GDPR “fit for digital age” asserts European Commission in detailed review report
01 July 2020
JUST OVER two years after it came into being, the European Commission has published an evaluation report on the General Data Protection Regulation (GDPR). The report shows that the GDPR has “met most of its objectives” (in particular by “offering citizens a strong set of enforceable rights and creating a new European system of governance and enforcement”).
The GDPR has proven to be flexible when it comes to digital solutions in unforeseen circumstances, with the COVID-19 crisis serving as a good case in point. The report also concludes that harmonisation across the Member States is increasing, although there’s a certain level of fragmentation that must be continually monitored. The European Commission’s document finds that businesses are developing a compliance culture and increasingly using “strong data protection” as a competitive advantage.
The report contains a list of actions designed to further facilitate the application of the GDPR for all stakeholders, to promote and develop a truly European data protection culture, and to ensure “vigorous enforcement”.
Věra Jourová, vice-president for values and transparency at the European Commission, explained: “Europe’s data protection regime has become a compass to guide us through the human-centric digital transition and is an important pillar on which we’re building other policies, such as those centred on data strategy and our approach to Artificial Intelligence. The GDPR is the perfect example of how the European Union, based on a fundamental rights approach, empowers its citizens and gives businesses opportunities to make the most of the digital revolution. All of us must continue our work to ensure that the GDPR lives up to its full potential.”
Didier Reynders, the European Commissioner for Justice, added: “The GDPR has successfully met its objectives and become a reference point across the world for those countries wanting to grant a high level of protection for their citizens. We can do better, though, as the report duly shows. For example, we need more uniformity in the application of the rules across the European Union. We also need to ensure that citizens can make full use of their rights. In close co-operation with the European Data Protection Board, and in its regular exchanges with Member States, the Commission will monitor progress such that the GDPR can deliver on its full potential.”
Key review findings
The GDPR has been found to enhance transparency and to give individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Today, 69% of the population above the age of 16 in the European Union have heard about the GDPR, while 71% have heard about their national data protection authority. However, more can be done to help citizens exercise their rights, most notably in relation to the right to data portability.
Data protection rules are fit for the digital age. The GDPR has empowered individuals to play a more active role in relation to what’s happening with their data in the digital transition. It’s also contributing towards the fostering of trustworthy innovation, notably so through a risk-based approach and principles such as data protection both by design and by default.
The data protection authorities are making use of their stronger corrective powers. From warnings and reprimands through to administrative fines, the GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources. Many Member States are doing this, with notable increases in budgetary and staff allocations.
Overall, there has been a 42% increase in staff and a 49% uptick in budget for all national data protection authorities taken together in the European Union between 2016 and 2019. However, there are still stark differences in play between Member States.
Room for improvement
Data protection authorities are working together in the context of the European Data Protection Board, but there’s room for improvement. The GDPR established an innovative governance system which is designed to ensure a consistent and effective application of the GDPR through the so-called ‘one-stop shop’, which provides that a company processing data cross-border has only one data protection authority as interlocutor (specifically the authority of the Member State where its main establishment is located).
Between 25 May 2018 and 31 December last year, 141 draft decisions were submitted through the ‘one-stop shop’, 79 of which resulted in final decisions. However, it’s felt that more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to co-operate.
The European Data Protection Board is issuing guidelines covering key aspects of the GDPR and emerging topics. Several data protection authorities have created new tools, including Helplines for individuals and businesses, as well as toolkits aimed at smaller and even micro-enterprises. It’s essential to ensure that guidance provided at the national level is fully consistent with guidelines adopted by the European Data Protection Board.
When it comes to harnessing the full potential of international data transfers, over the past two years the Commission’s international engagement on free and safe data transfers has yielded important results. The Commission will now continue its work on adequacy with its partners around the world.
Data transfer modernisation
In addition, and in co-operation with the European Data Protection Board, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses (the most widely used data transfer tool, in fact). The European Data Protection Board is working on specific guidance for the use of certification and Codes of Conduct for transferring data outside of the EU, which need to be finalised as soon as possible.
Given the European Court of Justice may provide clarifications in a judgement to be delivered on 16 July that could be relevant for certain elements of the adequacy standard, the Commission will report separately on the existing adequacy decisions after the Court of Justice has handed down its judgement.
Over the last two years, the Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. The Commission is committed to continuing this work as part of its broader external action.
At a juncture when violations of privacy rules may affect large numbers of individuals simultaneously in several parts of the world, it’s time to step up international co-operation between data protection enforcers. This is precisely why the Commission will seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement co-operation agreements with relevant third countries.
Also, the Commission has published a communication that identifies ten legal acts regulating the processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences which should be aligned with the Data Protection Law Enforcement Directive. That alignment will bring legal certainty and clarify issues such as the purposes of the personal data processing by the competent authorities and what types of data may be subject to such processing.
Lack of empirical evidence
Stewart Room, global head of data protection and cyber security at DWF, has offered thought-provoking comment on the European Commission’s report. He stated: “The European Commission’s report on the operation of the GDPR provides high praise for its achievements, claiming that it has ‘successfully met its objectives of strengthening the protection of the individual’s right to personal data protection and guaranteeing the free flow of personal data within the European Union’. While it’s certainly the case that the GDPR triggered a huge amount of compliance activity between 2016 and 2018 and lots of news coverage, which undoubtedly helped to raise awareness levels around data protection rights, the lack of empirical evidence to support the Commission’s claims stands out.”
Room added: “A key problem to note is that there’s an absence of such evidence on data protection performance levels under the previous legal regime (ie the 1995 Directive). Therefore, there isn’t a benchmark available to substantiate progress made under the GDPR. In contrast, reports of personal data security breaches haven’t by any means run dry. There are still structural problems in the AdTech environment and, with the ceaseless progression of developments in technology, such as facial recognition and Artificial Intelligence, there have to be doubts about the ability of the law and, indeed, the regulatory system itself to keep up-to-date.”
He concluded: “The GDPR is certainly a good and welcomed innovation, but perhaps we should divorce legislative intent from the realities on the ground, within which there remain serious problems with the resourcing levels of the regulatory offices compared to the work that needs to be done, not to mention low levels of enforcement activity.”