On 24th June, just over two years after its entry into application, the European Commission published an evaluation report on the General Data Protection Regulation (the Regulation / GDPR). The GDPR report shows the Regulation has met most of its objectives, in particular by offering citizens a strong set of enforceable rights and by creating a new European system of governance and enforcement.

Scope of the GDPR report

The GDPR proved to be flexible to support digital solutions in unforeseen circumstances such as the Covid-19 crisis. The GDPR report also concludes that harmonisation across the Member States is increasing, although there is a certain level of fragmentation that must be continually monitored. It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage. The GDPR report contains a list of actions to facilitate further the application of the Regulation for all stakeholders, especially for Small and Medium Sized companies, to promote and further develop a truly European data protection culture and vigorous enforcement.

Background to the GDPR report

The General Data Protection Regulation is a single set of rules of EU law on the protection of individuals with regard to the processing of personal data and on the free movement of such data. It strengthens data protection safeguards, provides additional and stronger rights to individuals, increases transparency, and makes all those that handle personal data more accountable and responsible. It has equipped national data protection authorities with stronger and harmonised enforcement powers and has established a new governance system among the data protection authorities. It also creates a level playing field for all companies operating in the EU market, regardless of where they are established, ensures the free flow of data within the EU, facilitates safe international data transfers and has become a reference point at global level

As stipulated in Article 97(2) of the GDPR, the report covers in particular international transfers and ‘cooperation and consistency mechanism’, although the Commission has taken a broader approach in its review, in order to address issues raised by various actors during the last two years. These include contributions from the Council, the European Parliament, the EDPB, national data protection authorities and stakeholders. Key findings of the GDPR review are:

Empowering individuals to control their data

The GDPR enhances transparency and gives individuals enforceable rights, such as the right of access, rectification, erasure, the right to object and the right to data portability. Today, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people have heard about their national data protection authority, according to results published last week in a survey from the EU Fundamental Rights Agency. However, more can be done to help citizens exercise their rights, notably the right to data portability.

The application of the GDPR to new technologies

The GDPR report found that the Regulation has empowered individuals to play a more active role in relation to what is happening with their data in the digital transition. It is also contributing to fostering trustworthy innovation, notably through a risk-based approach and principles such as data protection by design and by default.

Enforcement of the GDPR

From warnings and reprimands to administrative fines, the GDPR provides national data protection authorities with the right tools to enforce the rules. However, they need to be adequately supported with the necessary human, technical and financial resources. Many Member States are doing this, with notable increases in budgetary and staff allocations. The GDPR report found that overall, there has been a 42% increase in staff and 49% in budget for all national data protection authorities taken together in the EU between 2016 and 2019. However, there are still stark differences between Member States.

Harmonised rules but still a degree of fragmentation and diverging approaches

The GDPR established an innovative governance system which is designed to ensure a consistent and effective application of the GDPR through the so called ‘one stop shop’, which provides that a company processing data cross-border has only one data protection authority as interlocutor, namely the authority of the Member State where its main establishment is located. Between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the ‘one-stop-shop’, 79 of which resulted in final decisions. However, the GDPR report concludes that more can be done to develop a truly common data protection culture. In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate.

Advice and guidelines by data protection authorities

The EDPB is issuing guidelines covering key aspects of the Regulation and emerging topics. Several data protection authorities have created new tools, including helplines for individuals and businesses, and toolkits for small and micro-enterprises. It is essential to ensure that guidance provided at national level is fully consistent with guidelines adopted by the EDPB.

Developing a modern international data transfer toolbox

The GDPR report found that over the past two years, the Commission’s international engagement on free and safe data transfers has yielded important results. This includes Japan, with which the EU now shares the world’s largest area of free and safe data flows. The Commission will continue its work on adequacy, with its partners around the world. In addition and in cooperation with the EDPB, the Commission is looking at modernising other mechanisms for data transfers, including Standard Contractual Clauses, the most widely used data transfer tool. The EDPB is working on specific guidance on the use of certification and codes of conduct for transferring data outside of the EU, which need to be finalised as soon as possible. Given the European Court of Justice may provide clarifications in a judgment to be delivered on 16 July that could be relevant for certain elements of the adequacy standardthe Commission will report separately on the existing adequacy decisions after the Court of Justice has handed down its judgment.

Promoting convergence and international cooperation in the area of data protection

Over the last two years, the Commission has stepped up bilateral, regional and multilateral dialogue, fostering a global culture of respect for privacy and convergence between different privacy systems to the benefit of citizens and businesses alike. The Commission is committed to continuing this work as part of its broader external action, for example, in the context of the Africa-EU Partnership and in its support for international initiatives, such as ‘Data Free Flow with Trust’. At a time when violations of privacy rules may affect large numbers of individuals simultaneously in several parts of the world, it is time to step up international cooperation between data protection enforcers. This is why the Commission will seek authorisation from the Council to open negotiations for the conclusion of mutual assistance and enforcement cooperation agreements with relevant third countries.

Challenges for small and medium sized enterprises (SME’s)

The GDPR report noted that the Regulation, together with the Free Flow of Non-Personal Data Regulation offers opportunities to companies by fostering competition and innovation, ensuring the free flow of data within the EU and creating a level playing field with companies established outside the EU. The right to portability, coupled with an increasing number of individuals in search of more privacy-friendly solutions, have the potential to lower the barriers to entry for businesses and open the possibilities for growth based on trust and innovation. However, some stakeholders report that the application of the GDPR is challenging especially for small and medium sized enterprises.

SMEs stress in particular the importance and usefulness of codes of conduct which are tailored to their situation and which do not entail disproportionate costs. As regards certification schemes, security (including cybersecurity) and data protection by design are key elements to be considered under the GDPR and would benefit from a common and ambitious approach throughout the EU. The Commission is currently working on standard contractual clauses between controllers and processors, building on the on-going work on the modernisation of the standard contractual clauses for international transfers.

At EM Law we specialise in helping small and medium sized companies comply with the GDPR. If you have any questions on data protection law or on any of the issues raised in this article please get in touch with one of our data protection lawyers.