19 EU Member States produced comments to the UE Council in regard to the implementation of GDPR and the process of application of the Regulation.
Here below we will summarise some key points noted by some of the participant countries (excluding notes regarding internal budgets and resource allocation as well as descriptive elements of local efforts).
In general, comments highlight that GDPR implementation is still of its early stages and that professionals 5is sectors like finance) are finding difficult to integrate cultural and organisational changes to comply with the regulatory expectations.
Belgium noted the potential discrepancy between member states given the powers of local data protection authorities and the existence of nationally approved data protection clauses, putting into discussion the risk of holding a non-harmonic approach on country to country basis.
Bulgaria noted similar risk regarding the lack of EU harmonisation as local data protections authorities adapt the regulation to the specific market.
Czech Republic noted the need for clarification of the scope of “national adaptation” in order to avoid different application of rules and recommended to make public best EU practices on data protection to enhance coordination.
Denmark at its turn noted the same margin of adaptation as a strong beneficial poet which allow members to adapt the rules and better focus over the points which are more relevant for the specific jurisdiction.
Germany noted the need for a broader local analysis of the regulatory system, to effectively implement GDPR on a cross sector manner, calling for a larger GDPR systemic implementation project.
In addition, Germany noted the potential benefit of having different regimes applying lighter rules to sectors of the economy which main activity is not the processing of data as well as to small and medium sized business.
Germany called for a clearer definition in regard to the application of the processing under the lawfulness of a legal obligation or upon legal authorisation.
Finally, Germany requesting the drafting of codes of conduct to help practitioners to better comply with the GDPR requirements applicable to their specific industry and defining criteria to be applied for the imposition of administrative measures such as fines.
Estonia requested clarification in regard to the security measures applicable to the processing of data.
Ireland noted the fragmented protection to children’s rights requesting further harmonisation.
France and Slovenia based its comments on the transfer of data outside the union and the need for a more detailed analysis regarding the effective methods for such data transfer in addition to the regime upon reception of data.
Furthermore, France requested mechanisms of cooperation between data protection authorities in order to produce a more effective supervision.
Latvia and Lithuania noted that given the level of implementation and the time elapsed as from the enforcement of the GDPR, the available data is not significant enough to produce proposals for change or to evaluate the implementation.
Luxembourg produced similar conclusions noting that is too early for conclusions, shared some statistical data and noted the robustness of its data protection authority and local data protection regime.
The Netherlands noted the need to converge technology with data protection, making reference to treats such as the role and power of tech companies, big data analyst, profiling and marketing actions and blockchain technologies.
Additionally, the Netherlands noted difficulties on the harmonised application of rules such as consent (and age of consent), certifications, codes of conduct, technicalities and guidance.
Furthermore, major points were analysed regarding profiling and the use of technology to identify products, services and prices which may generate discrimination as a result of tailor-made tools for customer targeting.
After a detailed analysis of those points, it was mentioned the need to address the effectiveness of the available tool in regard to supervisory authorities.
Finally, The Netherlands noted the importance of harmonising the consistency between GDPR and other EU and local rules in order to have a more dynamic and coherent system.
As a recommendation, The Netherlands proposed candidates for adequacy decisions (Singapore, Colombia, Mexico, South-Africa, Serbia, Dubai and in general countries having ratified the modernised Convention 108).
Sweden noted the difficulties in cooperation given the lack of harmonisation on the approach of the national data protection authorities in regard to complaints and to the requirement of “demonstrating compliance”.
In summary, GDPR has a long way to go before being able to assess the effectiveness of its implementation, moreover as countries and cultures are different, making local adjustments significant from country to country and from sector of activity to centre of activity.
significant from country to country and from sector of activity to centre of activity.