Only two out of the 28 EU member states have implemented national laws ahead of the new EU general data protection regulation (GDPR) which enters into force on 25 May.
According to the EU Observer reporting in January, only Austria and Germany have so far amended their legislations.
“If some member states lag behind and do not amend their legislation on time it might cause some problems for the overall functioning of the GDPR across Europe,” EU justice commissioner Věra Jourová was quoted as saying.
Member states will have to reform existing laws to establish data protection authorities, which are independent and sufficiently financed to fulfil their duties.
In September 2017, Luxembourg filed a draft bill complementing the GDPR. According to law firm Allen & Overy, writing on its site in 2017, the bill “extends the existing exception for data processing within the freedom of expression of journalists, artists, and writers, to “academic expression” as well.”
The firm further said that under the bill, “processing for scientific or historical research purposes or statistical purposes, however, is subject to an entire new set of rules. The Bill provides in that respect that a number of rights of the data subject may be limited if they would prevent or seriously hinder the realisation of the research project. A number of requirements are imposed on the data processing for scientific research purposes to guarantee the privacy of data subjects, such as the use of anonymised or pseudonymised data sets, access restrictions or log files. Those additional measures purport to set a minimum standard of protection and any decision not to apply one of the listed measures must be based on valid reasons.”
The GDPR aims to strengthen and harmonise data protection for individuals within the EU and shape the way organisations handle data. Among the list of requirements, companies must provide European customers with a copy of their personal data and delete it at their request.
They must also report data breaches within 72 hours. Organisations which fail to comply with the regulation face hefty penalties. According to Reuters, the regulation is creating a burgeoning new business stream for privacy experts and companies. Reporting in January, Reuters wrote that “companies across the globe spend millions of dollars to comply” with the regulation.