements not addressed under Article 83.
Below are examples of how some member states have already approached the above mentioned derogations:
- Germany: On April 27, 2017, the German Federal Parliament adopted the new German Federal Data Protection Act (“Bundesdatenschutzgesetz” in German). This act came into effect on May 25, 2018 and replaces the previous German federal privacy legislation of 2008 while incorporating the national derogations afforded to member states under the GDPR. Among the provisions of the new act, Section 64 sets out requirements for the security of data processing, imposing a series of technical and organizational measures such as preventing access by unauthorized persons and implementing verification (logging and audit) systems. Section 35 of the act sets out additional exceptions to the data subject’s right to erasure, allowing controllers to deny this right in circumstances such as where erasure is impossible or would involve disproportionate effort and the data subject’s interest in erasure is minor. Section 22 addresses the processing of special categories of personal data and expands the grounds on which such data may be processed, including when it is used for scientific or historical research.
- France: On May 18, 2018 the French National Assembly voted to update the Data Protection Act of 1978 to meet the standards of the GDPR and to implement many derogations. Article 8 expands the reach of the national law by applying it to French residents even when the data controller is not established in France. Article 11 expands the ability to process criminal records data where it relates to the exercise of personal rights. Article 13 grants the CNIL, the French Data Protection Authority, the ability to impose additional requirements regarding healthcare data. Additionally, the act lowers the GDPR default age of consent for information society services from 16 years old to 15 years old.
- UK: On May 23, 2018 the UK Data Protection Act 2018 received royal assent and officially replaced the UK Data Protection Act 1998. Section 9 of the act lowered the age of consent for information society services from 16 years old to 13 years old. Under Section 10 and Schedule 1, the exceptions for processing special categories of data are expanded to allow processing for purposes such as employment, social security, substantial public interest, archiving and research. Section 45 provides additional grounds on which controllers may restrict data subject rights and requests, for purposes such as national security or a legal obligation; however, the controller must inform the data subject of the restriction.
If you have any questions about the GDPR or any applicable national derogations, we would be happy to assist you. Our team includes U.S. and EU-trained attorneys experienced with data privacy requirements in the EU and well-versed in the GDPR, the EU-U.S. Privacy Shield self-certification process and the data privacy laws and regulations in individual EU Member States.
Stephan Grynwajc served as a senior in-house attorney for several blue-chip technology corporations (e.g., Intel and Symantec) in France, the U.K. and the U.S., and today, focuses his practice on advising U.S.-based clients on navigating the EU privacy landscape.
Mark Johnson has over 20 years of experience advising clients on data privacy regulations and public policy, and is a former member of the Data Privacy practice group at the international law firm, Squire Patton Boggs in Washington D.C.
Lakshmi Sarma Ramani served as the lead global attorney for privacy matters at The Nature Conservancy, where she also managed a wide range of legal and regulatory compliance matters, including cybersecurity, tax, finance, technology, marketing, membership and fundraising.
This publication should not be construed as legal advice or a legal opinion on any specific facts or circumstances, nor as an offer to represent you. It is not intended to create, and receipt does not constitute, an attorney-client relationship. The contents are intended for general informational purposes only, and you are urged to consult your attorney concerning any particular situation and any specific legal questions you may have. Pursuant to applicable rules of professional conduct, portions of this publication may constitute Attorney Advertising.