History Repeats Itself: Implementation of EU Data Protection Legislation in the Accession Countries

August 31, 2004

May 1 this year was a significant landmark. While colleagues from Prague or Budapest were exchanging congratulatory messages on their entry into what has become the largest single market in the world, the press in the “old” EU echoed the enthusiasm of the accession countries as a breath of fresh air, instilling a sense of optimism and excitement.

This social and political current has been reflected in the experience of privacy lawyers examining the efforts of the new Member States to bring their legal provisions in line with EU data protection standards. The broad conclusion Linklaters and its colleagues drew from their recent survey[1] of implementation in the expanded EU may be summarised simply: exuberance and enthusiasm but one or two substantial hiccups along the way.

1 Accession countries implementation: Overview

In many respects, the adoption of the EU’s data privacy regime has been an enormous success: all the accession countries have implemented the EU Data Protection Directive (the Directive)[2], and the implementation of the Privacy and Electronic Communications Directive[3] (the e-Privacy Directive) has more than kept pace with the EU15.

But those bald facts tell only half the story. Although the accession countries have all nominally implemented the Directive, in doing so they have mis-implemented some of the Directive’s key provisions. Surprisingly, the areas where the most serious of these mis-implementations have taken place are the areas that the EU Commission identified as causes for concern in its report on the Directive’s implementation by the EU15[4] last year: governing law, international transfers and the core definitions of the Directive. Some of those mis-implementations are more serious than others, and two of the accession countries in particular seem to be in danger of enforcement action by the EU Commission for failing to implement the Directives adequately.

Finally, not only have the accession countries adapted some of the provisions of the Directive; they have also attached serious penalties to the new legislation: seven of the ten accession countries provide for jail terms as a possible sanction for breach of their data protection legislation.

These issues are described in more detail below.

2 The status of implementation of the EU data protection regime in the accession countries

The EU Commission was damning of the efforts of the EU15 to implement the Directive. In its 2003 report it stated:

“Serious delays in implementation that occurred in most Member States is the first and main shortcoming which the Commission has the duty to report [and] ... which it unequivocally condemns.”

It should be no surprise then that all the accession countries implemented the Directive before 1 May 2004 (see Table 1), and thus before implementation of the Directive was complete across the EU15.[5] Even in implementing the much more recent e-Privacy Directive, the accession countries have kept pace with the EU15. Only 20% of the accession countries have completely failed to implement the e-Privacy Directive (see Table 1), while 40% of the EU15 countries had failed to do so at the time of writing.[6]

Table 1

Country | Directive implemented on | e-Privacy Directive implemented on
Estonia | 1 October 2003 | 1 May 2004
Lithuania | 11 June 1996 – 1 July 2003[7] | 1 May 2004
Malta | 15 July 2003[8] | 15 July 2003
Slovakia | 1 September 2002 – 1 January 2004[9] | 1 January 2004
Slovenia | 7 August 1999 | 17 January 2003
Cyprus | 23 November 2001 – 2 May 2003[10] | Partially implemented on 2 May 2003
Hungary | 1 May 1993 – 1 January 2004[11] | Partially implemented on 1 January 2004
Poland | 30 April 1998 – 1 May 2004[12] | Partially implemented on 10 March 2003
Czech Republic | 1 December 2000 | No implementation
Latvia | 20 April 2000 – 1 January 2004 | No implementation

(Where two dates are given, the first is the entry into force of the original act and the second that of the latest amendment.)

There are probably more diverse reasons for that than the Commission’s threat to get heavy handed. In a number of jurisdictions there is a genuine enthusiasm for the protection data privacy legislation affords citizens, given their not too distant past. A number of the former communist countries of Eastern Europe have already adopted data protection regimes following the end of the Cold War, backed by enthusiastic regulators willing to exercise their powers (Hungary and Poland in particular, in our experience). In other countries, the speed probably reflects more the seriousness with which they have taken the need to meet the EU Commission’s exacting standards for entry to the EU, and the size of the stakes at risk, than any particular desire to implement a data protection regime. In other words, it would hardly have done to have been turned down for entry to the EU at the last hurdle on grounds of failure to implement a data protection directive. It will be interesting to see how well funded regulators in these jurisdictions are in the next few years.

