European Commission Releases Its First Review of the GDPR

While emphasizing the positive developments, the EC calls for more work to help nations and DPAs better and more uniformly endorse the law.

First things first, if you would like to receive my Technology Policy Update, email me. You can find some of these Updates from 2019 and 2020 here.

The European Commission submitted its two-year review of the General Data Protection Regulation (GDPR) that took effect across the European Union in May 2018. This review was required to occur two years after the new cross-border data protection structure took effect, and the GDPR further requires reviews every four years after the first review has been completed. It bears note the EC opted to exceed its statutory mandate in the report by covering more than international transfers of EU personal data and how well nations and DPAs are using coordination and cooperation mechanisms to ensure uniform, effective enforcement across the EU.

Overall, the EC touts what it frames as successes of the GDPR and calls for EU member states, data protection authorities (DPA), and the European Data Protection Board (EDPB or Board) to address and resolve a host of ongoing issues that make enforcement of and compliance with the GDPR more difficult. For example, the EC flags the resources and independence EU nations are providing their DPAs as a major issue, as many of the regulatory bodies lack the funding, technical capability, and human power to fully regulate the data rights and obligations enshrined in the GDPR. Another issue the EC discusses at some length are the differing national data protection laws, many of which conflict with or not fully implement the GDPR.

In terms of a top-line summary, the EC claimed

  • The   general   view is   that   two   years   after   it   started   to   apply,   the   GDPR   has successfully,  met  its  objectives  of  strengthening  the  protection  of  the  individual’s right  to  personal  data  protection  and  guaranteeing  the  free  flow  of  personal  data within  the  EU.  However  a  number  of  areas  for  future  improvement  have  also  been identified. 
  • Like most stakeholders and data protection authorities, the Commission is of  the  view  that  it  would  be  premature  at  this  stage  to  draw  definite  conclusions regarding the application of the GDPR.
  • It is likely that most of the issues identified by Member  States  and  stakeholders  will  benefit from  more  experience  in  applying  the GDPR  in  the  coming  years. 
  • Nevertheless,  this  report  highlights  the  challenges encountered so far in applying the GDPR and sets out possible ways to address them.
  • Notwithstanding  its  focus  is  on  the  two  issues  highlighted  in  Article  97(2)  of  the GDPR,   namely   international   transfers   and   the   cooperation   and   consistency mechanisms,  this  evaluation  and  review  takes  a  broader  approach  to  also  address issues which have been raised by various actors during the last two years.

Among its other findings, the EC asserted

  • However, developing a truly common European data protection culture between data protection authorities is still an on-going process. Data protection authorities have not yet made full use of the tools the GDPR provides, such as joint operations that could lead to joint investigations. At times, finding a common approach meant moving to the lowest common denominator and as a result, opportunities to foster more harmonisation were missed
  • Stakeholders generally welcome the guidelines from the Board and request additional ones on key concepts of the GDPR, but also point to inconsistencies between the national guidance and the Board guidelines. They underline the need for more practical advice, in particular more concrete examples, and the need for data protection authorities to be equipped with the necessary human, technical and financial resources to effectively carry out their tasks.

The EC called for greater funding and resources for DPAs to enforce the GDPR, especially in Ireland and Luxembourg which serve as the EU headquarters for a number of large technology companies:

Data protection authorities play an essential role in ensuring that the GDPR is enforced at national level and that the cooperation and consistency mechanisms within the Board functions effectively, including in particular the one-stop-shop mechanism for cross-border cases. Member States are therefore called upon to provide them with adequate resources as required by the GDPR.

The EC wrapped up the GDPR review by drawing a roadmap of sorts for future actions:

Based on this evaluation of the application of the GDPR since May 2018, the actions listed below have been identified as necessary to support its application. The Commission will monitor their implementation also in view of the forthcoming evaluation report in 2024.

