On July 25, the European Commission referred Greece and Spain to the Court of Justice of the European Union for failing to implement the Data Protection Law Enforcement Directive (Directive (EU) 2016/680) within their own countries. In April 2016, the European Council and the European Parliament had agreed that the Directive had to be transposed into national law by May 6, 2018.

Greece and Spain are the only two nations who haven’t notified the Commission on whether this directive has been transposed through national laws. The European Commission had commenced infringement proceedings against Greece, Spain and 5 other member states (Bulgaria, Cyprus, Latvia, the Netherlands, and Slovenia) in July 2018 by sending a formal notice to respective national authorities. It sent reasoned opinions to the 7 states in January 2019.

European Commission to Court of Justice: Impose financial sanctions on Greece and Spain

The European Commission wants the Court of Justice of the EU to impose financial sanctions on the two nations.

Greece:

  • Lump sum of €5,287.50/day between the day after the deadline for transposition (that is, May 7, 2018) and either compliance by Greece or date of delivery of the judgement; minimum lump sum of €1.3 million, and penalty of €22,169.70/day from day of first judgement until full compliance or second judgement.

Spain:

  • Lump sum of €21,321/day between the day after the deadline for transposition (that is, May 7, 2018) and either compliance by Greece or date of delivery of the judgement; minimum lump sum of €5.29 million, and penalty of €89,548.20/day from day of first judgement until full compliance or second judgement.

Why drag Greece and Spain to Court of Justice?

The European Commission has argued that the lack of compliance by Greece and Spain creates two levels of protection of peoples’ rights and freedoms within the EU. It “hampers data exchanges between Greece and Spain on one side and other Member States who transposed the Directive on the other side”.

European Commission is allowed to take member states to Court of Justice of EU under Article 260(3) of the Treaty on the Functioning of the EU (TEFU) when a member state fails to transpose an EU Directive into national law within the required deadline.

Is this about GDPR?

The Data Protection Law Enforcement Directive is different from the better known General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679). While both deal with the protection of personal data in EU, the former focuses on the “protection of natural persons regarding processing of personal data connected with criminal offences or the execution of criminal penalties, and on the free movement of such data” [emphasis ours]. It preserves EU citizen’s fundamental right to data protection whoever personal data is used by criminal law enforcement authorities for law enforcement purposes. “It will in particular ensure that the personal data of victims, witnesses, and suspects of crime are duly protected and will facilitate cross-border cooperation in the fight against crime and terrorism.” The latter, however, deals with personal data within the commercial and public spheres.