3 Divergence between the Directive and the accession countries’ implementing legislation

Notwithstanding their formal implementation of the Directive, a number of the accession countries have transposed it into national legislation in a manner which clearly runs contrary to the Directive’s intent. Two accession jurisdictions in particular, Latvia and Slovenia, stand out. Given previous comments by the Commission about similar flaws in the original EU15’s implementation, these two countries run the risk of action by the Commission to require amendments to their existing data protection legislation.

3.1 Governing law

3.1.1 Article 4 of the Directive

Article 4 of the Directive sets out the principles under which Members States’ data protection legislation should regulate activity, and where. The Article was controversial when the Directive was being drawn up, and equally controversial when first implemented by the EU15 Member States. It is easy to see why:

“4(1) Each Member State shall apply the national provisions it adopts pursuant to this Directive to the processing of personal data where:

(a) the processing is carried out in the context of the activities of an establishment of the controller on the territory of the Member State; when the same controller is established on the territory of several Member States, he must take the necessary measures to ensure that each of these establishments complies with the obligations laid down by the national law applicable;

(b) the controller is not established on the Member State’s territory, but in a place where its national law applies by virtue of international public law;

(c) the controller is not established on Community territory and, for the purposes of processing personal data makes use of equipment, automated or otherwise, situated on the territory of the said Member State, unless such equipment is used only for purposes of transit through the territory of the Community.”

[emphasis added]

The passage of time has not made this drafting any easier on the ear or eye; but it does create a very subtle and carefully balanced regime. A couple of points are worth focusing on:

(i) This is a mandatory Article. While many Articles of the Directive offer Member States discretion about what they choose to implement, this is not one of them (“Each Member State shall apply ...”).

(ii) Sub-para (a) imposes data protection rules on establishments in the Member States. Importantly, each Member State is required to deal with processing by establishments (ie more than just places of legal incorporation) within their own borders, but not in other Member States. That affords clarity for each business establishment – comply with the laws in the places where you are established, and you need not worry about the laws elsewhere in the EU.

(iii) Sub-para (c) is an anti-avoidance measure to ensure that businesses which establish themselves outside the EEA, but process data within it, are caught by the regime.

3.1.2 The implementation of Article 4 in the EU15

The operation of Article 4, and particularly 4(1)(a), requires each Member State to take it on trust that every other Member State will implement the Directive adequately. If other Member States did not, then their citizens’ data could be spirited off outside their borders under Article 4(1)(a) and national regulators would have little if any power to exercise control over that extra-territorial processing (even within the EU). A number of the EU15 states, it seems, could not make that leap of faith or, even if they could, decided to use different language from Article 4(1)(a) to raise the possibility that somehow their implementation means something materially different from the original Directive.[13] The consequence is that, in a number of cases, businesses may become subject to data protection rules in Member States where they are not established, or cannot be certain whether they are or are not.

The EU Commission commented in its 2003 report[14] that the implementation of Article 4, “is deficient in several cases with the result that the kind of conflict of law this Article seeks to avoid could arise. Some Member States will have to amend their legislation in this regard.”

3.1.3 The implementation of Article 4 in the accession countries

Given the strong statement in the Commission report, it is surprising that all bar one of the accession countries[15] have chosen to amend the wording of Article 4, a mandatory article, in transposing it into national legislation (see Table 2).

Table 2

Scope of application of the national law (summary of implementation of Article 4)

Cyprus: Applicable in relation to data processing carried out (a) by a data controller established in Cyprus or in a place where Cypriot law applies by virtue of public international law, and (b) by a data controller not established in Cyprus but using equipment situated in Cyprus for purposes other than the mere transit of data.

Czech Republic: Applicable to data controllers established in the Czech Republic and processing personal data in the Czech Republic.

Estonia: Applicable within Estonia. Transmission of personal data through the territory of Estonia for transit purposes (without other processing) is excluded from the scope of the legislation.

Hungary: Applicable to all data processing operations performed in Hungary.

Latvia: Applicable to (a) data controllers registered in Latvia; (b) processing using equipment located in Latvia; and (c) processing performed in territories belonging to Latvia under international agreements.

Lithuania: Applicable to data processing activities in Lithuania.

Malta: Applicable to processing carried out in the context of activities of a data controller established in Malta or in a Maltese embassy or High Commission outside Malta, and to the processing of personal data where the data controller is established outside Malta but uses equipment situated in Malta (other than for mere transit purposes).

