Data protection: European Commission decides to refer Spain to the Court for not transposing EU law
Data Protection. The European Commission decided today (25 July) to refer Spain and Greece to the Court of Justice of the EU for failing to transpose the EU rules on personal data protection (the Data Protection Law Enforcement Directive, Directive (EU) 2016/680).
In April 2016, the Council and the European Parliament agreed the Directive had to be transposed into national law by 6 May 2018.
In the case of Spain, the Commission is calling on the Court to impose a financial sanction in the form of a lump sum of € 21.321 per day between the day after the deadline for transposition set out by the Directive expired and either compliance by Spain or the date of delivery of the judgment under article 260 of TFEU, with a minimum lump sum of € 5 290 000and a daily penalty payment of € 89 548.20 from the day of the first judgement until full compliance is reached or until the second Court judgment.
The protection of personal data is a fundamental right enshrined in the Charter of Fundamental Rights of the EU.
The aim of the Directive is ensure a high level of protection of personal data while facilitating exchanges of personal data between national law enforcement authorities.
The Directive lays down rules on the processing of personal data by competent law enforcement authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties.
The Directive also ensures that the data of victims, witnesses, and suspects and perpetrators of crimes are duly protected in the context of a criminal investigation.
At the same time, better harmonised laws also facilitate cross-border cooperation of police, prosecutors and judges to combat crime and terrorism more effectively across Europe. These EU rules contribute to the accomplishment of an area of freedom, security and justice.
The lack of transposition by Spain and Greece creates a different level of protection of peoples’ rights and freedoms and hampers data exchanges between Greece and Spain on one side and other Member States who transposed the Directive on the other side.
Therefore, the Commission opened the infringement proceedings by sending a letter of formal notice to national authorities of the Member States concerned in July 2018 and the respective reasoned opinions -in January 2019.
To date, Greece and Spain have not notified the Commission on the adoption of the national measures necessary in order to transpose the Directive.
The proposal to refer Greece and Spain to the Court of Justice of the EU has been made taking into account that Greece and Spain have not notified any measure transposing the Data Protection Law Enforcement Directive (Directive (EU) 2016/680) into national law.
By failing to adopt all the laws, regulations and administrative provisions necessary to comply with the Directive or, in any event, by failing to notify such provisions to the Commission, Greece and Spain have failed to fulfil their obligations of this Directive.
In practice, under Article 260(3) of Treaty on the Functioning of the EU (TFEU) if a Member State fails to transpose a Directive adopted by the EU legislator into national law within the required deadline, the Commission may call on the Court of Justice of the EU to impose financial sanctions.
They take into account:
– the seriousness of the infringement,
– the duration of the infringement,
– special “n” factor (which varies between Member States and takes into account their Gross domestic product, GDP, in millions of euros and number of seats of the Member State concerned in the European Parliament),
The financial sanctions proposed by the Commission consist of a lump sum payment (to penalise the existence of the infringement itself), and a daily penalty payment (to penalise the continuation of the infringement after the Court’s judgment).