
A report published by the European Commission on the General Data Protection Regulation, which was adopted as a common EU approach to the protection of personal data and is directly applicable in the Member States, shows that it has achieved many of its objectives but needs more work.


The protection of personal data is a fundamental right in the European Union. The General Data Protection Regulation (the GDPR) is a comprehensive and progressive piece of data protection legislation, updated to deal with the implications of the digital age on data protection. It aims to reinforce trust by putting individuals back in control of their personal data and at the same time guarantees the free flow of personal data between EU Member States.

The GDPR has been applicable since 25 May 2018. A year after its entry into force, the European Commission (the Commission) published a report on 24 July 2019 regarding the impact of the GDPR and how its implementation can be improved further. The Commission report concludes that most Member States have set up the necessary legal framework, and that the new system strengthening the enforcement of the data protection rules is becoming a reality, but more work is needed to strengthen its implementation and application.

Now that the GDPR rules are firmly in place, businesses are developing a GDPR compliance culture accompanied by a clear cultural shift towards high data protection standards progressing at international level, while citizens are becoming more aware of data protection rules and their rights. However, only 20% of Europeans know which public authority is responsible for protecting their data. This is why the European Commission has launched a new campaign to encourage Europeans to read privacy statements and to optimise their privacy settings.

Next Steps

While the GDPR has achieved many of its objectives, the Commission's report observes that further concrete steps are needed to strengthen the GDPR and its application. The report sets out the following:

1. One continent, one law

Today, all but three Member States – Greece, Portugal and Slovenia – have updated their national data protection laws in line with the GDPR. The Commission is still dedicated to monitoring Member State laws to ensure that national laws remain in line with the GDPR. Otherwise, the Commission states in the report that it will not hesitate to use the tools at its disposal, including infringements, to make sure Member States correctly transpose and apply the rules.

2. Businesses are adapting their practices

Compliance with the Regulation has helped companies increase the security of their data and develop privacy as a competitive advantage. The report states that support for the GDPR toolbox, such as standard contractual clauses, codes of conduct and the new certification mechanism, will continue in order to facilitate compliance by businesses. In addition, the Commission makes clear in the report that it will continue supporting SMEs in applying the rules.

3. Stronger role of data protection authorities

The Regulation has given national data protection authorities more powers to enforce the rules. During the first year, national data protection authorities have made use of these new powers effectively when necessary. Data protection authorities are also cooperating more closely within the European Data Protection Board. By the end of June 2019, the cooperation mechanism had managed 516 cross-border cases. The Board should step up its leadership and continue building an EU-wide data protection culture. The Commission also encourages national data protection authorities to pool their efforts, for instance by conducting joint investigations. The European Commission states in the report that it will continue to fund national data protection authorities in their efforts to reach out to stakeholders.

4. EU rules as reference for stronger data protection standards across the globe

As more and more countries across the world equip themselves with modern data protection rules, they use the EU data protection standard as a reference point. This upwards convergence is opening up new opportunities for safe data flows between the EU and third countries. As reiterated in the report, the Commission intends to intensify its dialogues on adequacy, including in the area of law enforcement. Beyond adequacy, the Commission aims to explore the possibility of building multilateral frameworks to exchange data with trust.


In line with the GDPR, the report noted that the Commission will report on its implementation in 2020 to assess the progress made after two years of application, including on the review of the 11 adequacy decisions adopted on the basis of Article 25(6) of Directive 95/46/EC to ensure an adequate level of protection when transferring personal data to a third country or an international organization.

Since its entry into force, nearly all Member States have adapted their national laws in the light of the GDPR. The national Data Protection Authorities are in charge of enforcing the new rules and are better coordinating their actions through new cooperation mechanisms and the European Data Protection Board. They are issuing guidelines on key aspects of the GDPR to support the implementation of the new rules.

A lot has happened since the GDPR’s entry into force. Companies’ perspective on handling personal data has fundamentally changed, and residents of the EU have been empowered to control their personal information as they wish and to engage in the digital world safely and freely.

The full report can be found at the link below:

For more information please visit our Data Protection & Cyber law team.


Eleni Neoptolemou (associate), Munevver Kasif (junior associate)

Data protection & Cyber Law