Poland: Applicable if (a) the data controller is established or domiciled in Poland and the data are processed in the context of its activities; or (b) the data controller is established outside the EEA but uses equipment in Poland for the processing.

Slovakia: Applicable to processing performed by a controller which has its registered office in Slovakia.

Slovenia: Applicable to data subjects in Slovenia, regardless of the individual’s citizenship or the state of establishment of the data controller/administrator.

The degree of violence done to the wording varies. At one extreme, Poland has implemented Article 4(1)(a) all but exactly as prescribed. The Polish Act on the Protection of Personal Data applies not only to organisations “established” in Poland but also to individuals that are “domiciled” there.[16] The expansion of the wording reflects a theoretical distinction between individuals and legal entities under Polish law, but it raises the slim possibility that individuals running businesses without a place of establishment in Poland, but who do have a domicile there, would fall under that Act when they otherwise would not. At the other extreme, some differences are much more than simply theoretical. Two examples will serve to illustrate the point.

Example 1 – Hungary

The Hungarian Act on the protection of personal data and the disclosure of personal information applies to “all data processing operations within the Republic of Hungary.”[17] The fragile concept of place of establishment on which Article 4 of the Directive is founded is wholly ignored, with the consequence that EU established businesses collecting information in Hungary without a place of establishment there (perhaps via a Web site) will be subject to Hungarian law, as well as the laws of the jurisdictions in which they are established.

Example 2 – Slovenia

The implementation of Article 4 is even more unusual in Slovenia.[18] For starters, the Slovenian law on Personal Data Protection contains no specific provision regarding territoriality. The place of establishment of the data controller is not relevant in establishing whether rights accrue under the legislation. Rather, rights accrue by virtue of where the data subject is located. As a result, every individual in Slovenia (whether a Slovenian or non-Slovenian citizen) is protected under the Slovenian Act, wherever their data is processed in the world.

Attaching rights on the basis of where the data subject lives, in an EU regulatory system that attaches rights to where data controllers are established, has a number of interesting consequences. Clearly the residents of Slovenia are well protected – doubtless the principal concern of the national legislature. Any processing of personal data where Slovenian residents are the data subject is regulated by Slovenian law, whether it takes place in Ljubljana, London or Leipzig. The controllers in London and Leipzig are of course also subject to their own local laws, putting them in a pickle about which Act to comply with. This is far from some obscure oddity of legal theory. The Directive gives national data protection regulators competency in their own jurisdiction to enforce data protection law, “whatever the national law applicable”,[19] specifically contemplating the extra-territorial application of national law provided by the Slovenian legislation. Where the relevant national law is not that of the regulatory authority, they can be requested to bring enforcement action by the relevant national regulator, and the recipient of the request is under a duty to cooperate with that request.[20]

So if a Spanish company processes, in Spain, information about a Slovenian resident without first notifying the Slovenian Ministry of Justice: (i) it is committing an offence under Slovenian law for which it could be fined up to EUR 300,000 (or put in jail for a year, if the controller is an individual); (ii) the Slovenian regulator could request that the Spanish regulator take enforcement action in Spain; and (iii) the Spanish regulator would be under a duty to cooperate with that request.

We have painted an extreme scenario, of course, and Slovenian lawyers would doubtless argue that Slovenian law would be interpreted in the light of the Directive and that the risk outlined above would therefore be remote.

Although the territorial scope of the Slovenian law remains unclear, if the above interpretation is correct, non-Slovenian residents would acquire no rights and processing in Slovenia of personal data of German, French or Italian residents would therefore be largely unregulated.

The approach to jurisdiction taken by the Slovenian law seems inconsistent with the Directive and the approach taken in the rest of Europe. This could lead to the fragile governing law provisions of EU data protection legislation breaking down, with the potential results as outlined above. It is hard to imagine that this anomaly in implementation of the Directive will be overlooked by the Commission.

3.2 International transfers

3.2.1 Articles 25 & 26 of the Directive

As most readers will be aware, the Directive prohibits the transfer of personal data outside of the EU subject to certain exceptions. Some of these exceptions are cumbersome, clearly requiring approval of local regulators. Others, such as exporting to the US to a recipient who is a member of the US Safe Harbor scheme, or to a recipient who is a signatory of a model contract,[21] should in theory at least be much simpler. In the majority of the EU15 countries, using such techniques requires no approval by regulators and as a result the model contracts and Safe Harbor have become increasingly popular for international businesses as a means of sharing information around their global networks.

