On June 26, 2020, the European Commission (the “Commission” or the “EC”) published an evaluation report (the “Report”) on the first two years of application of the General Data Protection Regulation 679/2016 (“GDPR”).
The Report, entitled “Data protection as a pillar of citizens’ empowerment and the EU’s approach to the digital transition”, shows that the GDPR has achieved most of its objectives: it guarantees EU citizens a solid set of rights and better control over their personal data, which must be processed for a legitimate purpose in a lawful, fair and transparent way; it has created a new European system of governance based on stronger and harmonised enforcement powers for the independent data protection authorities (“DPAs”); and it has strengthened the position of companies operating within the internal market, in an economy increasingly based on the processing of data, including personal data.
The GDPR has also proved to be a flexible tool for supporting digital solutions in unforeseen circumstances such as the Covid-19 crisis, while still ensuring a high level of protection of personal data.
This article provides a brief summary of some aspects of particular interest arising from the Report, concerning both the objectives achieved and the areas identified for future improvement of the GDPR.
Enforcement of the GDPR and the functioning of the cooperation and consistency mechanisms
The GDPR set up an innovative governance system, based on independent DPAs in the Member States and on their cooperation in cross-border cases and within the European Data Protection Board (“EDPB”). The EDPB, composed of representatives of all European DPAs, also works on these governance issues by drafting specific guidelines that address the interpretation and implementation of key aspects of the GDPR as well as emerging issues. As of the end of 2019, the EDPB had adopted 67 documents, including 10 new guidelines and 43 opinions (with 4 further guidelines adopted and one existing guideline updated between January and the end of May 2020).
The Report points out that the DPAs have made balanced use of their strengthened corrective powers and have developed their cooperation through the one-stop-shop mechanism and through extensive use of mutual assistance.
Nevertheless, the EC has consistently stressed the obligation for Member States to allocate sufficient human, financial and technical resources to national DPAs, especially in Ireland and Luxembourg, where the largest big tech multinationals are established and whose DPAs act as lead authorities in many important cross-border cases. Two years after the GDPR became applicable, however, the situation remains uneven between Member States and is not yet satisfactory overall.
Harmonised rules but still a degree of fragmentation and diverging approaches
The GDPR provides a consistent approach to data protection rules throughout the EU. However, it requires Member States to legislate in some areas and gives them the possibility to further specify the GDPR’s provisions. As a result, there is still a degree of fragmentation, notably due to the extensive use of optional specification clauses (for instance, on the age of consent for children).
This fragmentation also creates challenges for cross-border business and innovation, in particular as regards new technological developments and cybersecurity solutions. The Report stresses that such fragmentation requires constant monitoring. Examples include the balance between the right to the protection of personal data and the freedom of expression and information, and the way Member States implement derogations from the general prohibition on processing special categories of personal data, as regards the level of specification and safeguards, including for health and research purposes.
Empowering individuals to control their data
According to the Report, individuals are increasingly aware of their rights: the rights of access, rectification, erasure and portability of their personal data, the right to object to processing, as well as enhanced transparency.
By way of example, the right to data portability has clear potential, not yet fully used, to put individuals at the centre of the data economy by enabling them to switch between different service providers, to combine different services, to use other innovative services and to choose the most data protection-friendly services. This will, indirectly, foster competition and support innovation.
Moreover, data protection rules have so far proven appropriate for the digital age: the GDPR has promoted the active and conscious participation of people in the digital transition and promotes reliable innovation, in particular through a risk-based approach and principles such as data protection by design and by default (the so-called “privacy by design and privacy by default” principle).
Opportunities and challenges for organisations, in particular small and medium-sized enterprises
The Report takes into consideration that (i) applying the GDPR is challenging, especially for small and medium-sized enterprises (“SMEs”), and that (ii) under the risk-based approach it would not be appropriate to provide derogations based on the size of the operator, since size alone is not an indication of the risks that an operator’s processing of personal data can create for individuals. For this reason, the GDPR makes a toolbox available to all types of companies and organisations to help them demonstrate compliance, such as codes of conduct, certification mechanisms and standard contractual clauses.
Moreover, several DPAs have provided practical tools to facilitate the implementation of the GDPR by SMEs with low-risk processing activities. These efforts should be intensified and made more widespread, preferably within a common European approach, so as not to create barriers to the Single Market.
The application of the GDPR to new technologies
The GDPR, having been conceived in a technology-neutral way, is based on principles and is therefore designed to cover new technologies as they develop.
