On December 19, 2019, the members of the Permanent Representations of EU Member States to the Council of the European Union (“the Council”) published a draft position on the application of the General Data Protection Regulation (“GDPR”). After the draft position has been formally adopted by the Council, it will be provided to the European Commission. This is part of the GDPR evaluation process under Article 97 of the GDPR, which requires the European Commission to publish a report on the evaluation and review of the GDPR by May 25, 2020.

The draft position recognizes that the GDPR has strengthened personal data protection, but finds there are certain issues that require improvement, including in the following areas:

  • Scope of the GDPR review: Although Article 97 (2) of the GDPR requires the EU Commission to examine in particular GDPR issues relating to international data transfers and the DPA cooperation/consistency mechanism, the Council calls on the Commission to conduct a more comprehensive review of the GDPR beyond what is specifically mentioned in Article 97.
  • Consent of Minors: The margin left to EU Member States to set their own rules regarding the age of consent of children has led to fragmentation of the applicable legal rules.
  • Data Transfers: The Permanent Representatives call on the Commission to update the Standard Contractual Clauses to align with the GDPR. In addition, they state that further guidance from the European Data Protection Board (“EDPB”) is necessary regarding the appropriate safeguards for data transfers under Article 46 of the GDPR.
  • Cooperation and Consistency: In the Council’s view, it is still early to assess the functioning of cooperation and consistency mechanisms, given the short period of their application. However, as there are administrative challenges with these mechanisms, the EDPB should develop an efficient working arrangement of data protection authorities in multi-jurisdictional cases. In addition, the Council states that the cooperation of data protection authorities should be further strengthened, as it is particularly relevant to the supervision of multi-jurisdictional processing by big tech companies.
  • Representatives: The Permanent Representatives would welcome more clarity regarding how far extraterritorial enforcement can go where non-EU organizations subject to the GDPR have not complied with the obligation to appoint a representative in the EU.
  • New Technologies: The Council underlines that the GDPR was drafted to be technologically neutral. However, because new technologies (such as AI, facial recognition, block-chain, quantum computing, etc.) simultaneously promise benefits while also challenging fundamental rights, the Council calls for further clarification on how the GDPR applies to new technologies.
  • Codes of Conduct: The adoption of sector-specific codes of conduct should be further encouraged as they contribute to the application of the GDPR, in particular, with regard to issues such as the protection of children’s personal data or the processing of health data.
  • SMEs: While recognizing that the risk-based approach of the GDPR was a choice made by the legislator, the Council nonetheless considers it important to try and assess how the intended balance between the risk-based approach of GDPR obligations on the one hand, and the need to take into account the special needs of SME’s on the other hand, works in practice.
  • National Laws: The GDPR leaves a margin for a national legislator to maintain or introduce more specific provisions to adapt the application of certain GDPR rules. While a certain degree of fragmentation caused by this margin was foreseen and is justified, a number of Member States have pointed out that the national margin has possibly resulted in unintended consequences, as it has, to some extent, contributed to an even more fragmented legal landscape than originally anticipated. The Permanent Representatives also state that more time and experience are required to understand the issue of overlapping territorial scopes of the EU Member States’ laws implementing the GDPR.

Read the draft Council position.