On 15 January 2018, the Ministry of Digital Affairs (Ministry) held a conference to summarize the outcome of a public consultation on Poland’s draft GDPR implementation law. The consultation invited all citizens and entrepreneurs to express their opinion on the draft law on the protection of personal data, which was released by the Ministry on 14 September 2017.
The public consultation phase ended on 13 October 2017, with over 700 pages of proposals received. More than 400 participants from various industries attended the conference and took to the floor to discuss the new legislation and provide suggested solutions to be incorporated in the law. The Ministry rejected the vast majority of the proposed 641 amendments, giving consideration to just a few of them. Below is the summary of the major issues, which proved to be the most controversial.
Electronic Services for Children Under 13 Years of Age and Consent to Data Processing
The Ministry rejected the broadly supported proposal that the age bar for granting consent in the case of electronic services offered directly to children should be raised to 16 – not kept at 13, as originally proposed. A number of children’s rights organizations argued that children who are under 16 are still very vulnerable to online dangers and, thus, the threshold should be raised to 16 (in line with the provisions of the GDPR). The Ministry rejected this argument, claiming that the GDPR (and hence the draft Polish law) is primarily meant to safeguard children’s personal data from being misappropriated, not to protect children against threats of the information society services as such (i.e. game addiction). Under Polish law, one acquires capacity to perform acts in law at the age of 13 and, accordingly, this should be set the default age. Above this age, parental consent is no longer required for the processing of the child’s data in the context of electronic services offered to that child. Moreover, the Ministry rejected the proposal that the draft legislation should give explicit instructions on how parental consent should be obtained and verified, claiming that this would fall foul of the provisions of the GDPR.
Certificate of Compliance with the GDPR
The Ministry also consider a proposal that certificates of compliance be issued also by private entities (certifying companies) as opposed to the President of the Office for the Protection of Personal Data (POPPD) only. The original draft assumed that the POPPD would be the sole competent authority with the power to issue such certificates. If that were to be the case, data controllers would likely be reluctant to take advantage of the certification tool, for fear of possible repercussions of non-compliance that could surface during the certification process. The Ministry did not support this view, but agreed with the argument that this would cause a significant burden for POPPD, which would be inundated with applications for certificates. Under the modified draft, POPPD and private entities (accredited by the Polish Center for Accreditation) will be able to issue certificates of compliance.
President of the Office for the Protection of Personal Data
Under the current law, the data protection authority (GIODO) is appointed by the Sejm of the Republic of Poland (with the approval of the Senate) from candidates proposed by a group of at least 35 members of the Parliament. This was to ensure that GIODO was politically independent. Under the draft of the new legislation, the Sejm will appoint the data authority, i.e. the POPPD, from candidates chosen by the Prime Minister, who will then appoint the POPPD’s three assistants (deputies) from a group of candidates proposed by the Minister of Interior and Administration and the Minister of Digital Affairs.
The proposal has caused widespread criticism. Many voices were raised doubting the real autonomy of the POPPD with respect to the performance of its tasks and exercising its powers, as set out under the GDPR. The Ministry rejected those accusations and maintained that the choice of the POPPD will not be politically driven and that the supervisory authority will remain free from any external influence.
Exemptions for SMEs
The Ministry wished to incorporate into the draft a number of additional provisions (put forward by the Ministry of Development) intended to exempt micro, small and medium enterprises from the majority of obligations imposed on data controllers under the GDPR. In particular, SMEs with fewer than 250 employees, which do not process sensitive data and do not transfer the data to third parties, would be exempt from the duty to inform data subjects on the rules pursuant to which their personal data is processed. Data subjects would not have to be informed as to the identity of the data controller, the purpose for which the data is collected or the period for which the data is to be retained by the data controller. Moreover, data controllers who pass the above-mentioned three-fold test would not be obliged to notify data subjects of the fact that their data has been misappropriated. The proposed solution is in stark contrast with the core provisions of the GDPR and has been heavily criticized, thus, the Ministry have abandoned the idea. Nonetheless, legislators are still considering the introduction of some exemptions for SMEs, though less broad. What approach the Ministry will ultimately take on this issue remains to be seen.
Entry Into Force
The draft legislation will now go through the process of pre-legislative scrutiny, where it will be considered by parliamentary committees so that the final law on personal data protection can become binding as from April, with enough time left for vacatio legis (period between the promulgation of a law and the time the law takes legal effect). However, the final form of the law remains unknown.