We have been reading some commentaries to the effect that the GDPR (General Data Protection Regulation) needs to be transposed with special legislation adopted in the several EU member states. That there will be legislation is true, but the statement is misleading. Make no mistake: the GDPR is an EU regulation, not an EU directive (as the old privacy Directive 46/1995 was); it applies directly without any adoption or adaptation by the member states. In the EU legal system, a regulation, unlike a directive, “is a binding legislative act. It must be applied in its entirety across the EU.” A directive “is a legislative act that sets out a goal that all EU countries must achieve. However, it is up to the individual countries to devise their own laws on how to reach these goals.” See here. “Regulations have binding legal force throughout every Member State and enter into force on a set date in all the Member States” (here). You can be certain of one thing: on May 25, 2018, the GDPR is in force and failure to implement it in your organization – if you are subject to the regulation – can result in sanctions. (here)
When I read that specific national legislation will be needed, I believe I know what those commentators want to say; still, I am afraid that those statements might generate a misunderstanding in the minds of those organizations that, from May 2018, will be subject to the GDPR: they might be led to believe (especially abroad, where they are not very familiar with EU law) that they could postpone their implementation efforts because the EU member states still have to implement the GDPR. [i] This would be a misguided way of thinking.
What those commentators probably mean – I am pretty sure – is that the GDPR requires action by national legislatures on some matters and there will need to be national legislation. Why?
The reason resides in the relationship between EU law and national law. The GDPR abrogates Directive 46/1995 but cannot abrogate the national law that is “rooted” in the Directive. Because of the preemption mechanism of EU law over national laws, national law that is inconsistent with binding EU legislation (as the GDPR is) becomes inapplicable (principle of primacy of EU law)[ii]: every national judge before whom an issue is brought must declare the inconsistent national law inapplicable and simply apply the EU law; in other words, EU law preempts national law.
However, because the national legislation enacted in the past to implement the Directive is extensive, the mechanism of automatic preemption would be both frequent and somewhat complex. To avoid inefficiencies, national legislators will need to take action and abrogate or modify national privacy law that is inconsistent with the GDPR.
Another aspect on which national legislators have some leeway is criminal sanctions. See GDPR Article 84.[iii] Should a member state fail to legislate about criminal sanctions, the right to compensation and liability[iv] and the administrative sanctions provided by Article 83 of the GDPR[v] are nonetheless applicable.
Also, there are member states, like Italy, in which the national legislature has been particularly active in privacy legislation. Italy has a privacy code that is stricter than the current EU privacy directive. There are also countries (Italy is again an example) in which the privacy rules intertwine with other laws (e.g., employment regulations) or in which the data protection authority has issued rules that are based on the directive (and its national implementation law) but not only on that (Italy again: think of the surveillance camera decisions that are backed up by privacy law but also by employment regulations). Those countries – more than others – will need to issue domestic legislation to reconcile those rules with the GDPR. That doesn’t mean that the GDPR won’t be applicable until that legislation is passed. And it’s better that you don’t count on postponement and start getting ready now.