It is seen as an essential and flexible tool for ensuring that the development of new technologies complies with fundamental rights. The data protection and privacy legislative framework proved its importance and flexibility during the Covid-19 crisis, notably in relation to the design of contact tracing apps and other technological solutions to fight the pandemic.
Developing a modern international data transfer toolbox
The GDPR offers a modernised toolbox to facilitate the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. The Commission has been actively engaged with key partners in order to reach “adequacy decisions”: the decision with Japan was reached in 2019, the adequacy process with the Republic of Korea is at an advanced stage, and exploratory talks are ongoing with other important partners in Asia and Latin America. Adequacy also plays an important role in the context of the future relationship with the United Kingdom, provided that the applicable conditions are met.
Besides its adequacy work, the Commission is working, together with the EDPB, on a comprehensive modernisation of the standard contractual clauses, to update them in light of the new requirements introduced by the GDPR. The aim is to better reflect the realities of processing operations in the modern digital economy and to consider the possible need to further clarify certain safeguards. These clauses are by far the most widely used data transfer mechanism, with thousands of EU companies relying on them to provide a wide range of services to their clients, suppliers, partners and employees.
Finally, the Commission highlights the need to continue international negotiations to assess whether non-EU countries meet European standards, and to explore the use of instruments such as international mutual assistance agreements to make the application of the GDPR more effective in these areas.
Promoting convergence and international cooperation in the area of data protection
The GDPR has already emerged as a key reference point at international level and acted as a catalyst for many countries around the world to consider introducing modern privacy rules. This trend towards global convergence is a very positive development that brings new opportunities to better protect individuals in the EU when their data is transferred abroad while, at the same time, facilitating data flows. Building on this trend, the Commission has intensified its dialogue in a number of bilateral, regional and multilateral fora to foster a global culture of respect for privacy and develop elements of convergence between different privacy systems.
However, at a time when privacy compliance issues or data security incidents may affect large numbers of individuals simultaneously in several jurisdictions, cooperation ‘on the ground’ between European and international regulators should be further strengthened. In particular, this requires appropriate legal instruments to be developed for closer forms of cooperation and mutual assistance, including by allowing the necessary exchanges of information in the context of investigations.
Areas for improvement
To realise the full potential of the GDPR, the Report highlights the importance of creating a harmonised approach that reduces regulatory fragmentation, of building a common European culture of data protection, and of fostering a more efficient and harmonised handling of cross-border cases. All this requires interpretative support, and not only from the DPAs; it also requires greater and more effective cooperation between the DPAs, which are invited to make full use of the instruments made available to them by the GDPR.
In light of the above, the Report lists a number of actions, indicated below, which have been identified as necessary to support the application of the GDPR. These actions involve different stakeholders (the Commission, Member States, DPAs, and public and private entities), and the Commission will monitor their implementation, also in view of the next evaluation report due in 2024:
- implementing and complementing the legal framework;
- making the new governance system deliver its full potential;
- supporting stakeholders;
- encouraging innovation;
- further developing the toolkit for data transfers;
- promoting convergence and developing international cooperation.
It is likely that most of the issues identified by Member States and stakeholders will benefit from more experience in applying the GDPR in the coming years. Nevertheless, the Report highlights the challenges encountered so far in applying the GDPR and sets out possible ways to address them; the evaluation and review carried out by the Commission take a broader approach and also address issues raised by various actors during the last two years.
As indicated by the Commission, the GDPR has certainly achieved most of its objectives, strengthening data protection and demonstrating that it can respond adequately to many of the challenges posed by the digital age, and proving to be a flexible tool also in the management of the current pandemic. However, the Commission has stressed that some improvements are necessary, with particular regard to the enforcement activities of the national DPAs in cross-border procedures.
According to the Commission, the European DPAs have not yet made full use of the powers and instruments they enjoy under the GDPR, such as the possibility to carry out joint operations and investigations. Further progress is also needed to make cross-border case management more efficient and harmonised at European level, including from a procedural point of view. The criticisms identified by the Commission echo some of the findings of the EDPB, which had already pointed out that the “one-stop-shop” mechanism requires some improvements, in particular in its practical application. Indeed, applying this mechanism has often proved to be procedurally complex and extremely slow.
As an initial response to these criticisms, the EDPB has published a register in which all, or almost all, final decisions taken under the “one-stop-shop” mechanism will be published, accompanied by an English-language summary, in order to give more visibility to this type of procedure while ensuring greater transparency.