On February 24, 2020, the European Data Protection Board (“EDPB”) published general policy messages and a synthesis of the contributions and replies by its members – national data protection authorities (“DPAs”) – to the Questionnaire on the Evaluation of the EU General Data Protection Regulation (“GDPR”) sent by the European Commission (the “Contribution”).
Article 97 of the GDPR requires the European Commission to submit, by May 25, 2020, and every four years thereafter, a report on the evaluation and review of the GDPR to the European Parliament and to the Council of the EU. In its report, the European Commission shall examine, in particular, the application and functioning of (1) the international data transfer tools and (2) the cooperation and consistency mechanisms under the GDPR. In order to prepare its report, the European Commission may request information from DPAs.
Against that background, the European Commission sent a Questionnaire on the Evaluation of the GDPR to national DPAs. The Contribution summarizes the responses of the DPAs within the EDPB to the Commission’s questions and conveys general policy messages from the EDPB on the application of the GDPR. It also provides key statistics relating to the cooperation and consistency mechanisms, the human and financial resources of DPAs, enforcement of the GDPR and data breach notifications at the national level.
Key takeaways and statistics from the Contribution include:
International Data Transfer Tools
- Adequacy decisions. The EDPB welcomes the interest of third countries in engaging with the EU in the context of an adequacy decision. In this respect, the EDPB emphasizes that the adequacy decision on Japan adopted under the GDPR is an important precedent that should be taken into account to adjust the practice for future adequacy decisions and the review of existing ones. In the context of that adequacy decision, the assessment of the legislation of the third country was combined with specifically negotiated additional rules only applicable for transfers between the EU and this third country. The EDPB encourages the European Commission to ensure that an architecture of adequacy, relying on such additional rules, will be “a sustainable and reliable system that will not raise practical issues regarding the concrete and efficient compliance by foreign entities and enforcement by the third country data protection authority.” The EDPB further invites the European Commission to regularly monitor the binding nature and effective application of those rules in the third country.
- Standard Contractual Clauses (“SCCs”). The EDPB stresses the urgent need for the European Commission to update the existing SCCs in light of the GDPR, and to draft additional SCCs to cover new data transfer scenarios such as those occurring in a processor-to-processor relationship or transfers of personal data from a data processor in the European Economic Area (“EEA”) to a data controller outside the EEA.
Between May 25, 2018, and December 31, 2019:
- 1,346 procedures were initiated to identify the lead DPA and the concerned DPAs in a preliminary phase, enabling DPAs to cooperate even before the formal one-stop-shop procedure is triggered. All DPAs have been identified at least once as a lead DPA or a concerned DPA.
- 807 cross-border cases have been registered in a central database called Internal Market Information (“IMI”) Case register, from which all cooperation and consistency procedures can be initiated, including one-stop-shop procedures.
- Lead DPAs issued 141 draft decisions to the concerned DPAs for their opinion, which triggered the formal one-stop-shop procedure. In most cases, none of the other concerned DPAs objected to the draft decision submitted by the lead DPA, and the draft decision resulted in a final decision.
However, the DPAs have identified the following challenges when implementing the one-stop-shop procedures:
- differences in the national administrative procedures (differences in complaint-handling procedures, positions of the parties in the proceedings, admissibility criteria, duration of the proceedings, deadlines, possibility of sharing confidential information with other DPAs, concrete consultation of the concerned DPAs on draft measures, etc.);
- differences in the interpretation of several concepts relating to the cooperation mechanism (e.g., “relevant information,” “without delay,” “draft decision,” “amicable settlements”); and
- different approaches of the lead DPAs regarding the start of the cooperation procedure, the timing of involvement of concerned DPAs and the communication of relevant information to them.
The EDPB is examining possible solutions to overcome these challenges and to improve existing cooperation procedures. It also calls upon the European Commission to check if national procedures impact the effectiveness of the cooperation procedures and considers that, eventually, national legislators may also have a role to play in ensuring further harmonization.
In addition, DPAs have triggered 115 Mutual Assistance procedures under Article 61 of the GDPR and launched 2,427 procedures to assist each other on a voluntary basis.
No joint operation procedure has yet been triggered by DPAs. However, several DPAs are considering starting this type of cooperation in 2020.
Between May 25, 2018, and December 31, 2019, the EDPB adopted consistency opinions, including:
- 31 opinions regarding the national lists of processing subject to a data protection impact assessment (DPIA);
- Two positive opinions on Binding Corporate Rules (“BCRs”), while more than 40 BCRs are in the pipeline for approval, half of which could be expected to be approved by the end of 2020;
- Two opinions on the draft accreditation requirements for a code of conduct monitoring body pursuant to Article 41 of the GDPR; and
- One opinion on draft SCCs between data controllers and data processors according to Article 28(8) of the GDPR.
Budget and Human Resources of DPAs
- The EDPB notes that the effective application of the GDPR and the success of the one-stop-shop mechanism are largely dependent on the time and resources that DPAs have at their disposal. However, most of the DPAs explicitly stated that they do not have enough resources, with only nine stating that they do not see the need for further resources at this stage.
- Most DPAs also stated that they are not properly equipped to contribute to the cooperation and consistency mechanisms.
Enforcement of the GDPR at the National Level
- Between May 25, 2018, and December 31, 2019, 30 EU/EEA DPAs received approximately 275,557 complaints in total.
- DPAs made use of a wide range of corrective measures, not only administrative fines but also warnings and reprimands. Regarding administrative fines, 22 EU/EEA DPAs made use of this corrective power, issuing approximately 785 fines altogether. Only eight DPAs have not imposed any administrative fines yet, although most of them have ongoing proceedings that might lead to an administrative fine in the near future.
- The circumstances most frequently taken into account when imposing administrative fines are: (1) the degree of cooperation with the DPAs; (2) whether the infringement was systematic or repetitive in nature; (3) whether the action was intentional; (4) the measures taken by the data controller to remedy the problem or to avoid future infringements; (5) the nature and duration of the infringement; (6) whether relevant previous infringements were committed by the same data controller; (7) the nature of the data controller (e.g., a professional in the industry, an entity under great public attention); (8) the categories of personal data affected; and (9) the number of affected individuals.
Data Breach Notifications
- 160,040 personal data breaches were notified to 29 EU/EEA DPAs.
The Contribution concludes that the application of the GDPR in this first year and a half has been successful, and that it is premature to revise it at this point in time. Instead, the EDPB calls on the EU legislator to intensify efforts to adopt the proposed Regulation concerning the Respect for Private Life and the Protection of Personal Data in Electronic Communications and Repealing Directive 2002/58/EC (Regulation on Privacy and Electronic Communications), better known as the “Draft ePrivacy Regulation.”