On 24 June 2020, just over two years after the regulation's entry into application, the European Commission (Commission) published its first evaluation report on the General Data Protection Regulation (GDPR).
The Commission’s report argues that, generally, GDPR has successfully met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement. It also, however, identifies a number of areas for improvement.
The key findings of the GDPR review, suggesting areas in which there is room for improvement, are the following:
Fragmentation: The report highlights the areas in which the Commission has seen fragmentation among Member States in application of the law. The Commission also acknowledges that while guidelines from the European Data Protection Board (EDPB) have been welcomed, issues have been raised in relation to inconsistencies between EDPB guidelines and guidance issued nationally. The Commission states, however, that given the limited practical experience that has been gained so far and the fact that sector-specific legislation is under revision in many Member States, definitive conclusions on fragmentation could not yet be drawn. In the future, the Commission recommends that Member States consider limiting their use of specification clauses in a way that could create fragmentation and prevent the free flow of data in the EU.
Enforcement: The report notes that data protection authorities (DPAs) are making use of their stronger corrective powers; however, they need to be adequately supported with the necessary human, technical and financial resources. The report acknowledges that many DPAs have seen budgets and employee numbers grow over the past two years, but the imbalance in the resource allocation between Member States is not satisfactory.
Technology: GDPR has empowered individuals to play a more active role with regard to their data in the digital transition and contributed to the fostering of trustworthy innovation. The Commission foresees issues arising with respect to the use of emerging technologies and invites the EDPB to issue guidelines in areas such as artificial intelligence, blockchain and other possible technological developments. The report also highlights that GDPR has been flexible enough to support digital solutions in unforeseen circumstances such as the COVID-19 crisis.
Cooperation between DPAs: The GDPR established an innovative governance system which is designed to ensure a consistent and effective application of the GDPR through the so-called ‘one stop shop’, which provides that a company processing data cross-border has only one data protection authority as interlocutor, namely the authority of the Member State where its main establishment is located. However, more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate.
Data Subject Rights: GDPR enhances transparency and gives individuals enforceable rights, such as the rights of access, rectification, erasure and objection, but more can be done to facilitate the exercise of data subject rights, particularly the right to data portability.
International Data Transfers: The Commission’s international engagement on free and safe data transfers has yielded important results. The Commission will continue its work on adequacy with its partners around the world. In addition, and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool. The EDPB is working on specific guidance on the use of certification and codes of conduct for transferring data outside of the EU, which need to be finalised as soon as possible.
International cooperation: The Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. According to the report, the Commission is committed to continuing this work as part of its broader external action.
In addition, the Commission has also published a Communication that identifies ten legal acts regulating processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences which should be aligned with the Data Protection Law Enforcement Directive.
The next GDPR evaluation report will be produced in 2024 and at four-year intervals going forward.
The full report is available here.