On June 24, 2020, the European Commission (“the Commission”) submitted its first report on the evaluation and review of the EU General Data Protection Regulation (“GDPR”) to the European Parliament and Council. The report is required under Article 97 of the GDPR and will be produced at four-year intervals going forward.
In its report, the Commission concludes that generally the GDPR has successfully met its objectives, namely those of strengthening personal data protection and guaranteeing the free flow of personal data within the EU. It also, however, identifies a number of areas for improvement, as highlighted below.
Separately, the Commission referred to its ongoing work in relation to the ePrivacy Regulation, which is set to replace the ePrivacy Directive and further harmonize the EU approach to data protection, commenting that it is “very important to ensure its rapid adoption.”
Fragmentation Between Member States
The report highlights the areas in which the Commission has seen fragmentation among Member States in application of the law. There are several provisions in the GDPR that allow for Member States to legislate or provide their own specifications, one of which relates to the age at which children may provide consent for the purposes of information society services. The Commission noted that this is one area where Member States have diverged, creating uncertainty for both children and their parents in the Single Market and difficulties for businesses working across borders. The report adds, “For the effective functioning of the internal market and to avoid unnecessary burden on companies, it is also essential that national legislation does not go beyond the margins set by the GDPR or introduce additional requirements when there is no margin.”
Similar fragmentation can be seen in the approach taken towards derogations to the GDPR’s general prohibition on the processing of special category data. The Commission states that it is in the process of mapping these approaches with a view to supporting the establishment of a code of conduct in order to contribute to a more consistent approach.
The Commission also acknowledges that while guidelines from the European Data Protection Board (“EDPB”) have been welcomed, issues have been raised in relation to inconsistencies between EDPB guidelines and guidance issued nationally.
The Commission states, however, that given the limited practical experience that has been gained so far and the fact that sector-specific legislation is under revision in many Member States, definitive conclusions on fragmentation could not yet be drawn. The Commission also points to the relevant case law of national courts and the Court of Justice as providing some guidance on issues of divergence, stating that this case law “helps to create a consistent interpretation of data protection rules,” and adding that national courts have already issued judgements that invalidate national provisions that depart from the GDPR.
In the future, the Commission recommends that Member States consider limiting any use of specification clauses that could create fragmentation and prevent the free flow of data in the EU. It also states that it will explore whether possible targeted amendments to GDPR provisions might be appropriate, for example, by harmonizing the age of consent for children.
The report notes that data protection authorities (“DPAs”) have made use of their strengthened enforcement powers under the GDPR, not only with warnings, reprimands and fines, but also through bans on processing, which the Commission regards as potentially a more effective deterrent.
When it comes to cooperation between Member States, however, the Commission notes that the development of a “truly common European data protection culture” is ongoing, and that the management of cross-border cases requires improvement, including from a procedural perspective. Furthermore, the report points to an imbalance in the resources allocated to DPAs across Member States. The Commission acknowledges that Ireland and Luxembourg, as technology hubs, are likely to lead on many significant cross-border cases and additional resources may therefore be warranted in those jurisdictions. It acknowledges that many DPAs saw budgets and employee numbers grow over the past two years, but it comments that the imbalance in resource allocation between Member States is not currently satisfactory. Member States are called on to provide DPAs with adequate resources to fulfill their function, as required by the GDPR.
The report foresees issues arising with respect to the use of emerging technologies such as artificial intelligence (“AI”), though it refers to the GDPR as having been conceived in a technology-neutral and principles-based manner. The report states: “Future challenges lie ahead in clarifying how to apply the proven principles to specific technologies such as artificial intelligence, blockchain, Internet of Things or facial recognition which require […] monitoring on a continuous basis […] In this respect, data protection authorities should be ready to accompany technical design processes early on.”
The Commission also notes that the flexibility of the GDPR has been demonstrated during the COVID-19 crisis, for example, with regard to its application to contact tracing applications. The report invites the EDPB to issue guidelines on the application of the GDPR in several areas, including artificial intelligence, blockchain and possible other technological developments.
Data Subject Rights
The Commission states that further work is needed in facilitating the exercise of data subject rights, particularly the right to data portability. The report refers to this right as having clear but unused potential to “put individuals at the centre of the data economy by enabling them to switch between different service providers, to combine different services, use other innovative services and to choose the most data protection-friendly services.”
The Commission highlights unlocking this potential as a priority to avoid consumers being faced with unfair practices and “lock-in” effects and to yield benefits in a variety of sectors. It points to the design of appropriate tools, standardized formats and interfaces as a starting point, commenting that increased use of the data portability right could allow individuals to use their data for the public good, such as for health research purposes.
With regard to data transfers outside of the EU, the report highlights that the Republic of Korea is at an “advanced stage” in the adequacy process, and that exploratory talks are underway with partners in Asia and Latin America. Regarding the United Kingdom, the Commission states, “Adequacy also plays an important role in the context of the future relationship with the United Kingdom, provided that the applicable conditions are met […] In line with the Political Declaration on the Future Relationship between the EU and the UK, the Commission is currently carrying out an adequacy assessment under both the GDPR and the Data Protection Law Enforcement Directive.”
The Commission comments that DPAs should ensure their enforcement actions include foreign operators in the EU market in order to ensure a true, level playing field in the EU. In particular, the Commission highlights that such actions should involve the controller or processor’s representative in the EU. The report states, “This approach should be pursued more vigorously in order to send a clear message that the lack of an establishment in the EU does not relieve foreign operators of their responsibilities under the GDPR.”
The full report is available for review.