The EC offered the following as ongoing or future actions to more fully realize implementation and enforcement of the GDPR to be undertaken by EU states, EU DPAs, the EC, the EDPB, and stakeholders in the EU and elsewhere:

Implementing and complementing the legal framework

Member States should

  • complete the alignment of their sectoral laws to the GDPR;
  • consider limiting the use of specification clauses which might create fragmentation and jeopardise the free flow of data within the EU;
  • assess whether national law implementing the GDPR is in all circumstances within the margins provided for Member State legislation.

The Commission will

  • pursue bilateral exchanges with Member States on the compliance of national laws with the GDPR, including on the independence and resources of national data protection authorities; make use of all the tools at its disposal, including infringement procedures, to ensure that Member States comply with the GDPR;
  • support further exchanges of views and national practices between Member States on topics which are subject to further specification at national level so as to reduce the level of fragmentation of the single market, such as processing of personal data relating to health and research, or which are subject to balancing with other rights such as the freedom of expression;
  • support a consistent application of the data protection framework in relation to new technologies to support innovation and technological developments;
  • use the GDPR Member States Expert Group (established during the transitory phase before the GDPR became applicable) to facilitate discussions and sharing of experience between Member States and with the Commission;
  • explore whether, in the light of further experience and relevant case-law, proposing possible future targeted amendments to certain provisions of the GDPR might be appropriate, in particular regarding records of processing by SMEs that do not have the processing of personal data as their core business (low risk), and the possible harmonisation of the age of children consent in relation to information society services.

Making the new governance system deliver its full potential

The Board and data protection authorities are invited to

  • develop efficient arrangements between data protection authorities regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects, building on the expertise of its members and by strengthening the involvement of its secretariat;
  • support harmonisation in applying and enforcing the GDPR using all means at its disposal, including by further clarifying key concepts of the GDPR, and ensuring that national guidance is fully in line with guidelines adopted by the Board;
  • encourage the use of all tools provided for in the GDPR to ensure that it is applied consistently;
  • step up cooperation among data protection authorities, for instance by conducting joint investigations.

The Commission will

  • continue to closely monitor the effective and full independence of national data protection authorities;
  • encourage cooperation between regulators (in particular in fields such as competition, electronic communications, security of network and information systems and consumer policy);
  • support the reflection within the Board on the procedures applied by the national data protection authorities in order to improve the cooperation on the cross-border cases.

Member States shall

  • allocate resources to data protection authorities that are sufficient for them to perform their tasks.

Supporting stakeholders

The Board and data protection authorities are invited to

  • adopt further guidelines which are practical, easily understandable, and which provide clear answers and avoid ambiguities on issues related to the application of the GDPR, for example on processing children’s data and data subject rights, including the exercise of the right of access and the right to erasure, consulting stakeholders in the process;
  • review the guidelines when further clarifications are necessary in the light of experience and developments including in the case law of the Court of Justice;
  • develop practical tools, such as harmonised forms for data breaches and simplified records of processing activities, to help low-risk SMEs meeting their obligations.

The Commission will

  • provide standard contractual clauses both for international transfers and the controller/processor-relationship;
  • provide for tools clarifying/supporting the application of data protection rules to children;
  • in line with the Data Strategy, explore practical means to facilitate increased use of the right to portability by individuals, such as by giving them more control over who can access and use machine-generated data;
  • support standardisation/certification in particular on cybersecurity aspects through the cooperation between the European Union Agency for Cybersecurity (ENISA), the data protection authorities and the Board;
  • when appropriate, make use of its right to request the Board to prepare guidelines and opinions on specific issues of importance to stakeholders;
  • when necessary provide guidance, while fully respecting the role of the Board;
  • support the activities of data protection authorities that facilitate implementation of GDPR obligations by SMEs, through financial support, especially for practical guidance and digital tools that can be replicated in other Member States.

Encouraging innovation

The Commission will

  • monitor the application of the GDPR to new technologies, also taking into account of possible future initiatives in the field of artificial intelligence and under the Data Strategy;
  • encourage, including through financial support, the drafting of EU codes of conduct in the area of health and research;
  • closely follow the development and the use of apps in the context of the COVID-19 pandemic.

