So You think You Comply with GDPR? Introducing the National Derogations
We’re just about to celebrate the one-month anniversary of the entry into force of the GDPR, and you’ve done your part to comply. Yet if you think this means you comply with EU privacy laws, think again. In this article we introduce the “National Derogations”.
Background: Regulations v. Directives
We already discussed the difference between regulations and directives when we first introduced the GDPR in a previous article on this blog. For those of you who are not familiar with the ins and outs of EU lawmaking, the EU uses two main instruments to pass legislation: Regulations and Directives. A Directive sets a goal for EU member states but permits each individual member state to determine the means of achieving that goal by way of national laws, which are often quite inconsistent from country to country. Under the previous EU Privacy Directive (95/46/EC) of 1995, organizations that collected or otherwise had access to the personal data of EU residents as part of their business activities were required to know and comply with the data protection law of each of the 28 member states from which EU personal data was collected. A Regulation, in contrast, automatically applies to all EU member states and should not, on paper at least, vary from country to country.
The General Data Protection Regulation (EU) 2016/679 (“GDPR”) is, however, a unique piece of legislation: although it is a regulation, it regulates an area of the law, the protection of personal data, which is a fundamental right of individuals in the EU. As a result, it constitutes a political tradeoff between the overall objective of harmonizing the law that governs the processing of personal data across the EU and the need of EU member states to continue to have a say in more than 50 areas of the Regulation in which they can, under Article 23 of the text, adopt “national derogations”. Ever since the GDPR was published in April 2016, which triggered the two-year period before its entry into force on May 25, 2018, member states have been scrambling to revise their existing law or adopt new national legislation so as to implement those so-called national derogations.
As a result, for organizations processing the data of EU residents to be compliant with EU privacy laws, they must not only comply with the GDPR, but also with any applicable national derogations. Organizations should identify where the data they collect from or about EU residents comes from, and make sure to stay informed and up-to-date on any derogations that apply to such data as they are adopted and implemented.
The National Derogations
Most member states have not yet finalized their derogations, so establishing what it takes to be compliant within the EU will continue to be an evolving challenge. The following list identifies a number of specific provisions subject to derogations and the powers granted to individual member states to pass laws under these provisions. This list does not address all the areas subject to derogations; however, organizations should be particularly aware of these provisions and stay updated as the member states release their derogations:
– Article 9: Processing Special Categories of Data
Processing of sensitive personal data (e.g. health or biometric data) is generally prohibited. Exceptions include where the consent of the data subject has been validly obtained, or where a member state derogation creates additional carve-outs. For example, some member states have adopted derogations allowing sensitive personal data to be used for insurance purposes or scientific research.
– Article 17: The Right to be Forgotten
Data subjects generally have the right to have their personal data erased except under certain exceptions. Member states may impose additional exceptions where data subjects do not have the right to request the erasure of their data.
– Article 22: Automated Decision-making & Profiling
Processing personal data for automated decision-making and profiling is prohibited except under three conditions: (1) it is necessary to perform a contract with the data subject, (2) the data subject has given explicit consent, or (3) the member state has authorized such use. Any member state derogations on this topic must include safeguards to protect data subject rights and freedoms.
– Article 23: Restrictions
This provision grants member states the power to pass national derogations, and provides details and instructions on when and how derogations are permissible, emphasizing that all derogations should “respect fundamental rights and freedoms” of individuals.
Under Article 23(1), derogations must have the purpose of safeguarding one of the following:
- national security
- public security
- criminal proceedings
- the prevention of ethical breaches in regulated professions
- the public interest; specifically, economic or financial matters
- the protection of the judicial process
- the exercise of official authority
- the protection of data subject rights and freedoms
- the enforcement of civil law matters
– Article 32: Security of Processing
This provision places the burden on controllers and processors to ensure secure processing, and states that anyone processing data under a controller’s authority must only do so when clearly instructed by the controller. There is an exception where member states may implement laws that require an organization to process certain data even when not instructed by the controller.
– Article 35: Data Protection Impact Assessments (“DPIA”)
This provision establishes the general requirements under which controllers must conduct a DPIA. Member states may impose additional requirements where they believe a DPIA is necessary. Additionally, the supervisory authority of each member state must establish and publish lists of the types of processing that require a DPIA and the kinds of activities that do not.
– Article 36: Prior Consultation
There are certain circumstances where a controller must consult with their supervisory authority prior to processing due to risks they have identified. Member states may expand and impose additional circumstances where controllers must consult with the authorities.
– Article 37: Data Protection Officers (“DPO”)
This provision establishes the circumstances where an organization must appoint a DPO. Member states may impose additional requirements for appointing DPOs.
– Article 58: Powers
This provision establishes the investigative powers of the supervisory authorities. Member states are granted the power to set procedures for supervisory authorities to access organizations’ premises and equipment. Member states may also expand on supervisory authority powers generally and adopt laws regarding how supervisory authorities may go about issuing opinions or commencing legal proceedings.
– Article 83: Conditions for imposing fines
This provision establishes the processes and circumstances under which supervisory authorities may impose fines. Under Article 83(5)(d), member states may adopt laws that, if infringed, hold organizations liable for administrative fines of up to 20 million euros or 4% of their annual revenue. Member states may also dictate the rules regarding issuing administrative fines against public authorities and bodies within the member state. Additionally, member states may adopt laws determining supervisory authority powers, procedural safeguards, and judicial process.
– Article 84: Penalties
Member states have the power to impose additional penalties for infringement of the GDPR, specifically addressing infringements that are not subject to penalties under Article 83. Member states must ensure that all penalties are “effective, proportionate, and dissuasive” and notify the EU Commission of any laws adopted that impose additional penalties.
– Articles 85-91
These provisions found under Chapter IX provide member states with the power to impose conditions or rules for processing relating to:
- freedom of expression and information (Art. 85)
- public access to official documents (Art. 86)
- national identification numbers (Art. 87)
- employee data (Art. 88)
- archiving for public interest, scientific, historical, or statistical purposes (Art. 89)
- secrecy obligations (Art. 90)
- churches and religious associations (Art. 91)
In conclusion, complying with the GDPR takes more than merely complying with the provisions of the European text. As explained, in more than 50 areas of the GDPR, EU authorities have invited member states to adopt so-called “national derogations” which, judging by some of the national legislation implementing the GDPR that has already come out of the member states, go well beyond the Regulation in those areas. So if you have to demonstrate your continued compliance with the GDPR, please make sure you take legal advice so as to also comply with the applicable national data protection laws in the EU. More information is available in a previous entry on this blog.