Fragmentation across member states needs continuously monitored if the EU is to develop “a truly common data protection culture”, the first EU Commission evaluation of GDPR has found.
While largely positive in its outlook, the review report highlighted, in particular, that greater harmonisation was required in relation to the handling of cross-border cases and recommended a more effective use of all tools provided in the GDPR for the data protection authorities to cooperate.
In response to the review, the EU Commission has strengthened its ambition for a greater convergence of data protection standards, including eradicating differences in how governments and national data protection authorities apply data protection law, an expansion of jurisdictions offering equivalent data protection to the EU’s and a revision of standard contract clauses (SCCs) to help companies transfer personal data around the world more easily.
Separately, the Commission has outlined its intention to refine data protection law and guidance to better support digital innovation in areas such as AI use and blockchain technology.
The General Data Protection Regulation (GDPR) was a set of rules introduced to protect individuals with regard to the processing of personal data and on the free movement of such data.
In order to create a level playing field for all companies operating in the EU market, the legislation equipped national data protection authorities with stronger enforcement powers and established a new governance system among those authorities.
Written into the GDPR was that the EU Commission would carry out a review and evaluation of the set of rules two years after application and then every four years thereafter.
The Commission’s report in June 2020 represented the first assessment and found that GDPR has met most of its objectives, including “offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement”.
Published pre-Covid-19, the report found that GDPR has proven to be flexible in supporting digital solutions, even in the unforeseen circumstances of the pandemic.
Two years on, it states that businesses are developing a compliance culture and are now increasingly using strong data protection as a competitive advantage.
Action list for member states to support GDPR application:
- complete the alignment of their sectoral laws to the GDPR;
- consider limiting the use of specification clauses which might create fragmentation and jeopardise the free flow of data within the EU;
- assess whether national law implementing the GDPR is in all circumstances within the margins provided for member state legislation; and
- allocate resources to data protection authorities that are sufficient for them to perform their tasks.
Amongst the key findings and further action outlined in the review, the Commission says that while EU citizens have become more aware of their rights, with some 69 per cent of the EU population over the age of 16 having heard of GDPR, more can be done to help citizens exercise these rights, particularly in relation to the right to data portability.
Data protection rules, the review says, have helped individuals to play a more active role in relation to what is happening with their data in the digital transition. It also points out that the enhanced corrective powers which have been given to data protection authorities are being used but that these authorities are being supported differently within member states.
Human, technical and financial resources needed by national data protection authorities to enforce the rules are largely recognised, with a combined 42 per cent increase in staff and a 49 per cent increase in budget for all national data protection authorities between 2016 and 2019, however, the report points to “stark” differences between member states.
On the performance of data protection authorities, the review says that while there is evidence that data protection authorities are working together in the context of the European Data Protection Board, room for improvement exists. The one-stop-shop governance mechanism, ensuring that a company processing data cross-border “has only one data protection authority as interlocutor” saw 79 final decisions issued in response to 141 draft decisions submitted between May 2018 and December 2019. “More can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate,” the review stated.
Pointing to international engagement on free and safe data transfers over the past two years, including with Japan with which the EU now shares the world’s largest area of free and safe data flows, the review says that the Commission will continue to work on adequacy with its partners around the world and is seeking to modernise other mechanisms of data transfer, not least the SCCs. However, the review also outlines an ambition to go further than existing relationships. In stating that “it is time to step up the international cooperation between data protection enforcers”, the review highlights that the Commission aims to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries.
As well as publishing the review, the Commission also published a communication identifying 10 legal acts regulating processing of personal data by competent authorities for the prevention, investigation, detection or prosecution of criminal offences which should be aligned with the Data Protection Law Enforcement Directive.
“The alignment will bring legal certainty and will clarify issues such as the purposes of the personal data processing by the competent authorities and what types of data may be subject to such processing,” the Commission stated.
The Commission’s next evaluation report, which will also review implementation of the actions listed within the inaugural report, is expected for 2024.