3.2.2 The implementation of Articles 25 & 26 in the EU15

Within the EU15, however, differences in approach still exist. In the Netherlands, transfers of information overseas on the basis of a model contract cannot commence until a permit has been issued by the Dutch Ministry of Justice.[22] In Spain, the regulator must approve transfers overseas even to Safe Harbor members or on the basis of a model contract[23] – and such approvals are rarely given. It is not clear why such permits and approvals are required when transfers are taking place on the basis of approved contracts or to destinations that have signed up to the Safe Harbor. Such permits and approvals also appear to contravene Article 26(4) of the Directive, which requires Member States to comply with Commission decisions approving standard contractual clauses. Safe Harbor entities with Spanish subsidiaries, in particular, might legitimately wonder why they bothered going to the expense of signing up to the Safe Harbor in the first place.

At the other extreme, the UK has adopted a self-assessment approach to whether destination countries afford adequate protection. It is up to the data controller to make the assessment and, if necessary, adduce additional safeguards by putting in place contractual measures. At no stage in this process is approval from the Information Commissioner’s Office, the UK regulator, required.

The Commission condemned both extremes, noting that:

“Divergences between Member States on the implementation of [Articles 25 & 26] are very broad indeed. An overly lax attitude in some Member States – in addition to being in contravention of the Directive – risks weakening protection in the EU as a whole. ... An overly strict approach, on the other hand, would fail to respect the legitimate needs of international trade and the reality of telecommunications networks.”[24]

The Commission concludes that “more work is needed on the simplification of the conditions for international transfers”, a sentiment with which almost all international businesses would sympathise.

3.2.3 The implementation of Articles 25 & 26 in the accession countries

As with Article 4, all bar one of the accession countries[25] have chosen to retain significant administrative control over transfers of data outside the EEA, including where model contracts are used. This state of affairs is made worse in a couple of cases where administrative requirements are imposed in relation to transfers to other EU Member States as well. Two examples, again, will serve to illustrate the point.

Example 1 – Malta

The Maltese Data Protection Act 2001 does permit transfers of personal data to other EU Member States, but it requires the details of such transfers to be notified to the national regulator. That is clearly not an overly onerous burden, but businesses might legitimately ask, why is this step even required?

Example 2 – Slovenia

Again, Slovenian law diverges most from the Directive. Data controllers transferring personal data of which Slovenian residents are the data subjects must seek prior approval for the transfer from the Slovenian Ministry of Foreign Affairs. One of the criteria (perhaps unsurprisingly, given the concern for the protection of Slovenian residents’ rights evident from Slovenia’s implementation of Article 4) is the protection offered by the recipient’s country for data about residents of other countries. This exhibits a curious double standard, bearing in mind that Slovenian law appears to offer no protection at all to non-Slovenian residents.

Most vexing of all, countries in the EU are given no preferential treatment (the same is true in Latvia). So transfers of personal data to Spain or Denmark will also need approval from the Slovenian Foreign Ministry.

One of the prime purposes of the Directive was to facilitate free trade by enabling the free circulation of personal data within the EU. Ironically, this was one area where the Commission felt the objectives of the Directive had been achieved.[26] The Commission will probably have to revisit that conclusion in its next report, as it seems hard to describe the measures taken by Malta, Latvia and Slovenia as ones that enable free trade. In particular, it seems likely that both Latvia’s and Slovenia’s implementation of Articles 25 and 26 is inadequate and, again, that Commission action may be required.

3.3 Core definitions

The problems in implementation of Articles 4, 25 and 26 are widespread among the accession countries. Other problems regarding core definitions, although equally fundamental, are less widespread but nevertheless worthy of attention.

3.3.1 “Controller”

Article 2(d) of the Directive defines a controller as: “the natural or legal person ... which alone or jointly with others determines the purpose and the means of the processing of personal data”.

