GDPR 2-year review: progress across EU, but more needed
Photo © Anterovium - Fotolia
(BRUSSELS) - Two years on, the General Data Protection Regulation has met most of its objectives, with a set of enforceable rights and a new European system of governance and enforcement, says a report out Wednesday.
According to the European Commission's evaluation report, the GDPR proved to be flexible to support digital solutions in unforeseen circumstances such as the Covid-19 crisis.
Harmonisation across the Member States is increasing, although there is a level of fragmentation must be continually monitored. Businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage, says the report.
The report contains a list of actions to facilitate further the application of the GDPR for all stakeholders, especially for Small and Medium Sized companies, to promote and further develop a truly European data protection culture and vigorous enforcement.
More needs to be done, said Justice Commissioner Didier Reynders: "For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights."
Key findings of the GDPR review
Citizens are more empowered and aware of their rights: The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Today, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority, according to results published last week in a survey from the EU Fundamental Rights Agency. However, more can be done to help citizens exercise their rights, notably the right to data portability.
The report says GDPR has empowered individuals to play a more active role in relation to what is happening with their data in the digital transition.
Data protection authorities are also making use of their stronger corrective powers. However, they need to be adequately supported with the necessary human, technical and financial resources. Many Member States are doing this, with notable increases in budgetary and staff allocations. However, there are still stark differences between Member States.
While data protection authorities are working together in the context of the European Data Protection Board (EDPB), more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate.
Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises. Guidance provided at national level needs to be fully consistent with guidelines adopted by the EDPB.
The Commission's international engagement on free and safe data transfers has yielded important results. This includes Japan, with which the EU now shares the world's largest area of free and safe data flows. The Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool.
The Commission has stepped up bilateral, regional and multilateral dialogue, fostering respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. It is committed to continuing this work as part of its broader external action, for example, in the context of the Africa-EU Partnership and in its support for international initiatives, such as 'Data Free Flow with Trust'. The Commission is to seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries.
Aligning EU law with the Law Enforcement Directive: in addition, the Commission has today also published a Communication that identifies ten legal acts regulating processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences which should be aligned with the Data Protection Law Enforcement Directive. It says the alignment will bring legal certainty and will clarify issues such as the purposes of the personal data processing by the competent authorities and what types of data may be subject to such processing.
Communication: EU acts to be aligned with the Law Enforcement Directive
EU data protection rules 2-year review - background guide