The European Union (EU) Commission decided to refer both Greece and Spain to the EU Court for not transposing the Data Protection Law Enforcement Directive, Directive (EU) 2016/680 into national law.
On 25 July, the European Commission called upon the Court of the European Union to punish Greece with a penalty of €5,287.50 for each day between 6 May 2018, the deadline of transposition which it failed to meet, and either the day when the country achieves compliance or when the Court issues its first judgment under Article 260(3) TFEU. This punishment schedule will produce a minimum lump sum of €1,310,000. If it still hasn’t achieved compliance by this stage, Greece will incur a daily penalty of €22,169.70 beginning on the day of the first judgment and ending when it’s either achieved compliance or when it receives a second Court judgment.
The fines will be even higher for Spain. Leading up to when Spain achieves compliance or when the Court hands down its first judgment, the country will face a daily penalty of €21,321 stretching back to the transposition deadline. This punishment will amount to a lump sum of at least €5,290,000. If still non-compliant, Spain will face a daily penalty payment €89,548.20 from the day of the first judgment until it achieves compliance or until the Court hands out a second judgment.
These penalties all reflect the fact that neither Greece nor Spain have notified the Commission of their adoption of national measures designed to transpose the Data Protection Law Enforcement Directive, Directive (EU) 2016/680. The European Commission sees this failure to transpose the law as a problem, for it creates different levels of data protection among and hampers data exchanges between EU member states. As the Commission explains in a press release:
The protection of personal data is a fundamental right enshrined in the Charter of Fundamental Rights of the EU…. The Directive lays down rules on the processing of personal data by competent law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties. These EU rules contribute to the accomplishment of an area of freedom, security and justice.
In July 2018, the Commission opened the infringement proceedings against Greece and Spain by sending a letter of formal notice to these countries’ respective national authorities about the transposition failures. It then sent its reasoned opinions about their continued non-compliance in January 2019. Those opinions are available here.
These forthcoming penalties highlight the the importance of all concerned entities, from organizations that handle EU citizens’ data to member states like Spain and Greece, achieving and maintaining compliance with data protection laws including the General Data Protection Regulation (GDPR). Learn how Tripwire can help in this regard.