GDPR working, but not well enough: EU report
Vera Jourova - 14 - Photo EC
(BRUSSELS) - While most EU Member States have set up the legal framework for the General Data Protection Regulation (GDPR), more is needed if the new data protection regime is to be fully effective, says a new report.
Just over a year after entry into force of the GDPR, the European Commission has published a report looking at the impact of the EU data protection rules, and how implementation can be improved further.
The report concludes that most Member States have set up the necessary legal framework, and that the new system strengthening the enforcement of the data protection rules is falling into place. It says businesses are developing a compliance culture, while citizens are becoming more aware of their rights. At the same time, convergence towards high data protection standards is progressing at international level.
"The General Data Protection Regulation is bearing fruit," says Consumers Commissioner Vera Jourova: "It equips Europeans with strong tools to address the challenges of digitalisation and puts them in control of their personal data. It gives businesses opportunities to make the most of the digital revolution, while ensuring people's trust in it. Beyond Europe, it opens up possibilities for digital diplomacy to promote data flows based on high standards between countries that share EU values. But work needs to continue for the new data protection regime to become fully operational and effective."
The General Data Protection Regulation, applicable since 25 May 2018, is a single set of rules with a common EU approach to the protection of personal data, directly applicable in the member States. It is supposed to reinforce trust by putting individuals back in control of their personal data and at the same time guarantees the free flow of personal data between EU Member States.
Nevertheless, currently only 20 per cent of Europeans know which public authority is responsible for protecting their data, according to a Eurobarometer survey. The Commission is launching this summer a new campaign to encourage Europeans to read privacy statements and to optimise their privacy settings.
The Commission says that while the new data protection rules have achieved many of their objectives, its communication sets out concrete steps to further strengthen the rules and their application:
- One continent, one law: Today, all but three Member States – Greece, Portugal and Slovenia – have updated their national data protection laws in line with EU rules. The Commission will continue to monitor Member State laws to ensure that when they specify the GDPR in national laws, it remains in line with the Regulation and that their national laws are not a gold-plating exercise. If needed, the Commission will not hesitate to use the tools at its disposal, including infringements, to make sure Member States correctly transpose and apply the rules.
- Businesses are adapting their practices: Compliance with the Regulation has helped companies increase the security of their data and develop privacy as a competitive advantage. The Commission will support the GDPR toolbox for businesses to facilitate compliance, such as standard contractual clauses, codes of conduct and new certification mechanism. In addition, the Commission will continue supporting SMEs in applying the rules.
- Stronger role of data protection authorities: The Regulation has given national data protection authorities more powers to enforce the rules. During the first year, national data protection authorities have made use of these new powers effectively when necessary. Data protection authorities are also cooperating more closely within the European Data Protection Board. By the end of June 2019, the cooperation mechanism had managed 516 cross-border cases. The Board should step up its leadership and continue building an EU-wide data protection culture. The Commission also encourages national data protection authorities to pool their efforts for instance by conducting joint investigations. The European Commission will continue to fund national data protection authorities in their efforts to reach out to stakeholders.
- EU rules as reference for stronger data protection standards across the globe: As more and more countries across the world equip themselves with modern data protection rules, they use the EU data protection standard as a reference point. This upwards convergence is opening up new opportunities for safe data flows between the EU and third countries. The Commission will further intensify its dialogues on adequacy, including in the area of law enforcement. In particular, it aims at concluding the ongoing negotiations with the Republic of Korea in the coming months. Beyond adequacy, the Commission aims to explore the possibility to build multilateral frameworks to exchange data with trust.
In line with the General Data Protection Regulation, the Commission will have to report on its implementation in 2020 to assess the progress made after two years of application including on the review of the 11 adequacy decisions adopted under the 1995 Directive.