The European Commission has published a report on the GDPR, two years after the new data protection rules started to apply across the EU. The report is positive about the success of the GDPR, concluding that the rules “empower citizens and are fit for the digital age” - but it also makes several suggestions for improvement.

The European Commission published its evaluation report on the effectiveness of the General Data Protection Regulation (GDPR) in June 2020, after two years in force. In short, it concluded that the GDPR has been a success, meeting its objective of balancing individuals’ protection with maintaining the free flow of personal data within the EU. It modestly praised the EU’s leadership in adopting the GDPR, terming it a “global standard-setter” due to the myriad of countries following its example.

The report also recognised the timeliness of the GDPR, particularly its use as a framework for the Commission’s key priorities of a “Europe fit for the digital age” and the “European Green Deal”, empowering individuals in an economy and society rapidly embracing technology in the post-Covid age.

However, the Commission recognised the need for improvement in various areas. The report sets out the following challenges and suggested solutions:

  • Enforcement

    While fines have been issued and awareness raised, the Commission recognises that the ultimate objective of the GDPR is “to change the culture and behaviour of all actors involved”. The “one-stop-shop” mechanisms which enable cooperation and consistency between data protection authorities have been praised, but the Commission notes that consistency has not yet been achieved. It argues that progress is needed to achieve efficient and joint handling of investigations, particularly in cross-border cases.

    The solution? More practical advice, particularly concrete examples, to clarify inconsistencies in guidance. Member states should meet their obligations and provide the data protection authorities with sufficient resources.

  • Fragmentation and diverging approaches

    Despite all EU member states having adopted or been in the process of adopting their national data protection law (except Slovenia), there are still inconsistencies because the GDPR allows member states to include their own national-specific provisions. Along with the divergence from the idea of a “genuine single market for data”, this is a problem that is key to the Commission’s focus on cross-border transfers.

    The solution? The proper balancing between the rights to protection and rights to freedom of expression and information must be provided for by law, and the Commission will continue its assessment of national legislation. Mapping approaches and establishing codes of conduct are suggested as the first steps to achieving this.

  • Empowering individuals

    The Commission notes the GDPR’s success in raising individuals’ awareness of their rights, demonstrated by developments such as representative actions, but it also notes that the right to data portability is not being fully utilised. A lack of standards enabling data provision in a machine-readable format is key to this problem. This has a knock-on effect of potentially reducing “data altruism”, where individuals allow the use of their data for the public good.

    The solution? Designing appropriate tools, standardisation formats and interfaces that can be used throughout the EU.

  • Small and medium-sized enterprises (SMEs)

    Application of the GDPR can be more challenging for SMEs, particularly due to disproportionate costs. However, a risk-based approach does not allow for derogations based on size, because the size of an organisation is not indicative of the risks of processing to individuals.

    The solution? The use of practical tools such as templates for data-processing contracts and records for processing activities, plus seminars and hotlines for SMEs. Codes of conduct tailored to SMEs should be issued and a “common and ambitious approach” should be taken as regards certification schemes, especially in the areas of security and data protection by design.

  • New technologies

    Being “technology neutral” by design, the GDPR is intended to cover new technologies as they develop. The Commission notes the GDPR’s success in its application to the technology that has emerged from the Covid-19 crisis but recognises that “future challenges lie ahead” in the form of AI, blockchain, the Internet of Things and facial recognition technology.

    The solution? Strong and effective enforcement of the GDPR; recognition of and readiness for emerging issues such as micro-targeting; and financial support for the drafting of EU codes of conduct in the area of health and research.

What next?

The solutions offered by the Commission seem practical and reasonable, but each requires the investment of time and money.

We can see from the progress that the ePrivacy Regulation is making (or failing to make, as the proposal was originally adopted in January 2017) that the political institutions of the EU have bigger fish to fry than the streamlining of GDPR processes. Work has been stalled by the coronavirus pandemic. A new presidency, Brexit negotiations, and a financial package for those economies most badly affected by Covid-19 are likely to be at the top of the priority list.

This was the first report by the Commission reviewing the effectiveness of the GDPR. It will be interesting to see how much progress has been made by the time of the second report, which is expected in two years’ time.
