Background
On 15 May 2018 the European Parliament organized a cross-committee meeting on the implementation of the GDPR in EU member states. Member states’ parliaments were invited to consult the members of the European Parliaments and the experts present.
In general, the view among the interveners was that that clarity was not provided to the consumers or the companies by the GDPR. Application and interpretation will not be problem-free, but everyone can witness the toughening up of the application of the data protection rules, for example in increasing fines at national level. Also, the work is not over, as many national authorities will develop diverse opinions, which have to be streamlined over time but rather soon.
Important takeaways
There is a general concern about the national implementation of the GDPR as agencies and courts in the member states are not yet prepared. Some MEPs criticized this view by stating that there was almost a two year period given to comply and stressed that the national “implementation” of the regulation is seriously lagging behind. Jan Albrecht, the LIBE rapporteur, emphasized that the core of the GDPR data protection laws is actually something that has been in effect for the last 23 years in the EU states, as the Data Protection Directive (Directive 95/46/EC) on the protection of individuals in regard to the processing of personal data, the first step taken towards the regulation of data protection, was passed in 1995. Thus the success of the GDPR is not in the implementation of entirely new laws and regulations, but rather in the strengthening in enforcement powers of the Data Protection Directive.
The current problem faced by the EU on data protection laws is the enforcement of them, as until now the Member States have all implemented the laws differently causing confusion among consumers and lack of respect for the regulations from companies. By imposing a single legal standard, the EU has made sure that companies now will no longer be able to evade the data protection laws within the EU market. However, MEPs also stated that the lag in implementation is the fault of national administrations, not the European institutions as the diverging national interpretations of the GDPR will not help companies and consumers in implementation.
Parliamentarians from the member states had emphasized that small and medium sized companies have problems and are not ready to apply GDPR. This is strongly supported by the representative of the EU SME union.
National representatives mentioned the issue of upcoming cross-border cases. They stated that national agencies (DPAs) do not feel confident about handling such cases (only 17 responded to a survey that they were indeed confident about the handling of the cross-border comments).
As regards the ePrivacy directive, remarks by certain experts suggest that the best solution would probably be to wait another year before the package is adopted. This is due to strong lobbying pressure by parties not interested in the adoption of the package. The EP would be pressured to adopt a half-ready, half good law. Some MEPs had the view that this is due to the fact that member states are blocking the law in the Council, and the package should be quickly adopted.
What this means for companies
EU companies are trying to provide the same level of protection to all customers involved (also from outside of the EU). Companies are also in the need of a unified and as much harmonized as possible framework and guidance on the application of the law. Currently, this is not the case. It was pointed out that the application of the law is difficult because there are many contradictions in the GDPR. SME trade union asked for a grace period of one year to Commissioners, as it is estimated that the cost of compliance for an SME is approx. 40.000 euros. Companies need to see it as a competitive edge if anybody wants companies to invest. However, some of the national parliamentarians do not support this “poor SMEs” view because most of rules have existed for a long time, companies should not be surprised.
The GDPR is becoming not only the standard for the EU market, but is being adopted globally by various countries. As Albrecht pointed out, according to a study conducted last week in the United States, 69% of American consumers want protection like the kind provided to the consumer by the GDPR in Europe. This means that the new data protection standards being established by the EU are becoming a huge selling point for companies, as companies that can claim GDPR compliance are seen as more trustworthy to the consumer.
Additionally, small companies expressed concern over their struggle to achieve compliance in time, but it was hinted that the first companies to be investigated and sanctioned will be the larger companies that have the resources to achieve compliance and the information to know better than to violate the GDPR regulations. Therefore the larger companies that have been under suspicion for some time now will be the first investigated, while the small to medium companies endeavoring to reach compliance will be helped rather than penalized.
Comments