National measures of GDPR asap. Why are we late again?
Originally published: www.huffingtonpost.gr (in Greek)
Date: 3/09/2019
Republished: newspaper “Estia” (“GDPR and emergency procedure: Who is to blame?”) (in Greek)
Date: 8/11/2019
On Monday, August 26, 2019, the new law on personal data was passed by the Greek Parliament. This is an important legislative text with a dual content. First, special measures were adopted to implement EU Regulation 2016/679, also known as the GDPR. Secondly, EU Directive 2016/680 on the processing of personal data by law enforcement authorities, in particular the police authorities, known as LED, was transposed. Apart from the content of the new law, which will surely occupy us in the future, there was a great deal of discussion regarding the option to introduce the bill in Parliament under the emergency procedure in accordance with article 76 par. 4 of the Constitution and Article 109 of the Rules of Procedure of the Parliament. This resulted in a very rapid and consequently limited discussion on the bill, obviously inconsistent with its importance. The question which arises, therefore, as to the procedure chosen is clear. Who is to blame?
The answer to the above question is connected with another sad modern Greek record of delays. The GDPR, which was adopted in April 2016, as an EU Regulation, is directly applicable as early as May 2018, without the need to adopt a national law. Nevertheless, the new Regulation is original in that it provides for a number of cases where the national legislature is required to adopt more specific measures. In this context, on February 20, 2018, i.e. approximately 22 months from its adoption and 3 months before the commencement of its application, a relevant bill on specific measures for the implementation of the GDPR was put to public consultation. This was the work of a special legislative committee set up in June 2016. The abovementioned ambitious bill also sought the incorporation of LED, similarly about 22 months after its adoption and 3 months before the expiration of the relevant transposition deadline, which was set for May 6, 2018. In this way, the fate of the national law concerning the GDPR was linked to the fate of the transposition of LED.
The completion of the public consultation on the above bill on March 5, 2018, unfortunately, had as a result that not all comments were taken into account and that the bill was rapidly submitted to Parliament. On the contrary, after many months, by virtue of a ministerial decision issued in November 2018, the composition of the special legislative committee was changed and the completion of its work was extended until December 31, 2018. With a new ministerial decision issued in January 2019, the composition of the special legislative committee was changed once again and a new extension of the completion of its work was given until February 28, 2019, when a second bill was prepared, but without being put to a public consultation. All this while more than 32 months had already passed from the time of adoption of the GDPR and LED, as well as more than 7 months from the commencement of application of the GDPR and the expiration of the deadline for the transposition of the LED.
In the face of this shocking slowness, it was certain that the European Commission would not remain inactive. Thus, after a warning letter was sent to the competent authorities in July 2018 and a reasoned opinion in January 2019, i.e. a request for compliance, on July 25, 2019, Greece was referred to the EU Court for untimely transposition of the LED. In this context, the European Commission has called on the EU Court to impose heavy financial sanctions on us, i.e. a huge fine, especially taking into account the current financial situation of the country. The same fate was reserved by the European Commission only for one more Member State. In addition to the issue of the fine for the untimely transposition of the Directive, a similar situation in terms of delays existed regarding the national measures for implementing the GDPR, with Greece being one of only two Member States that had not yet adopted them.
In the above circumstances, the adoption of the emergency procedure for the specific measures implementing the GDPR seems to have been inevitable, given that: a) its connection to the LED had already taken place in the existing draft law, and any attempted to split them would mean a significant setback, b) the threatened financial sanctions should have been blocked and c) the delays had exceeded all tolerable limits. As for the answer to the question “Who is to blame?”, in the light of the above it is more than obvious.