New GDPR Implementation and Privacy Law in Lithuania
Lithuania’s Law No XIII-1426 of 30 June 2018 amending Law No I-1374 or Law No XIII-1426 for short is a data protection and personal privacy law that passed in 2018. Law No XIII-1426 was enacted in accordance with a provision within the EU’s General Data Protection Regulation or GDPR that mandates that member states draft their own national legislation for the purposes of implementing the provisions and requirements of the law. As such, Law No XIII-1426 sets forth the legal guidelines that individuals and organizations within Lithuania are charged with following when engaging in data processing activities within the country. Moreover, the law also establishes the various punishments that can be imposed against data controllers and processors that fail to comply with the law.
What is the scope and application of Law No XIII-1426?
In terms of the scope and application of the law, Law No XIII-1426 is applicable when:
- Personal data are processed by a data controller or a data processor whose registered office is in the Republic of Lithuania in the course of its activities, regardless of whether the data are processed in the European Union or not;
- Personal data are processed by a data controller established outside the Republic of Lithuania, to whom the laws of the Republic of Lithuania apply in accordance with international public law (including diplomatic missions and consular posts of the Republic of Lithuania);
- The personal data of data subjects in the European Union are processed by a data controller not established in the European Union or a data processor who has been appointed.
- A representative was established in the Republic of Lithuania in accordance with Article 27 of Regulation (EU) 2016/679. to data subjects in the European Union, whether or not the data subject has to pay for these goods or services, or to the monitoring of the behavior of these data subjects when operating in the European Union.
What are the primary differences between Law No XIII-1426 and the EU’s GDPR law?
As it relates to the requirements of data controllers and processors, as well as the rights that are provided to Lithuanian citizens, Law No XIII-1426 and the EU’s GDPR law are largely identical. For example, Law No XIII-1426 mandates that data controllers within the country adhere to the same data protection principles that were set forth in the General Data Protection Regulation. Such principles include but are not limited to ensuring that personal data is collected and processed in accordance with the principles of lawfulness, fairness, and transparency, ensuring that personal data is only processed for specific purposes that are outlined to data subjects at the time in which their data is collected, and ensuring that any personal data that is processed is accurate. However, the two laws do vary as it relates to the legal age of consent regarding data processing.
Under the EU’s GDPR law, the legal age of consent in regard to data processing is set at 16 years old. However, provisions of the law allow EU member states to deviate from this set age when implementing the provisions of the law into the legislation of their particular country. As such, Lithuania’s Law No XIII-1426 of 30 June 2018 amending Law No I-1374 places the legal age of consent concerning data processing at 13 years old, with all individuals younger than 13 needing the expressed consent from their parent or guardian to legally submit their data for processing or collection. Conversely, as is the case with many other data protection laws around the world, Lithuania’s Law No XIII-1426 makes certain exceptions as it relates to personal data that is collected and processed in the context of scientific, research, or public safety needs.
What are the punishments for violating Law No XIII-1426?
In terms of penalties that can be imposed against data controllers and processors who fail to comply with the law, Law No XIII-1426 is enforced by Lithuania’s State Data Protection Inspectorate. As such, the State Data Protection Inspectorate has the authority to levy a number of sanctions against individuals and organizations within Lithuania, which includes a fine of up to €10 million or up to 2% of the total global annual turnover for a business’s previous financial year, whichever amount is higher, to a fine of up to €20 million or up to 4% of the total global annual turnover for a business’s previous financial year, whichever amount is higher, in accordance with the EU’s GDPR law. Furthermore, Lithuanian citizens also have the right to file complaints against data controllers and processors who violate their rights under the law.
As personal data can now be shared instantly via the internet via technology that has never been available before in human history, drafting legislation that addresses the potential issues that can arise from this level of data sharing is of the utmost importance. As such, Lithuania’s Law No XIII-1426 of 30 June 2018 amending Law No I-1374 provides Lithuanian citizens with a means to combat the issues that can arise from unauthorized personal data access, as the law enables said citizens to file complaints against data controllers and processors who violate their rights. Moving forward, many countries around the world will continue to pass similar legislation, with the goal of ensuring that the personal data of all individuals around the world is protected at all times.