Just over two years after its full implementation, the European Commission has published an evaluation report on the European Data Protection Regulation (GDPR). The report shows how the GDPR has achieved most of its objectives, in particular by guaranteeing EU citizens a solid set of rights and creating a new European governance system. The GDPR has also proved flexible in supporting digital solutions in unforeseen circumstances such as the crisis caused by Covid-19.
The Commission document also points out that the harmonisation of national legislation has increased thanks to the GDPR, although there is still some fragmentation in some areas (for example, in terms of balancing freedom of expression and data protection, or on health) that requires constant monitoring. There is also a culture of “responsibility” among companies and the idea that measures to protect personal data can be a competitive advantage.
The report also proposes a list of actions involving different stakeholders (Commission, Member States, Data Protection Authority, public and private entities) to further facilitate the application of the GDPR, with particular regard to small and medium-sized enterprises. The final objectives set out by the Commission are to reduce regulatory fragmentation (Member States are invited to play their part in this, and the Commission intends to monitor these issues carefully), as well as to further promote and develop a European culture of data protection and strict enforcement of rules. All this requires not only interpretive support from the data protection authorities, but also greater and stronger cooperation between the authorities, which are invited to make full use of the tools made available to them by the Regulation.
These, in summary, are some of the main aspects of the review of the EU Regulation.
According to the Commission, the Regulation improves transparency and increases awareness of the rights enjoyed by people in the EU (right of access, rectification, erasure, right to object and right to data portability). Data protection rules have proven to be appropriate for the digital age: the GDPR has promoted people’s active and conscious participation in the digital transition and has fostered reliable innovation, in particular through a risk-based approach and principles such as data protection by design and by default (privacy by design and privacy by default).
Data protection authorities are using the strongest corrective powers provided by the GDPR, from warnings to financial penalties. However, the Commission stresses, they must be adequately supported with the necessary human, technical and financial resources. While overall, between 2016 and 2019, there was a 42% increase in staff and a 49% increase in budget for all national privacy authorities in the EU, there are still significant differences between Member States.
There is room for improvement in the European data protection governance system, in particular with regard to the operation of the so-called ‘one-stop shop’ mechanism, where a company carrying out cross-border data processing has only one data protection authority as an interlocutor, namely the authority of the Member State where its main establishment is based.
Between 25 May 2018 and 31 December 2019, 141 draft decisions relating to cross-border complaints were submitted through the “one-stop shop”, 79 of which led to final decisions. The EDPB (the European Data Protection Board, made up of representatives from all European data protection authorities) is also working on these governance issues, developing specific guidelines that also address the interpretation and implementation of key aspects of the Regulation and emerging issues.
With regard to the international dimension, the Commission intends to work with the EDPB to modernise some mechanisms in place for the transfer of personal data outside the EU, including standard contractual clauses, which are the most widely used instrument for such transfers, also in the light of developments in the Court of Justice’s case law.
Finally, the Commission emphasises the need to continue international negotiations to assess the adequacy of European standards in non-EU countries and to explore the use of instruments such as international mutual assistance agreements to make the implementation of the Regulation more effective in these areas.
SOURCE: FEDERPRIVACY