The EC’s GDPR review has found that harmonisation across member states and cross-border cooperation need improving, but concludes it is too early to revise the regulation.
The mandated evaluation report was published just over two years since the introduction of the GDPR. It is based on feedback from EU member states, the European Data Protection Board (EDPB) and a wide range of stakeholders, on the practical application of the GDPR.
It concludes that the regulation has overall been a success and met most of its objectives, offering EU citizens a strong set of enforceable rights and creating a new European system of governance and enforcement. However, a number of areas for future improvement have been identified.
The report concludes that GDPR harmonisation across EU member states is increasing, but there remains “a degree of fragmentation and diverging approaches” that must be continually monitored.
It says this fragmentation creates challenges for conducting cross-border business and hinders innovation.
“For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is also essential that national legislation does not go beyond the margins set by the GDPR or introduces additional requirements when there is no margin,” the report states.
It also concludes that data protection authorities are working together through the EDPB but there is “room for improvement”.
The GDPR has established a governance system designed to ensure a consistent and effective application of the regulation through the so-called ‘one-stop shop’. This means the data protection authority in a company’s main country of establishment acts as interlocutor for any oversight.
The report says that between 25 May 2018 and 31 December 2019, 141 draft decisions were submitted through the one-stop shop, 79 of which resulted in final decisions.
But it adds that “more can be done to develop a truly common data protection culture”.
“In particular, the handling of cross-border cases calls for a more efficient and harmonised approach and an effective use of all tools provided in the GDPR for the data protection authorities to cooperate,” the report notes.
It says there is “very broad consensus” from the European parliament, council, stakeholders and data protection authorities on this.
It finds three main issues to be tackled. These are: differences in national administrative procedures; varying interpretations of concepts relating to the cooperation mechanism; and varying approaches regarding the start of the cooperation procedure, the timing and communication of information.
The EDPB has indicated that it will clarify procedural steps to enhance cooperation between the lead data protection authority and the concerned data protection authorities.
The report also finds that data protection authorities are making use of their stronger powers but there remain “stark differences” between staffing levels to achieve this.
“The general view is that data protection authorities have made balanced use of their strengthened corrective powers, including warnings and reprimands, fines and temporary or definitive processing limitations. The Commission notes that the authorities made use of administrative fines ranging from a few thousand euros to several million, depending on the gravity of the infringements. Other sanctions, such as bans on processing, may have an equally if not higher deterrent effect than fines. The ultimate objective of the GDPR is to change the culture and behaviour of all actors involved for the benefit of the individuals,” it says.
But it adds that the authorities need to be adequately supported with the necessary human, technical and financial resources.
“Many member states are doing this, with notable increases in budgetary and staff allocations. Overall, there has been a 42% increase in staff and 49% in budget for all national data protection authorities taken together in the EU between 2016 and 2019. However, there are still stark differences between member states,” states the report.
It also finds that businesses are developing a compliance culture and increasingly use strong data protection as a competitive advantage.
But having flagged areas of strength and weakness in the GDPR, the EC’s reports says it is simply too early to recommended rule changes.
“Like most stakeholders and data protection authorities, the Commission is also of the view that it would be premature to draw definite conclusions as to the application of the GDPR and to provide for proposals for its revision,” it states.
“It is likely that most of the issues identified by member states and stakeholders will benefit from more experience in the application of the regulation in the coming years,” it adds.
The Commission will monitor the implementation of suggested GDPR improvements following the report and has scheduled further evaluation for 2024.
It explains that the key objective at this stage is to support a harmonised and consistent implementation and enforcement of the GDPR across the EU.
It adds that this requires strong engagement from all actors and lists key areas of focus:
Making sure that national legislation, including sectoral ones, are fully in line with the GDPR
Member states providing data protection authorities with the necessary human, financial and technical resources to properly enforce the data protection rules but also reaching out to stakeholders, both citizens and – very importantly – SMEs
Data protection authorities developing efficient working arrangements regarding the functioning of the cooperation and consistency mechanisms, including on procedural aspects
Making full use of the toolbox under the GDPR to facilitate the application of the rules, for instance through codes of conduct
Closely monitoring the application of the GDPR to new technologies such as AI, the internet of things, and blockchain.
Didier Reynders, European Commissioner for Justice, said: “The GDPR has successfully met its objectives and has become a reference point across the world for countries that want to grant to their citizens a high level of protection. We can do better though, as today’s report shows.
“For example, we need more uniformity in the application of the rules across the Union: this is important for citizens and for businesses, especially SMEs. We need also to ensure that citizens can make full use of their rights. The Commission will monitor progress, in close cooperation with the European Data Protection Board and in its regular exchanges with member states, so that the GDPR can deliver its full potential,” he added.
The European Data Protection Supervisor (EDPS), Wojciech Wiewiórowski, said the GDPR has strengthened the fundamental right to data protection and contributed to raising awareness about the importance of data privacy, both within the EU and in other parts of the world.
But he too stressed that consistent and efficient GDPR enforcement remains a priority.
“Resources available for the national data protection authorities are sometimes insufficient and there are some discrepancies caused by the different legal frameworks and national procedural laws. In response to these practical constraints, the EDPS believes that solidarity and reinforced cooperation with the EPDB and other related actors is key,” said the EDPS.
“We now need a stronger expression of genuine European solidarity, burden sharing and a common approach to ensure the enforcement of our data protection rules. The outstanding success of the GDPR is the combination of many factors but the European data protection authorities’ ability to enforce EU rules is key, in particular if we want to address some harmful data practices by powerful global players. The EDPS stands ready to share its resources and expertise,” added Mr Wiewiórowski.
more at CRE
© Commercial Risk Europe
Key
Hover over the blue highlighted
text to view the acronym meaning
Hover
over these icons for more information
Comments:
No Comments for this Article