The Slovenian Personal Data Protection Act (ZVOP-2) proposal – overstepping the GDPR boundaries?
Ever since the proposal of the new Personal Data Protection Act (ZVOP-2) was published online by the Slovenian Ministry of Justice at the end of January, it has been under scrutiny from the interested public – and rightfully so. As the European Union (EU) adopted the General Data Protection Regulation (GDPR) in the form of a directly applicable regulation that does not have to be transposed into national law in order to be effective, the EU’s intention was inevitably to unify the data protection regimes in all Member States (thereby departing from the approach of the Data Protection Directive (95/46/EC) from 1995).
It is true that the GDPR left the Member States with a margin of discretion in regulating some of the aspects of the respective national data protection regimes (e.g. processing in the context of employment, processing of certain categories of sensitive personal data, including data concerning health, processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, obligations of secrecy). The GDPR provides further guidance on the issue by explaining that Member States may, as far as necessary for coherence and for making the national provisions comprehensible to the persons to whom they apply, incorporate elements of the GDPR into their national law. However, that applies only where the GDPR provides for specifications or restrictions of its rules by Member State law (Recital 8 of the GDPR).
It seems that the ZVOP-2, if adopted in the form of the published proposal, would overstep these explicit authorizations granted by the GDPR.
To begin with, the proposal duplicates several GDPR provisions that are sufficiently clear and do not need transposition or interpretation. Examples include the definitions, the principles relating to processing of personal data, the rights of data subjects and the like, all of which are included in the GDPR as well as in the ZVOP-2 proposal. While some provisions of the GDPR are restated verbatim, others are to a certain extent modified, which causes considerable confusion. It seems that in an attempt to make the law regulating data protection as comprehensive and clear as possible, the current ZVOP-2 proposal makes it less so.
Furthermore, the ZVOP-2 proposal regulates various topics differently or in more detail than the GDPR, even where the GDPR does not specifically allow for such specifications or restrictions. For example, the ZVOP-2 proposal specifically regulates direct marketing, which may be regarded as carried out for a legitimate interest according to the recitals of the GDPR; however, as regards legitimate interest as a basis for lawful data processing, the GDPR allows for no such specific regulation. The proposal also specifically regulates video surveillance (which, following the principle of technological neutrality, is not regulated in the GDPR), where similar considerations apply. Other examples of specific regulation by the ZVOP-2 proposal include the age applicable to the child’s consent in relation to information society services (the ZVOP-2 proposal sets the age limit at 15 years, departing from the GDPR’s default option of 16 years) and the processing of personal data of deceased persons (based on Recital 27 of the GDPR).
On the other hand, the ZVOP-2 proposal includes no specific regulation on some issues where pursuant to the terms of the GDPR it could, e.g. on the requirements to designate a data protection officer and on specific limitations for processing of genetic data or data concerning health. The proposal also does not restrict the possibility of processing of special categories of personal data in the private sector on the basis of explicit consent more than the GDPR.
As at the date of this article, the final text of the ZVOP-2 has not yet been confirmed. On 13 March 2018, a new proposal of the act was published as material under examination by the Slovene Government; it does not, however, deviate significantly from what is described above. The Government also stated that certain harmonisation activities with regard to this draft are still ongoing. In the meantime, as preparations for compliance under the new system may require substantial amounts of time and resources, controllers and processors alike are in a less than desirable situation of uncertainty as to whether and how Slovenian law will regulate matters differently from the GDPR. The date of the GDPR’s effectiveness is approaching rapidly, and Slovenian authorities will need to come up with a final solution fast.