Sent to subscribers in May 2018

It is just a few weeks before the May 25, 2018, deadline to implement the General Data Protection Regulation (GDPR), and it seems that the privacy and data protection world is frozen. The Member States of the European Union and European Economic Area have not done much to take advantage of the numerous GDPR provisions that allow Member States to draft additions and adaptations to the GDPR. Austria, Germany, and Belgium are the exceptions.

Germany has added numerous changes to the GDPR. One of the most significant additions is the obligation for companies to appoint a data protection officer if (1) at least 10 persons in the organization deal with automated processing of personal data or (2) the company is required to conduct data protection impact assessments. The German additions to the GDPR also grant significant supplemental powers to the supervisory authorities. Austria has expanded the scope of the provisions that give individuals the ability to be represented by a non-profit organization that focuses on data protection issues to allow such mechanism to be used for actions not only against organizations but also against the supervisory authority.  Austria has also identified 14 as the age of consent.

In addition to Germany and Austria, Belgium has developed its local additions to the GDPR.  In the case of Belgium, the changes have focused on establishing a Data Protection Supervisory Authority and providing it with supervisory powers and punitive functions.  The Belgian additions to the GDPR grant the Supervisory Authority the power to give warnings, work on investigations, and impose administrative fines.

A few other Member States have developed drafts but, as we go to press, have not achieved finalization. These include, for example, France, Ireland, Latvia, the Netherlands, Spain, and the United Kingdom. The remainder of the European Union and European Economic Area Member States have not made any tangible progress.

While not a member of the European Union or European Economic Area, Switzerland is also in the midst of changing its data protection law to keep up with the changes that result from the passage of the GDPR and that affect the remainder of Western Europe.  The Swiss parliament, however, has not yet published a draft. The word is that a draft should be coming soon.