The definition is fundamental to any compliance strategy for businesses operating in more than one country, because the vast majority of compliance obligations fall on controllers. Again, this is an area where divergent approaches have been adopted by the EU15, which were identified by the Commission in its report last year.[27]

In the same vein, however, four of the accession countries have adopted definitions of controller materially different to that set out in the Directive.[28] In some cases, the thinking behind the difference is unclear. For example, the Czech definition has four criteria, applying to “any subject which:

(i) determines the purpose of personal data processing;

(ii) determines the means of processing;

(iii) carries out the processing [including by means of a third party data processor]; and

(iv) bears responsibility for such processing.”

The addition of items (iii) and (iv) appears to add little to the Directive’s definition, other than an extra layer of complexity.

Other implementations carry more substantive weight. The Estonian implementation defines as controllers all entities engaged in processing personal data in Estonia, including data processors. Data processors[29] in Estonia, then, are required to implement compliance obligations just like controllers – a concept alien to almost all other EU jurisdictions.

The most far-reaching amendment to the Directive when implemented into national law is, once again, Slovenia’s. The Slovenian legislation defines a data controller as an entity entitled and authorised under Slovene law or by written consent of the data subject to establish, run and supervise the personal database.[30] The application of the data protection principles in Slovenia, therefore, bites directly only on entities which have notified the national regulator of their processing or obtained written consent from the data subject. Failure to notify is of course a criminal offence in Slovenia, and claims for civil compensation may be brought against any entity mis-processing data (data controller or not), so that in the vast majority of cases the practical result will be the same as if Slovenia had implemented the Directive as originally drafted. Which raises the question, why didn’t they?

3.3.2 Special categories of data or “sensitive personal data”

Article 8 of the Directive sets out categories of personal data afforded special protection. This list will be familiar to most readers: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health or sex life, and the commission (or alleged commission) of criminal offences.

Curiously, two of the accession countries[31] have added to that list with the same item: “details of addictions”. Many addictions would clearly fall within the health related category set out in the Directive already: drug addiction and alcoholism, for example. Others, such as gambling or computer games, might not. It will be interesting to see how the Hungarian and Polish regulators interpret this additional restriction over time.

4 Severe penalties for breach in the accession countries

While implementing the Directive, a number of the accession countries have chosen to set out a rigorous regime of penalties (see Table 3). Seven of the ten accession countries have imposed jail terms as a possible sanction for breach of their data protection legislation, a ratio which is almost identical to that in the EU15. All the Baltic States, however, have excluded jail terms from the list of available penalties.

On paper, as with the EU15, these are substantial penalties[32] which will make business take notice. What will be interesting to see is the extent to which the accession regulators also follow the EU15 regulators in largely failing to impose the penalties available to them.

5 Conclusions

No practitioner with a passing concern for data protection expected the accession countries to produce uniform implementations of the mandatory provisions of the Directive. True parliamentary democracies will rarely cede legislative power to that degree. But the sight of such familiar flaws, particularly after the work of the Commission to encourage conformity in these key areas, is surprising and regrettable.

For businesses, the situation is more acute. The divergences in implementation of the Directive mean greater costs for pan-European businesses and greater frustration in achieving compliance. One of the aims of the Directive was to provide a level playing field for businesses across the EU to facilitate cross-border trade. The divergent domestic implementing legislation in EU Member States substantially hinders that purpose, effectively replacing one set of barriers to trade with another. Some businesses may conclude that it is impossible to reconcile their standardised business processes with the inconsistent national data protection regimes within the EU. As a consequence, they may decide to locate key processing hubs elsewhere. Others may be tempted to ignore specific local rules that appear to be inconsistent with the Directives. This, however, would be a high-risk strategy given the harsh criminal penalties that characterise many of the new laws in the accession countries.

Richard Cumbley is a Managing Associate in the ITC Group of Linklaters in London. Tanguy Van Overstraeten is a Partner in Linklaters De Bandt in Brussels and Head of the ITC Group there.

