The Slovenian toothless GDPR tiger
Slovenia remains the only EU Member State that has still not passed a national act implementing the GDPR. Such an act is necessary because administrative fines are not part of the Slovenian legal system. As a result, the Slovenian Information Commissioner has been a “toothless tiger” for almost three years.
Not adopting a new national Data Protection Act is neither the first nor the only big mistake made in the last five years. The root of the problem is that Slovenia did not ask, during the GDPR law-making process, for an exemption from implementing administrative fines in its national legislation. Slovenia has neither the procedural nor the substantive law that would provide the tools for imposing administrative fines. The administrative fines laid down in the GDPR did, on paper, become applicable on May 25, 2018. There is just one “minor glitch”: there is no competent body to impose them. The Information Commissioner, known before the GDPR as one of the strictest and most efficient supervisory authorities in the EU, has in fact become a toothless tiger.
The consequences are well known. The level of data protection compliance dropped sharply after the media boom of May 2018. Since there are no fines, controllers (especially SMEs) rely heavily on that fact and do not put effort or money into GDPR compliance. Just open a few Slovenian websites and read their cookie banners, or their privacy policies. While DPAs elsewhere in the EU already impose high administrative fines on controllers for failing to comply with Article 13 of the GDPR or with the CJEU’s judgment in Planet49 (C-673/17), the Slovenian Information Commissioner has imposed a total of zero (0!) GDPR fines. Even more concerning, not even a court can impose administrative fines pursuant to Article 83(9). This is, again, because the legal system of the Republic of Slovenia does not recognise or regulate the concept of administrative fines.
The situation is starting to look bizarre, almost ridiculous. Slovenia has become a GDPR “tax haven”, and that is not funny at all. The largest companies, which invested considerable financial resources in GDPR compliance, now ask themselves whether that was a waste of money. Being privacy-friendly is still one of the goals of socially responsible and sustainable companies, with or without a national implementing act providing for administrative fines; however, they suffer from unfair competition by rivals that ignore the GDPR. Companies are being pushed to deliberately break the cookie rules and the GDPR because their competitors use, for example, Google Analytics without the user’s prior consent and so obtain more and better market data. SMEs in particular cannot afford to act socially responsibly and sustainably if their competition will push them out of the market before high fines force it to comply.
It was the data protection ‘professionals’ with their marketing strategies who drove companies to work towards GDPR compliance; however, their inflation has not contributed to raising the data protection standard in the country but, unfortunately, quite the opposite. What happened in 2018 was the emergence of a large number of self-proclaimed data protection experts who had merely read the GDPR once and had never worked a day in the field of personal data protection. In recent years the number of private companies advertising personal data protection services has exceeded 200, an alarming signal in a country of 2 million inhabitants. The level of professionalism among DPOs and the conditions they work in are devastating. I believe this is also a consequence of the lack of the implementing act. Not appointing a DPO, appointing an inadequately educated DPO with no experience in data protection, not ensuring the working conditions for the DPO that the GDPR requires, or outsourcing to a DPO who also acts as DPO for 249 other controllers: this is, unfortunately, the reality in Slovenia. These sorts of data protection experts have contributed to the degradation of the field in a country which, as I mentioned above, was before the GDPR one of the leading best-practice examples in the EU. Now these ‘experts’ are reinventing long-established personal data protection concepts in the most inappropriate forms, with no sign of any responsibility to bear.
Another consequence of the ‘no law’ situation is that there are no certification mechanisms in place in Slovenia. This puts Slovenian companies in an inferior competitive position on the EU and global markets. They can, of course, obtain certification in other EU countries, but then they face the language barrier, higher costs due to distance and, when the certification is meant for operating on the Slovenian market in specific fields (e.g., health or labour law), the problem that national sector-specific regulation is not taken into account.
I would hate to be pessimistic and predict that the damage done is irreparable; however, I do advocate additional pressure on the government of the Republic of Slovenia to pass a law. It could be just a simple act designating the competent bodies and laying down the procedure for issuing administrative fines. It could in fact be as simple as that. The longer we wait for the law, the more damage will be done, the more remedial measures will have to be taken, and the longer it will take to return to the level of data protection we had before ‘the GDPR raised the bar and the stakes’.
Why still no national law?
I do not have the answer to this question. Two drafts were presented to the public, but both were, rightly, broadly criticised for contravening the GDPR. The Slovenian legislator just cannot step out of the logic of the 2004 national Data Protection Act. For instance, in both drafts the legal bases for the public and private sectors were regulated separately, and certain legal bases were given priority over others. Referring to my above observations on the quality of data protection experts in Slovenia, the lack of appropriate human resources was officially acknowledged in the proposals, which provided for exemptions from the professional standards the GDPR requires of an appointed DPO. Unfortunately, nobody at the national level thought of the problem in the preceding years and acted accordingly, perhaps with government-funded education programmes?
Nevertheless, the first draft almost passed in parliament, but the process was abandoned because the government resigned. The second draft did not come anywhere close to being filed with the members of parliament; in this case, the reason was the large number of comments received. And then … COVID-19 spread.
As I recall, the European Commission has warned Slovenia at least twice so far for not implementing the Data Protection Act. The result? Status quo. Who’s kidding and who’s crying in the EU internal market?