Bulgaria has become the latest European Union member to fully adopt the bloc’s comprehensive privacy regime and is positioned to be a lead data enforcement authority there, attorneys told Bloomberg Law.
The Bulgaria Personal Data Protection Act, approved Feb. 26, is more stringent than the EU’s General Data Protection Regulation, and Bulgaria’s data protection office is poised to broaden its enforcement under the new implementation law, attorneys said. While the GDPR took effect in May 2018, individual EU nations must enact the law on their books and can make some changes, called derogations.
The law generally follows the main tenants of the GDPR, such as transparency, fairness, accuracy, and increased consumer rights in business data collection efforts. Bulgaria’s act provides stricter protections on some data collection practices that protect freedom of speech and the right to information, broadens the definition of personal data, and clarifies restrictions on data access in criminal investigations.
The Bulgarian law “introduces 10 criteria for estimation of the balance between freedom of speech/right of information and the protection of personal data” when such information is publicly available, Mitko Karushkov, privacy partner at Kambourov & Partners and head of the firm’s technology, media, and telecommunications group in Sofia, said. The law also creates special protection provisions for employment data, recruitment data, and data from children and identification cards, he said.
Bulgarian lawmakers made the changes in the country’s implementing law because they are typical “Bulgarian data processing habits,” Karushkov said.
The Bulgarian Data Protection Authority, charged with enforcing the law, will likely target financial services, e-commerce, and telecommunications sectors, privacy attorneys said. The increased focus could lead to billion in fines. The GDPR allows privacy enforcement agencies to bring fines up to 4 percent of annual revenue or 20 million euros, whichever is greater.