More than a year after the entry into force of the General Data Protection Regulation (RGPD), the final version of the draft law on the implementation of the regulation has now been approved in Parliament, which clarifies some of the issues left open by European legislation.
The proposal presented by the Government has been worked on in the Committee on Constitutional Affairs, Rights, Freedoms and Guarantees, and more specifically in the RGPD Working Group, during the last year, and SAPO TEK has followed the evolution of the texts and the different ideas which were assessed by Members, including the possibility for the Public Administration to have an exceptional regime, for young people to only "own" their consent data from the age of 16 until the extension of the consent period to another 6 months for the companies.
But what has taken so long to pass the RGPD implementing law, which in practice already came into force on May 25, 2018?
Andreia Neto, PSD deputy and coordinator of the Working Group, said today that this time was what was necessary to "not do a hurry work", and explains that all the entities that wanted to pronounce were heard and those that the group understood to be important the theme.
"It is a sensitive and complex issue, hence the constitution of the Working Group", said the deputy to SAPO TEK, saying that a thorough work was done and that it was fruitful and "often with a broad consensus".
Even so, only the PSD and the PS approved the proposal, with the abstention of the remaining parliamentary benches.
Asked about the major changes introduced in this version, Andreia Neto stressed the fact that the difference in the application of fines that existed between public and private entities in the original version of the bill had changed. This was an idea of the Government since the first draft of the law, proposing that the public administration be exempt from fines for three years, which would allow a longer adaptation period than was granted to private entities.
"We have withdrawn the proposal for the replacement text as a matter of principle of equality," she said.
Even so, it is possible for public bodies to request the National Data Protection Commission to exempt a possible fine, in a well-founded way, he explains. But "will be exceptional cases", required in isolation by each entity that is subject to a fine, and evaluated at the discretion of the CNPD, justifies Andreia Neto.
Also the topic of the age of consent of the young people, which was defined in the 13 years, was one of the most debated. Some argued that the maximum ceiling of 16 years should be applied, and among opinions, doubts and opinions, MEPs eventually imposed the minimum threshold, which was also adopted in other countries.
Now the promulgation by the President of the Republic and the publication of the implementing law of the RGPD are lacking so that the regulation can be effectively implemented in an effective way. This despite the CNPD already imposing fines for failures in data protection to public and private entities.