Heterogeneity of Data Protection Legislation across the EU

09 September 2021

With the General Data Protection Regulation (GDPR), the European Union (EU) set out to unify personal data protection across all Member States and to ensure that personal data is used proportionately and protected adequately. We took a brief look at how personal data protection legislation still differs across the EU.

The upcoming CyberSec4Europe deliverable on interoperability and cross-border compliance (D3.18) will address issues arising from differing eIDAS and GDPR implementations and from legislative differences between EU Member States, differences that ultimately hamper the completion of the Digital Single Market in Europe.

The data privacy legislation map of the EU at the top of this page presents partial results of D3.18, limited to the topic of GDPR differences between the Member States. The GDPR leaves some parts of the regulation for Member States to define or adjust as they choose. The prime example is the age of digital consent: under the GDPR it is 16 (persons aged 16 and older do not require parental consent), but the regulation allows individual countries to lower it to as low as 13. Member States can also enact additional legislation that builds on top of the GDPR.

To this end, we performed a survey in which we asked the National Supervisory Authority (NSA) of each Member State to provide information on the current legislation in its own state. The information gathering centred on different forms of data (e.g. biometrics) and on national legislation that extends GDPR requirements. The data collected covers the following for each Member State:

  1. Any other legislation on the use of biometrics (other than the GDPR);
  2. Any other specific legislation on privacy, specifically with relation to:
    1. Video surveillance,
    2. Photography,
    3. Anonymisation,
    4. Pseudonymisation, and/or
    5. Audit trails.
  3. Any additional legislation that extends specific sections of the GDPR, specifically with relation to:
    1. Verification of parental consent,
    2. Processing data of the deceased,
    3. Processing of genetic data,
    4. Use of biometric data for the purpose of identification,
    5. Processing of health data,
    6. Processing of data on the sex life of individuals,
    7. Processing of data on sexual orientation,
    8. Erasure of personal data,
    9. Data Protection Officer designation/appointment, and/or
    10. NSA consultations;
  4. Any additional legislation on backing up of data;
  5. Whether or not the use of biometrics is allowed for the electronic acquisition of handwritten signature;
  6. Whether or not the use of biometrics is allowed in a work environment (e.g. opening server rooms with a fingerprint);
  7. The minimum age at which a person can give consent without requiring the consent of a holder of parental responsibility.

We had previously tried to collect the same data from DPOs (Data Protection Officers) and from other project partner employees working closely with, or familiar with, the GDPR. However, the results were very inconsistent: we received widely varying feedback from within the same Member State. This was an obvious problem and an indication that asking individuals, even those who work with the GDPR daily, yields inconsistent data, with no way for us to tell which feedback was accurate. This is the main reason we changed our approach and asked the NSAs for their feedback, even knowing that we would not get every NSA to respond to our queries.

In the survey, we received feedback from 19 of the 27 Member States (Austria, Belgium, Croatia, Cyprus, Czechia, Denmark, Estonia, Finland, Greece, Germany, Hungary, Latvia, Luxembourg, Malta, Poland, Romania, Slovakia, Slovenia, and Spain). The responses were collected between April 2020 and May 2021, after repeated solicitations of the NSAs to participate in the survey.

The feedback was combined into a map of Europe containing the data collected from the NSAs (at the top of the page). The map gives a quick overview of the data: a Member State coloured yellow has a particular rule or piece of legislation, and one coloured blue does not. You can move between topics by selecting the topic under the map. The topics of additional legislation and extensions of the GDPR are a little different in that the colour only tells you whether there is any addition or extension at all; for further details, hover over the Member State you wish to know more about.

The results show that in the majority of cases, Member States do not have additional or specific legislation (topics 1 to 4). This can be seen from the predominantly red colour of the table. The processing of genetic data, the use of biometric data for the purpose of identification, and the processing of health data are the topics most often covered by legislation in addition to the GDPR.
Luxembourg and Malta are the only countries with no additional legislation on any of the topics covered in our survey; every other Member State that responded has at least one topic on which it has legislation other than, or additional to, the GDPR.

Based on the feedback from the NSAs, the Member States with the most additional legislation on the surveyed topics are Finland (15 green fields out of a possible 17 in topics 1 to 4), Spain (14), Hungary (12), Germany (11), and Latvia (11). The use of biometrics for the electronic acquisition of handwritten signatures is allowed in 10 of the 19 countries, an almost even split, while only a handful of Member States do not allow the use of biometrics in a work environment (Germany, Malta, Slovakia, and Slovenia).

The conclusion of the research is that the GDPR is not really a unifying factor for personal data protection compliance across the EU; rather, it is the core, or minimum standard, that must be met in every Member State. In the majority of the countries surveyed, there are many more i's to dot and t's to cross in national legislation before full compliance can be achieved.