The European Court of Justice has today fined Spain €15 million for failing to implement the Law Enforcement Directive, which it should have done by 6 May 2018 (shortly before the GDPR took effect). Notably, it’s the first time that the ECJ has issued a lump sum fine and a daily penalty for a member state’s failure to implement an EU directive. 

Since the introduction of the GDPR, the enforcement of Europe’s data protection rules has largely focused on private organisations. Today’s judgment shows that national governments are not immune from censure – particularly where they fail to implement the very rules with which organisations are expected to comply. 

Spain had claimed that its delay in transposing the LED was the result of exceptional political circumstances. However, in finding that Spain had persistently breached its obligations under the Lisbon Treaty by failing to bring the LED onto its statute book, the ECJ imposed a concurrent lump sum penalty and daily penalty payments for a member state’s failure to implement an EU directive.

It’s difficult to argue with the court’s conclusion, given that a key aim of the LED is to ensure a consistent level of protection for personal data throughout Europe. Indeed, it’s also likely that the Spanish data protection authority itself would give short thrift to an organisation which argued that its longstanding non-compliance with the GDPR could be overlooked on the basis that it has an unusual corporate governance structure.