The Board is invited to

  • issue guidelines on the application of the GDPR in the area of scientific research, artificial intelligence, blockchain, and possible other technological developments;
  • review the guidelines when further clarifications are necessary in the light of technological development.

Further developing the toolkit for data transfers

The Commission will

  • pursue adequacy dialogues with interested third countries, in line with the strategy set out in its 2017 Communication ‘Exchanging and Protecting Personal Data in a Globalised World‘, including where possible by covering data transfers to criminal law enforcement authorities (under the Data Protection Law Enforcement Directive) and other public authorities; this includes finalisation of the adequacy process with the Republic of Korea as soon as possible;
  • finalise the ongoing evaluation of the existing adequacy decisions and report to the European Parliament and the Council;
  • finalise the work on the modernisation of the standard contractual clauses, with a view to updating them in light of the GDPR, covering all relevant transfer scenarios and better reflecting modern business practices.

The Board is invited to

  • further clarify the interplay between the rules on international data transfers (Chapter V) with the GDPR’s territorial scope of application (Article 3);
  • ensure effective enforcement against operators established in third countries falling within the GDPR’s territorial scope of application, including as regards the appointment of a representative where applicable (Article 27);
  • streamline the assessment and eventual approval of binding corporate rules with a view to speed up the process;
  • complete the work on the architecture, procedures and assessment criteria for codes of conduct and certification mechanisms as tools for data transfers.

Promoting convergence and developing international cooperation

The Commission will

  • support ongoing reform processes in third countries on new or modernised data protection rules by sharing experience and best practices;
  • engage with African partners to promote regulatory convergence and support capacity-building of supervisory authorities as part of the digital chapter of the new EU-Africa partnership;
  • assess how cooperation between private operators and law enforcement authorities could be facilitated, including by negotiating bilateral and multilateral frameworks for data transfers in the context of access by foreign criminal law enforcement authorities to electronic evidence, to avoid conflicts of law while ensuring appropriate data protection safeguards;
  • engage with international and regional organisations such as the OECD, ASEAN or the G20 to promote trusted data flows based on high data protection standards, including in the context of the Data Flow with Trust initiative;
  • set up a ‘Data Protection Academy’ to facilitate and support exchanges between European and international regulators;
  • promote international enforcement cooperation between supervisory authorities, including through the negotiation of cooperation and mutual assistance agreements.

EC staff released a working document more detailed than the EC’s report and broader than the mandate in Article 97 of the GDPR:

Although its focus is on the two issues highlighted in Article 97(2) of the GDPR, namely international transfers and the cooperation and consistency mechanisms, this evaluation takes a broader approach in order to address issues which have been raised by various actors during the last two years.

EC staff highlighted the number and types of enforcement actions, taking care to stress their deterrent effect, in part, perhaps to counter criticism that the fines levied have often been a fraction of the statutory ceiling. Of course, this sort of argument is hard to dispute for how does one prove or disprove a negative (i.e. all the GDPR violations that were averted because regulated entities feared being punished in a fashion similar to entities subject to enforcement actions.) EC staff asserted:

The GDPR establishes independent data protection authorities and provides them with harmonised and strengthened enforcement powers. Since the GDPR applies, those authorities have been using of a wide range of corrective powers provided for in the GDPR, such as administrative fines (22 EU/EEA authorities)10, warnings and reprimands (23), orders to comply with data subject’s requests (26), orders to bring processing operations into compliance with the GDPR (27), and orders to rectify, erase or restrict processing (17). Around half of the data protection authorities (13) have imposed temporary or definitive limitations on processing, including bans. This demonstrates a conscious use of all corrective measures provided for in the GDPR; the data protection authorities did not shy away from imposing administrative fines in addition to or instead of other corrective measures, depending on the circumstances of individual cases.

© Michael Kans, Michael Kans Blog and, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and with appropriate and specific direction to the original content.

Image by Biljana Jovanovic from Pixabay

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s