Only Austria and Germany have so far implemented national laws that lay the ground work for the EU general data protection regulation (GDPR), a wide-reaching overhaul of a two-decade old directive.
“If some member states lag behind and do not amend their legislation on time it might cause some problems for the overall functioning of the GDPR across Europe,” EU justice commissioner Vera Jourova told reporters on Wednesday (24 January).
While the regulation is automatically binding as of 25 May, national procedural rules are needed, among other things, to equip data protection authorities with means to ensure people’s privacy is protected.
States will also have to repeal and amend some existing laws and set up national data protection authorities. Jourova said this also entails making sure that data protection authorities are independent and financed enough to carry out their duties.
“I can tell you that all 26 [member states] are in a big rush now,” she said.
Karolina Majzesowicz, a data protection expert at the European Commission, told this website that such missing national rules “could slow down the take-off of the harmonious application and the coherent application of the data protection rules throughout the EU.”
The regulation offers a single set of rules that are required to be applied throughout all EU states and by any company, no matter where it is based, that processes the data of EU citizens and residents.
Breaking the law could incur fines up to €20 million or 4 percent of a company’s worldwide annual turnover.