[1] Data Protected: A report on the current status of data protection legislation in the enlarged European Union (The Linklaters Report). Available for free download at www.linklaters.com/pdfs/briefings/ITC_040429.pdf. The report was prepared with the assistance of Schönherr in Austria and Slovenia, Georgiades & Pelides in Cyprus, Gorrissen Federspiel Kierkegaard in Denmark, Raidla & Partners in Estonia, Hannes Snellman in Finland, J. Karageorgiou & Associates in Greece, LOGOS in Iceland, Mason Hayes & Curran in Ireland, Gianni, Origoni, Grippo & Partners in Italy, Klavins & Slaidins in Latvia, Wanger Advokaturbüro in Liechtenstein, Lideika, Petrauskas, Valiunas in Lithuania, De Brauw Blackstone Westbroek in the Netherlands, Mamo in Malta, Wiersholm Mellbye & Bech in Norway and Homburger in Switzerland. The assistance of the Linklaters offices and other contributing firms in the preparation of this article is gratefully acknowledged.

[2] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data [1995] OJ L281/31.

[3] Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector [2002] OJ L201/37.

[4] The First Report on the implementation of the Data Privacy Directive (95/46/EC) – Commission of the European Communities COM (2003) 265 (The “Commission Report”).

[5] The implementation of the Directive in France, the last EU15 Member State to implement the Directive, is due to take place in the summer of 2004.

[6] Belgium, France, Germany, Greece, Luxembourg and the Netherlands.

[7] The Lithuanian Act has been amended on three occasions. See p. 55 of the Linklaters Report for full details.

[8] The Maltese legislation is subject to a number of transitional periods, described in more detail on p. 62-64 of the Linklaters Report.

[9] The Slovakian Act has been amended. See p. 79 of the Linklaters Report for full details.

[10] The Cypriot Act has been amended. See p. 8 of the Linklaters Report for full details.

[11] The Hungarian Act has been amended on several occasions. See p. 35 of the Linklaters Report for more details.

[12] The Polish act has been amended on several occasions. See p. 72 of the Linklaters Report for more details.

[13] See for example the implementations in Greece, Denmark, Austria and Germany. Under Article 3(1) of the Austrian Federal Data Protection Act, UK branches of businesses whose principal office is in Austria are subject to Austrian data protection law as well as the UK law (pursuant to the UK’s Data Protection Act 1998). Conversely, branches of UK businesses in Austria appear not to be regulated by the Austrian law (Article 3(2)), and do not fall within the scope of the UK Data Protection Act either (see the Data Protection Act 1998, s 5).

[14] The Commission Report, p.17.

[15] Malta is the exception.

[16] Linklaters Report, p. 72.

[17] The Linklaters Report, p. 35.

[18] The Linklaters Report, p. 83. The Slovenian law is the oldest unamended data protection act still in force among the accession countries, and that may go some way to explain its current wording.

[19] Article 28(6) Directive.

[20] ibid.

[21] There are two types of such model clauses approved by European Commission decisions (controller-controller transfers under a decision [2001] OJ L181/19 and controller-processor transfers under a decision [2002] OJ L6/52).

[22] Such a permit will usually be granted, but the process will take at least four to nine weeks, see the Linklaters Report, p. 67.

[23] Linklaters Report, p. 88.

[24] The Commission Report, pp. 18-19.

[25] Estonia is the exception. Regulators’ approval for the use of model contracts is required in Cyprus, the Czech Republic, Latvia, Lithuania, Malta, Poland, Slovakia and Slovenia.

[26] The Commission Report, p. 10.

[27] For example, the tests for what constitutes a data controller vary across the EU15. In the UK and Italy, the data controller is the person who determines the purposes and manner of data processing. In Spain, it is the person who determines the purposes, contents and use. The addition of ‘contents’ gives rise to the possibility that a person who purchases a database and who goes on to process the data contained in it is not a data controller, because the contents of the database were determined by the seller and not by it. At the other end of the spectrum, in Austria, it is the person who determines merely the purpose of the processing who is classed as the data controller – a very wide net that will catch far more ‘controllers’ than the systems in the UK and Italy, and more still than that in Spain. See the Linklaters Report, pp. 1, 46, 86 and 95.

[28] The Czech Republic, Estonia, Hungary and Slovenia.

[29] “Authorised processors” under Estonian law, which are defined as being those persons or entities processing data on behalf of data controllers on the basis of an administrative act or agreement.

[30] The Linklaters’ Report, p. 83.

[31] Hungary and Poland.

[32] Sanctions in the Czech Republic can increase to five years’ imprisonment if serious harm is caused by the breach of data protection law, while repeated breaches of data protection law can currently lead to the imposition of an increase of 100% in the maximum fine. The provision under which this increased fine can be imposed, however, is due to be repealed.