On the second anniversary of the GDPR, the European Commission has published a report to verify and evaluate the results achieved since the entry into force of the Regulation in May 2018.
The main objective of the report, foreseen in Article 97 of the Regulation, is to provide an overall assessment and review of the application of the GDPR in the Union, with a particular focus on international processing and transfer and the internal cooperation mechanism between the supervisory authorities and the European Data Protection Board.
“The GDPR has successfully achieved its goals,” stressed Didier Reynders, European Commissioner for Justice. Generally speaking, the Commission is satisfied with the results achieved in the two years, especially in strengthening the right to protection of personal data and the free movement of personal data within the EU. The Regulation has contributed to the creation of a robust system of rights applicable in all Member States, effectively introducing a new European system of governance in this area, and is one of the key instruments supporting the Union’s digital strategy presented last February. However, the report also identifies a number of gaps to be filled and actions to be implemented to strengthen and fully implement the GDPR.
A first point concerns the application of the Regulation and its consistency with the functioning of the cooperation mechanisms at European level. The GDPR has established a new system of governance, based on cooperation between the supervisory authorities of the individual Member States and supervised by the European Data Protection Board. Although unprecedented results have been achieved, in particular in cross-border cases, the development of a truly common European data protection culture among data protection authorities is still an ongoing process. Indeed, the Commission’s assessment shows that the situation is still not homogeneous among the Member States and will therefore need to be addressed by making greater use of the tools provided for in the Regulation.
Closely linked to the previous point, a second consideration concerns the effective harmonisation of the rules within the Member States. The Commission has assessed the implementation of the GDPR in national legislation and while it found that, with the exception of Slovenia, all Member States have adopted new laws or adapted their national data protection legislation, the way they have transposed it has resulted in many inconsistencies in both legislation and definitions. The homogeneity of the system is a requirement considered essential by the Commission in order to ensure the effective functioning of the internal market and to relieve companies (especially cross-border ones) of the burden of transposing different regulatory regimes.
A positive aspect of the Commission’s assessment is the increased awareness among European citizens of data protection and related rights. According to a survey by the European Agency for Fundamental Rights, 69% of the European population over the age of 16 had heard about GDPR and 71% of people were aware of the existence of a national supervisory authority. In addition, there has been an increase in the number of citizens able to recognise which rights fall within those protected by the Regulation, such as the rights to access, rectification, cancellation and portability of their personal data.
One point where there have been voices of disagreement and concern since the GDPR’s entry into force regards the opportunities and challenges for European businesses, especially for small and medium-sized enterprises. While the objective of the GDPR is to standardise data protection and processing at European level, promoting competition, innovation and the free movement of data within the Single Market, some stakeholders continue to complain about difficulties in applying the rules of the Regulation, especially at the level of small and medium-sized enterprises (SMEs).
A final interesting point covered in the report concerns the promotion of international cooperation in the field of data protection. The adoption of the GDPR has encouraged other countries in many regions of the world to consider moving in this direction. At the global level, several countries have now decided to introduce tools inspired by the European regulation, including Chile, Brazil, California, South Korea, Japan, India, Indonesia and Kenya. This offers new opportunities to protect individuals not only within Europe’s borders, but also for outward data transfer and, at the same time, helps to facilitate global data flows. With this in mind, the Commission has increased international dialogue at the level of bilateral, regional and multilateral fora to promote a global culture of respect for rights and to develop elements of convergence between different privacy protection systems.