Skip to content

Brought to you by

Dentons logo

Privacy and Cybersecurity Law

Coverage and commentary on developments in data protection.

open menu close menu

Privacy and Cybersecurity Law

  • Home
  • About Us

The European Commission’s GDPR review in short

By Akkeroos Kremers and Marc Elshof
July 22, 2020
  • General
Share on Facebook Share on Twitter Share via email Share on LinkedIn

Two years after the GDPR entered into force, the European Commission (EC) issued its first evaluation of the GDPR. According to the EC, the GDPR’s data protection rules have proven that they are fit for the digital age, as they help to foster trust-worthy innovation, empower individuals to have more control over their personal data and guarantee the free flow of personal data within the EU. However, the EC also identified a number of areas for improvement. We have addressed the key points from the EC’s evaluation below.

  • Citizens are more aware of their rights

Individuals are increasingly aware of the GDPR and their GDPR rights. Today, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% of people heard about their national data protection authority. However, the right to data portability is still not used to its full potential. It is one of the EC’s priorities to increase awareness of the right to data portability, as it believes this right can foster competition and support innovation in many sectors.

  • Data protection authorities do cooperate but there is room for improvement

The GDPR’s cross-border enforcement system – the so called ‘one-stop shop’ mechanism – enhanced cooperation between data protection authorities. However, developing a truly common European data protection culture between data protection authorities is still an on-going process. Data protection authorities have not yet made full use of the cooperation tools the GDPR provides, such as joint operations that could lead to joint investigations. Additionally, further progress is needed to make the handling of cross-border cases more efficient by harmonizing procedural requirements across the EU.

  • Despite harmonised rules, there is still a degree of fragmentation and diverging approaches

As a result of Member States’ policy freedom arising from GDPR, there is still a degree of fragmentation which is notably due to the extensive use of facultative specification clauses. According to the EC, this fragmentation also creates challenges to conducting cross-border business, innovation, in particular as regards new technological developments and cybersecurity solutions. For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is essential that national legislation does not go beyond the margins set by the GDPR, the fundamental rights or introduces additional requirements when there is no margin.

  • The GDPR’s international data transfer toolbox

The EC’s international engagement on harnessing the full potential of international free and safe data transfers has yielded some results. This includes the EU-Japan mutual adequacy decisions, which created the world’s largest area of free and safe data flows. The EC will continue its work on new adequacy decision, notably with the Korean Republic (advanced stage) and a number of other countries in Asia, as well as in Latin America (exploratory talks). The EC will further review the adequacy decisions that were adopted after the Court of Justice’s judgment in the Schrems II case (16 July 2020). Beside its adequacy work, the EC is working on a comprehensive modernisation of standard contractual clauses, to update them in light of new requirements introduced by the GDPR. The EC’s aim is to better reflect the realities of processing operations in the modern digital economy and consider the possible need, including in the light of the new case law of the Schrems II case.

For more information on the Schrems II case, please see this article and the previous blog.

  • Promoting convergence and international cooperation

Over the last two years, the EC has intensified its dialogue in a number of bilateral, regional and multilateral fora to foster a global culture of respect for privacy and develop elements of convergence between different privacy systems. In addition, the EC is also determined to tackle digital protectionism by developing specific horizontal provisions on data flows and data protection in trade agreements, such as forced data localisation requirements.

Furthermore, the EC’s reports that at a time when privacy compliance issues or data security incidents may affect large numbers of individuals simultaneously in several jurisdictions, cooperation ‘on the ground’ between European and international regulators should be further strengthened. In particular, this requires appropriate legal instruments to be developed for closer forms of cooperation and mutual assistance enforcement cooperation agreements with relevant third countries.

  • Final remarks

Besides the current status and the areas of improvement, chances and risks for organizations can be derived from the EC’s GDPR review.

Firstly, as individuals are more aware of their rights, organizations must have an internal governance framework in place to ensure that individuals are able to exercise their rights properly and to avoid enforcement backlash.

Secondly, as privacy is situated at the centre of the public debate the GDPR’s data protection rules are becoming more and more an element of convergence between different privacy systems. We see companies adopting (parts of) the GDPR in their global privacy programs. This also means that the GDPR can create chances for organizations to promote respect for personal data as a competitive differentiator and a selling point on the global marketplace, by offering innovative products and services with novel privacy or data security solutions.

Share on Facebook Share on Twitter Share via email Share on LinkedIn
Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
data protection, European Commission, GDPR, GDPR review, privacy law
Akkeroos Kremers

About Akkeroos Kremers

Akkeroos Kremers is an associate based in our Amsterdam office. As part of the Intellectual Property and Technology group, she focuses of IT and privacy-related matters.

All posts Full bio

Marc Elshof

About Marc Elshof

Marc Elshof is a partner in our Amsterdam office and Co-Head of Europe Data Privacy & Security. He has specialised experience in complex IT and data protection matters.

All posts Full bio

RELATED POSTS

  • General

NIST Releases Cloud Computing Guidance

Following on the heels of its December guidance on cloud privacy and security, NIST has released SP 800-146, “Cloud Computing […]

By Todd Daubert
  • General

New enforcement policy published by ICO demonstrating lack of resource?

Focussed enforcement action The UK Information Commissioner’s Office (ICO) recently published its new policy on regulatory and enforcement action. The […]

By Simon Elliott
  • General

EDPB guidelines on the targeting of social media users

By Rosemarie Schaar and Rosemarie Schaar

About Dentons

Dentons is designed to be different. As the world’s largest law firm with 20,000 professionals in over 200 locations in more than 80 countries, we can help you grow, protect, operate and finance your business. Our polycentric and purpose-driven approach, together with our commitment to inclusion, diversity, equity and ESG, ensures we challenge the status quo to stay focused on what matters most to you. www.dentons.com

Dentons boilerplate image

Twitter

Categories

  • Accountability
  • Asia Pacific
  • Canada
  • Cloud Computing
  • Consumer Protection
  • Cybersecurity
  • Data Breach
  • Data Transfers
  • Employee Privacy
  • Enforcement
  • Europe
  • General
  • Government Information
  • Health Information Privacy
  • Latin America
  • Marketing, Cookies & Spam
  • New and Proposed Laws
  • Privacy Notices
  • Privacy Rights
  • Record Retention
  • Smart Cities
  • United Kingdom
  • United States

Subscribe and stay updated

Receive our latest blog posts by email.

Stay in Touch

Dentons logo

© 2023 Dentons

  • Legal notices
  • Privacy policy
  • Terms of use
  • Cookies on this site