Two years after the GDPR entered into force, the European Commission (EC) issued its first evaluation of the GDPR. According to the EC, the GDPR’s data protection rules have proven that they are fit for the digital age, as they help to foster trustworthy innovation, empower individuals to have more control over their personal data and guarantee the free flow of personal data within the EU. However, the EC also identified a number of areas for improvement. We have addressed the key points from the EC’s evaluation below.
- Citizens are more aware of their rights
Individuals are increasingly aware of the GDPR and their GDPR rights. Today, 69% of the population above the age of 16 in the EU have heard about the GDPR and 71% have heard about their national data protection authority. However, the right to data portability is still not used to its full potential. It is one of the EC’s priorities to increase awareness of the right to data portability, as it believes this right can foster competition and support innovation in many sectors.
- Data protection authorities do cooperate but there is room for improvement
The GDPR’s cross-border enforcement system – the so-called ‘one-stop shop’ mechanism – has enhanced cooperation between data protection authorities. However, developing a truly common European data protection culture between data protection authorities is still an ongoing process. Data protection authorities have not yet made full use of the cooperation tools the GDPR provides, such as joint operations that could lead to joint investigations. Additionally, further progress is needed to make the handling of cross-border cases more efficient by harmonising procedural requirements across the EU.
- Despite harmonised rules, there is still a degree of fragmentation and diverging approaches
As a result of the policy freedom the GDPR leaves to Member States, there is still a degree of fragmentation, which is notably due to the extensive use of facultative specification clauses. According to the EC, this fragmentation also creates challenges for cross-border business and innovation, in particular as regards new technological developments and cybersecurity solutions. For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is essential that national legislation does not go beyond the margins set by the GDPR and fundamental rights, or introduce additional requirements where there is no margin.
- The GDPR’s international data transfer toolbox
The EC’s international engagement on harnessing the full potential of free and safe international data transfers has yielded some results. This includes the EU-Japan mutual adequacy decisions, which created the world’s largest area of free and safe data flows. The EC will continue its work on new adequacy decisions, notably with the Republic of Korea (advanced stage) and a number of other countries in Asia, as well as in Latin America (exploratory talks). The EC will further review the adequacy decisions that were adopted, after the Court of Justice’s judgment in the Schrems II case (16 July 2020). Besides its adequacy work, the EC is working on a comprehensive modernisation of the standard contractual clauses, to update them in light of the new requirements introduced by the GDPR. The EC’s aim is to better reflect the realities of processing operations in the modern digital economy and to consider the possible need, including in light of the new case law of the Schrems II case.
- Promoting convergence and international cooperation
Over the last two years, the EC has intensified its dialogue in a number of bilateral, regional and multilateral fora to foster a global culture of respect for privacy and to develop elements of convergence between different privacy systems. In addition, the EC is also determined to tackle digital protectionism, such as forced data localisation requirements, by developing specific horizontal provisions on data flows and data protection in trade agreements.
Furthermore, the EC reports that, at a time when privacy compliance issues or data security incidents may affect large numbers of individuals simultaneously in several jurisdictions, cooperation ‘on the ground’ between European and international regulators should be further strengthened. In particular, this requires appropriate legal instruments to be developed for closer forms of cooperation and mutual assistance, such as enforcement cooperation agreements with relevant third countries.
- Final remarks
Besides the current status and the areas for improvement, opportunities and risks for organisations can be derived from the EC’s GDPR review.
Firstly, as individuals are more aware of their rights, organisations must have an internal governance framework in place to ensure that individuals are able to exercise their rights properly and to avoid an enforcement backlash.
Secondly, as privacy sits at the centre of the public debate, the GDPR’s data protection rules are increasingly becoming an element of convergence between different privacy systems. We see companies adopting (parts of) the GDPR in their global privacy programmes. This also means that the GDPR can create opportunities for organisations to promote respect for personal data as a competitive differentiator and a selling point on the global marketplace, by offering innovative products and services with novel privacy or data security solutions.