
EU data protection rules 2-year review

24 June 2020
by eub2 -- last modified 24 June 2020

Two years after its entry into application, the European Commission published on 24 June an evaluation report on the General Data Protection Regulation (GDPR).



What are the main conclusions of the report?

  • Two years after its entry into application, the GDPR has been an overall success, meeting many of the expectations, even if a number of areas for future improvement have also been identified.
  • Like most stakeholders and data protection authorities, the Commission is also of the view that it would be premature to draw definite conclusions as to the application of the GDPR and to provide for proposals for its revision.
  • It is likely that most of the issues identified by Member States and stakeholders will benefit from more experience in the application of the Regulation in the coming years.
  • Increasing global convergence around principles that are shared by the GDPR offers new opportunities to facilitate safe data flows, to the benefit of citizens and businesses alike.

What improvements has the GDPR brought?

  • Citizens are more empowered and aware of their rights. The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Individuals also have the right to lodge a complaint with a data protection authority and to seek an effective judicial remedy. Today 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people have heard about their national data protection authority, according to results published in a survey from the EU Fundamental Rights Agency. The GDPR has empowered individuals to play a more active role in what is happening with their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.
  • Businesses, including SMEs, now have just one set of rules to which to adhere. The GDPR also creates a level playing field with companies not established in the EU but operating here. By establishing a harmonised framework for the protection of personal data, the GDPR ensures that all businesses in the internal market are bound by the same rules and benefit from the same opportunities, regardless of whether they are established and where the processing takes place. In addition, privacy has become a competitive quality that customers are increasingly taking into consideration when choosing their services. For SMEs, the implementation of the right to data portability has the potential to lower the barriers to entry to data protection friendly services. Compliance with the data protection rules and their transparent application will create trust between business and consumers when it comes to the use of their personal data.

How is the GDPR being applied to new technologies?

The GDPR is an essential and flexible tool to ensure the development of new technologies in accordance with fundamental rights. The implementation of the core principles of the GDPR is particularly crucial for data-intensive processing. The risk-based and technology-neutral approach of the Regulation provides a level of data protection that is adequate to the risk of the processing, including by emerging technologies.

The GDPR's technologically neutral and future-proof approach was put to the test during the COVID-19 pandemic and has proven to be successful. Its principles-based rules supported the development of tools to combat and monitor the spread of the virus.

The future-proof and risk-based approach of the GDPR will also be applied in the future EU framework for Artificial Intelligence and in the implementation of the European Data Strategy. The Data Strategy aims at fostering data availability and at the creation of Common European Data Spaces.

How is the cooperation and consistency mechanism working in practice?

Data protection authorities have been very actively working together as members of the EDPB. They already use the cooperation tool of mutual assistance intensively. With regard to the consistency mechanism, the EDPB adopted several opinions over the past two years. However, neither a dispute resolution nor an urgency procedure has yet been triggered.

More generally and as the report shows, the handling of cross-border cases needs a more efficient and cohesive approach when using the cooperation tools provided in the GDPR. There is a very broad consensus on this among the European Parliament, the Council, stakeholders and the data protection authorities.

The main issues to be tackled in this context include:

  • differences in national administrative procedures;
  • varying interpretations of concepts relating to the cooperation mechanism;
  • and varying approaches regarding the start of the cooperation procedure, the timing and communication of information.

The EDPB has indicated that it will clarify procedural steps to enhance cooperation between the lead data protection authority and the concerned data protection authorities.

How does the GDPR contribute to global data protection standards?

The GDPR has emerged as a reference point and acted as a catalyst for many countries and states around the world considering how to modernise their privacy rules: Chile, South Korea, Brazil, Japan, Kenya, India, Tunisia, Indonesia, Taiwan and the state of California, to name but a few. International instruments, such as the modernized "Convention 108" of the Council of Europe, or the "Data Free Flow with Trust" initiative launched by Japan, are also based on principles that are shared by the GDPR.

This trend towards global convergence brings new opportunities for increasing the protection of Europeans while, at the same time, facilitating data flows and lowering transaction costs for business operators.

How has the GDPR facilitated international data flows?

The GDPR offers a modernised toolbox to facilitate the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. This continuity of protection is important, given that in today's world data moves easily across borders and the protections guaranteed by the GDPR would be incomplete if they were limited to processing inside the EU. The toolbox includes actively engaging with key partners with a view to reaching an adequacy finding and yielded important results such as the creation between the EU and Japan of the world's largest area of free and safe data flows. Ongoing work also concerns other transfer mechanisms, such as standard contractual clauses and certification, to harness the full potential of the GDPR rules on international transfers.

How is the GDPR being enforced? What enforcement measures have been taken so far?

The GDPR gives national data protection authorities harmonised and strengthened enforcement powers.

Since the entry into application of the Regulation, data protection authorities have been making use of a wide range of corrective powers provided by the GDPR, such as administrative fines, warnings and reprimands, orders to comply with data subjects' requests, and orders to bring processing operations into compliance with the Regulation or to rectify, erase or restrict processing.

The GDPR also provides for a broader palette of corrective powers. For example, the effect of a ban on processing or the suspension of data flows can be much stronger than a financial penalty.

What are the main improvements that can be made for the future?

We have presented in the report a list of actions. The key objective at this stage is to support a harmonised and consistent implementation and enforcement of the GDPR across the EU.

This requires a strong engagement from all actors:

  • making sure that national legislation, including sectoral legislation, is fully in line with the GDPR;
  • Member States providing data protection authorities with the necessary human, financial and technical resources to properly enforce the data protection rules but also reaching out to stakeholders, both citizens and – very importantly – SMEs;
  • data protection authorities developing efficient working arrangements regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects;
  • making full use of the toolbox under the GDPR to facilitate the application of the rules, for instance through codes of conduct;
  • closely monitoring the application of the GDPR to new technologies such as AI, Internet of Things, blockchain.

As regards the international dimension, the Commission says it will continue to focus its efforts on promoting convergence of data protection rules as a way to ensure safe international data flows. This includes in the context of ongoing reforms for new or updated data protection laws, or the push for the 'Data Free Flow with Trust' (DFFT) concept in multilateral fora. This work will also cover various adequacy dialogues and the modernisation and expansion of our transfer toolbox through updating the SCCs and laying the groundwork for certification mechanisms.

Source: European Commission
